Change log
* Allow _ as a valid character in file names and URLs. Do not remove #
from file names. It only has a special meaning for URLs.
* Enable unlock on unload for inline edits
Updated packages and products
* Products.CMFPlone 3.1.7
* plone.i18n 1.0.7
* archetypes.kss 1.4.3
Pkgsrc changes:
- Remove now unneeded patch file.
Upstream changes:
1.11 13.11.2008
- removed =begin BUGS section in Pod that was preventing proper display
- fixed perlio layer for pass-through binary files
- ref to PodPOMWeb.css used wrong case (undetected on -Win32!)
- fixed page titles when the name has no "-- description"
- Fixed the following security issues:
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-57 -moz-binding property bypasses security checks on codebase
principals
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin
violation
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-52 Crashes with evidence of memory corruption
(rv:1.9.0.4/1.8.1.18)
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
MFSA 2008-47 Information stealing via local shortcut files
- Fixed several stability issues.
- Official releases for the Icelandic and Thai languages are now available.
- Beta releases for the Bulgarian, Esperanto, Estonian, Latvian, Occitan,
and Welsh languages are available for testing.
- Updated the internal Public Suffix list.
- Fixed an issue where the IME input tool used to enter Japanese, Korean,
Chinese and Indic characters was covered by the "Add Bookmark" panel.
(bug 433340)
- Enabled additional EV root certificates. (bug 451305)
- Fixed an issue where some passwords saved using Firefox 3.0.2 did not
work properly. (bug 457358)
- In some cases, Firefox would not properly save proxy settings for
protocols other than HTTP. (bug 446536)
Security fixes in this version:
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
MFSA 2008-50 Crash and remote code execution via __proto__ tampering
MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
MFSA 2008-48 Image stealing via canvas and HTTP redirect
MFSA 2008-47 Information stealing via local shortcut files
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.18/releasenotes/
authenticate users by checking credentials via the Cyrus SASL library.
This may be interesting for setups where other daemons (e.g. for SMTP, IMAP
or LDAP) already running at a machine use SASL to authenticate users. The
module is also useful to authenticate users against databases that use shadow
passwords. You do not need to elevate Apache HTTPD's access rights to
superuser privileges.
* Added AuthExternalContext directive, which defines a string that will be
passed to the authenticator in the CONTEXT environment variable. This can
be set from the .htaccess file or the <Directory> block to give slightly
different behavior from the same authenticator in different directories.
Thanks to Olivier Thauvin <nanardon at mandriva dot org> for this patch.
* Rewrite external authenticator launching code to use Apache's cross-OS
process/thread library instead of directly calling Unix functions.
Theoretically this should get us much closer to being usable on non-
Unix platforms.
* Support alternate syntax for configuration, using DefineAuthExternal and
DefineAuthGroup commands.
* More detailed error logging.
* Much cleanup of documentation.
Trac 0.11.2 (November 8, 2008)
http://svn.edgewall.org/repos/trac/tags/trac-0.11.2
Trac 0.11.2 contains two security fixes and a couple of bug fixes.
The following list contains only a few highlights:
Bug fixes:
* Fixes potential DOS vulnerability with certain wiki markup. Reported by
Matt Murphy.
* Improved HTML sanitizer filter to detect possible phishing attempts.
Reported by Simon Willison.
* MySQL db backend improvement (reconnect after idle timeout #4465)
* TicketQuery speed improvements (#6436)
* Fixes for RSS feeds (timeline entries no longer truncated #7316, no longer
download some feeds under Firefox #3899)
* Search now works for custom fields (#2530)
* Same order for ticket fields for new and existing tickets (#7018)
* Enforce fine-grained permission for "quickjump" search results (#7655)
* E-mail obfuscation was not done in a few remaining places (#7688, #6532)
* Uninstall of plugins from WebAdmin was not working - feature disabled
for now
* More robust pagination of results for reports and custom queries (#7424,
#7544)
* Support for newer version of pygments (#7622)
* Documentation updated (#7603, #7205, #7318)
Minor improvements:
* Better support for Wiki page hierarchy (show path #2780, link to
parent #2150)
* Custom query allows searching in description and other text fields (#4824)
- took maintainership
- added depends on p5-Test-Warn
Changelog:
0.07 Wed Sep 24 17:08:34 EDT 2008
- Code was silently truncating storage to MySQL, rendering the
session unreadable. Patched to check DBIx::Class size from
column_info (if available)
- Wrap find_or_create calls in a transaction to (hopefully)
avoid issues with duplicate flash rows
- took maintainership
ChangeLog:
0.108 2008-09-25
Adding SimpleDB realm to simplify basic auth configuration
Changing user_class to user_model, per req. by mst to avoid confusing newbies.
0.107 2008-09-29
Fix the typo in exception during authenticate
Doc fixes and clarifications
Added missing dependency on Catalyst::Model::DBIC::Schema to Makefile.PL
0.105 2008-03-19
Throw an exception if no fields are provided during authenticate
- better than retrieving a random user.
