- Provisional Django 1.7 support
- Multi-db and multi-manager support to management commands
- Added index on reversion.date_created
- Minor bugfixes and documentation improvements
=================
WebKitGTK+ 2.4.6
=================
What's new in WebKitGTK+ 2.4.6?
- Use free icons for the web inspector.
- Make vimeo videos work again with the GStreamer media backend.
- Fix selection rendering when unfocused with recent GTK+ versions.
- Fix toggle buttons rendering with recent GTK+ versions.
- Fix race condition when downloading a file due to the intermediate
temporary file.
PHP5 rewrite of HTTP_Request package (with parts of HTTP_Client). Provides
cleaner API and pluggable Adapters:
* Socket adapter, based on old HTTP_Request code,
* Curl adapter, wraps around PHP's cURL extension,
* Mock adapter, to use for testing packages dependent on HTTP_Request2.
Supports POST requests with data and file uploads, basic and digest
authentication, cookies, managing cookies across requests, proxies, gzip and
deflate encodings, redirects, monitoring the request progress with Observers...
Upstream changes:
5.48 2014-10-07
- Emergency release for a serious security issue that can result in
parameter injection attacks, everybody should update!
Breaking change: Methods that previously worked differently in scalar than
in list context now always assume scalar context, and new methods have
been added to cover the list context functionality.
- Added every_cookie and every_upload methods to Mojo::Message.
- Added every_param method to Mojo::Message::Request.
- Added every_param method to Mojo::Parameters.
- Added every_cookie, every_param and every_signed_cookie methods to
Mojolicious::Controller.
- Added every_param method to Mojolicious::Validator::Validation.
- Added from_json and to_json functions to Mojo::JSON.
- Improved pluck method in Mojo::Collection to be able to extract values
from hash references.
Changelog:
Fixed: 32.0.3: New security fixes can be found here
New: New HTTP cache provides improved performance including crash recovery
New: Integration of generational garbage collection
New: Public key pinning support enabled
New: View historical use information for logins stored in password manager
New: Display the number of found items in the find toolbar
New: Easier back, forward, reload, and bookmarking through the context menu
New: Lower Sorbian [dsb] locale added
Changed: Removed and turned off trust bit for some 1024-bit root certificates
Changed: Performance improvements to Password Manager and Add-on Manager
HTML5: drawFocusIfNeeded enabled by default
HTML5: ECMAScript 6 built-in method Array#copyWithin implemented
HTML5: CSS position:sticky enabled by default
HTML5: mix-blend-mode enabled by default
HTML5: New Array built-in: Array.from()
HTML5: navigator.languages property and languagechange event implemented
HTML5: Vibration API updated to latest W3C spec
HTML5: CSS box-decoration-break replaces -moz-background-inline-policy
HTML5: box-decoration-break enabled by default
Developer: HiDPI support in Developer Tools UI
Developer: Inspector button moved to the top left
Developer: Hidden nodes displayed differently in the markup-view
Developer: New Web Audio Editor
Developer: Code completion and inline documentation added to Scratchpad
Fixed: 32.0.2 - Corrupt installations cause Firefox to crash on update
Fixed: 32.0.1 - Stability issues for computers with multiple graphics cards
Fixed: 32.0.1 - Mixed content icon may be incorrectly displayed instead of lock icon for SSL sites
Fixed: 32.0.1 - WebRTC: setRemoteDescription() silently fails if no success callback is specified
Fixed: Various security fixes
Fixed: Mac OS X: cmd-L does not open a new window when no window is available
Fixed: Text Rendering Issues on Windows 7 with Platform Update KB2670838 (MSIE 10 Prerequisite) or on Windows 8.1
Security fixes:
Fixed in Firefox 32.0.3
MFSA 2014-73 RSA Signature Forgery in NSS
Fixed in Firefox 32
MFSA 2014-72 Use-after-free setting text directionality
MFSA 2014-71 Profile directory file access through file: protocol
MFSA 2014-70 Out-of-bounds read in Web Audio audio timeline
MFSA 2014-69 Uninitialized memory use during GIF rendering
MFSA 2014-68 Use-after-free during DOM interactions with SVG
MFSA 2014-67 Miscellaneous memory safety hazards (rv:32.0 / rv:31.1 / rv:24.8)
Upstream changes:
MediaWiki 1.23.5
This is a security release of the MediaWiki 1.23 branch.
Changes since 1.23.4
(bug 70672) SECURITY: OutputPage: Remove separation of css and js module allowance.
issues found in the prior Squid releases.
