* ikiwiki-mass-rebuild: Fix tty hijacking vulnerability by using su.
(Once su's related bug #628843 is fixed.) Thanks, Ludwig Nussel.
(CVE-2011-1408)
* search: Update search page when page.tmpl or searchquery.tmpl are locally
modified.
* Danish translation update. Closes: #625721
* Danish underlay translation update. Closes: #625765
(Thanks, Jonas Smedegaard)
* Support YAML::XS by not passing decoded unicode to Load. Closes: #625713
* openid, aggregate, pinger: Use Net::INET6Glue if available to
support making ipv6 connections. (Note that if LWPx::ParanoidAgent
is installed, it defeats this for openid.)
* Add additional directive quoting styles, to better support nested
directives. Both triple-single-quote and heredoc quotes can be used.
(Thanks, Timo Paulssen)
* Changed license of madduck's python plugins from GPL-2 to BSD-2-clause.
* po: support language codes in the form of 'es_AR', and 'arn'. (intrigeri)
Closes: #627844
* po: Make po4a warn, not error on a malformed document. (intrigeri)
* Support the Hiawatha web server which sets HTTPS=off rather than not
setting it. (There does not seem to be a standard here.)
pkgsrc changes:
* Adjust local modifications to improve our upstream chances.
* Quell pkglint.
* Indent consistently.
Version 1.6.17
(01 Jun 2011, from /branches/1.6.x)
http://svn.apache.org/repos/asf/subversion/tags/1.6.17
User-visible changes:
* improve checkout speed on Windows (issue #3719)
* make 'blame -g' more efficient on with large mergeinfo (r1094692)
* avoid some invalid handle exceptions on Windows (r1095654)
* preserve log message with a non-zero editor exit (r1072084)
* fix FSFS cache performance on 64-bit platforms (r1103665)
* make svn cleanup tolerate obstructed directories (r1091881)
* fix deadlock in multithreaded servers serving FSFS repositories (r1104093)
* detect very occasional corruption and abort commit (issue #3845)
* fixed: file externals cause non-inheritable mergeinfo (issue #3843)
* fixed: file externals cause mixed-revision working copies (issue #3816)
* fix crash in mod_dav_svn with GETs of baselined resources (r1104126)
See CVE-2011-1752, and descriptive advisory at
http://subversion.apache.org/security/CVE-2011-1752-advisory.txt
* fixed: write-through proxy could direcly commit to slave (r917523)
* detect a particular corruption condition in FSFS (r1100213)
* improve error message when clients refer to unkown revisions (r939000)
* bugfixes and optimizations to the DAV mirroring code (r878607)
* fixed: locked and deleted file causes tree conflict (issue #3525)
* fixed: update touches locked file with svn:keywords property (issue #3471)
* fix svnsync handling of directory copyfrom (issue #3641)
* fix 'log -g' excessive duplicate output (issue #3650)
* fix svnsync copyfrom handling bug with BDB (r1036429)
* server-side validation of svn:mergeinfo syntax during commit (issue #3895)
* fix remotely triggerable mod_dav_svn DoS
See CVE-2011-1783, and descriptive advisory at
http://subversion.apache.org/security/CVE-2011-1783-advisory.txt
* fix potential leak of authz-protected file contents
See CVE-2011-1921, and descriptive advisory at
http://subversion.apache.org/security/CVE-2011-1921-advisory.txt
Developer-visible changes:
* fix reporting FS-level post-commit processing errors (r1104098)
* fix JVM recognition on OS X Snow Leopard (10.6) (r1028084)
* allow building on Windows with recent Expat (r1074572)
== Changes
= Changes in 2.2.1 =
Jun 2, 2011 - version 2.2.1
* Bug fixes
* For Lighttpd + PUT/POST support, do not send a request using chunked
encoding when IO respond to :size, File for example.
- There is no need to send query with Transfer-Encoding: chuncked when
IO respond to :size.
- Lighttpd does not support PUT, POST with Transfer-Encoding: chuncked.
You will see that the lighty respond with 200 OK, but there is a file
whose size is zero.
LIMITATION:
timeout occurs certainly when you send very large file and
@send_timeout is default since HTTPClient::Session#query() assumes
that *all* write are finished in @send_timeout sec not each write.
WORKAROUND:
increment @send_timeout and @receive_timeout or set @send_timeout and
@receive_timeout to 0 not to be timeout.
This fix is by TANABE Ken-ichi <nabeken@tknetworks.org>. Thanks!
* Allow empty http_proxy ENV variable. Just treat it the same as if it's
nil/unset. This fix is by Ash Berlin <ash_github@firemirror.com>.
Thanks!
* Check EOF while reading chunked response and close the session. It
raised NoMethodError.
