* v2.04
Minor documentation fixes and explanation of the proposed split into
legacy/trunk branches. No code changes from 2.03_02.
* v2.03_02
The uploads have had a minor change which may solve the Windows size
difference failures. More diagnostics were added to the failures if it
does not.
* v2.03_01
The test multi-part upload data in the test suite has been fixed to have
the correct (CRLF) line terminators. These tests should now pass for
Microsoft users.
The documentation has been amended to reflect the change of maintainer.
* v2.03 - May 25, 2014
Maintainer change: Pete Houston has taken over maintenance from Smylers.
A test suite has been created.
BUG FIX: Cleared up some uninitialised value warnings emitted when query
strings are missing an entire key-value pair eg: "&foo=bar" (issue
38448).
BUG FIX: If the user calls parse_form_data as a class method without a
query string, the method now gives up early and silently
(issue 6180).
BUG FIX: In form-data uploads, the boundary string was not properly
escaped and therefore would not match when it contained
metacharacters (issue 29053).
BUG FIX: The content type for url-encoded forms now matches on the MIME
type only, so additional charset fields are allowed (issues 16236,
34827 and 41666).
BUG FIX: Leading/trailing whitespace is now stripped from cookie names
and values.
BUG FIX: Cookies now no longer need to be separated by whitespace.
Commas can now be used as separators too. (issue 32329).
BUG FIX: The semicolon is now a permitted delimiter in the query string
along with the ampersand (issue 8212).
Version 0.77 -- 2014-08-05
o re-release to remove build artifacts that should not have been shipped
Version 0.76 -- 2014-08-05
o On Android, set TMPDIR before calling configure (RT#97680, Brian Fraser)
Version 0.75 -- 2014-07-17
o deprecated APIs removed (chansen)
o broken PP implementation removed (chansen)
o retooled distribution so FCGI.pm and FCGI.xs exist as-is, rather than
being generated by FCGI.PL and FCGI.XL (chansen)
Upstream changes:
RELEASE 0.12
New SimpleTemplate parser implementation
* Support for multi-line code blocks (<% ... %>).
* The keywords include and rebase are functions now and can accept variable template names.
The new BaseRequest.route() property returns the Route that originally matched the request.
Removed the BaseRequest.MAX_PARAMS limit. The hash collision bug in CPython's dict() implementation was fixed over a year ago. If you are still using Python 2.5 in production, consider upgrading or at least make sure that you get security fixes from your distributor.
New ConfigDict API (see Configuration (DRAFT))
This module generates tokens to help protect against a website attack
known as Cross-Site Request Forgery (CSRF, also known as XSRF). CSRF
is an attack where an attacker fools a browser into making a request to
a web server for which that browser will automatically include some
form of credentials (cookies, cached HTTP Basic authentication, etc.),
thus abusing the web server's trust in the user for malicious use.
The most common CSRF mitigation is sending a special, hard-to-guess
token with every request, and then requiring that any request that is
not idempotent (i.e., has side effects) must be accompanied with such
a token. This mitigation depends critically on the fact that while an
attacker can easily make the victim's browser make a request, the
browser security model (same-origin policy, or SOP for short) prevents
third-party sites from reading the results of that request.
Upstream changes:
5.37 2014-09-03
- Improved Mojo::Template performance slightly.
- Fixed .ep template bug where the stash value "c" could no longer be used.
5.36 2014-09-02
- Improved Mojo::Template performance.
5.35 2014-08-30
- Improved monkey_patch to be able to name generated functions.
5.34 2014-08-29
- Added original_remote_address attribute to Mojo::Transaction.
- Fixed bug where Mojolicious::Commands would change @ARGV when loaded.
=================
WebKitGTK+ 2.4.5
=================
What's new in WebKitGTK+ 2.4.5?
- Do not freeze the UI process while scanning plugins if there's a
GTK+ 3 plugin installed.
- Fix a crash when drag and drop to a WebKitWebView.
- Fix a crash when navigating away from a web page containing an ogg
video.
- Fix slow motion rendering problem in GStreamer media backend due
to integer rounding.
- Make sure the plugins cache is always used even if the cache
directory doesn’t exist.
- Fix toggle buttons rendering with recent GTK+ versions.
- Do not use GtkWindow:resize-grip-visible with recent GTK+
versions.
- Add support for little-endian PowerPC64.
Version 3.3.5 (2014-08-27)
--------------------------
### Fixed
Do not output an empty `label` tag (see #7249).
### Fixed
Allow floating point numbers in "number" input fields (see #7257).
### Fixed
Do not adjust the start time of past events (see #7121).
### Fixed
Reset the image margins if it exceeds the maximum image size (see #7245).
### Fixed
Reset `$blnPreventSaving` when a model is cloned (see #7243).