The major changes to be aware of:
* CVE-2014-6270 : SQUID-2014:3 Buffer overflow in SNMP processing
http://www.squid-cache.org/Advisories/SQUID-2014_3.txt
This vulnerability allows any client who is allowed to send SNMP
packets to the proxy to perform a denial of service attack on Squid.
The issue came to light as the result of active 0-day attacks. Since
publication several other attack sightings have been reported.
* CVE-2014-7141 and CVE-2014-7142 : SQUID-2014:4
http://www.squid-cache.org/Advisories/SQUID-2014_4.txt
These vulnerabilities allow a remote attack server to trigger DoS or
information leakage by sending various malformed ICMP and ICMPv6
packets to the Squid pinger helper.
The worst-case DoS scenario is a rarity; a more common impact will be
general service degradation for high-performance systems relying on
the pinger for realtime network measurement.
All users of Squid are urged to upgrade to this release as soon as
possible.
See the ChangeLog for the full list of changes in this and earlier
releases.
Please refer to the release notes at
http://www.squid-cache.org/Versions/v3/3.4/RELEASENOTES.html
when you are ready to make the switch to Squid-3.4
Upgrade tip:
"squid -k parse" is starting to display even more
useful hints about squid.conf changes.
Upstream changes:
5.47 2014-09-28
- Improved url_for performance.
5.46 2014-09-26
- PAUSE lost the previous release.
5.45 2014-09-26
- Deprecated Mojolicious::Routes::Route::has_conditions.
- Added extracting attribute to Mojo::UserAgent::CookieJar.
- Improved performance of next, next_sibling, previous and previous_sibling
methods in Mojo::DOM significantly.
- Improved Mojo::Cache to allow caching to be disabled. (mvgrimes, sri)
- Fixed url_for bug where deeply nested WebSocket routes would not work
correctly.
5.44 2014-09-23
- Fixed bug in Mojolicious::Renderer that prevented proxy objects from being
reused.
5.43 2014-09-22
- Updated Makefile.PL for version 2 of the CPAN distribution metadata
specification.
- Improved get command to not depend on Content-Type headers for
differentiating between JSON and HTML/XML.
5.42 2014-09-17
- Fixed url_for bug where an unnecessary slash could be rendered before
formats.
5.41 2014-09-13
- Deprecated Mojolicious::Controller::render_static in favor of
reply->static helper.
- Added mtime attribute to Mojo::Asset::Memory.
- Added mtime method to Mojo::Asset and Mojo::Asset::File.
- Added reply->asset and reply->static helpers to
Mojolicious::Plugin::DefaultHelpers.
- Fixed bug in Mojo::UserAgent where connections would sometimes not get
closed correctly.
5.40 2014-09-12
- Deprecated Mojo::EventEmitter::emit_safe.
- Added reply->exception and reply->not_found helpers to
Mojolicious::Plugin::DefaultHelpers.
- Improved all events to handle exceptions the same.
Changes in release 0.30.1:
* Fix memory leak with GnuTLS (Werner Baumann, Patrick Ohly).
* Fix possible crash after DNS lookup errors on Windows (Olivier Goffart).
* Don't fail if the SSL cert changes between connections with OpenSSL,
behaviour now matches that with GnuTLS.
* Fix PKCS#11 support under OpenSSL with TLS 1.2.
* Fix static linking with pkg-config file (Alan H).
