pkgsrc changes: distfile now apparently in 'gtar' format, not standard. annoying
0.33 Mon Jan 13 2014
- Fix config loading so that if passed a directory including
a . in the file name, then loading it as a directory works
(would have previously tried to force a specific filename
and failed)
- More comprehensive tests
* The NEWS files have been re-organized.
This file contains news for R >= 3.0.0: news for the 0.x.y, 1.x.y
and 2.x.y releases is in files NEWS.0, NEWS.1 and NEWS.2. The
latter files are now installed when R is installed. An HTML
version of news from 2.10.0 to 2.15.3 is available as
doc/html/NEWS.2.html.
* sum() for integer arguments now uses an integer accumulator of at
least 64 bits and so will be more accurate in the very rare case
that a cumulative sum exceeds 2^53 (necessarily summing more than
4 million elements).
* The example() and tools::Rd2ex() functions now have parameters to
allow them to ignore \dontrun markup in examples. (Suggested by
Peter Solymos.)
* str(x) is considerably faster for very large lists, or factors
with 100,000 levels, the latter as in PR#15337.
* col2rgb() now converts factors to character strings not integer
codes (suggested by Bryan Hanson).
* tail(warnings()) now works, via the new `[` method.
* There is now support for the LaTeX style file zi4.sty which has
in some distributions replaced inconsolata.sty.
* unlist(x) now typically returns all non-list xs unchanged, not
just the "vector" ones. Consequently, format(lst) now also works
when the list lst has non-vector elements.
* The tools::getVignetteInfo() function has been added to give
information about installed vignettes.
* New assertCondition(), etc. utilities in tools, useful for
testing.
* Profiling now records non-inlined calls from byte-compiled code
to BUILTIN functions.
* Various functions in stats and elsewhere that use non-standard
evaluation are now more careful to follow the namespace scoping
rules. E.g. stats::lm() can now find stats::model.frame() even
if stats is not on the search path or if some package defines a
function of that name.
* If an invalid/corrupt .Random.seed object is encountered in the
workspace it is ignored with a warning rather than giving an
error. (This allows R itself to rely on a working RNG, e.g. to
choose a random port.)
* seq() and seq.int() give more explicit error messages if called
with invalid (e.g. NaN) inputs.
* When parse() finds a syntax error, it now makes partial parse
information available up to the location of the error. (Request
of Reijo Sund.)
* Methods invoked by NextMethod() had a different dynamic parent to
the generic. This was causing trouble where S3 methods invoked
via lazy evaluation could lose track of their generic.
(PR#15267)
* Code for the negative binomial distribution now treats the case
size == 0 as a one-point distribution at zero.
* abbreviate() handles without warning non-ASCII input strings
which require no abbreviation.
* read.dcf() no longer has a limit of 8191 bytes per line. (Wish of
PR#15250.)
* formatC(x) no longer copies the class of x to the result, to
avoid misuse creating invalid objects as in PR#15303. A warning
is given if a class is discarded.
* Dataset npk has been copied from MASS to allow more tests to be
run without recommended packages being installed.
* The initialization of the regression coefficients for
non-degenerate differenced models in arima() has been changed and
in some examples avoids a local maximum. (PR#15396)
* termplot() now has an argument transform.x to control the display
of individual terms in the plot. (PR#15329)
* format() now supports digits = 0, to display nsmall decimal
places.
* There is a new read-only par() parameter called "page", which
returns a logical value indicating whether the next plot.new()
call will start a new page.
* Processing Sweave and Rd documents to PDF now renders backticks
* utils::modifyList() gets a new argument keep.null allowing NULL
components in the replacement to be retained, instead of causing
corresponding components to be deleted.
* tools::pkgVignettes() gains argument check; if set to TRUE, it
will warn when it appears a vignette requests a non-existent
vignette engine.
This module implements a very simple parser for cookies used in
HTTP applications. We've found CGI::Simple::Cookie and CGI::Cookie
rather slow according to the profiling results for our OpenResty
project, hence the rewrite in C.
WARNING: This module is obsolete; please use CGI::Cookie::XS instead.
This module implements a very simple parser for cookies used in
HTTP applications. We've found CGI::Simple::Cookie and CGI::Cookie
rather slow according to the profiling results for our OpenResty
project, hence the rewrite in C.
Special effort has been made to ensure this module works in the
same way as the latest CGI::Cookie (i.e., the pure Perl implementation).
If you find it doesn't, please let us know.
Revision history for Perl extension Catalyst::Plugin::Session
0.39 2013-10-16
- Fixed a bug when "expiry_threshold" is non-zero, where changes to the
session were not saved.
0.38 2013-09-18
- New feature: "expiry_threshold" which allows you more control over when
this plugin checks and updates the expiration date for the session.
This is useful when you have high traffic and need to reduce the number
of session expiration hits (like if you are using a database for sessions
and your db is getting pounded).
PR pkg/48465 by ISIHARA Takanori.
Version 5.6
IMPROVEMENTS:
* SMTP AUTH LOGIN support added (MS Exchange SMTP authentication
should now work).
* favicon.ico added to the HTTP interface.
BUGFIXES:
* If an undefined checksum test was used and the file did not exist
on Monit start, Monit would return an error.
* If the configuration file ended with a comment but with no trailing LF
character, Monit would return syntax error.
* If a service timed out after too many restarts and alert was used as
the action, then the Timeout flag remained set even if the service
recovered.
* SmartOS zone system memory usage report fix.
* Escape mail messages properly for sending via SMTP.
* Escape XML messages properly.
* Compilation: fix the configure script to support default compiler
paths when searching for OpenSSL (fixes library search on multi-
architecture platforms like Debian and Ubuntu).
Version 5.5.1
IMPROVEMENTS:
* Info and debug messages are no longer sent to stderr, only to stdout.
Thanks to Sergey Kirpitchev for initial patch.
* Improved output from 'check program', If the program returns an error
message, include only that message in alert $DESCRIPTION so users can
compose their own alert format. If program provided no output on
error, use a default message.
* Improved "check system", $HOST can now be used as a service name.
$HOST will expand to the system hostname. Example: check system $HOST
BUGFIXES:
* Fixed "Unable to read magic" which was reported on first Monit start.
Version 5.5
IMPROVEMENTS:
* check program:
- Multiple exit values can be tested within single program check
- Exit value test supports multiple cycles option ("for X cycles")
- If exit value test matches and the stderr has no data, try stdout
Example syntax:
check program mytest with path "/usr/bin/mytest.sh" with timeout 1000 seconds
if status == 2 then exec "/usr/local/bin/fix_script.sh"
if status == 2 for 6 cycles then unmonitor
if status == 10 then alert
* Renamed mail header (message-id and mime-version) to prevent
triggering spam check of capitalization. Thanks to Ryan Lee
for tips.
* The 'check system <name>' statement sets the system hostname in mail
alerts and initial hostname in M/Monit.
* Increase the default mailserver timeout to 30 seconds.
* Add support for OpenBSD 5.x
BUGFIXES:
* Fix the rare hung on linux which may occur during program execution.
Thanks to Nick Upson for report.
* In the case that the process start/restart execution failed,
monit kept "Execution failed" flag even if the process was
recovered later (for example it was starting slowly or manually
recovered).
* Fix the mail alert (strict SMTP implementation) to pass
MTA-side sanity checks like postscreen. Thanks to Len Conrad
for report.
* The -t option tests the configuration file syntax even if the
file permissions are wrong. Thanks to Adam Nielsen for report.
* Do not display the default non-existence test for the check
program (not applicable in the check program context).
Version 5.4
IMPROVEMENTS:
* New process uptime test added. Allows to do some action in
the case that the process uptime matches the given limit.
For example to restart the process once per 3 days:
if uptime > 3 days then restart
* Linux uCLibc support: use internal getloadavg implementation
in the case that the system libc doesn't implement it.
BUGFIXES:
* The monit hostname will fallback to plain machine's hostname if the
lookup for FQDN hostname didn't found matching entry. The problem
was, that based on the order in the /etc/hosts the FQDN lookup
returned sometimes 'localhost' instead of the FQDN hostname.
* The CPU usage for multi-threaded processes on multi-core machine was
reported incorrectly in the case that the process used more CPU
resources then equivalent to one core. Thanks to Tom Pepper for patch.
* The content match test now sends one event per cycle and pattern.
Even if there are multiple lines matching the same pattern, only
one event will be generated. Also the event rate is fixed now, so
it is possible to require match for X cycles before generating the
event.
* The /proc/ files content match test was skipped, as the file size on
the procfs is 0, so monit supposed that there is no content to read.
* FreeBSD: If the monitored process had children with multiple threads,
the total memory usage was reported incorrectly. Thanks to Phil Kulin
for reporting the problem.
* Allow reading status and perform Monit actions when using client SSL
certificate. Previously, if Monit http server was setup to use ssl
and a client cert, status and action failed. Thanks to Markus Linnala
for initial patch.
* When the process is starting/stopping, do the process state check more
effectively to not stress the low power devices with aggresive polling.
Thanks to Thomas Petazzoni for initial patch.
* Make the process start/stop wait resistant to large time changes.
* Compilation: If PAM is enabled but the PAM headers or library are not
found by the configure script, it will report error.
* Cross-compilation: the configure checks the setjmp and vsnprintf with
test program which usually cannot be executed when cross-compiling
for other architecture. The configure script now takes the following
arguments which allow to specify whether the setjmp works on this
platform and whether the vsnprintf is C99 compliant. Thanks to
Thomas Petazzoni for patch.