- still possible to do an empty search by using searchargs
- took maintainership
Changelog:
0.10007 2008-10-23
- Updating config to allow for inclusion of realm ref's in the main
config hash rather than in a subref called 'realms'
0.10007 2008-08-17
- Update tests prereqs to include Test::Exception (RT #36339)
- Some documentation fixes (including RT #36062)
- Compatibility fix where the use of new style config and old
style Authentication::Store::Minimal would cause a crash
(Reported & fixed by Jos Boumans C<kane@cpan.org>)
- Documentation update on Password - to indicate proper field naming
- Decouple Authentication system from session. The realm class
now allows complete control over how a user is persisted across
requests.
- pod fixes (RT #36062, RT #36063)
- took maintainership
ChangeLog:
5.7014 04 Nov 2008
- Remove a reference to a FOREACH loop that did not exist (RT #39046)
- Changed some Template Toolkit links to perldoc links (RT #38354)
- Fix Template Toolkit website link (RT #37574)
- Fix part numbering (RT #37963)
- Improvements to the ACCEPT_CONTEXT docs in Manual::Intro
- Happy Election Day, America!
2008-11-05 Release 5.820
Main news is the ability to control the heuristics used to determine
the expiry time for response objects.
Gisle Aas (8):
Reformat later parts of Changes
Add a paragraph to summarize the motivation for releases since 5.815
all_pod_files_ok();
Fix POD markup error
Calculation of current_age with missing Client-Date.
The age/freshness methods now take an optional 'time' argument
More correct matching of 'max-age' in freshness_lifetime method
The freshness_lifetime method now supports options to control its heuristics
Pkgsrc changes:
- Add dependency on mail/p5-MIME-Types
- Add minor patch to fix POD formatting
Upstream changes:
1.10 07.11.2008
- passthrough for non-POD files (i.e. images, css, etc.)
- clicking hrefs in the TOC really loads the pages
- recompute height of treeNavigator
- alphabetical sort of Perl docs in each section
- sync displayed pages / TOC
- tooltips for Perl docs
- fixed hyperlinks in perlfunc
- initial page is 'perl' instead of 'perlintro', with hyperlinks
Changes:
1.10
treeNavigator
- new option noPingOnFirstClick
- new option treeTabIndex
- by default, tree element gets tabIndex 0
- better focus management when quick navigation through keys
- doubleClick handler
- up/down at end of tree falls back to default navigator behaviour
choiceList
- new option choiceItemTagName
autoCompleter
- multivalued
- click handler on dropdown lists
- new options :
completeOnTab
actionItems
multivalued
multivalue_separator
choiceItemTagName
htmlWrapper
observed_scroll
additional_params
http_method
to make directory name match PKGNAME.
This is CGI_Lite.pm, a light-weight easy-to-use Perl5 library for writing
forms-based World Wide Web CGI scripts.
- drop allowing dependency on php-pgsql since TYPOlight's framework
has support for PostgreSQL (and some other databases), but TYPOlight
itself runs with MySQL only.
- Add typolight-liveupdate option which allows using TYPOlight Live Update
service, though it inherently conflicts with pkgsrc's framework.
Version 2.6.2 (2008-11-01)
--------------------------
- Updated TinyMCE to version 3.2.0.2
- Improved TinyMCE plugin "typolinks" (#111)
- Added extension repository client
- Added front end module "article navigation"
- Added automatic insertion of the invisible copyright notice
- Added option to copy or move news and events between archives
- Added hook "addCustomRegexp" to add custom regular expressions to widgets
- Added workaround to determine the server IP on Strato servers (#113)
- Added option to add labels to back end drop-down menus (#5)
- Added config/langconfig.php to store custom labels (#119)
- Added a close button to the preview pane (#188)
- Added classes "first" and "last" to comments (#183)
- Added insert tag "image" to insert resized images (#55)
- Added the creator's name to tasks in the task list (#136)
- Added option to define date formats per root page (#190)
- Added event titles to calendar RSS/Atom feeds (#50)
- Fixed a small issue with the style sheet importer (#117)
- Fixed issue with mandatory select menus not throwing errors (#45)
- Fixed issue with flash movies being displayed in the back end (#121)
- Fixed issue with limited number of archives/calendars in front end modules (#159)
- Fixed issue with external news items without text not showing the "read more" link (#128)
- Fixed issue with module personal data not updating newsletter subscriptions (#149)
- Fixed issue with article teaser links not working with empty page ID (#180)
- Fixed issue with Analytics ID being shown in the front end preview (#103)
- Fixed issue with multi-day events and daylight saving time (#199)
- Fixed issue with incorrect e-mail address validation (#182)
- Fixed issue with style sheets not being written after import (#184)
- Fixed a few minor bugs
as well as support for boehm-gc and utf8. Myriad bug fixes.
I've switched the javascript support library over to lang/see,
as it seems to work better. If a release does not come out by
the next branch, I will package a snapshot, as it seems like
they've fixed even more bugs in the development tree.