4.04 2014-09-04
[ RELEASE NOTES ]
- this release removes some long deprecated modules/functions and
includes refactoring to the temporary file handling in CGI.pm. if
you are doing anything out of the ordinary with regards to temp
files you should test your code before deploying this update as
temp files may no longer be stored in previously used locations
[ REMOVED / DEPRECATIONS ]
- startform and endform methods removed (previously deprecated, you
should be using the start_form and end_form methods)
- both CGI::Apache and CGI::Switch have been removed as these modules
1) have been deprecated for *years*, and 2) do nothing whatsoever
[ SPEC / BUG FIXES ]
- handle multiple values in X-Forwarded-Host header, we follow the
logic in most other frameworks and take the last value from the list
(RT #54487)
- refactor CGITempFile::find_tempdir to use File::Spec->tmpdir
(related: RT #71799)
- fix warnings when QUERY_STRING has empty key=value pairs (RT #54511)
- pad custom 500 status response messages to > 512 for MSIE (RT #81946)
- make Vars tied hash delete method return the value deleted from the hash
making it act like perl's delete (RT #51020)
[ TESTING ]
- add .travis.yml (https://travis-ci.org)
- test case for RT #53966 - disallow filenames with ~ char
- test case for RT #55166 - calling Vars to get the filename does not return
a filehandle, so this cannot be used in the call to uploadinfo, also
update documentation for the uploadInfo to show that ->Vars should not be
used to get the filename for this method
- fix t/url.t to pass on Win32 platforms that have the SCRIPT_NAME env
variable set (RT #89992)
- add procedural call tests for upload and uploadInfo to confirm these work
as should (RT #91136)
[ DOCUMENTATION ]
- tweak perldoc for -utf8 option (RT #54341, thanks to Helmut Richter)
- explain the HTML generation functions should no longer be used and that
they may be deprecated in a future release
4.03 2014-07-02
[ REMOVED / DEPRECATIONS ]
- the -multiple option to popup_menu is now IGNORED as this did not
function correctly. If you require a menu with multiple selections
use the scrolling_list method. (RT #30057)
[ SPEC / BUG FIXES ]
- support redirects in mod_perl2, or fall back to using env variable
for up to 5 redirects, when getting the query string (RT #36312)
- CGI::Cookie now correctly supports the -max-age argument, previously
if this was passed the value of the -expires argument would be used
meaning there was no way to supply *only* this argument (RT #50576)
- make :all actually import all methods, except for :cgi-lib, and add
:ssl to the :standard import (RT #70337)
[ DOCUMENTATION ]
- clarify documentation regarding query_string method (RT #48370)
- links fixed in some perldoc (Thanks to Michiel Beijen)
[ TESTING ]
- add t/changes.t for testing this Changes file
- test case for RT #31107 confirming multipart parsing is to spec
- improve t/rt-52469.t by adding a timeout check
4.02 2014-06-09
[ NEW FEATURES ]
- CGI::Carp learns noTimestamp / $CGI::Carp::NO_TIMESTAMP to prevent
timestamp in messages (RT #82364, EDAVIS@cpan.org)
- multipart_init and multipart_start learn -charset option (RT #22737)
[ SPEC / BUG FIXES ]
- Support multiple cookies when passing an ARRAY ref with -set-cookie
(RT #15065, JWILLIAMS@cpan.org)
[ DOCUMENTATION ]
- Made licencing information consistent and remove duplicate comments
about licence details, corrected location to report bugs (RT #38285)
#-----------------------------------------------------------------------
# Version 2.26 - 17th September 2014
#------------------------------------------------------------------------
* Andy Wardley added outline directives. See Template::Manual::Syntax and
Template::Manual::Config for details of the OUTLINE_TAG option and new
'outline' TAG_STYLE. See t/outline.t for examples.
* Andy Wardley improved the handling of keywords when the ANYCASE option
is in use. See t/anycase.t for examples.
* Chromatic fixed UTF-8 encoding in URLs in URL plugin.
https://github.com/abw/Template2/pull/31
* Brian Fraser added support for platforms without LC_ALL/setlocale.
https://github.com/abw/Template2/pull/34
* Amiri Barksdale fixed RT46691 to plug filter memory leaks
https://github.com/abw/Template2/pull/36
* John Lightsey fixed RT59208 to improve SET
https://github.com/abw/Template2/pull/38
UPDATE: This had to be reverted as it caused a subtle breakage elsewhere
Upstream changes:
MediaWiki 1.23.4
This is a security and maintenance release of the MediaWiki 1.23 branch.
Changes since 1.23.3
(bug 69008) SECURITY: Enhance CSS filtering in SVG files. Filter <style> elements; normalize style elements and attributes before filtering; add checks for attributes that contain css; add unit tests for html5sec and reported bugs.
(bug 65998) Make MySQLi work with non-standard socket.
(bug 66986) GlobalVarConfig shouldn't throw exceptions for null-valued config settings.
Restore module checksums that were lost in last update.
Changes with nginx 1.6.2 16 Sep 2014
*) Security: it was possible to reuse SSL sessions in unrelated contexts
if a shared SSL session cache or the same TLS session ticket key was
used for multiple "server" blocks (CVE-2014-3616).
Thanks to Antoine Delignat-Lavaud.
*) Bugfix: requests might hang if resolver was used and a DNS server
returned a malformed response; the bug had appeared in 1.5.8.
*) Bugfix: requests might hang if resolver was used and a timeout
occurred during a DNS request.
Upstream changes:
Highlights
MDL-45780 - Atto now working with form change checker and quiz autosave
MDL-46748 - Mathjax address that changed, that caused Atto to fail to load, has been updated in Moodle
MDL-35984 - Gradebook Sum of grades shows correct total if items are hidden
Functional changes
MDL-45724 - Warning given when the same memcached instance is used for both sessions and MUC
MDL-46681 - For Multiple choices questions in the quiz / question bank, the options "Clear incorrect responses" and "Show the number of correct responses" did not make sense for "One answer only" questions. It is now impossible to select that combination of options on the form.