### Fixed
Do not reload after storing `CURRENT_ID` in the session (see #7240).
### Fixed
Correctly validate the page number of the versions menu (see #7235).
### Fixed
Handle underscores in the Google+ vanity name (see #7241).
### Fixed
Correctly handle the `rem` unit when importing style sheets (see #7220).
### Fixed
Fix two issues with the extension repository theme.
Version 3.2.14 (2014-08-27)
---------------------------
### Fixed
Allow floating point numbers in "number" input fields (see #7257).
### Fixed
Do not adjust the start time of past events (see #7121).
### Fixed
Reset the image margins if it exceeds the maximum image size (see #7245).
### Fixed
Reset `$blnPreventSaving` when a model is cloned (see #7243).
### Fixed
Do not reload after storing `CURRENT_ID` in the session (see #7240).
### Fixed
Correctly validate the page number of the versions menu (see #7235).
### Fixed
Handle underscores in the Google+ vanity name (see #7241).
### Fixed
Correctly handle the `rem` unit when importing style sheets (see #7220).
### Fixed
Fix two issues with the extension repository theme.
kerberos_ldap_group: Fix 'error during setup of Kerberos credential cache'
Ignore Range headers with unidentifiable byte-range values
Use v3 for fake certificate if we add _any_ certificate extension.
Fix regression in rev.13156
Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formatting codes
Enable compile-time override for MAXTCPLISTENPORTS
ntlm_sspi_auth: fix various build errors
negotiate_wrapper: vfork is not portable
Windows: fix iphlpapi.h include case-sensitivity
Windows: correct libsspwin32 API for SSP_LogonUser()
negotiate_sspi_auth: Portability fixes for MinGW
ext_lm_group_acl: portability fixes for MinGW
SourceFormat Enforcement
Bug 4080: worker hangs when client identd is not responding
Bug 3966: Add KeyEncipherment when ssl-bump substitutes RSA for EC.
Reduce cache_effective_user was leaking $HOME memory
Upstream changes:
5.33 2014-08-24
- Improved Mojo::Date to be able to handle higher precision times.
- Improved Mojo::ByteStream performance.
5.32 2014-08-21
- Added to_datetime method to Mojo::Date.
- Improved Mojo::Date to support RFC 3339.
5.31 2014-08-19
- Improved Mojolicious::Static to allow custom content types.
- Improved url_for performance.
5.30 2014-08-17
- Improved Mojolicious::Static to only handle GET and HEAD requests.
- Improved Mojo::URL performance.
- Improved url_for performance slightly.
- Fixed bug where DATA sections sometimes got corrupted after forking, which
caused applications to fail randomly.
- Fixed Mojo::IOLoop::Client to use a timeout for every connection.
5.29 2014-08-16
- Added helpers method to Mojolicious::Controller.
- Improved performance of .ep templates slightly.
- Fixed "0" value bug in Mojolicious::Plugin::EPRenderer.
We had 2 previously undetected regressions in 3.0.4. These are now fixed.
One small new feature also snuck into this release: apphooks and plugin registration now work as decorators.
If you are running 3.0.4 please upgrade.
- reversion.register() can now be used as a class decorator
- Danish translation
- Improvements to Travis CI integration
- Simplified Chinese translation
- Minor bugfixes and documentation improvement
Security fixes:
* Issue: reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
* Issue: file upload denial of service (CVE-2014-0481)
* Issue: RemoteUserMiddleware session hijacking (CVE-2014-0482)
* Issue: data leakage via querystring manipulation in admin (CVE-2014-0483)
kamelderouiche.
WebOb provides wrappers around the WSGI request environment, and an
object to help create WSGI responses.
The objects map much of the specified behavior of HTTP, including
header parsing and accessors for other standard parts of the
environment.
WebDriver is a tool for writing automated tests of websites. It aims to mimic
the behaviour of a real user, and as such interacts with the HTML of the
application.
* Add google back to openid selector. Apparently this has gotten a stay
of execution until April 2015. (It may continue to work until 2017.)
* highlight: Add compatibility with highlight 3.18, while still supporting
3.9+. Closes: #757679
Thanks, David Bremner
* highlight: Add support for multiple language definition directories
Closes: #757680
Thanks, David Bremner
pkgsrc changes:
* Add ikiwiki-highlight option that pulls in textproc/p5-highlight,
for syntax highlighting code blocks (or entire source files).
The build will now fall back to pure-python mode if the C
extension fails to build for any reason (previously it would
fall back for some errors but not others).
IOLoop.call_at and IOLoop.call_later now always return a timeout
handle for use with IOLoop.remove_timeout.
If any callback of a PeriodicCallback or IOStream returns a
Future, any error raised in that future will now be logged
(similar to the behavior of IOLoop.add_callback).