./configure \
libmonit_cv_setjmp_available=[yes|no] \
libmonit_cv_vsnprintf_c99_conformant=[yes|no]
* Manual page language fixes. Thanks to Jonathan Boulle for patch.
Version 5.3.2
BUGFIXES:
* Fix bug #34801: The file content match test did reset of the
read position in the case that the unmonitor or stop action
was done. When the file monitoring was enabled again, the
content match test was applied to the content which was
tested already.
* Log error details in the case that the name resolving failed.
* Fix the system cpu usage statistics when pattern based process
check is used and the service is restarted. Thanks to Wayne
Lawrence for report.
* AIX 6.1 compile fix. Thanks to Benedikt Wegmann for patch.
* Debian Bug#652715: "include files not found" warning. Do not
display the warning if the include directory is empty.
Version 5.3.1
IMPROVEMENTS:
* Log the particular connection attempt failure in debug mode
when the retry is enabled.
* Monit can deliver events and status to independent M/Monit
instances if multiple mmonit URLs are set:
set mmonit https://user1:pass1@mmonit1/collectorhttps://user2:pass2@mmonit2/collector
BUGFIXES:
* The ICMP echo (ping) test may report false positive error
if the machine where Monit is running has heavy ICMP
traffic generated by other applications.
* The file content match test will be performed even on the
existing content when Monit starts. The last position is
saved to the statefile, so monit won't generate alert
after restart. Note that when you start the monit 5.3.1
the first time, it can do actions for content match which
was handled by previous monit version already as the
previous monit versions didn't saved the position.
* Make the monitoring state persistent for manual mode services.
* Display the memory usage total % in the status overview.
The memory usage in kB displayed the total already, so the
percentage didn't match.
* Fix the HTML overview page alignment in the Internet Explorer.
Thanks to Darhl Thomason for patch.
* Extend the SSL library search path for Debian Sid.
* Fix Solaris 10 compilation and Sun Studio support.
* Fix sporadic SSL routines:func(169):reason(161) errors
* If MySQL protocol test failed, report the correct MySQL
error code. Thanks to Vitaly Lipatov for patch.
Version 5.3
* New 'check program' statement added. Allows to check the exit
status of an external program or script from Monit.
* Added crontab style support for individual services. You can
now specify when an individual service should run its checks
(or not run). You can now, for instance, specify that apache
should be checked continuously, except between 1AM-5AM on
Sunday.
* Connection retry option added. Allows to retry a network
connection in the same testing cycle before reporting an error.
* Detailed protocol connection errors are now included in alerts.
* The HTML overview page displays the CPU and memory total now
(including children), so real service related usage is displayed
also for services which spawn worker processes, such as Apache
or Spamassassin.
* HTML view improvements
* Fix MySQL protocol test: MySQL 5.5.12 returns new error code in
the case of authentication failure.
* Fix Debian bug #621047: monit fails to build after SSLv2 removal
* Fix crash on Solaris which may occur if the system load is zero.
Thanks to Paul Sun for report.
* The stacktrace logging on error is disabled in -v (verbose) mode
as it was too verbose for common service debugging tasks, it can
be enabled using -vv option.
* Improve how fast Monit check if a program was started or stopped.
Thanks to Michael Renner for patch.
* Fix the monitoring state presentation during service restart which
temporarily displayed "Not monitored", whereas the monitoring was
enabled.
* The "data collected" is updated only if the check was not skipped.
Version 5.2.5
* Fix process match check - when the monitored process failed and
was restarted by Monit, Monit didn't recognized it is running
after the restart and reported start failure (similar on stop).
Thanks to Kenichi Futatsumori for report and helping to root
cause the problem.
* Fix Debian #617259: symbolic links in the filesystem check doesn't
work. Thanks to Sergey B Kirpichev for report.
* Fix Debian bug #614984: smtp protocol test issues both EHLO and
HELO. Thanks to Sergey B Kirpichev for report.
* Fix bug #32583: Multiple SIP OPTIONS messages use the same header
data. Thanks to Hugh Waite for patch.
* Try harder to get FQDN hostname for the host where monit is running.
The hostname in the $HOST variable which is used in the mail sender
may thus change. Thanks to Sergey B Kirpichev for patch.
* AIX: Fix the time display which was off by GMT difference. Thanks
to Helen Chen for report.
* AIX: Fix the M/Monit heartbeat. Thanks to Helen Chen for report.
* Support symbolic link to monit configuration file.
* Fix crash when monit daemon start delay option was used and monit
was signalized to stop before the start delay passed. Thanks to
John Schult for report.
Version 5.2.4
NEW FEATURES AND FUNCTIONS:
* Added the "procmatch" CLI command which allows for easy testing
of pattern for process match check. The command takes regular
expression as an argument and displays all running processes
matching the pattern. Example usage:
$ monit procmatch "iChatAgent"
* Set the default log file mask to 0640 (originally it was 0664).
Thanks to Sergey B Kirpichev.
* Reduced monit memory footprint by ca. 10%.
BUGFIXES:
* FreeBSD, NetBSD, OpenBSD, MacOSX, Solaris filesystem check fix:
If block/character device was used in the filesystem path instead
of mountpoint, monit reported usage of wrong filesystem.
* NetBSD filesystem check: Fix space usage report.
* Fix memory usage monitoring in OpenVZ VPS 2.6.32 virtual hosts.
Thanks to Kelly for report.
* If the protocol test failed, show the request in the event. Thanks
to Marco for report.
* Randomize the mail message id to prevent duplicates in the case, that
the same hostname is used on multiple hosts running monit and messages
are generated in the same second in parallel. Thanks to Sergey B
Kirpichev.
* Spelling fixes. Thanks to Sergey B Kirpichev.
Version 5.2.3
BUGFIXES:
* Mysql protocol test supports mysql 5.5.x and newer now.
Version 5.2.2
BUGFIXES:
* Fix crash on MacOSX
* ICMP echo test (ping):
- bug #31128: do not log error if different response type is received
- bug #31129: do not require root to use ping test. Privilege to create
raw socket is still required, but on some platforms such as Solaris it
can be granted to non-root users too. If the user has no permission to
perform ping, monit will skip the icmp test and log message (in debug
mode only).
* rsync protocol test:
- wait for full server response and verify exit was received
- bug #31249: send full version to rsync server. Thanks to John Hall
for report
Version 5.2.1
BUGFIXES:
* HTTP and URL protocol tests: Fixed a problem where HTTP protocol
tests using a specific request always failed. This bug may also
affect URL tests. The problem was caused by faulty URL encoding. In
the process of fixing this bug the new feature that allowed slash in
service names has been reverted and instead will be added in a later
release.
Version 5.2
NEW FEATURES AND FUNCTIONS:
* Added support for monitoring processes without pidfile using pattern
matching. You can use POSIX regular expressions or string matching
process name with arguments as provided by the 'ps' utility. If the
pattern matches multiple processes, the first match is used.
Example:
check process debian
matching "/usr/lib/vmware/bin/vmware-vmx .*deb.vmx"
* Added support for swap monitoring. Example:
check system myserver
if swap usage > 25% then alert
* Allow to override the default action when service doesn't exist. The
default action is restart, it can be customized with following
statement:
if [does] not exist [[<x> times within] <y> cycles] then <action1>
* Monit automatically registers credentials with M/Monit now, so it's
not necessary to set it manually in M/Monit anymore. To disable
credentials registration:
set mmonit https://monit:monit@10.0.0.1:8443/collector
and register without credentials
* Added memcache protocol test. Thanks to Sébastien Debrard for the
patch.
* Added openssl FIPS to Monit httpd. Thanks to Lior Okman for the
patch.
* The 'check system' can now use start/stop program statements too.
* Added the option to set the "Reply-To" mail header in mail-format.
* Display backtrace on error if debug mode is enabled (requires
backtrace support in libc)
BUGFIXES:
* Show real process uptime - formerly the presented uptime was based
on create and modify timestamp of process' pidfile which provides
invalid uptime if the pidfile is replaced and process keeps running
with original PID. Thanks to Nima Chavooshi for report.
* When user triggered action for some service (such as stop) and
before that action completed user triggered another action for the
same service (such as start), the second action has been ignored.
Monit will not accept new action and return temporary error until
the previous action completed.
* If process resource usage gathering failed, retry next cycle as the
error can be temporary.
* Fixed sporadic failures when SSL was used.
* ICMP echo test (ping):
- fixed sporadic false positive/negative
- removed limit of 20 pings per cycle
* DNS test:
- accept NS root request refusal as correct response because
server reacts on request
- accept authority answer as alternative to record. Thanks to
Nick Osborn for patch
* RADIUS test fix. Thanks to Alan DeKok for patch.
* M/Monit heartbeat is fully independent of testing cycle now to
prevent false positive when service test blocks.
* Fixed SMTP STARTTLS protocol, required for servers that adhere
strictly to RFC 3207 4.2. Thanks to Lorenzo A. Sedano Cadinanos for
patch.
* Service name:
- allow the service name to start with "/"
- fixed handling of the service names which contain "/" in the
name in Monit web interface. Thanks to Artyom Khafizov for
patch.
* When 'check system' is not defined, monit adds it automatically
using hostname for service name. If existing service was defined
with the same service name (matching hostname), monit didn't added
the entry and reported confusing error message pointing to the end
of configuration file. Thanks to Thorsten Kampe for report and help.
* Remove extra NL characters from message when resource succeeded
event is sent. The extra NL character may break the mail headers.