Security issues
MSA-14-0033 URL parameter injection in CAS authentication
MSA-14-0034 Identity information revealed early in Q&A forum
Fixes and improvements
MDL-37509 - Description of assignment hidden in calendar if "always show description" = NO
MDL-46545 - Weekly stats now working again
MDL-46589 - Automatic emails now sent after users import from CSV
MDL-43197 - Parent role only sees course total and no longer individual grades
MDL-46236 - Start New Attempt option is now followed if SCORM is set to appear in a popup
Approved by: wiz@
documents over IO::Socket::SSL, then stop forcing Net::SSL (which
doesn't verify hostnames) even when the admin requested IO::Socket::SSL,
and then pass the server name through so SNI can work. Bump PKGREVISION.
Updating during the freeze for the security improvements.
== 2.2.1 / 2013-05-20
* Fix package problem (termtter requires termtter).
* Suppress the warning on ruby 1.9 with CentOS.
== 2.2.0 / 2013-04-20
* Using https to connect to api.twitter.com (important).
* Improvement testing (CI enabled).
* Using jeweler for packaging.
* Suppress the warning (on ruby 2.0).
* Change default stdout and colors.
* Added some plugins
== 2.1.1 / 2013-04-10
* Correspond to API 1.1
* Other fixes.
== 2.0.0 / 2013-04-07
* User own plugins loader.
* If ~/.termtter/lib/plugins exist, load them.
* Improvement easy_post plugin.
* Plug-in easy_post should operate only when above 15 characters.
* Improvement tests.
* "Failed to update :(" when updated with URL.
* use String#sub instead of String#[regexp]=.
* spec for expand_tco_url plugin.
* and fix other minor bugs.
* Don't double-decode CGI submissions with Encode.pm >= 2.53,
fixing "Error: Cannot decode string with wide characters".
Thanks, Antoine Beaupré
* Avoid making trails depend on everything in the wiki by giving them
a better way to sort the pages
* Don't let users post comments that won't be displayed
* Fix encoding of Unicode strings in Python plugins.
Thanks, chrysn
* Improve performance and correctness of the [[!if]] directive
* Let [[!inline rootpage=foo postform=no]] disable the posting form
* Switch default [[!man]] shortcut to manpages.debian.org. Closes: #700322
* Add UUID and TIME variables to edittemplate. Closes: #752827
Thanks, Jonathon Anderson
* Display pages in linkmaps as their pagetitle (no underscore escapes).
Thanks, chrysn
* Fix aspect ratio when scaling small images, and add support for
converting SVG and PDF graphics to PNG.
Thanks, chrysn
- suggest ghostscript (required for PDF-to-PNG thumbnailing)
and libmagickcore-extra (required for SVG-to-PNG thumbnailing)
- build-depend on ghostscript so the test for scalable images can be run
* In the CGI wrapper, incorporate $config{ENV} into the environment
before executing Perl code, so that PERL5LIB can point to a
non-system-wide installation of IkiWiki.
Thanks, Lafayette Chamber Singers Webmaster
* filecheck: accept MIME types not containing ';'
* autoindex: index files in underlays if the resulting pages aren't
going to be committed. Closes: #611068
* Add [[!templatebody]] directive so template pages don't have to be
simultaneously a valid template and valid HTML
* Add myself to Uploaders and release to Debian
-- Simon McVittie <smcv@debian.org> Fri, 12 Sep 2014 21:23:58 +0100
pkgsrc changes:
* Add 'cgi' option, enabled by default
* Add 'git' option, disabled by default
Updating during the freeze because it's a leaf with many fixes,
including our local patches.
Bug fixes
~~~~~~~~~
* Fixed a bug that could sometimes cause a timeout to fire after being
cancelled.
* `.AsyncTestCase` once again passes along arguments to test methods,
making it compatible with extensions such as Nose's test generators.
* `.StaticFileHandler` can again compress its responses when gzip is enabled.
* ``simple_httpclient`` passes its ``max_buffer_size`` argument to the
underlying stream.
* Fixed a reference cycle that can lead to increased memory consumption.
* `.add_accept_handler` will now limit the number of times it will call
`~socket.socket.accept` per `.IOLoop` iteration, addressing a potential
starvation issue.
* Improved error handling in `.IOStream.connect` (primarily for FreeBSD
systems)