Add URL.normalize() method, which applies five normalizations from RFC 3986 (sections 2.3, 2.1, 3.2.2, 6.2.2.3, 6.2.3). See the docs for more details.
Enable URL.click() to accept a URL object as a target.
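The five RFC 3986 normalizations listed above, worked through in Python as an added example (not the library's own implementation); it assumes http/https URLs without IPv6 host literals, and canonicalizing like this before an allowlist or same-origin comparison is what stops trivially different spellings of one URL from slipping past the check.

```python
# Added example: RFC 3986 normalizations 2.3, 2.1, 3.2.2, 6.2.2.3 and 6.2.3
# with the standard library only. Assumes http/https, no IPv6 literals.
import re
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
UNRESERVED_MARKS = "-._~"


def normalize_percent(s: str) -> str:
    """2.3: decode percent-encoded unreserved chars; 2.1: uppercase the rest."""
    def fix(m):
        ch = chr(int(m.group(1), 16))
        if (ch.isascii() and ch.isalnum()) or ch in UNRESERVED_MARKS:
            return ch                       # %7e -> ~, %41 -> A
        return "%" + m.group(1).upper()     # %2f stays encoded, as %2F
    return re.sub(r"%([0-9A-Fa-f]{2})", fix, s)


def remove_dot_segments(path: str) -> str:
    """6.2.2.3: resolve '.' and '..' segments of an absolute path."""
    out = []
    segs = path.split("/")
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == ".":
            if last:
                out.append("")              # "/a/." -> "/a/"
            continue
        if seg == "..":
            if len(out) > 1:
                out.pop()                   # never climb above the root
            if last:
                out.append("")              # "/a/b/.." -> "/a/"
            continue
        out.append(seg)
    return "/".join(out)


def normalize(url: str) -> str:
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()       # 3.2.2: host is case-insensitive
    port = p.port
    if port == DEFAULT_PORTS.get(scheme):   # 6.2.3: drop the scheme's default port
        port = None
    netloc = host if port is None else f"{host}:{port}"
    userinfo = p.netloc.rpartition("@")[0]  # keep user:pass@ untouched if present
    if userinfo:
        netloc = userinfo + "@" + netloc
    path = remove_dot_segments(normalize_percent(p.path))
    if host and not path:
        path = "/"                          # 6.2.3: empty path is equivalent to "/"
    return urlunsplit((scheme, netloc, path,
                       normalize_percent(p.query), normalize_percent(p.fragment)))
```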
* moz.build: CONFIG['OS_TEST'] is apparently CPU, not MACHINE, so use
'powerpc' instead of the longish list of powerpc ports.
* xptcinvoke_asm_ppc_netbsd.s: adapt to use of NS_InvokeByIndex()
* xptcinvoke_ppc_netbsd.cpp: adapt to use of NS_InvokeByIndex()
* xptcstubs_ppc_netbsd.cpp: adapt in the direction of xptcstubs_ppc_linux.cpp;
this has apparently not been build-tested in a while.
The current stumbling block is the lack of 64-bit atomic operations.
No PKGREVISION bump as this is a partial build fix only for NetBSD/powerpc.
Bugfixes
- Athena will now time requests out client-side rather than waiting forever (up
to the browser timeout, at least) for a server response that may never come.
Ignore any invalidly formed query parameters for OrderingFilter.
Improve memory footprint when reading large JSON requests.
Fix schema generation for pagination.
Fix exception when HTML_CUTOFF is set to None.
Fix browsable API not supporting multipart/form-data correctly.
Fixed test_hyperlinked_related_lookup_url_encoded_exists.
Make sure max_length is in FileField kwargs.
Fix list_route & detail_route when kwargs contain curly brackets in url_path.
Add Django manage command to create a DRF user Token.
Ensure API documentation templates do not check for user authentication
Fix special case where OneToOneField is also primary key.
Added aria-label and a new region for accessibility purposes in base.html
Quote nested API parameters in api.js.
Set ViewSet args/kwargs/request before dispatch.
Added unicode support to SlugField.
Fix HiddenField appearing in the Raw Data form's initial content.
Raise validation error on invalid timezone parsing.
Fix SearchFilter to-many behavior/performance.
Simplified chained comparisons and minor code fixes.
RemoteUserAuthentication, docs, and tests.
Revert "Cached the field's root and context property"
Fix introspection of list field in schema.
Fix interactive docs for multiple nested and extra methods.
Fix/remove undefined template var "schema"
Upstream changes:
MediaWiki 1.29.1
Changes since 1.29.0
(T171197) Fix bundled extensions; SimpleAntiSpam and Vector (the extension) shouldn't have been included but were, and PdfHandler and SpamBlacklist should but weren't.
(T164999) mw.Upload.Dialog: Define .static.name
(T172061) refreshLinks.php: Fix fatal when using --category parameter
The following packages fail to build due to "." not being in @INC:
devel/p5-PPI-PowerToys
sysutils/p5-Monitoring-Plugin
textproc/p5-Text-Xslate
www/SpeedyCGI
Pass PERL_USE_UNSAFE_INC=1 through MAKE_ENV to allow the configure
and build to proceed.
This needs to be revisited when perl-5.30.0 is released and that
environment variable is removed from Perl.
new: prefix= kwarg now available on ApplicationSession.register for runtime method names
new: @wamp.register(None) will use the function-name as the URI
new: correlation and uri attributes for WAMP message tracing
Renamed :func:`~websockets.server.serve()` and :func:`~websockets.client.connect()`'s klass argument to create_protocol to reflect that it can also be a callable. For backwards compatibility, klass is still supported.
:func:`~websockets.server.serve` can be used as an asynchronous context manager on Python ≥ 3.5.
Added support for customizing handling of incoming connections with :meth:`~websockets.server.WebSocketServerProtocol.process_request()`.
Made read and write buffer sizes configurable.
Rewrote HTTP handling for simplicity and performance.
Added an optional C extension to speed up low level operations.
An invalid response status code during :func:`~websockets.client.connect` now raises :class:`~websockets.exceptions.InvalidStatusCode` with a code attribute.
- Improve HTTP request line validation:
* Improve HTTP version parsing
- Fix HTTP CONNECT method processing:
* Respond with ``405 Method Not Allowed`` if ``proxy_mode is False``
* Validate that request-target is in authority-form
- Improve tests in ``test.test_core``
- Fix EPROTOTYPE @ Mac OS
v5.8.2
- Fix 39 regression. Add HTTP request line check: absolute URI path must start with a forward slash ("/").
Quickly write and share SQL queries for any Django app in a simple, usable SQL
editor, preview the results in the browser, share links to download CSV files,
and keep the information flowing!
Explorer values simplicity, intuitive use, unobtrusiveness, stability, and the
principle of least surprise.
Django SQL Explorer is inspired by any number of great query and reporting
tools out there.
- Bugfix: Handling case of `None` user in request (@pawelad).
- Documentation corrections (@danielquinn).
- Bugfix: "invalid literal for int() with base 10: 'None'" for unversioned admin inline relations.
If, after updating, you still experience this issue, run the following in a Django shell:
.. code::

    from reversion.models import Version

    # Delete the stale Version rows whose object_id was stored as the string "None".
    Version.objects.filter(object_id="None").delete()
**Important:** Ensure that none of your versioned models contain a string primary key where `"None"` is a valid value
before running this snippet!
Fix build on FreeBSD after rev.14180
Bug 4464: Reduce "!Comm::MonitorsRead(serverConnection->fd)" assertions.
Fix mgr query handoff from the original recipient to Coordinator.
Fix message packing error handling in mgr and snmp SMP Forwarders.
basic_ncsa_auth: fix hash listing wrap in man(8) page
Bug 4687: Wrong names of components in man page, section SEE ALSO
Bug 4112: ssl_engine does not accept cryptodev
Bug 4671 pt3: various GCC 7 compile errors
Replace new/delete operators using modern C++ rules.
Bug 4671 pt2: GCC 7: raise FTP Gateway CTRL channel buffer to 16KB
SourceFormat Enforcement
Bug 2833 pt3: Do not respond with HTTP/304 to unconditional requests
Bug 2833 pt2: Collapse internal revalidation requests (SMP-unaware caches), again.
Upstream changes:
2017-04-07 Mattias Holmlund
Version 1.4
Fix tests when run without internet connectivity. Patch by Mike Parker.
Fixes https://rt.cpan.org/Ticket/Display.html?id=120584
2017-03-11 Mattias Holmlund
Version 1.3
Added missing Changes entry for version 1.2. No other changes.
2017-03-07 Mattias Holmlund
Version 1.2
Add X-No-Server-Contact header when the content returned has been
delivered without any contact with the external server
Changelog:
#CVE-2017-7798: XUL injection in the style editor in devtools
Reporter
Frederik Braun
Impact
critical
Description
The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool.
References
Bug 1371586, 1372112
#CVE-2017-7800: Use-after-free in WebSockets during disconnection
Reporter
Looben Yang
Impact
critical
Description
A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash.
References
Bug 1374047
#CVE-2017-7801: Use-after-free with marquee during window resizing
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash.
References
Bug 1371259
#CVE-2017-7809: Use-after-free while deleting attached editor DOM node
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.
References
Bug 1380284
#CVE-2017-7784: Use-after-free with image observers
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash.
References
Bug 1376087
#CVE-2017-7802: Use-after-free resizing image elements
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed.
References
Bug 1378147
#CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
Reporter
Nils
Impact
high
Description
A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash.
References
Bug 1356985
#CVE-2017-7786: Buffer overflow while painting non-displayable SVG
Reporter
Nils
Impact
high
Description
A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash.
References
Bug 1365189
#CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements
Reporter
SkyLined
Impact
high
Description
An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data.
References
Bug 1353312
#CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
Reporter
Oliver Wagner
Impact
high
Description
Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure.
References
Bug 1322896
#CVE-2017-7807: Domain hijacking through AppCache fallback
Reporter
Mathias Karlsson
Impact
high
Description
A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory.
References
Bug 1376459
#CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID
Reporter
Fraser Tweedale
Impact
high
Description
A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash.
References
Bug 1368652
#CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
Reporter
Stephen Fewer
Impact
high
Description
The destructor function for the WindowsDllDetourPatcher class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1372849
#CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts
Reporter
Jose María Acuña
Impact
moderate
Description
On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, allowing the iframe content to spoof the origin of the modal alert.
References
Bug 1365875
#CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections
Reporter
Arthur Edelstein
Impact
moderate
Description
An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP. This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1344034
#CVE-2017-7803: CSP containing 'sandbox' improperly applied
Reporter
Rhys Enniks
Impact
moderate
Description
When a page's content security policy (CSP) header contains a 'sandbox' directive, other directives are ignored. This results in the incorrect enforcement of CSP.
References
Bug 1377426
#CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Masayuki Nakano, Gary Kwong, Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler, Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
Apache Traffic Server is a high-performance web proxy
cache that improves network efficiency and performance
by caching frequently-accessed information at the edge
of the network.
Changelog:
Fixed
Fix a potential issue when the username had some specific characters in the path (Bug 1388584)
Fix an issue with new installation notification for sideload add-ons (Bug 1372448)
Fix performance regressions with WebExtension (Bugs 1386937 & 1389381)
Fix a regression with the popup menu (Bug 1388682)
pkgsrc change: Drop dependency to php-mysqli.
Quote from the release announcement:
The bugfix release fixes several issues including problems with the back end
referer management and the front end preview.