Thanks to Hanno Boeck for patch.
* Fixed display of cpu user/system/wait usage which temporarily
displayed -1.0% between two monitoring cycles while cpu monitoring
was initializing. Thanks to Marcus Muelbuesch for report.
* Fixed display of port response time as -1 if 'monit status' was
called in the middle of service test.
* Fixed display of service initializing state after monit start or
reload.
* Fixed MONIT_DESCRIPTION environment variable. Thanks to Marco
Roeland for patch
* AIX:
- fixed compilation
- fixed system load average monitoring
- fixed ICMP echo test
* Mac OS X:
- allow monitoring of system-wide load average, cpu and memory
usage even if
Monit is running as non-root user
* NetBSD:
- fixed ICMP echo test
Version 5.1.1
BUGFIXES:
* Fix FTP protocol test. Thanks to Axel Reinhold for report.
* Fix the HTTP protocol test's hostheader option which was added in 5.1.
Thanks to Naoya Nakazawa for report.
* Removed warning about missing system service check. Missing system service
check is not error and it shouldn't be reported as such.
* Fix manual page formating. Thanks to Stefan Alfredsson for report.
Version 5.1
NEW FEATURES AND FUNCTIONS:
* It is now possible to define any action for the restart timeout rule.
Multiple restart timeout rules can also be defined. Example:
if 3 restarts within 5 cycles then exec "/foo/bar"
if 8 restarts within 10 cycles then unmonitor
* Service can be added to multiple groups. Thanks to Brad Gessler
for suggestion. Syntax:
check filesystem wwwdata with path /www
group www
group filesystem
* Added GPS protocol test. Thanks to Sebastien Debrard for patch.
* Added RADIUS protocol test. Thanks to Alan DeKok for patch. Example syntax:
check process radiusd with pidfile /var/run/radiusd.pid
start program = "/etc/init.d/freeradius start"
stop program = "/etc/init.d/freeradius stop"
if failed
host 127.0.0.1 port 2000 type udp protocol radius secret testing1234
then alert
if 5 restarts within 5 cycles then timeout
* The HTTP protocol test now supports a hostheader option which allows to
override Host header in HTTP request. It can be used for example
to test a farm of HTTP servers by IP addresses and to set specific
Host header. Thanks to Brady Catherman for patch. Example:
if failed host 192.168.1.100 protocol http hostheader "example.com" then alert
* If an error occur during Monit command-line execution, report the error
and exit with 1, so it is possible to react if Monit is used from a script.
On success, 0 is returned as usual. Previously, Monit always exited with
0 even if an error occurred.
* Do not require SSL version type when specifying SSL communication with M/Monit
(SSL version is set to auto).
* If the Monit http interface failed to start, provide more details about
the reason.
BUGFIXES:
* Support resource monitoring (cpu usage, etc.) when Monit is running
inside virtual environment. Tested on:
- FreeBSD jail
- Solaris zone
- Linux Vserver
* Fix#26752: inside Solaris Zone, Monit failed to detect children
and computed host memory wrong
* On Solaris, FreeBSD, NetBSD and OpenBSD, Monit no longer needs to run as root user
in order to be able to watch process resource usage (cpu and memory).
* Send heartbeat to M/Monit even if Monit is busy in a long testing cycle to prevent
false alerts about non-responsive Monit agent.
* Fixed SMTP protocol test which may sometimes incorrectly
report ESMTP protocol failure. Thanks to Axel Reinhold for
report.
* Fixed content match check which reported only first
match during the same cycle. Thanks to Pavel Shevaev for
report.
* Allow for the use of complete SSL certificate chains.
Thanks to Lawrence Tan for patch.
* Added support for multiline greetings to FTP protocol test.
Thanks to Giovanni D'Cristina for report.
* Fix Debian Bug #541139: uses gethostbyname() and thus does
not work with "options inet6" in /etc/resolv.conf. Thanks to
Michael Stapelberg for patch.
* If Monit configuration allowed http interface access for a read-only
user and it was specified as the first allow entry, Monit command line
commands failed because it used the read-only account so commands
like start, stop, etc. were rejected. Monit will now use full access
regardless of allow option order. Thanks to Thorsten Kampe for report.
* Passive monitoring mode fixed. Thanks to Nelson Vale for report.
* Fixed#27784: wait_start/wait_stop can advance too quickly.
Thanks to Randy Puro for report.
* Solaris resource usage fixed when Monit was compiled with optimizations enabled.
* Fixed#28369: escape XML properly
* Check service name uniqueness when 'check system' is missing in monitrc and virtual
system service with name set to local hostname is added. Thanks to Marcus Muelbuesch
for report.
* Fix crash when queued event delivery was retried for service which was no longer
configured in Monit.
Version 5.0.3
BUGFIXES:
* Fixed#26664: crash on service timeout or unmonitor action
(introduced in 5.0.2). Thanks to Bretislav Kubesa and
Michael Shigorin for report.
* Removed the configure --without-resource option. If the user
who is running Monit doesn't have permissions to check the
processes state, the related checks are disabled dynamically.
Version 5.0.2
BUGFIXES:
* 35 improvements based on code scan with Klocwork
(http://www.klocwork.com/) which we were evaluating.
Huge thanks to Klocwork for their great product.
* Fixed#26382: if start or stop script for some service didn't
exist, monit logged error during configuration file parsing and
refused to start. Monit now just logs warning and continues.
Version 5.0.1
BUGFIXES:
* Fixed a bug where Monit did not stop logging succeeded events.
This bug occurred if PID, PPID, timestamp or size change tests
were used and failed and then succeeded again.
Version 5.0
NEW FEATURES AND FUNCTIONS:
* M/Monit support added. If you run Monit on more than one
server, you can use M/Monit to manage and control all your
Monit enabled servers from one simple Web Interface. See
http://mmonit.com/ for details.
* Support use of symbolic links in filesystem check. Thanks to
Aleksander Kamenik for suggestion. Example:
check filesystem rootfs path
/dev/disk/by-uuid/4ef973f7-67d1-4bb0-8223-cb1c692b72e4
if space usage > 95% then alert
if inode usage > 95% then alert
* If no 'set mailserver' was defined in monitrc, Monit tried to
fallback to localhost:25 SMTP server. This fallback was removed
since it may be confusing. If you want to deliver mail alerts
from Monit, the 'set mailserver' option is necessary. In case
it is missing, Monit will log appropriate error and hint to add
it.
* The generic send/expect protocol test limited the expect input
to 256 bytes. It's possible to set the input buffer for expect
globally - for example: set expectbuffer 20 kb Thanks to Asil
Carlin for suggestion.
* The following event types were added CONTENT, FSFLAGS, PID and
PPID and the following generic event types CHANGED and MATCH were
removed and replaced by the above types and with the existing SIZE,
CHECKSUM, TIMESTAMP events so the information is more specific
The event types are internal to Monit and unless you have used
either CHANGED or MATCH event in your alert filters, no change
is necessary (alerts are delivered as usual, the tests just use
different types internally).
* Monit now generates a unique id on first start and store the id
in a permanent file. This id is used in protocol communication
between Monit and M/Monit to pair a Monit instance with it's
host entry in M/Monit. By default the id file is placed in
$HOME/.monit.id. The location can be changed by using the set
idfile statement, for example:
set idfile /var/monit.id
* Monit now keep its service monitoring state even on Monit
restart. Previously Monit dropped the state when it was stopped
correctly. Services in manual monitoring mode will remember the
monitoring state across Monit restarts. If Monit is used in a
cluster, it is recommended to place the state file in a
temporary filesystem incase the primary machine will crash and
the the spare machine takeover, the state will be dropped on
reboot for the crashed machine and the services in manual
monitoring mode won't be started on reboot. For example the
"set statefile /tmp/monit.state" can be used to place the state
file in the /tmp/ filesystem.
* Added a protocol test for testing the LMTP protocol. Thanks
to Fco. Javier Felix for patch.
* Added the start delay option for daemon statement which allows
to pause Monit on its startup for a while. If monitored
services are started by init scripts in parallel on system
boot, Monit may be too fast and detect that the service is not
running (yet) and restart the service. Note that it's still
recommended Monit is setup to be responsible for service
startup (that is, don't use init to start Monit controlled
services, instead use Monit). This will ensure correct startup
without need for a start delay since Monit will have full
control of service startup. Many users start services from init
on boot anyway, so in such cases this option will solve their
problems. Default start delay is 0 which corresponds to the
current behavior. Example syntax which will make Monit wait one
minute before starting its first monitoring cycle:
--8<--
set daemon 5 with start delay 60
--8<--
Thanks to Fco. Javier Felix for patch.
* Added PAM support for Monit http interface authentication. Note
that PAM is not supported on all platforms - currently works on
Linux, Mac OS X, FreeBSD, NetBSD. Monit uses the PAM service "monit".
Here is a Monit PAM service example for Mac OS X which is able
to authenticate system users for Monit access -
/etc/pam.d/monit:
--8<--
# monit: auth account password session
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_permit.so
--8<--
And configuration for monitrc which allows only group admins
to access the http interface:
--8<--
set httpd port 2812 allow @admin
--8<--
See the PAM manual page for details on how to configure the PAM
service on your system and the available PAM plugins. Thanks to
Wilhelm Meier for patch.
* Added more detailed reports for Monit resource tests on service
recovery. Thanks to Lars Kotthoff for patch.
* Set locale to C.