* 6 Sep 2008 -- An image like XXX doesn't look as good as the same image XXX
that's vertically aligned with your surrounding text. Along with several
standard HTTP header fields, mimeTeX now also emits a special
Vertical-Align: -nn header, where -nn is the number of pixels (usually
negative as illustrated) needed for a style="Vertical-Align: -nn px"
attribute in the <img> tag used to render your expression.
See the mimeTeX manual for further discussion.
* 5 Sep 2008 -- Users running mimeTeX as a Win32 DLL with Shital Shah's Code
Project reported that color directives aren't reset, e.g., an expression
containing \red is rendered red as directed, but all subsequent images are
red, too.
This has been fixed (along with several similar bugs nobody noticed).
It never affected users running mimeTeX in the usual way, as a cgi.
- Don't set MAINTAINER and HOMEPAGE variables here, they should be set by
individual packages including this file (I don't want to implicitly be
maintainer for all packages including this Makefile fragment).
- SECURITY: CVE-2008-2939 (cve.mitre.org)
mod_proxy_ftp: Prevent XSS attacks when using wildcards in the path of
the FTP URL. Discovered by Marc Bevand of Rapid7. [Ruediger Pluem]
- Allow for smax to be 0 for balancer members so that all idle
connections are able to be dropped should they exceed ttl.
Apache Bug #43371 [Phil Endecott <spam_from_apache_bugzilla chezphil.org>,
Jim Jagielski]
- mod_proxy_http: Don't trigger a retry by the client if a failure to
read the response line was the result of a timeout.
[Adam Woodworth <mirkperl gmail.com>]
- Support chroot on Unix-family platforms
Apache Bug #43596 [Dimitar Pashev <mitko banksoft-bg.com>]
- mod_ssl: implement dynamic mutex callbacks for the benefit of
OpenSSL. [Sander Temme]
- mod_proxy_balancer: Add 'bybusyness' load balance method.
[Joel Gluth <joelgluth yahoo.com.au>, Jim Jagielski]
- mod_authn_alias: Detect during startup when AuthDigestProvider
is configured to use an incompatible provider via AuthnProviderAlias.
Apache Bug #45196 [Eric Covener]
- mod_proxy: Add 'scolonpathdelim' parameter to allow for ';' to also be
used as a session path separator/delim Apache Bug #45158. [Jim Jagielski]
- mod_charset_lite: Avoid dropping error responses by handling meta buckets
correctly. Apache Bug #45687 [Dan Poirier <poirier pobox.com>]
- mod_proxy_http: Introduce environment variable proxy-initial-not-pooled to
avoid reusing pooled connections if the client connection is an initial
connection. Apache Bug #37770. [Ruediger Pluem]
- mod_rewrite: Allow Cookie option to set secure and HttpOnly flags.
Apache Bug #44799 [Christian Wenz <christian wenz.org>]
- mod_ssl: Rewrite shmcb to avoid memory alignment issues.
Apache Bug #42101. [Geoff Thorpe]
- mod_proxy: Add connectiontimeout parameter for proxy workers in order to
be able to set the timeout for connecting to the backend separately.
Apache Bug #45445. [Ruediger Pluem, rahul <rahul sun.com>]
- mod_dav_fs: Retrieve minimal system information about directory
entries when walking a DAV fs, resolving a performance degradation on
Windows. Apache Bug #45464. [Joe Orton, Jeff Trawick]
- mod_cgid: Pass along empty command line arguments from an ISINDEX
query that has consecutive '+' characters in the QUERY_STRING,
matching the behavior of mod_cgi.
[Eric Covener]
- mod_headers: Prevent Header edit from processing only the first header
of possibly multiple headers with the same name and deleting the
remaining ones. Apache Bug #45333. [Ruediger Pluem]
- mod_proxy_balancer: Move nonce field in the balancer manager page inside
the html form where it belongs. Apache Bug #45578. [Ruediger Pluem]
- mod_proxy_http: Do not forward requests with 'Expect: 100-continue' to
known HTTP/1.0 servers. Return 'Expectation failed' (417) instead.
[Ruediger Pluem]
- mod_rewrite: Preserve the query string when [proxy,noescape].
Apache Bug #45247. [Tom Donovan]
pkgsrc related note:
The security fix for CVE-2008-2939 has already been integrated as patch
before this update.
Catalyst plugin to force the application to restart server processes
when they reach a configurable memory threshold. Memory checks are
performed every 'N' requests. This is intended as a band-aid to
deal with problems like memory leaks; it's here to buy you time to
find and solve the underlying issues.
ssl, as there is no reason for it to be package-specific.
Most visible changes:
- Switch from GTK1 to FLTK2
- Tabbed browsing
- Downloads and FTP now work (at the expense of a wget dependency)
== Ruby-GNOME2 0.18.1: 2008-10-23
This release is a bug fix release of 0.18.0.
=== Changes
Ruby/GTK2:
* fix a bug that init function is deleted. [Kouhei Sutou]