This release addresses a series of locally exploitable security problems
discovered since PHP 4.4.3. All PHP users are encouraged to upgrade to this
release as soon as possible.
This release provides the following security fixes:
* Added missing safe_mode/open_basedir checks inside the error_log(),
  file_exists(), imap_open() and imap_reopen() functions.
* Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
* Fixed possible open_basedir/safe_mode bypass in cURL extension.
* Fixed overflow in GD extension on invalid GIF images.
* Fixed a buffer overflow inside sscanf() function.
* Fixed memory_limit restriction on 64 bit system.
${EXTRACT_SUFX}, so one can directly use EXTRACT_ONLY instead.
EXTRACT_ONLY defaults to ${DISTFILES} which in turn defaults to
${DISTNAME}${EXTRACT_SUFX}. So if EXTRACT_SUFX is relevant for determining
which tools are needed this can only happen if neither DISTFILES nor
EXTRACT_ONLY have been set by the package, in which case the relevant
variable EXTRACT_ONLY would contain EXTRACT_SUFX.
shntool is a multi-purpose WAVE data processing and reporting utility.
File formats are abstracted from its core, so it can process any file
that contains WAVE data, compressed or not - provided there exists a
format module to handle that particular file type.
* Number of bug fixes
* New option to help to avoid a potential denial of service in IAX2 channel driver
* Support for TE407P and TE412P quad T1/E1 interface cards
> Can everyone now agree that there are no more hangs? :)
>
> * Require that Dovecot master process's version number matches the
> child process's, unless version_ignore=yes. Usually it's an
> accidental installation problem if the version numbers don't match.
> * Maildir: Create maildirfolder file when creating new maildirs.
>
> + ldap+prefetch: Use global uid/gid settings if LDAP query doesn't
> return them
> + %variables: Negative offsets count from the end of the string.
> Patch by Johannes Berg.
> - kqueue ioloop code rewrite
> - notify=kqueue might have caused connection hangs sometimes
> - deliver: If message body contained a valid mbox From_ line, it
> and the rest of the message was skipped.
> - mbox: We got into infinite loops if trying to open a 2 byte sized
> file as mbox.
> - Don't crash with ssl_disable=yes
> - quota plugin caused compiling problems with some OSes
> - mbox: After saving a mail to a synced mbox, we lost the sync which
> caused worse performance
>
> I think my v1.0 TODO list is:
>
> - avoid duplicate flag change notifications, or in case the message is
> also expunged don't bother notifying its flag changes at all
> (shouldn't be hard)
> - HFS+ avoid-hardlinks patch?
> - 32bit -> 64bit upgrade still doesn't work without assert-crashing:
> mail-cache-transaction.c: line 709 (mail_cache_add): assertion failed:
> (fixed_size == (unsigned int)-1 || fixed_size == data_size)
> - Courier-compatible INBOX. namespace gives "invalid namespace" errors
>
> I'm still not sure about the last one though. Could someone give me
> specific commands that clients send that causes it?
>
> As for the 32bit -> 64bit upgrade fix, could someone give me access to a
> x86-64 machine for a while to test it out?
Overview of Changes from GLib 2.12.1 to GLib 2.12.2
===================================================
* Unicode updates:
  - Normalization is following Unicode TR #29
  - g_unichar_isxdigit() only accepts characters
    for which g_unichar_xdigit_value() returns a value
  - g_unichar_toupper and g_unichar_tolower leave
    unconvertible characters in place instead of
    replacing them by NUL
* Bugs fixed
  348491 g_utf8_strup() and g_utf8_strdown() returns
         string with NUL bytes
  349825 GKeyFile always inserts a newline before a group
  347842 g_unichar_isxdigit() is too general about what
         it considers a digit
  348694 g_utf8_normalize() hasn't been updated to PR #29
  348785 Hint about G_DEBUG in Message Logging docs
  349792 Wrong english string (UI)
  349952 gparamspecs.c uses gcc feature
* Translation updates (ca,cs,de,dz,es,eu,fi,gu,ko,
  nl,pl,tr,uk,zh_HK,zh_TW)
Major changes compared to the IMP H3 (4.1.2) version are:
* Added server configuration option to limit number of login tries.
* Added link to view attached S/MIME key details.
* Fixed escaping of folder names.
* Updated Catalan, German and Slovenian translations.
* Several small bugfixes and improvements.
The full list of changes (from version H3 (4.1.2)) can be viewed here:
http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.194&r2=1.699.2.206&ty=h
Major changes compared to Horde 3.1.2 are:
* Security Fixes
  - Closed an XSS problem in index.php and improved protection against
    phishing attempts.
* Bugfixes and improvements
  - Added Kolab group ACL support.
  - Improved import of date and time fields.
  - Fixed synchronization support.
  - Updated Catalan, German and Slovenian translations.
The full list of changes (from version 3.1.2) can be viewed here:
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.252&r2=1.515.2.261&ty=h