* Added a protocol test for testing the SIP protocol which is
used by popular communication servers such as Asterisk and
FreeSWITCH. We received two patches for this protocol and have
taken code from both and merged them. Many thanks to Bret
McDanel and to Pierrick Grasland for supplying the patches.
* Added MONIT_DESCRIPTION to the list of environment variables
available to programs started by monit. Thanks to Morten
Bressendorff Schmidt for patch.
* If a service group is specified for Monit CLI action,
Monit no longer requires the "all" verb, so the following
command is possible:
monit -g web stop
If group is not specified (i.e. the -g option is omitted), the
service name or "all" is still required as a safeguard.
* Added an option to the 'set mailserver' statement so it is
possible to override the hostname used in SMTP EHLO/HELO and in
the Message-ID header when sending mail. Monit defaults to use
the localhost name. I.e. what you get when executing this
command 'uname -n'. Overriding the host name can be useful if
the host does not have a DNS entry and if the receiving
mailserver uses DNS verification as spam protection. The new
override option is:
set mailserver foo.bar.baz using hostname "my.monit.host"
* A new Event_Action type was added which reports actions
performed on Monit's administrator request (either via web
interface or CLI). If you don't want to received these events,
you can set the mail-filter for "action" event type.
* NOTA BENE: Monit start action is synchronous now. This improves
the startup sequence for dependent services, since Monit will
wait for parent service to start before trying to start the
child.
* It is now possible to define execution timeout for start and
stop commands. That is, how long Monit will wait after
executing a command before it assume execution failed. If the
timeout option is omitted, Monit defaults to 30 seconds. You
can override the timeout for example for services which are
starting slower.
Example syntax:
start program = "/bin/foo start" with timeout 60 seconds
* The event passed state is renamed to succeeded as this name
more reflects the state of things.
* The device service test is renamed to filesystem.
BUGFIXES:
* Some linux virtualization platforms report CPU count as 0.
Monit then dynamically disabled CPU usage monitoring. In such
case we now override the CPU count from 0 to 1 so resource
usage monitoring can continue. Thanks to Jenny Hopkins for
report.
* Increased the server socket backlog queue which will make Monit
able to handle more services. Thanks to Jochen Kramer.
* Fixed#24866: Email messages such as: cpu wait usage check
succeeded [current cpu wait usage=17.4%] were displayed as
"...usage<SOMEGARBAGE>.4%". The problem was incorrect transfer
encoding header in the email (the body itself was OK). Thanks
to Dave Cheney for report.
* When a Monit shutdown requested was issued while Monit were
working and testing services, Monit did not shutdown until all
work were done, i.e. until all services were tested. Monit will
now shutdown faster - as soon as it finish testing the current
service.
* Monit blocked/unblocked SIGTERM, SIGINT SIGHUP and SIGUSR1
signals during operation to protect certain code sections. When
a signal was sent during such a time, for example to stop
Monit, it was dropped and had to be retried in order to stop
Monit. This limitation is now removed and signals will be
processed at any time. Thanks to Nicola Tiling for report.
* If the Monit httpd allow option did not include a
user:password, Monit CLI logged the following error (even if
the action was performed anyway):
Cleartext credentials needed for basic authorization!
This error was false - even access restriction based on
host/net is sufficient - user and password is just one of
possible options (not requirement). Thanks to Gilad Benjamini
for report.
* Allow localhost as a value for the host header in the http
protocol test instead of setting an empty host header and let
the http server decide
* The 'if changed checksum ...' test can now be used even if a
monitored file doesn't exist at Monit startup. Thanks to Joe
Shang for report.
* If both event handlers (M/Monit and mail alerts) temporarily
failed at once and event queue was enabled, events will be
stored in the queue and delivered in the next cycle. However, a
bug caused delivery to be retried for every cycle for both
handlers if just one of them was recovered. Monit could then
deliver the same message multiple times until both handlers
recovered. The problem is now fixed and only one copy of the
event is sent even if only one handler did recover.
* Make unit in size test optional and default to byte unless
specified. So it is possible to write, if size > 1000 then ..
* Fixed handling of invalid input files in event queue handler.
Thanks to Fco.Javier Felix for patch.
* Set the content type to text/html for Monit web interface POST
responses. Thanks to Rich Drummond for patch.
* Fixed#23530: configure script will return error if bison,
byacc or yacc are not found at Monit compile time.
* Fix CPU and memory monitoring on Solaris (it was disabled on
Monit start)
* AIX fixes and extensions, Monit should run on AIX without
problems, including cpu, memory and filesystem monitoring
(tested with AIX 5.3). Thanks to Brian Downey for support
and help.
* HP-UX fixes and extensions, Monit should run on HP-UX without
problems, including cpu, memory and filesystem monitoring.
Thanks to Brian Downey for support and help.
* Fixed#23467: Don't exit, only issue a warning if the "include"
statement did not find any files to include.
* Fixed#23530: Event queue did not work with the default
unlimited slots.
* Fixed#23617: The process cpu usage is initializing in the
first cycle so the value is set to 0% - if the 'cpu usage <
xyz%' test was used to check that the process usage is higher
then given level, it was always true. Monit now skips the
process cpu usage check in the first cycle.
* Make sure Monit alerts has a unique message id. Thanks to Steve
Purcell for report
* Fixed possible crash when Monit is watching VPS environment on
Linux which reports number of CPUs as 0. Thanks to Marius
Schmidt for report.
* Cleanup event states during a service stop/unmonitor so old
events are not sent when the service is started/monitored again.
* Fixed#21989: Monit could start two instances of the process
when service restart is performed and the process is starting
slowly. Thanks to Nick Upson, Aaron Scamehorn and David Greaves
for report.
* Fixed#21550: Fix crash when Monit event queue contained an
empty file. Thanks to Douglas J Hunley for report.
* Fixed possible crash when the 'if changed checksum' test was
used along with restart action. Thanks to Brian Candler for
report.
* Fixed#22075: Allow using a mail address as username when using
SMTP authentication.
* Fixed#22191 and #19823: If the file content test does not match
anymore, reset the service error state. (Previous versions did
not clear the error state and kept showing a match in the status
listing and in the http interface).
* The 'if changed size ...' test can now be used even if the
monitored file does not exist on monit's start.
* If a htpasswd file is used to control Monit http interface
access and the hash type is set to MD5 but the file contains
wrong format (non-MD5), report the error and keep running.
Formerly Monit exited with an assert exception. Thanks to
Adrian Bridgett for report.
BACKWARD INCOMPATIBLE CHANGES:
* The current CPU usage test which checked the cpu usage of the
process itself plus the cpu usage of child processes was
renamed to TOTALCPU (otherwise it works the same). The new CPU
usage test checks the CPU usage of the process itself only.
This change was introduced to align the syntax with MEMORY and
TOTALMEMORY tests and to allow to test the CPU usage of
processes which fork child processes but the user don't want to
include children (such as Mythtv). Users who are using the CPU
check for services like Apache webserver to watch total cpu
utilization (including children) should rename the CPU
statement in their configuration to TOTALCPU.
17 Dec 2013 - 2.7.7
-------------------
Fixes:
- Changed release version to 2.7.7
- Got the configure scripts inside the release tarball
16 Dec 2013 - 2.7.6
-------------------
Improvements:
- Organizes all Makefile.am - 1cde4d2dd9d96747536c1c25d06ba0677069477f
Now using one file per line (sorted). This is the better way to handle it, since it reduces the possibility of merge conflicts.
- nginx: generates config file using configure input. - 351b9cc357d439e30ebd61d89a9e38ecf55c6827
The nginx config file was looking for depedencies by its own, by doing that it was ignoring the options that were passed to configure script. This commit deletes this config file and adds a meta-config which is populated by configure whenever the standalone-module is enabled.
- nginx: adds lua support - da16d9e5d51d4ef8734687514a4e1368e7fb4284
- iis: Cosmetics fixies on sqli. - 5046c8327ea21c69b4c0d0c0057c692b05b09fef
This is needed to get it compiled with VS2011 on Windows8
- Regression tests: makes configuration compatible with 2.2 and 2.4 (try 2) - ae252ee8767069363906e5a611dff487b799b839
- nginx: Trying apxs and apxs2 while compiling nginx module - 65d9272fdc353e1263567b60604542d377d19672
- nginx: Trying apxs and apxs2 while compiling nginx module - 35fd75d859e4a8873b8843da1db13e04a1b08140
- macos: Using glibtoolize instead of libtoolize - 751a9f4e45213cd69f00c62c71edc9d7ad99b82d
- regression-tests: makes configuration compatible with 2.2 and 2.4 - 6fc4cac37ab1be8d1232140042b58fe4bd93ee17
- Regression test: get it working with apache 2.4 - e9813cd0d9bfc5b0c9aa5832634ec1b39b805108
Changes in httpd.conf.in to get it working with apache 2.4
- Code cosmetics. - 7366f35c1d80772d739b35da8faa972f92a72b97
Changed to reduce the number of possible fails during Build Bot compilation.
- iis: Waiting for 5 seconds before move curl directory - 9bf2959c919587ebc63f5a1b8c0785da8927bff5
Testing buildbot.
- Redefines unixd_set_global_mutex_perms on tests - f70f6f4281b806627e0cf0dbb9c84ae5864bdb16
Avoding conflicts with the standalone implementation
- Adds verbose quality check - 388943440cc9b8c6fdea09f5e365a2e5a3e792e2
Vera++ and ccpcheck are not outputing to the stderr instead stdout allowing the buildbot to extract some numbers about it.