Fixed an exception in client-side websocket connections when
the connection is closed.
simple_httpclient once again correctly handles 204 status codes with no content-length header.
Fixed a regression in simple_httpclient that would result in
timeouts for certain kinds of errors.
Changes:
* Fixes a possible denial of service issue in PHP’s XML processing, reported by
Nir Goldshlager of the Salesforce.com Product Security Team. Fixed by Michael
Adams and Andrew Nacin of the WordPress security team and David Rothstein of
the Drupal security team.
* Fixes a possible but unlikely code execution when processing widgets
(WordPress is not affected by default), discovered by Alex Concha of the
WordPress security team.
* Prevents information disclosure via XML entity attacks in the external GetID3
library, reported by Ivan Novikov of ONSec.
* Adds protections against brute force attacks against CSRF tokens, reported by David
Tomaschik of the Google Security Team.
* Contains some additional security hardening, like preventing cross-site
scripting that could be triggered only by administrators.
Changes with nginx 1.7.4 05 Aug 2014
*) Security: pipelined commands were not discarded after STARTTLS
command in SMTP proxy (CVE-2014-3556); the bug had appeared in 1.5.6.
Thanks to Chris Boulton.
*) Change: URI escaping now uses uppercase hexadecimal digits.
Thanks to Piotr Sikora.
*) Feature: now nginx can be built with BoringSSL and LibreSSL.
Thanks to Piotr Sikora.
*) Bugfix: requests might hang if resolver was used and a DNS server
returned a malformed response; the bug had appeared in 1.5.8.
*) Bugfix: in the ngx_http_spdy_module.
Thanks to Piotr Sikora.
*) Bugfix: the $uri variable might contain garbage when returning errors
with code 400.
Thanks to Sergey Bobrov.
*) Bugfix: in error handling in the "proxy_store" directive and the
ngx_http_dav_module.
Thanks to Feng Gu.
*) Bugfix: a segmentation fault might occur if logging of errors to
syslog was used; the bug had appeared in 1.7.1.
*) Bugfix: the $geoip_latitude, $geoip_longitude, $geoip_dma_code, and
$geoip_area_code variables might not work.
Thanks to Yichun Zhang.
*) Bugfix: in memory allocation error handling.
Thanks to Tatsuhiko Kubo and Piotr Sikora.
Changes with nginx 1.7.3 08 Jul 2014
*) Feature: weak entity tags are now preserved on response
modifications, and strong ones are changed to weak.
*) Feature: cache revalidation now uses If-None-Match header if
possible.
*) Feature: the "ssl_password_file" directive.
*) Bugfix: the If-None-Match request header line was ignored if there
was no Last-Modified header in a response returned from cache.
*) Bugfix: "peer closed connection in SSL handshake" messages were
logged at "info" level instead of "error" while connecting to
backends.
*) Bugfix: in the ngx_http_dav_module module in nginx/Windows.
*) Bugfix: SPDY connections might be closed prematurely if caching was
used.
Changes with nginx 1.7.2 17 Jun 2014
*) Feature: the "hash" directive inside the "upstream" block.
*) Feature: defragmentation of free shared memory blocks.
Thanks to Wandenberg Peixoto and Yichun Zhang.
*) Bugfix: a segmentation fault might occur in a worker process if the
default value of the "access_log" directive was used; the bug had
appeared in 1.7.0.
Thanks to Piotr Sikora.
*) Bugfix: trailing slash was mistakenly removed from the last parameter
of the "try_files" directive.
*) Bugfix: nginx could not be built on OS X in some cases.
*) Bugfix: in the ngx_http_spdy_module.
Changes with nginx 1.7.1 27 May 2014
*) Feature: the "$upstream_cookie_..." variables.
*) Feature: the $ssl_client_fingerprint variable.
*) Feature: the "error_log" and "access_log" directives now support
logging to syslog.
*) Feature: the mail proxy now logs client port on connect.
*) Bugfix: memory leak if the "ssl_stapling" directive was used.
Thanks to Filipe da Silva.
*) Bugfix: the "alias" directive used inside a location given by a
regular expression worked incorrectly if the "if" or "limit_except"
directives were used.
*) Bugfix: the "charset" directive did not set a charset to encoded
backend responses.
*) Bugfix: a "proxy_pass" directive without URI part might use original
request after the $args variable was set.
Thanks to Yichun Zhang.
*) Bugfix: in the "none" parameter in the "smtp_auth" directive; the bug
had appeared in 1.5.6.
Thanks to Svyatoslav Nikolsky.
*) Bugfix: if sub_filter and SSI were used together, then responses
might be transferred incorrectly.