* Changes
* Updated trusted CA certificates file (cacert.p7s and cacert_sha1.p7s).
CA certs are imported from
'Java(TM) SE Runtime Environment (build 1.6.0_25-b06)'.
* Changed default chunk size from 4K to 16K. It's used for reading size
at a time.
Drupal 6.22, 2011-05-25
----------------------
- Made Drupal 6 work better with IIS and Internet Explorer.
- Fixed .po file imports to work better with custom textgroups.
- Improved code documentation at various places.
- Fixed a variety of other bugs.
mirrored by NetBSD.org, had completely hosed file permissions; plus,
it differed in size (but not version) from the distfile available from
the sourceforge project site.
Since the latter actually works, I updated the checksum to use it.
* Various security hardening by Alexander Concha.
* Taxonomy query hardening by John Lamansky.
* Prevent sniffing out user names of non-authors by using canonical redirects. Props Verónica Valeros.
* Media security fixes by Richard Lundeen of Microsoft, Jesse Ou of Microsoft, and Microsoft Vulnerability Research.
* Improves file upload security on hosts with dangerous security settings.
* Cleans up old WordPress import files if the import does not finish.
* Introduce "clickjacking" protection in modern browsers on admin and login pages.
Jekyll is a simple, blog aware, static site generator. It takes a
template directory (representing the raw form of a website), runs it
through Textile or Markdown and Liquid converters, and spits out a
complete, static website suitable for serving with Apache or your
favorite web server. This is also the engine behind GitHub Pages,
which you can use to host your project's page or blog right here
from GitHub.
Upstream changes:
Version 3.54, Apr 28, 2011
No code changes
[INTERNALS]
- Address test failures in t/tmpdir.t, thanks to Niko Tyni.
Some tests here are failing on some platforms and have been marked as TODO.
Version 3.53, Apr 25, 2011
[NEW FEATURES]
- The DELETE HTTP verb is now supported.
(RT#52614, James Robson, Eduardo Ari#o de la Rubia)
[INTERNALS]
- Correct t/tmpdir.t MANIFEST entry. (RT#64949)
- Update minimum required Perl version to be Perl 5.8.1, which
has been out since 2003. This allows us to drop some hacks
and exceptions (Mark Stosberg)
Version 3.52, Jan 24, 2011
[DOCUMENTATION]
- The documentation for multi-line header handling was been updated to reflect
the changes in 3.51. (Mark Stosberg, ntyni@iki.fi)
[INTERNALS]
- Add missing t/tmpfile.t file. (RT#64949)
- Fix warning in t/cookie.t (RT#64570, Chris Williams, Rainer Tammer, Mark Stosberg)
- Fixed logic bug in t/multipart_init.t (RT#64261, Niko Tyni)
Version 3.51, Jan 5, 2011
[NEW FEATURES]
- A new option to set $CGI::Carp::TO_BROWSER = 0, allows you to explicitly
exclude a particular scope from triggering printing to the browser when
fatatlsToBrowser is set. (RT#62783, Thanks to papowell)
- The <script> tag now supports the "charset" attribute.
(RT#62907, Thanks to Fabrice Metge)
- In CGI::Cookie, "Max-Age" is now supported for better spec compliance.
(Mark Stosberg)
[BUG FIXES]
- Setting charset() now works for all content types, not just "text/*".
(RT#57945, Thanks to Yanick and Gerv.)
- support for user temporary directories ($HOME/tmp) was commented out
in 2.61 but the documentation wasn't updated (Peter Gervai, Niko Tyni)
- setting $CGITempFile::TMPDIRECTORY before loading CGI.pm has been
working but undocumented since 3.12 (which listed it in Changes as
$CGI::TMPDIRECTORY) (Peter Gervai, Niko Tyni)
- unfortunately the previous change broke the runtime check for looking
for a new temporary directory if the current one suddenly became
unwritable (Peter Gervai, Niko Tyni)
- A bug was fixed in CGI::Carp triggered by certain death cases in
the BEGIN phase of parent classes.
(RT#57224, Thanks to UNERA, Yanick Champoux, Mark Stosberg)
- CGI::Cookie->new() now follows the documentation and returns undef
if the -name and -value args aren't provided. This new behavior is also
consistent with the docs and code of CGI::Simple::Cookie. (Mark Stosberg)
- CGI::Cookie->parse() now trims leading and trailing whitespace from cookie
elements as intended. The change also makes this part of the parsing
identical to CGI::Simple::Cookie (Mark Stosberg)
- Temp file handling was improved (RT#62762)
[SECURITY]
- Further improvements have been made to guard against newline injections
in headers. (Thanks to Max Kanat-Alexander, Yanick Champoux, Mark Stosberg)
[PERFORMANCE]
- Make EBCDIC a compile-time constant so there's zero overhead (and less
compiled code) in subroutines that test for it. (Tim Bunce)
- If you just want to use CGI::Cookie, CGI.pm will no longer be loaded
unless you call the bake() method, which requires it. (Mark Stosberg)
[DOCUMENTATION]
- quit referring to the <link> tag as being "rarely used". (Victor Sanders)
- typo and whitespace fixes (RT#62785, thanks to scop@cpan.org)
- The -dtd argument to start_html() is now documented
(RT#60473, Thanks to giecrilj and steve@fisharerojo.org)
- CGI::Carp doc are updated to reflect that it can work with mod_perl 2.0.