- Adds support for coding style and quality check - b77e90152d119609ac78a7028383c3b79898b2cf
Initial effort to get the code on shape. This will be executed by the buildbots as soon as they get ready for it.
- iis: New improvements on the Wix installer - 2ea5a74a7bfb00f21312e51e48aa6dac03d84600
* Now the installation is divided in modules: ModSecurity and CRS.
* Added default configuration
* Configuration was moved to "Program Files" folder
* Build_msi script now using candle available in %PATH%
- iis: Removes the installer helper dependency - 1a12648c9f6028f251af0f03c889397c7954b74c
Now using appcmd directly with WiX instead of calling the installer helper.
- iis: Remove readme.html - 550d5aae21cba696cac1ce75ab8113e5255d5a59
This HTML is about "Creating a Native Module for IIS7" not straight related to ModSecurity itself.
- iis: Adds batch script to compile Wix - a2c5fc831baf0b324ebb66b0f878dacf1ec2f808
This batch script can be used to generate our msi installer.
- iis: Adds Wix installer resources - 3604763e15a665eb7a6ecae1f7e7c65cebbb1d17
This is all about cosmetic changes.
- iss: Removes Post-Build event. - 28bbde1bb218b004654cb865fc8563d69b848dc2
There was a copy on Post-Build event using a hard coded path. This patch removes this Post-Build event.
- iis: Relative paths on the VS project file - 368617ddb2443f9b6036f80a648d467d07c9a054
There are a ModSecurityIIS solution and project files, those were using hard coded paths to meet the dependencies. As consequence of the last update in our build scripts, now we are able to built the dependencies and load it to our Visual Studio project using relative paths.
- iis: Adds release script - 9477118903861ce80c4c27cb581bf3462315e98e
- iis: fixies the Installer.cpp coding style - 79875b1af8e8571098345b91557bab9c06eb7c88
- iis: Removes AppWizard remade file - 91738f93bcc82b6ab756c550a66b6cf6af2fa9f8
Apparently the AppWizard was used to generate part of this Installer, the ReadMe.txt created by the AppWizard was removed by this commit
- iss: Removes pre-compiled headers - adfbeb85dcfa9466b72eebb8d1bd8eb7728bab79
No need to use the pre-compiled headers in InstallerHelper, removing it, in order to keep the project lean.
- iis: Moves installer to InstallerHelper - 6adf25667dd4bfa33010bd6d8ae3d35046a69967
To organize the folder the Installer application was renamed to installer helper. It is not the real installer, it is just an helper which is executed during the installation phase.
- iss: Removes fart dependencies - 8c3b8d81b613aaa38f28472af1eb26c90c7fc9da
This commit removes the dependency of the fart.exe utility. The utility was responsible to rename contents inside some dependencies build files. Those modifications are not longer needed.
- iss: Better err handling in build scripts. - 192599bf63b6ae5aa08e4536a90d5d0a17f969f7
Now checking for errors in every step of the build phase
- iis: Moves build_module.bat to build_modsecurity.bat - e25c6b2e85ced7beba4d41867dbdf30e9c1286d3
The build_modsecurity.bat is now on the iis sub-directory, not in the dependencies anymore. Its content was also changed fixing all the paths.
- iis: Identifies arch before unzip apache - cf5de78dfb9fffd21edf17af9e1db8f2fd83c804
Currently we need the Apache binary which could be used in 32 or 64 bits. This patch makes usage of 'cl' to identify which architecture is set.
- iis: Renamves winbuild to dependencies - 1447766e816a896e88c9c8f053fcc3f62797bac1
Since the directory becomes all about dependencies there is no need to call it winbuild anymore.
- iis: Removes unnecessary files from winbuild dir - 9f8cbf6ed8034ba42aa4967699308df09864fd18
Those .mak files seems to be part of an old build system. Since the script are now working fine, this commit removes all those .mac files and also a CMakeList.txt and the Makefile.win.
- iis: Improves the iis build system - b277e538f28c87c81c1b50925dd8b82996b88294
Now checking for common errors while building. Refactoring on the build scripts, now there is this build_dependencies.bat script on the iis sub-folder. By calling this script all the dependencies should be build under the winbuild/. This commit also removes build scripts that were not needed anymore.
- iis: Fixes the vcxproj file - a946a163f0ad822c760af80ca32dda61f0e6b2a9
Versions of the dependencies were changed, as long as the version of the Visual Studio, now 12.
- iis: Removes unecessary files from the build system - 26738d2e34bcc7620047bd23180e0e26a64c71ee
The following files were removed:
* VCVarsQueryRegistry.bat
* vcvars64.bat
* vsvars32.bat
The visual studio files can be called direcltly, not necessary to distribute those files, at least in VS12.
- iss: Changes httpd version 2.4.6 - 0a772cb0748aa51a01800e0473309b9de792b456
Apache version was changed to 2.4.6 to sync with the current apache lounge version.
- iis: Changes the version of the dependencies - 3e6fb41d36b7a5e98a55d8f52b88b29d1bd50b64
* pcre from 8.30 to 8.33
* zlib from 1.2.7 to 1.2.8
* libxml2 from 2.7.7 to 2.9.1
* curl from 7.24 to 7.33.0
- Removes standalone/Makefile.in - e3c19d53d23c48fea337aae76a87b2a85c36a1f1
Makefile.in is recommended to be in the repository whenever it is edit manually, in our case the automatically generated Makefile.in is ok.
Bug Fixes:
- test: Avoids conflict of fuctions definition - cef72855e4106ce29e1d39103ebf9eb9ab28f17e
- test: Makes the unit tests to work again - cc982ae42ec86c79a67be1a01c6ee35fb06c272c
The unit tests was not working due to lack update. This patch adds the necessary stuff to have it work again.
- iis: Avoids directory link while building - ad330a44bfa39430cf6340cb52971568cccdf1d6
Build scripts was creating links allowing the project to be loaded into Visual Studio without care about the dependencies versions. Sometimes windows refuse to delete those links leading the script to fail. This patch moves the sources directories instead of create links to it.
- QA: Avoids the utilization of 3rd filedescriptor - 69c5ccac662f4e11a6eefd54a3e912583c067b9d
No need to use a 3rd description on the quality check scripts. Stderr is now redirected to stdout and filtered as needed.
- Supports WarningCountingShellCommand in cppcheck and vera - baaf502363e68c3240b60adb7f7c91f5b4f0ba03
WarningCountingShellCommand allow us to have some measurements on the buildbot waterfall.
- iis: Using base_rules instead of activated_rules - 7b1537058fa451e0df7098cd907ef19f04102f9d
- iis: Fix inet_pton build problem - a4202146b8d26b6615bbab986383fe0afae60d77
There is a function named inet_pton on windows API, with different signature. This patch just override the windows function and point the inet_pton to our implementation.
- iis: Adds Wix installer xml file.c - b32cb7d9ab397160f0154aa4bd4e9638658b41e6
This commit adds the Wix template to our git repository.
- iis: build_modsecurity.bat fixies - 7e03e3f840375ed682c35a5bb67932461cc77013
This commit enable a cleanup on the mod_security build directory avoiding symbols with different architectures.
- iis: Fix mlogc build on windows - 9b7663fa79377a0685130a019916d810f31e7478
The libcurl path was not pointing to the correct directory
- Fix#154, Uses addn instead of apr_table_setn - 1734221d9d3a78f9aafd68e35717da9ee1a4fe51
The headers are represented in the format of an apr_table, which is able to handle elements with the same key, however the function apr_table_setn checks if the key exists before add the element, if so it replaces the old value with the new one. This was making our implementation to just keep the last added Cookie. The apr_table_addn function, which is now used, just add a new item without check for olders one.
- Merge pull request #579 from zimmerle/revert_139 - 61e54f2067ae760808359926ff91d57275df1aac
Revert merge request #139
- Revert "Merge pull request #139 from chaizhenhua/remotes/trunk" - 7f7d00fa2c364716691df1b45779304b24a0debb
This reverts commit 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b, reversing changes made to 414033aafa94cd50c9b310afd3f164740caccc94.
- Merge pull request #578 from client9/remotes/trunk - b0c3977845f60747b15ae10531b7d20355a22627
libinjection sync to v3.8.0
- libinjection sync - a5f175d79fac1e69124da4e1e227b622e7e233d7
- Merge pull request #152 from client9/remotes/trunk - 88ebf8a0bdbc4db1be76f3a2e70df77cc52a5925
Sync to libinjection v3.7.1
- libinjection sync - fcb6dc13ed6efb066fb9b70405eecab8b83a2d96
- libinjection sync - f52242a013f301ca5c17e59b662124833cb7cc6d
- Merge pull request #148 from zimmerle/bugfix_charset_missing_string_terminator - b76e26d81ddafc2b99bffad53d1426f8fd33080a
Bugfix: missing string terminator while mounting the charset (nginx)
- Bugfix: missing string terminator while mounting the charset (nginx) - ff19dcd5c53d4af61d0a9397d4616f47f80ee207
The charset in headers is mounted using ngx_snprintf which does not place the string terminator. This patch adds the terminator at the end of the string. The size was correctly allocated, just missing the terminator.
- Merge pull request #141 from client9/remotes/trunk - 9a630eea23a7ead4e77617c86dc937fd7a421a57
libinjection sync to v3.6.0
- libinjection sync - 11217207e8f2e0cf15742273836399866971071a
- Fix Chunked string case sensitive issue - CVE-2013-5705 - f8d441cd25172fdfe5b613442fedfc0da3cc333d
- Revert "Fix Chuncked string case sensitive issue" - 3901128f17e0763ac1a260106b79859d2aad6d90
This reverts commit 16a815a3c2735f62238ef99af26090a2b8430d3d.