*) Bugfix: nginx could not be built with the --with-file-aio option on
Linux/aarch64.
Changes with nginx 1.7.0 24 Apr 2014
*) Feature: backend SSL certificate verification.
*) Feature: support for SNI while working with SSL backends.
*) Feature: the $ssl_server_name variable.
*) Feature: the "if" parameter of the "access_log" directive.
Changes with nginx 1.5.13 08 Apr 2014
*) Change: improved hash table handling; the default values of the
"variables_hash_max_size" and "types_hash_bucket_size" were changed
to 1024 and 64 respectively.
*) Feature: the ngx_http_mp4_module now supports the "end" argument.
*) Feature: byte ranges support in the ngx_http_mp4_module and while
saving responses to cache.
*) Bugfix: alerts "ngx_slab_alloc() failed: no memory" no longer logged
when using shared memory in the "ssl_session_cache" directive and in
the ngx_http_limit_req_module.
*) Bugfix: the "underscores_in_headers" directive did not allow
underscore as a first character of a header.
Thanks to Piotr Sikora.
*) Bugfix: cache manager might hog CPU on exit in nginx/Windows.
*) Bugfix: nginx/Windows terminated abnormally if the
"ssl_session_cache" directive was used with the "shared" parameter.
*) Bugfix: in the ngx_http_spdy_module.
Update DEPENDS
Upstream changes:
2014-07-24 Release 6.08
Mike Schilli (1):
Requiring Net::HTTP 6.07 to fix IPv6 support
(RT#75618 and https://github.com/libwww-perl/net-http/pull/10)
Jason A Fesler (2):
When the hostname is an IPv6 literal, encapsulate it with [brackets]
before calling Net::HTTP [rt.cpan.org #29468]
Extra steps to make sure that the host address that has a ":" contains
only characters appropriate for an IPv6 address.
John Wittkoski (1):
Fix doc typo for cookie_jar
_______________________________________________________________________________
2014-07-01 Release 6.07
Mike Schilli (5):
Removed Data::Dump references in test suite and dependency in Makefile.PL
Added MANIFEST.SKIP to enable "make manifest".
release script now checks for MacOS to avoid incompatible tarballs
Bumped version number to 6.07
Fixed gnu-incompatible tarball problem ([rt.cpan.org #94844])
Upstream changes:
2014-07-23 Net-HTTP 6.07
Jason Fesler (1):
Opportunistically use IO::Socket::IP or IO::Socket::INET6.
Properly parse IPv6 literal addresses with optional port numbers. [RT#75618]
Upstream changes:
0.13 2014-08-09T22:48:53Z
- Added URI::postgresxc and URI::pgxc, which simply inherit from
URI::pg.
- Added URI::ldapdb, which represents LDAP databases. Patch from Brian
T. Wightman.
Upstream changes:
0.10 2014-06-23
- CPAN Testers looking good after previous developer release.
- Added github repo to pod
0.09_01 2014-06-13
- If you've got caching enabled, and get a 304 response (Not Modified)
with content (from the cache), then is_success() returns true.
Suggested in RT#75665
- Caching now done under the original url rather than the sanitised
version of it. Bug report and patch from Mario Domgoergen RT#39820
- Switched to Dist::Zilla
- Reformatted Changes as per CPAN::Changes::Spec
Upstream changes:
20140709 Wed Jul 9 16:28:37 PDT 2014
New Features
* The "git" scheme is supported. (Schwern)
* svn, ssh and svn+ssh schemes are supported. [rt.cpan.org 57490] (Schwern)
* Added a --schemeless option to urifind. (Schwern)
Bug Fixes
* http:// is no longer matched [rt.cpan.org 63283] (Schwern)
Backwards Incompatibilities
* Previously, URIs stringified to their canonical version. Now
they stringify as written. This results in less loss of
information. For example, "Blah HTTP://FOO.COM" previously
would stringify as "http://foo.com/" and now it will stringify
as "HTTP://FOO.COM". To restore the old behavior you can call
$uri->canonical. (Schwern)
Distribution Changes
* No longer using URI::URL. (Schwern)
* Now requires URI 1.60 for Unicode support. (Schwern)
20140702 Wed Jul 2 13:41:47 PDT 2014
New Features
* IDNA (aka Unicode) domains are now supported. [github 3] (GwenDragon)
* The list of TLDs for schemeless matching has been updated. [github 3] (GwenDragon)
Bug Fixes
* Handle balanced [], {} and quotes in addition to (). [rt.cpan.org 85053] (Schwern)
* Don't mangle IPv6 URLs. [rt.cpan.org 85053] (Schwern)
* Schemeless is more accurate about two letter TLDs. [github 3] (GwenDragon)
Distribution Changes
* Switched the issue tracker to Github. (Schwern)