- when creating a temporary file in the directory fails, the error message
could indicate the root of the problem better (Peter Gervai, Niko Tyni)
[INTERNALS]
- Re-fixing https test in http.t. (RT#54768, thanks to SPROUT)
- param_fetch no longer triggers a warning when called with no arguments (ysth, Mark Stosberg)
Version 3.50, Nov 8, 2010
[SECURITY]
1. The MIME boundary in multipart_init is now random.
Thanks to Byron Jones, Masahiro Yamada, Reed Loden, and Mark Stosberg
2. Further improvements to handling of newlines embedded in header values.
An exception is thrown if header values contain invalid newlines.
Thanks to Michal Zalewski, Max Kanat-Alexander, Yanick Champoux,
Lincoln Stein, Fr#d#ric Buclin and Mark Stosberg
[DOCUMENTATION]
1. Correcting/clarifying documentation for param_fetch(). Thanks to
Ren#e B#cker. (RT#59132)
[INTERNALS]
1. Fixing https test in http.t. (RT#54768)
2. Tests were added for multipart_init(). Thanks to Mark Stosberg and CGI::Simple.
- Revert ABI breakage in 2.2.18 caused by the function signature change
of ap_unescape_url_keep2f(). This release restores the signature from
2.2.17 and prior, and introduces ap_unescape_url_keep2f_ex().
[Eric Covener]
Version 2.9.5 (2011-05-18)
--------------------------
- Updated: updated TCPDF to version 5.9.061 (#2929)
- Added: IE9 compatibility
- Added: added the Swedish editArea translation (#3016)
- Fixed: the code editor did not show up in the file manager (#2922)
- Fixed: the RSS reader did not parse HTML code correctly (#2918)
- Fixed: not all option callbacks worked correctly in override multiple mode (#2976)
- Fixed: the textarea widget did not support the readonly attribute (#2997)
- Fixed: the personal data modules did not handle checkbox fields (#3063)
- Fixed some minor issues
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
HTTP::OAI is a stub module.
HTTP::OAI::Harvester is the harvesting front-end in the OAI-PERL library.
To harvest from an OAI-PMH compliant repository create an HTTP::OAI::Harvester
object using the baseURL option and then call OAI-PMH methods to request data
from the repository. To handle version 1.0/1.1 repositories automatically you
must request Identify() first.
It is recommended that you request an Identify from the Repository and use the
repository() method to update the Identify object used by the harvester.
When making OAI requests the underlying HTTP::OAI::UserAgent module will take
care of automatic redirection (http code 302) and retry-after (http code 503).
OAI-PMH flow control (i.e. resumption tokens) is handled transparently by
HTTP::OAI::Response.
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
Original HTML::Template is written by Sam Tregar, sam@tregar.com with
contributions of many people mentioned there. Their efforts caused
HTML::Template to be mature html tempate engine which separate perl code and
html design. Yet powerful, HTML::Template is slow, especially if mod_perl isn't
available or in case of disk usage and memory limitations.
HTML::Template::Pro is a fast lightweight C/Perl+XS reimplementation of
HTML::Template (as of 2.9) and HTML::Template::Expr (as of 0.0.7). It is not
intended to be a complete replacement, but to be a fast implementation of
HTML::Template if you don't need quering, the extended facility of
HTML::Template. Designed for heavy upload, resource limitations, abcence of
mod_perl.
HTML::Template::Pro has complete support of filters and HTML::Template::Expr's
tag EXPR="<expression>", including user-defined functions and construction
<TMPL_INCLUDE EXPR="...">.
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
This library can be used by CGI::Session to serialize session data.
It uses YAML, or the faster C implementation, YAML::Syck if it is available.
YAML serializers exist not just for Perl but also other dynamic languages,
such as PHP, Python, and Ruby, so storing session data in this format makes it
easy to share session data across different languages.
YAML is made to be friendly for humans to parse as well as other computer
languages. It creates a format that is easier to read than the default
serializer.
This package was submited as part of PR pkg/43929 which adds the Koha Integrated Library System
submitted by Edgar Fuß
-------------------------------------
CGI::Session::Driver::memcached is CGI::Session driver for memcached.