- Fix Chuncked string case sensitive issue - 16a815a3c2735f62238ef99af26090a2b8430d3d
- Merge pull request #139 from chaizhenhua/remotes/trunk - 10fd40fb0d06f6c577d870b6f15d2f6e2a3a5b1b
Fixed fd leackage after reload
- Merge pull request #138 from client9/remotes/trunk - 414033aafa94cd50c9b310afd3f164740caccc94
libinjection sync
- Fixed fd leackage after reload - e0993fcd7a166ce9e1a279a47d050af1311d9001
- libinjection sync - 2268626c20260e88cab9b7830f8a06101fa7172a
- Fix logical disjunction and conjunction issues - 7e0a9ecf7d492e85650671a0cfcfd53e5f15df2c
23 Jul 2013 - 2.7.5
-------------------
Improvements:
* SecUnicodeCodePage is deprecated. SecUnicodeMapFile now accepts the code page as a second parameter.
* Updated Libinjection to version 3.4.1. Many improvements were made.
* Severity action now supports strings (emergency, alert, critical, error, warning, notice, info, debug).
Bug Fixes:
* Fixed utf8toUnicode tfn null byte conversion.
* Fixed NGINX crash when issue reload command.
* Fixed flush output buffer before inject modified hashed response body.
* Fixed url normalization for Hash Engine.
* Fixed NGINX ap_unixd_set_global_perms_mutex compilation error with apache 2.4 devel files.
Security Issues:
10 May 2013 - 2.7.4
-------------------
Improvements:
* Added Libinjection project http://www.client9.com/projects/libinjection/ as a new operator @detectSQLi. (Thanks Nick Galbreath).
* Added new variable SDBM_DELETE_ERROR that will be set to 1 when sdbm engine fails to delete entries.
* NGINX is now set to STABLE. Thanks chaizhenhua and all the people in community who help the project testing, sending feedback and patches.
Bug Fixes:
* Fixed SecRulePerfTime storing unnecessary rules performance times.
* Fixed Possible SDBM deadlock condition.
* Fixed Possible @rsub memory leak.
* Fixed REMOTE_ADDR content will receive the client ip address when mod_remoteip.c is present.
* Fixed NGINX Audit engine in Concurrent mode was overwriting existing alert files because a issue with UNIQUE_ID.
* Fixed CPU 100% issue in NGINX port. This is also related to an memory leak when loading response body.
Security Issues:
* Fixed Remote Null Pointer DeReference (CVE-2013-2765). When forceRequestBodyVariable action is triggered and a unknown Content-Type is used,
mod_security will crash trying to manipulate msr->msc_reqbody_chunks->elts however msr->msc_reqbody_chunks is NULL. (Thanks Younes JAAIDI).
28 Mar 2013 - 2.7.3
-------------------
* Fixed IIS version race condition when module is initialized.
* Fixed IIS version failing config commands in libapr.
* Nginx version is now RC quality. The rule engine should works for all phases.
We fixed many issues and missing features (for more information please check jira).
Code is running well with latest Nginx 1.2.7 stable.
Thanks chaizhenhua for your help.
* Added MULTIPART_NAME and MULTIPART_FILENAME. Should be used soon by CRS
and will help prevent attacks using multipart data.
* Added --enable-htaccess-config configure option. It will allow the follow directives
to be used into .htaccess files when AllowOverride Options is set:
- SecAction
- SecRule
- SecRuleRemoveByMsg
- SecRuleRemoveByTag
- SecRuleRemoveById
- SecRuleUpdateActionById
- SecRuleUpdateTargetById
- SecRuleUpdateTargetByTag
- SecRuleUpdateTargetByMsg
* Improvements in the ID duplicate code checking. Should be faster now.
* SECURITY: Added SecXmlExternalEntity (On|Off - default it Off) that will disable
by default the external entity load task executed by LibXml2. This is a security issue
[CVE-2013-1915] reported by Timur Yunusov, Alexey Osipov (Positive Technologies).
21 Jan 2013 - 2.7.2
-------------------
* IIS version is now stable.
* Fixed IIS version does not pass through POST data to ASP.NET when SecRequestBodyAccess
is set to On (MODSEC-372).
* Fixed IIS version HTTP Request Smuggling protection does not work (MODSEC-344).
* Fixed IIS version PHP Injection Attack (958976) protection does not work (MODSEC-346).
* Fixed IIS version Request limit protections are not working (MODSEC-349).
* Fixed IIS version Outbound protections are not working (MODSEC-350).
* Added IIS version better installer.
* NGINX version removed ModSecurityPassCommand (Thanks chaizhenhua).
* Fixed NGINX version ngx_http_read_client_request_body returned unexpected buffer type (Thanks chaizhenhua).
* Fixed NGINX version INCS config directories on fedora (Thanks chaizhenhua).
* Added NGINX version Added drop action for nginx (Thanks chaizhenhua).
* Fixed bug in cpf_verify operator (Thanks Hideaki Hayashi).
* Fixed build modsecurity under Arch Linux.
* Fixed make test crashing when JIT pcre is enabled.
* Fixed better cookie separator detection code.
* Fixed mod_security displaying wrong ip address in error.log using apache 2.4 and mod_remoteip.
* Fixed mod_security was not compiling when use apr without ipv6 support.
* Fixed mod_security was not compiling when use lua 5.2.
* Fixed issue when execute make install under Solaris.
* Fixed ipmatchf operator was not working as expected.
01 Nov 2012 - 2.7.1
-------------------
* Changed "Encryption" name of directives and options related to hmac feature to "Hash".
SecEncryptionEngine to SecHashEngine
SecEncryptionKey to SecHashKey
SecEncryptionParam to SecHashParam
SecEncryptionMethodRx to SecHashMethodRx
SecEncryptionMethodPm to SecHashMethodPm
@validateEncryption to @validateHash
ctl:EncryptionEnforcement to ctl:HashEnforcement
ctl:EncryptionEngine to ctl:HashEngine
* Added a better random bytes generator using apr_generate_random_bytes() to create
the HMAC key.
* Fixed byte conversion issue during logging under Linux s390x platform.
* Fixed compilation bug with LibXML2 2.9.0 (Thanks Athmane Madjoudj).
* Fixed parsing error with modsecurity-recommended.conf and Apache 2.4.
* Fixed DROP action was disabled for Apache 2 module by mistake.
* Fixed bug when use ctl:ruleRemoveTargetByTag.
* Fixed IIS and NGINX modules bugs.
* Fixed bug when @strmatch patterns use invalid escape sequence (Thanks Hideaki Hayashi).
* Fixed bugs in @verifySSN (Thanks Hideaki Hayashi).
* The doc/ directory now contains the instructions to access online documentation.
15 Oct 2012 - 2.7.0
-------------------
* Fixed Pause action should work as a disruptive action (MODSEC-297).
* Fixed Problem loading mod_env variables in phase 2 (MODSEC-226).
* Fixed Detect cookie v0 separator and use it for parsing (MODSEC-261).
* Fixed Variable REMOTE_ADDR with wrong IP address in NGINX version (MODSEC-337).
* Fixed Errors compiling NGINX version.
* Added Include directive into standalone module. IIS and NGINX module should
support Include directive like Apache2.
* Added MULTIPART_INVALID_PART flag. Also used in rule id 200002 for multipart strict
validation. https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20121017-0_mod_security_ruleset_bypass.txt).
* Updated Reference Manual.
25 Sep 2012 - 2.6.8
-------------------
* Fixed ctl:ruleRemoveTargetByID order issue (MODSEC-333). Thanks to Armadillo Dasypodidae.
* Fixed variable HIGHEST_SEVERITY incorrectly gets reset in a chain rule (MODSEC-315). Thanks to Valery Reznic.
10 Sep 2012 - 2.7.0-rc3
-------------------
* Fixed requests bigger than SecRequestBodyNoFilesLimit were truncated even engine mode was detection only.
* Fixed double close() for multipart temporary files (Thanks Seema Deepak).
* Fixed many small issues reported by Coverity Scanner (Thanks Peter Vrabek).
* Fixed format string issue in ngnix experimental code. (Thanks Eldar Zaitov).
* Added ctl:ruleRemoveTargetByTag/Msg and removed ctl:ruleUpdateTargetByTag/Msg.
* Added IIS and Ngnix platform code.
* Added new transformation utf8toUnicode.
23 Jul 2012 - 2.6.7
-------------------
* Fixed explicit target replacement using SecUpdateTargetById was broken.
* The ctl:ruleUpdateTargetById is deprecated and will be removed for future versions since
there is no safe way to use it per-request.
* Added ctl:ruleRemoveTargetById that can be used to exclude targets to be processed per-request.
22 Jun 2012 - 2.7.0-rc2
-------------------
* Fixed compilation errors and warnings under Windows platform.
* Fixed SecEncryptionKey was not working as expected.
08 Jun 2012 - 2.7.0-rc1
-------------------
* Added SecEncryptionEngine. Initial crypt engine support, at the momment it will sign some Html
and Response Header options.
* Added SecEncryptionKey to define the a rand or static key for crypt engine.
* Added SecEncryptionParam to define the new parameter name.
* Added SecEncryptionMethodRx used with a regular expression to inspect the html in response
body/header and decide what to protect.
* Added SecEncryptionMethodPm used with multiple or single strings to inspect the html in response
body/header and decide what to protect.
* Added ctl encryptionEngine as a per transaction version of SecEncryptionEgine diretive.
* Added ctl encryptionEnforcement that will allow the engine to sign the data but the enforcement is
disabled.
* Added validateEncryption operator to enforce the signed elements.
* Added rsub operator supports the syntax |hex| allowing users to use special chars like \n \r.
* Added SecRuleUpdateTargetById now supports id range.
* Added SecRuleUpdateTargetByMsg and its ctl version (Thanks Scott Gifford).
* Added SecRuleUpdateTargetByTag and its ctl version (Thanks Scott Gifford).
* Added SecRulePerfTime when greater than zero it will fill rule id's execution time into PERF_RULE
and log id=usec information in the new Perf-rule-info: line in part H.
* Added PERF_RULES variable that contains rule execution time.
* Added Engine-mode: section in part H.
* Added ruleRemoveByMsg ctl version.
* Added removeCommentsChar and removeComments now can work with <!-- --> style.
* Added SecArgumentSeparator and SecCookieFormat can be used in different scope locations.
* Added Rules must have ID action and must be numeric.
* Added The use of tfns are deprecated in SecDefaultAction. Should be forbid in the future.
* Added Macro expansion support to the action pause.
* Added IpmatchFromFile/IpmatchF operator.
* Added New setrsc action, the RESOURCE collection used SecWebAppId Name Space
* Added Configure option --enable-cache-lua that allows reuse of Lua VM per transaction.
It will only take any effect when ModSecurity has multiple scripts to run per transaction.
* Added Configure option --enable-pcre-jit that allows ModSecurity regex engine to use PCRE Jit support.
* Added Configure option --enable-request-early that allows ModSecurity run phase 1 in post_read_request hook.
* Added RBL operator now support the httpBl api (http://www.projecthoneypot.org/httpbl_api.php).
* Added SecHttpBlKey to be used with httpBl api.
* Added SecSensorId will specify the modsecurity sensor name into audit log part H.
* Added aliases to phase:2 (phase:request), phase:4 (phase:response) and phase:5 (phase:logging).
* Added USERAGENT_IP variable. Created when Apache24 is used with mod_remoteip to know the real
client ip address.
^ Added new rule metadata actions ver, maturity and accuracy. Also included into RULE collection.
* Updated Reference manual into doc/ directory.
* Fixed Variable DURATION contains the elapsed time in microseconds for compatible reasons with apache and
other variables.
* Fixed Preserve names/identity of the variables going into MATCHED_VARS.
* Fixed Redirect macro expansion does not work in SecDefaultAction when SecRule uses block action.
* Fixed rsub operator does not work as expect if regex contains parentheses (Thanks Jerome Freilinger).
* Current Google Safe Browsing implementation is deprecated. Google changed the API and does not allow
anymore the malware database for download.
08 Jun 2012 - 2.6.6
-------------------
* Added build system support for KfreeBSD and HURD.
* Fixed a multipart bypass issue related to quote parsing
Credits to Qualys Vulnerability & Malware Research Labs (VMRL).
20 Mar 2012 - 2.6.5
-------------------
* Fixed increased a specific message debug level in SBDM code (MODSEC-293).
* Cleanup build system.
09 Mar 2012 - 2.6.4
-------------------
* Fixed Mlogc 100% CPU consume (Thanks Klaubert Herr and Ebrahim Khalilzadeh).
* Fixed ModSecurity cannot load session and user sdbm data.
* Fixed updateTargetById was creating rule unparsed content making apache memory grow.
* Code cleanup.
23 Feb 2012 - 2.6.4-rc1
-------------------
* Fixed @rsub adding garbage data into stream variables.
* Fixed regex for section A into mlogc-batch-load.pl (Thanks Ebrahim Khalilzadeh).
* Fixed logdata cuts message without closing it with final chars.
* Added sanitizeMatchedBytes support to verifyCPF, verifyCC and verifySSN.
06 Dec 2011 - 2.6.3-rc1
-------------------
* Fixed MATCHED_VARS does not correctly handle multiple VARS with the same name.
* Fixed SDBM garbage collection was not working as expected, increasing the size of files.
* Fixed wrong timestamp calculation for some time zones in log files.
* Fixed SecUpdateTargetById failed to load multiple VARS (MODSEC-270).
* Fixed Reverted hexDecode for hexEncode compatibility reason.
* Added SecCollectionTimeout to set collection timeout, default is 3600.
* Added sqlHexDecode transformation to decode sql hex data. Thanks Marc Stern.
30 Sep 2011 - 2.6.2
-------------------
* Fixed hexDecode test during make.
* Updated the reference manual into doc/ directory.
5 Sep 2011 - 2.6.2-rc1
-------------------
* Added support to macro expansion for rx operator.
* Added new transformations removeComments and removeCommentsChars
* Fixed colletion names are not case-sensitive anymore.
* Fixed compilation errors with apache 2.0.
* Fixed build system was not using some libraries CFLAGS.
* Fixed check for valid hex values into hexDecode transformation.
* Fixed ctl:ruleUpdateTargetById appending multiple targets.
18 Jun 2011 - 2.6.1
-------------------
* Updated the reference manual into doc/ directory.
11 Jul 2011 - trunk
-------------------
* Add HttpBl support to rbl operator.
30 Jun 2011 - 2.6.1-rc1
-------------------
* Fixed SecUploadFileMode doesn't work with the new build system.
* Fixed building with Lua library (Thanks Diego Elio).
* Fixed some ./configure --enable* features not being enabled in compilation time.
* Improvements on GSB database add/search operations.
* Log part K was removed from modsecurity.conf-recommended.
* Added SecUnicodeMapFile directive. Must be use to load the unicode.mapping file.
* Added SecUnicodeCodePage directive. Used to define the unicode code page. There are a few already available:
1250 (ANSI - Central Europe)
1251 (ANSI - Cyrillic)
1252 (ANSI - Latin I)
1253 (ANSI - Greek)
1254 (ANSI - Turkish)
1255 (ANSI - Hebrew)
1256 (ANSI - Arabic)
1257 (ANSI - Baltic)
1258 (ANSI/OEM - Viet Nam)
20127 (US-ASCII)
20261 (T.61)
20866 (Russian - KOI8)
28591 (ISO 8859-1 Latin I)
28592 (ISO 8859-2 Central Europe)
28605 (ISO 8859-15 Latin 9)
37 (IBM EBCDIC - U.S./Canada)
437 (OEM - United States)
500 (IBM EBCDIC - International)
850 (OEM - Multilingual Latin I)
860 (OEM - Portuguese)
861 (OEM - Icelandic)
863 (OEM - Canadian French)
865 (OEM - Nordic)
874 (ANSI/OEM - Thai)
932 (ANSI/OEM - Japanese Shift-JIS)
936 (ANSI/OEM - Simplified Chinese GBK)
949 (ANSI/OEM - Korean)
950 (ANSI/OEM - Traditional Chinese Big5)
Also mapping some extra unicode chars defined at http://tools.ietf.org/html/rfc3490#section-3.1
* Fixed SecRequestBodyLimit was truncating the real request body.
18 May 2011 - 2.6.0
-------------------
* Added SecWriteStateLimit for Slow Post DoS mitigation.
* Fix problem when buffering in input filter.
* Fix memory leak when use MATCHED_VAR_NAMES.
2 May 2011 - 2.6.0-rc2
-------------------
* Added code optimizations - thanks Diego Elio.
* Added support to AIX and HPUX in the build system (untested).
* Renamed decodeBase64Ext to base64DecodeExt.
* Build system improvements - thanks Diego Elio.
* Improvements on gsblookup parser.
* Fixed input filter bug when upload files and SecStreamInBodyInspect is enabled.
* Logging improvements and bug fix.
* Remove extra useless files when make clean and maintainer-clean
18 Apr 2011 - 2.6.0-rc1
-------------------
* Replaced previous GPLv2 License to Apachev2.
* Added Google Safe Browsing lookups operator and directive. It should be
used to extract and lookup urls from http packets.
* Added Data Modification operator. It must be used with STREAM_* variables
to replace/add/edit any data from http bodies.
* Added STREAM_OUPUT_BODY and STREAM_INPUT_BODY variables to work with data
modification operators.
* Added fast ip address operator. It supports partial ip address, cidr for
IPv4 and IPv6. Thanks Tom Donovan.
* Added new sensitive data tracking verifyCPF and verifySSN.
* Added MATCHED_VARS and MATCHED_VARS_NAMES. It is similiar to MATCHED_VAR,
but now we should see all matched variables.
* Added UNIQUE_ID variable. It holds the data created my mod_unique_id.
* Added new tranformation cmdline. Thanks Marc Stern.
* Added new exception handling operators and directives. It should help users
reduce FN and FPs. The directives SecRuleUpdateTargetById, SecRuleRemoveByTag
and its ctl actions were included.
* Added SecStreamOutBodyInspection and SecStreamInBodyInspection to enable STREAM_*
variables.
* Added SecGsbLookupDB used to load Google Safe Browsing malware databse into
memory.
* Added the directive SecInterceptOnError to control what to do if a rule returns
values less than zero.
* Improvements in DetectionOnly engine mode. Also added SecRequestBodyLimitAction
to control what to do if the engine receive a http request over a hard limit.
Note that there is now many combinations with SecRuleEngine and the limit action
directives for response and request data. Please see the reference manual.
* Improvements under RBL operator. It now will parse return code values for some
RBL lists.
* Added new Log Part J. It should log some informations about uploaded files.
* Added new sanitizeMatchedBytes action. It will give more flexibilty for user to sanitize
logged data, also improving peformance when sanitize big amount of data.
* Improvements on Logging phase. It is possible now see full chains, distinguish between
simple rules, chain starters and chain nodes.
* Improvements on AutoTools usage.
* Improvements on pattern matching operators, pmf, pm and strmatch now supports more flexible
input data allowing any kind of special char.
* Improvements on SecRuleUpdateActionById to update chain nodes.
* Many bugs were fixed. Please see the ModSecurity Jira for more details
19 Mar 2010 - trunk
-------------------
* Added SecDisableBackendCompression, which disabled backend compression
while keeping the frontend compression enabled (assuming mod_deflate
in installed and configured in the proxy). [Ivan Ristic]
* Added REQUEST_BODY_LENGTH, which contains the number of request body
bytes read. [Ivan Ristic]
* Integrate with mod_log_config using the %{VARNAME}M format string.
(MODSEC-108) [Ivan Ristic]
* Replaced the previous time-measuring mechanism with a new one, which
provides the following information: request time, request duration,
phase duration (for all 5 phases), time spent dealing with persistent
storage, and time spent on audit logging. The new information is now
available in the Stopwatch2 audit log header. The Stopwatch header
remains for backward compatiblity, although it now only includes
the request time and request duration values. Added the following
variables: PERF_COMBINED, PERF_PHASE1, PERF_PHASE2, PERF_PHASE3,
PERF_PHASE4, PERF_PHASE5, PERF_SREAD, PERF_SWRITE, PERF_LOGGING,
PERF_GC. [Ivan Ristic]
* Added DURATION, which contains the time ellapsed since the beginning
of the current transaction, in milliseconds. [Ivan Ristic]
* Adjusted phase 5 to execute just prior to mod_log_config. This should
allow phase 5 rules to to implement conditional logging, as well as
pave support for allowing access to all ModSecurity variables from
mog_log_config. [Ivan Ristic]
* Added the URLENCODED_ERROR flag, which is raised whenever invalid URL
encoding is encountered in the query string or in the request body
(but only if URLENCODED request body processor is used). (MODSEC-111)
[Ivan Ristic]
* Removed the obsolete PDF UXSS functionality. (MODSEC-96) [Ivan Ristic]
* Renamed normalisePath to normalizePath and normalisePathWin to
normalizePathWin. Kept the previous names for backward compatibility.
(MODSEC-103) [Ivan Ristic]
* Moved phase 1 to be run in the same Apache hook as phase 2. This means
that you can now have phase 1 rules in <Location> tags and, more
importantly, override server configuration in <Location> and others.
(MODSEC-98) [Ivan Ristic]
* Renamed the sanitise family of actions to sanitize. Kept the old variants
for backward compatibility. (MODSEC-95) [Ivan Ristic]
* Improve the logging of the ctl action. (MODSEC-99) [Ivan Ristic]
* Cleanup build files that were from the Apache source.
Key pkgsrc change - move p5-Class-Data-Inheritable from BUILD_DEPENDS to
DEPENDS, as is needed at runtime (previous p5-Catalyst-Runtime package would
fail to run on non build machine due to this)
5.90053 - 2013-12-21
- Reverted a change in the previous release that moved the setup_log phase
to after setup_config. This change was made to allow people to use
configuration that is late loaded (such as via the ConfigLoader Plugin)
to setup the plugin. However it also broke the ability to use the log
during plugin setup (ie, it breaks lots of plugins). Reverting the
change. See Catalyst::Delta for workarounds.
5.90052 - 2013-12-18
- Fixed first block of startup debug messages missing when using a custom
logger that gets set at runtime, for example by overriding finalize_config
- Give a more descriptive error message when trying to load middleware that
does not exist.
- Change the way we initialize plugins to fix a bug where when using the
populare ConfigLoader plugin, configs merged are not available for setting
up middleware and data handlers (and probably other things as well).
NOTE: This change might cause issues if you had code that was relying on the
broken behavior. For example external configuration that was being loaded to
late to have effect might now take effect. Please test you code carefully and
be aware of this possible issue </NOTE>.
- You may now also call 'setup_middleware' as a package method if you think
that loading middleware via configuration is a weird or broken idea.
- Various POD formating fixed.
- Improved some documentation about what type of filehandles that ->body can
accept and issues that might arise.
5.90051 - 2013-11-06
- Be more skeptical of the existance of $request->env to fix a regression
introduced in Catalyst::Action::REST by the previous release
5.90050 - 2013-11-05
- Previously public predicates on the following attributes are now considered
private and their method names have been changed to follow Perl convention
for internal methods:
-- Catalyst::Request->has_io_fh ==> _has_io_fh
-- Catalyst::Request->has_env ==> _has_env
-- Catalyst::Response->has_write_fh ==> _has_write_fh
These are breaking changes but these methods were never documented and serve
no use for external code. If you are using thing, you need to make the noted
change (but please consider finding another way to do what you are trying to
do). t0m++ for code review of Hamburg branch.
5.90049_006 - 2013-11-04
- Fixed case where test could fail when Starman was partly installed (n0body++)
- Fixed missing date information in previous release
5.90049_005 - 2013-10-31
- NEW FEATURE: New Controller action attribute 'Consumes', which allows you
to specify the content type of the incoming request. This makes it easier
to create actions that only handle certain content type POST or PUT, such
as actions that only handle JSON or actions that only understand classic
HTML forms.
- NEW FEATURE: Request->body_data is now also populated from classic HTML
Forms using CGI::Struct to support nested data. For non nested data you
should use the classic ->body_parameters method.
- Removed PSGI $env keys that are added on the 'plack.request.*' namespace
since after discussion it was clear those keys are not part of the public
API. Keys removed: 'plack.request.query', 'plack.request.body',
'plack.request.merged' and 'plack.request.http.body'. Altered some test
cases to reflect this change.
5.90049_004 - 2013-10-18
- JSON Data handler looks for both JSON::MaybeXS and JSON, and uses
whichever is first (prefering to find JSON::MaybeXS). This should
improve compatibility as you likely already have one installed.
- Fixed a warning in the server script (bokutin++)
- We now populate various Plack $env keys in order to play nice with
downstream middleware or plack apps (and to reduce processing if
those keys already exist). Keys added:
- plack.request.query
- plack.request.body
- plack.request.merged
- plack.request.http.body
(NOTE: REMOVED IN 5.90049_005)
- If incoming input (from a POST or PUT) is not buffered, create the
buffer and set the correct psgi env keys to note this for downstream
psgi apps / middleware. This should solve some issues where Catalyst
sucks up the body input but its not buffered so downstream apps can't
read it (for example FCGI does not buffer). We now also try to make
sure the body content input is reset to the start of the filehandle
so that we are polite to downstream middleware /apps.
- NEW FEATURE: Catalyst::Response can now pull response from a PSGI
specification response. This makes it easier to host external Plack
applications under Catalyst. See Catalyst::Response->from_psgi_response
- NEW FEATURE: New configuration option 'use_hash_multivalue_in_request'
will populate $request methods 'parameters', 'body_parameters' and
'query_parameters' with an instance of Hash::MultiValue instead of a
HashRef. This is used by Plack and is intended to reduce the need to
write defensive logic since you are never sure if an incoming parameter
is a scalar or arrayref.
- NEW FEATURE: We now experimentally support Net::Async::HTTP::Server
and IO-Async based event loops. Examples will follow.
5.90049_003 - 2013-09-20
- Documented the new body_data method added in the previous release
- Merged from master many important bugfixes and forward compatiblity
updates, including:
- Use modern preferred method for Moose metaclass access and many other
small changes to how we use Moose for better forward compat (ether++)
- Killed some evil use of $@ (ether++)
- spelling fixes and documentation updates (ether++), (gerda++)
- use Test::Fatal over Test::Exception (ether++)
- Misc. test case fixes to modernize code (ether++)
- Added a first pass cpanfile, to try and make it easier to bootstrap
a development setup (ether++)
5.90049_002 - 2013-08-20
- Fixed loading middleware from project directory
- Fixed some pointless warnings when middleware class lacked VERSION
- NEW FEATURE: Declare global 'data_handlers' for parsing HTTP POST/PUT
alternative content, and created default JSON handler. Yes, now Catalyst
handles JSON request content out of the box! More docs eventually but
for now see the DATA HANDLERS section in Catalyst.pm (or review the test
case t/data_handler.t
5.90049_001 - 2013-07-26
- Declare PSGI compliant Middleware as part of your Catalyst Application via
a new configuration key, "psgi_middleware".
- Increased lowest allowed module version for Module::Pluggable to be 4.7 (up
from 3.4) to solve the fact this is no longer bundled with Perl in v5.18.
Provide Regex DispatchType for Catalyst (deprecated)
Regex dispatch types have been deprecated and removed from Catalyst
core. It is recommend that you use Chained methods or other techniques
instead. As part of the refactoring, the dispatch priority of Regex
vs Regexp vs LocalRegex vs LocalRegexp may have changed. Priority
is now influenced by when the dispatch type is first seen in your
application.
This module allows transforming CGI GET/POST data into intricate
data structures. It is reminiscent of PHP's building arrays from
form data, but with a perl twist.
changes:
-Re-factored Grilo Net library and fixed several bugs
-Show 'slow' keys in grl-inspect
-Updates in documentation
-Added new core function: grl_operation_set_data_full()
-fixes
