*) Security: a specially crafted request might result in an integer
overflow and incorrect processing of ranges in the range filter,
potentially resulting in sensitive information leak (CVE-2017-7529).
PkgSrc:
*) Updated external modules
*) Added RTMP module (Media Streaming Server)
go14 has no relro support AFAICT.
go-1.8.3 has if you use -buildmode=pie, but it claims it's not supported
on Linux.
Disable relro checking for go packages until bsiegert has time to
look at this.
Upstream changes:
RELEASE-NOTES-1.29
== MediaWiki 1.29 ==
=== Configuration changes in 1.29 ===
* Default cookie expiration time has been reduced to 30 days. Login cookie
expiration time is kept at 180 days.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
determines whether to set a cookie when a user is autoblocked. Doing so means
that a blocked user, even after logging out and moving to a new IP address,
will still be blocked.
* The resetpassword right and associated password reset capture feature has
been removed.
* The $error parameter to the EmailUser hook should be set to a Status object
or boolean false. This should be compatible with at least MediaWiki 1.23 if
not earlier. Returning a raw HTML string is now deprecated.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
policies.
* Subpages are now enabled by default in the Template namespace. Set
$wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* (T158474) "Unknown user" has been added to $wgReservedUsernames.
* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
added to $wgExtraLanguageCodes instead.
* (T161453) LocalisationCache will no longer use the temporary directory in its
fallback chain when trying to work out where to write the cache.
* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user
if they move to a new IP address. This is disabled by default.
* Added ILocalizedException interface to standardize the use of localized
exceptions, largely so the API can handle them more sensibly.
* Blocks created automatically by MediaWiki, such as for configured proxies or
dnsbls, are now indicated as such and use a new i18n message when displayed.
* Added new $wgHTTPImportTimeout setting. Sets timeout for
downloading the XML dump during a transwiki import in seconds.
* Parser limit report is now available in machine-readable format to JavaScript
via mw.config.get('wgPageParseReport').
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
from certain IP ranges (e.g. private IPs).
* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
of the page being parsed.
* HTML5 form validation attributes will no longer be suppressed. Originally
browsers had poor support for them, but modern browsers handle them fine.
This might affect some forms that used them and only worked because the
attributes were not actually being set.
* Expiry times can now be specified when users are added to user groups.
* Completely new user interface for the RecentChanges page, which
structures filters into user-friendly groups. This has corresponding
changes to how filters are registered by core and extensions.
* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
Because this change can cause problems for extensions and on-wiki
scripts depending on the exact HTML, the old version is still available
and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
This will be removed later and OOjs UI will become the only option.
To make testing easier, users can also force either mode by adding
&ooui=true or &ooui=false to the action=edit URL.
=== External library changes in 1.29 ===
==== Upgraded external libraries ====
* Updated QUnit from v1.22.0 to v1.23.1.
* Updated cssjanus from v1.1.2 to v1.2.0.
* Updated psr/log from v1.0.0 to v1.0.2.
* Update Moment.js from v2.8.4 to v2.15.0.
* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
* Updated monolog from v1.18.2 to 1.22.1.
* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
* Updated OOjs from v1.1.10 to v2.0.0.
==== New external libraries ====
* Added wikimedia/timestamp v1.0.0.
* Added wikimedia/remex-html v1.0.1.
==== Removed and replaced external libraries ====
=== Bug fixes in 1.29 ===
* (T62604) Core parser functions returning a number now format the number according
to the page content language, not wiki content language.
* (T27187) Search suggestions based on jquery.suggestions will now correctly only
highlight prefix matches in the results.
* (T157035) "new mw.Uri()" was ignoring options when using default URI.
* Special:Allpages can no longer be filtered by redirect in miser mode.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
action=clientlogin, action=createaccount, action=linkaccount, and
action=changeauthenticationdata in the query string is now an error. They
should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed
* action=clearhasmsg now requires a POST.
* (T47843) API errors and warnings may be requested in non-English languages
using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
* API error codes may have changed. Most notably, errors from modules using
parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* ApiPageSet-using modules will report the 'invalidreason' using the specified
'errorformat'.
* action=emailuser may return a "Warnings" status, and now returns 'warnings' and
'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
* action=move now reports errors when moving the talk page as an array under
key 'talkmove-errors', rather than using 'talkmove-error-code' and
'talkmove-error-info'. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
and errors for each item. Use errorformat=wikitext if you're wanting parsed
output.
* action=rollback no longer returns a "messageHtml" property. Use
errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account creation
and password change forms.
* action=purge now requires a POST.
* There is a new `languagevariants` siprop for action=query&meta=siteinfo,
which returns a list of languages with active LanguageConverter instances.
* action=query&query=allpages will no longer filter redirects using a database
query in miser mode. This may result in fewer results being returned than were
requested.
=== Action API internal changes in 1.29 ===
* New methods were added to ApiBase to handle errors and warnings using i18n
keys. Methods for using hard-coded English messages were deprecated:
* ApiBase::dieUsage() was deprecated
* ApiBase::dieUsageMsg() was deprecated
* ApiBase::dieUsageMsgOrDebug() was deprecated
* ApiBase::getErrorFromStatus() was deprecated
* ApiBase::parseMsg() was deprecated
* ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
being ApiUsageException is a subclass of UsageException to allow things that
catch only UsageException to still function properly.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
ApiErrorFormatter_BackCompat, note that the result format has changed and
various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
from the message key, and maps some message keys for backwards compatibility.
* API parameters may now be marked as "sensitive" to keep their values out of
the logs.
=== extension.json changes in 1.29 ===
* Extensions must set a value for "manifest_version" in their extension.json
or skin.json files. See
<https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#manifest_version>
for details.
* Extensions can now specify dependencies upon other extensions by using the
"requires" key. See
<https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#requires> for
more details.
* (T151136) Functions set as the "callback" now receive that extension's credits
information as the first argument.
* (T149597) "PasswordPolicy" can be set in extension.json.
=== Languages updated in 1.29 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Based as always on linguistic studies on intelligibility and language
knowledge by geography, language fallbacks have been expanded. When a
translation is missing in the user's preferred interface language, the
corresponding translation for the fallback language will be used instead.
English will only be used as last resort when there are no translations.
Some configurations (such as date formats and gender namespaces) have also
been updated when using the fallback language's configuration was inadequate.
The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
sh → bs, sr-el, hr.
* (T137376) New language support: Atikamekw (atj).
* (T163600) New language support: Dinka (din).
* (T155957) Talk Namespaces for Javanese language (jv) have been updated.
==== No fallback for Ukrainian ====
* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
language will now use the default fallback language: English. When a translation
to Ukrainian is not available, an English string will be shown.
=== Other changes in 1.29 ===
* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
SearchEngineFactory::getSearchEngineClass() instead.
* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
required as all sessions are stored in Object Cache now.
* MWHttpRequest::execute() should be considered to return a StatusValue; the
Status return type is deprecated.
* User::edits() (deprecated in 1.21) was removed.
* Xml::escapeJsString() (deprecated in 1.21) was removed.
* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
were removed.
* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
were removed.
* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
instead.
* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
* Class RevisiondeleteAction (deprecated in 1.25) was removed.
* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
* WikiPage::getText() (deprecated in 1.21) was removed.
* Article::fetchContent() (deprecated in 1.21) was removed.
* User::getPassword() (deprecated in 1.27) was removed.
* User::getTemporaryPassword() (deprecated in 1.27) was removed.
* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
* Class FSRepo (deprecated in 1.19) was removed.
* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
\MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
* Class ImageGallery (deprecated in 1.22) was removed.
Use ImageGalleryBase::factory instead.
* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
emit warnings). Create a subclass of Action and add it to $wgActions instead.
* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
* RedisConnectionPool::handleException (deprecated since 1.23) was removed.
* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
and outdated lists of errors/warnings returned by the API, are now deprecated.
* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml"
URLs to continue to work, set up redirects. In Apache, this can be done by enabling
mod_rewrite and adding the following rules to your configuration:
    RewriteEngine On
    RewriteBase /
    RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
Use ArticleAfterFetchContentObject instead.
* Hook ArticleInsertComplete (deprecated in 1.21) was removed.
Use PageContentInsertComplete instead.
* Hook ArticleSave (deprecated in 1.21) was removed.
Use PageContentSave instead.
* Hook ArticleSaveComplete (deprecated in 1.21) was removed.
Use PageContentSaveComplete instead.
* Hook EditFilterMerged (deprecated in 1.21) was removed.
Use EditFilterMergedContent instead.
* Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
Use EditPageGetPreviewContent instead.
* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
Use ContentHandlerDefaultModelFor instead.
* Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
Use ContentHandlerDefaultModelFor instead.
* Article::getContent() (deprecated in 1.21) was removed.
* Revision::getText() (deprecated in 1.21) was removed.
* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
* Article::doEditContent() was marked as deprecated, to be removed in 1.30
or later.
* ContentHandler::runLegacyHooks() was removed.
* refreshLinks.php now can be limited to a particular category with --category=...
or a tracking category with --tracking-category=...
* User-like objects that are passed to SpecialUserRights and its subclasses are
now required to have a getGroupMemberships() method. See UserRightsProxy for
an example.
* User::$mGroups (instance variable) was marked private. Use User::getGroups()
instead.
* User::getGroupName(), User::getGroupMember(), User::getGroupPage(),
User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
Use equivalent methods on the UserGroupMembership class.
* Maintenance scripts and tests that call User::addGroup() must now ensure that
User objects have been added to the database prior to calling addGroup().
* Protected function UsersPager::getGroups() was removed, and protected function
UsersPager::buildGroupLink() was changed from a static to an instance method.
* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
see docs/hooks.txt.
* User::crypt() (deprecated in 1.24) was removed.
* User::comparePasswords() (deprecated in 1.24) was removed.
* ArchivedFile::getUserText() (deprecated in 1.23) was removed.
* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
and subclasses. It should only break if you call buildMainQueryConds
(changed to buildQuery with new signature) or doMainQuery (new
signature). Subclasses are likely to call at least doMainQuery
(possibly both), but other classes might too, because they were
public.
Also, some related hooks were deprecated, but this is not yet a
breaking change.
* Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
* WikiRevision::$fileIsTemp was deprecated.
* WikiRevision::$importer was deprecated.
* WikiRevision::$user was deprecated.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
WikiPage::PURGE_* constants are deprecated, and the functions will always
return false. They were a hack for an issue that has since been fixed.
* Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
if you don't actually care about checkboxes and just want to add some HTML
to the page.
* Selflinks are now rendered as href-less <a> tags with the class mw-selflink
rather than <strong> tags. The old class name, "selflink", was deprecated
and will be removed in a future release. (T160480)
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Browser support for non-ES5 JavaScript browsers, including Android 2,
Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
addClickHandler, removeHandler, getElementsByClassName, getInnerText,
setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
tooltipAccessKeyRegexp, updateTooltipAccessKeys.
* The ID of the <li> element containing the login link has changed from
'pt-login' to 'pt-login-private' in private wikis.
* The old, neglected "bulletin board style toolbar" in the edit form is now
deprecated (T30856). This old code dates from 2006, and was replaced in the
MediaWiki release tarball and in Wikimedia production by the WikiEditor
extension in 2010. It is only shown to users if no other editor was
installed, and leads to confusion.
* (T92459) Loading ResourceLoader modules containing JavaScript through
addModuleStyles() is deprecated and will log a warning server-side.
== Compatibility ==
MediaWiki 1.29 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.
MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.29 has several database changes since 1.28, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.
For notes on 1.28.x and older releases, see HISTORY.
Re-release of 0.14.2 due to a release engineering mistake.
No changes other than the version number.
Nevow 0.14.1:
Nevow will now correctly map the MIME type of SVG files even if the
platform registry does not have such a mapping.
Athena no longer logs widget instantiation on initial page load.
Nevow's test suite is now compatible with Twisted 16.3.
Athena will no longer cause spurious errors resulting from page
disconnection.
Athena will now ignore responses to already-responded remote calls
during page shutdown.
From the project's announcement:
You'll find below the changes of this bugfixes version:
- various security fixes (#2475, #2476, #2492),
- fix regressions on self service portal:
- self-service users should not be auto assigned as tech (#2472)
- type and category fields were not selectable anymore (#2473)
The full changelog is available here for more details: https://github.com/glpi-project/glpi/milestone/20?closed=1
Fixed missing brackets in HTTP CONNECT when connecting to IPv6 address via IPv6 proxy.
Made the connection pool retry on SSLError. The original SSLError is available on MaxRetryError.reason.
Drain and release connection before recursing on retry/redirect. Fixes deadlocks with a blocking connectionpool.
Fixed compatibility for cookiejar.
pyopenssl: Use vendored version of six
Fixed a couple major decoding issues and simplified the URL API.
* limit types accepted by URL.from_text() to just text (str on py3, unicode on py2)
* fix percent decoding issues surrounding multiple calls to URL.to_iri()
* remove the socket-inspired family argument from URL's APIs. It was never consistently implemented and leaked slightly more problems than it solved.
* Improve authority parsing
* include LICENSE, README, docs, and other resources in the package
v5.7.0
======
- CI improvements:
* Don't run tests during deploy stage
* Use VM based build job env only for pyenv envs
* Opt-in for beta trusty image @ Travis CI
* Be verbose when running tests (show test names)
* Show xfail/skip details during test run
- #34: Fix ``_handle_no_ssl`` error handler calls
- #21: Fix ``test_conn`` tests:
* Improve setup_server def in HTTP connection tests
* Fix HTTP streaming tests
* Fix HTTP/1.1 pipelining test under Python 3
* Fix ``test_readall_or_close`` test
* Fix ``test_No_Message_Body``
* Clarify ``test_598`` fail reason
- #36: Add GitHub templates for PR, issue && contributing
- #27: Default HTTP Server header to Cheroot version str
- Cleanup _compat functions from server module
v5.6.0
======
- Fix all PEP 257 related errors in all non-test modules.
``cheroot/test/*`` folder is only one left allowed to fail with this linter.
- #30: Optimize chunked body reader loop by returning empty data if the size is 0.
Ref: cherrypy/cherrypy#1602
- Reset buffer if the body size is unknown
Ref: cherrypy/cherrypy#1486
- Add missing size hint to SizeCheckWrapper
Ref: cherrypy/cherrypy#1131
v5.5.2
======
- #32: Ignore "unknown error" and "https proxy request" SSL errors.
Ref: sabnzbd/sabnzbd#820
Ref: sabnzbd/sabnzbd#860
v5.5.1
======
- Make Appveyor list separate tests in corresponding tab.
- #29: Configure Travis CI build stages.
Prioritize tests by stages.
Move deploy stage to be run very last after all other stages finish.
- #31: Ignore "Protocol wrong type for socket" (EPROTOTYPE) @ OSX for non-blocking sockets.
This was originally fixed for regular sockets in cherrypy/cherrypy#1392.
Ref: https://forums.sabnzbd.org/viewtopic.php?f=2&t=22728&p=112251
v5.5.0
======
- #17 via #25: Instead of a read_headers function, cheroot now
supplies a HeaderReader class to perform the same function.
Any HTTPRequest object may override the header_reader attribute
to customize the handling of incoming headers.
The server module also presents a provisional implementation of
a DropUnderscoreHeaderReader that will exclude any headers
containing an underscore. It remains an exercise for the
implementer to demonstrate how this functionality might be
employed in a server such as CherryPy.
- #26: Configured TravisCI to run tests under OS X.
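Added example (not cheroot's code and not part of the upstream changelog), relating to the DropUnderscoreHeaderReader entry for v5.5.0 above: CGI/WSGI-style environ keys are built by upper-casing the header name and turning '-' into '_', so two differently spelled headers can land on the same key, and dropping names that contain '_' removes that ambiguity. The function names and the sample request are constructed for illustration.

```python
"""Illustration of header-name collisions in CGI/WSGI-style environ keys."""
from collections import defaultdict

# Constructed sample header block (documentation-range addresses).
SAMPLE = (
    b"Host: wiki.example\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"X_Forwarded_For: 198.51.100.9\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)


def environ_key(name):
    """Map a header name to its CGI-style key (HTTP_ prefix, '-' -> '_')."""
    return "HTTP_" + name.upper().replace("-", "_")


def read_headers(raw, drop_underscore=False):
    """Parse a CRLF-separated header block into (name, value) pairs.

    With drop_underscore=True, headers whose name contains '_' are
    discarded, the policy the changelog entry describes.
    """
    headers = []
    for line in raw.split(b"\r\n"):
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        name = name.strip().decode("latin-1")
        if drop_underscore and "_" in name:
            continue
        headers.append((name, value.strip().decode("latin-1")))
    return headers


def to_environ(headers):
    """Group header values under their environ key, keeping every value."""
    environ = defaultdict(list)
    for name, value in headers:
        environ[environ_key(name)].append(value)
    return dict(environ)


def colliding_keys(headers):
    """Return environ keys that are fed by more than one header spelling."""
    spellings = defaultdict(set)
    for name, _ in headers:
        spellings[environ_key(name)].add(name.lower())
    return {k: sorted(v) for k, v in spellings.items() if len(v) > 1}


if __name__ == "__main__":
    for drop in (False, True):
        hdrs = read_headers(SAMPLE, drop_underscore=drop)
        print("drop_underscore=%s" % drop)
        print("  environ:   ", to_environ(hdrs))
        print("  collisions:", colliding_keys(hdrs))
```

colliding_keys() can also be run over logged request headers to spot clients that send underscore spellings of headers a front-end proxy is expected to set.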
2.3.21 (2017-06-01)
-------------------
Enhancements
- [core] improved event invitation for all day events (#4145)
- [core] now possible to {un}subscribe to folders using sogo-tool
- [eas] added photo support for GAL search operations
- [web] added custom fields support from Thunderbird's address book
- [web] updated CKEditor to version 4.7.0
- [web] added Latvian (lv) translation - thanks to Juris Balandis
Bug fixes
- [core] fixed calendar component move across collections (#4116)
- [core] handle properly mails using windows-1255 charset (#4124)
- [core] properly honor the "include in freebusy" setting (#3354)
- [core] make sure to use crypt scheme when encoding md5/sha256/sha512 (#4137)
- [core] newly subscribed calendars are excluded from freebusy (#3354)
- [core] strip cr during LDIF import process (#4172)
- [web] fixed mail delegation of pristine user accounts (#4160)
- [web] respect SOGoLanguage and SOGoSupportedLanguages (#4169)
- [eas] fixed opacity in EAS freebusy (#4033)
- [eas] set reply/forwarded flags when ReplaceMime is set (#4133)
- [eas] remove alarms over EAS if we don't want them (#4059)
- [eas] correctly set RSVP on event invitations
- [eas] avoid sending IMIP request/update messages for all EAS clients (#4022)
additional Administration Interface. You can use it to build up a
database with an inventory for your company (computers, software,
printers, etc).
Its enhanced functionality makes daily life for administrators easier.
Besides an inventory, it provides a trouble-ticket system, job
tracking with mail notification, and methods to build a database with
basic information about your network-topology.
<http://glpi-project.org/>
Features:
* Supports both Client and HTTP Server.
* Supports both Server WebSockets and Client WebSockets out-of-the-box.
* Web-server has Middlewares, Signals and pluggable routing.
### 4.4.1 (2017-07-12)
* Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
* Correctly handle subpalettes in "edit multiple" mode (see #946).
* Correctly show the DCA picker in the site structure (see #906).
* Correctly update the style sheets if a format definition is
enabled/disabled (see #893).
* Always show the "show from" and "show until" fields (see #908).
* Correctly set the "overwriteMeta" field during the database update (see
contao/core-bundle#888).
Version 3.5.28 (2017-07-12)
---------------------------
### Fixed
Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
### Fixed
Improve the accessibility of the CAPTCHA widget (see #8709).
### Fixed
Fixed the iOS scrolling bug in the simple modal script (see #8708).
### Fixed
Correctly cache the unique keys in the SQL cache (see #8712).
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
global variable when using Lua 5.2 or later. This was exported as a
side effect from luaL_register, which is no longer supported as of
Lua 5.2 which deprecates pollution of the global namespace.
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
The server will continue to run, but HTTP/2 will no longer be negotiated.
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
default ProxyFCGIBackendType, fixing a regression with PHP-FPM.
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
*) mod_http2: Simplify ready queue, less memory and better performance. Update
mod_http2 version to 1.10.7.
*) Allow single-char field names inadvertently disallowed in 2.4.25.
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
passwd file to a possibly existing passwd file.
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
*) Allow single-char field names inadvertently disallowed in 2.2.32.
Changes with Apache 2.2.33 (not released)
*) SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
*) SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
Caddy is a HTTP/2 web server with automatic HTTPS.
Caddy was born out of the need for a "batteries-included" web server
that runs anywhere and doesn't have to take its configuration with it.
Caddy took inspiration from spark, nginx, lighttpd, Websocketd and
Vagrant, which provides a pleasant mixture of features from each of
them.
that application, without starting up an HTTP server.
This provides convenient full-stack testing of applications written with any
WSGI-compatible framework.
Upstream changes:
Here is the full list of fixed issues in 3.3.1.
Highlights
MDL-58136 - Show only "in progress" courses in the My courses list in Boost flat navigation
MDL-56046 - Fixed bug when downloading Quiz statistics report and other multiple-sheet reports
MDL-58646, MDL-59122 - Number of performance improvements in Boost cache rebuilding
MDL-58310, MDL-59312, MDL-58103 - Correctly display AJAX errors and ignore interrupted requests caused by page unload (occasional "undefined" popup)
MDL-44961 - When restoring course with rolling start date never change log dates
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-46322 - Assignment: Only enrolled users may be assigned as markers, if admins/managers can view course but are not enrolled they will not be assigned
MDL-58907 - Course overview: Remember last view mode (Timeline/Courses), add a setting for a default mode
MDL-58729 - Performance improvement in MySQL collation change script (follow up for Full UTF-8 Support in MySQL)
MDL-57957 - Assignment: Fixed bug with feedback files not being shown to students if assignment has no grading
MDL-57021 - Use normal password form field during sign up, adding new user and enrolling in a course
MDL-49988 - Wiki: line breaks in HTML source code should not affect page layout
MDL-58811 - Quiz: fixed bug preventing quiz duplication if questions have file links in their texts
For developers
MDL-58911 - Change of behavior when writing unittests for the dashboard events - now callback from module are executed in unittests same way they would be executed on the dashboard
Features
- Python 3.6 is now officially supported in Waitress
Bugfixes
- Add a work-around for libc issue on Linux not following the documented
standards. If getnameinfo() fails because of DNS not being available it
should return the IP address instead of the reverse DNS entry, however
instead getnameinfo() raises. We catch this, and ask getnameinfo()
for the same information again, explicitly asking for IP address instead of
reverse DNS hostname.
-----
* 26: Change six requirement to >=1.4.0
* 28: Py3k fixes
* 29: paste.wsgilib.add_close: Add __next__ method to support using `add_close` objects as iterators on Python 3.
* 30: tox.ini: Add py35 to envlist
* 31: Enable testing with pypy
* 33: tox.ini: Measure test coverage
these packages pull in GCC_REQD+=4.9 via mozilla-common.mk, and
are very widely used (I suspect only www/firefox actually needs it)
this will take care of most of the fallout from major bumping
pkgsrc-gcc-libstdc++ to 7 on netbsd. these are the most widely
used packages setting GCC_REQD>4.8.
based on the work done by the amazing folks at magicstack.
On top of being Flask-like, Sanic supports async request handlers. This means
you can use the new shiny async/await syntax from Python 3.5, making your code
non-blocking and speedy.
User-visible changes:
- Client-side bugfixes:
* cp/mv: improve error message when target is an unversioned dir
* merge: reduce memory usage with large amounts of mergeinfo
- Server-side bugfixes:
* 'svnadmin freeze': document the purpose more clearly
* dump: fix segfault when a revision has no revprops
* fsfs: improve error message upon failure to open rep-cache
* fsfs: never attempt to share directory representations
* fsfs: make consistency independent of hash algorithms
This change makes Subversion resilient to collision attacks, including
SHA-1 collision attacks such as <http://shattered.io/>. See also our
documentation at <https://subversion.apache.org/faq#shattered-sha1> and
<https://subversion.apache.org/docs/release-notes/1.9#shattered-sha1>.
- Client-side and server-side bugfixes:
* work around an APR bug related to file truncation
- Bindings bugfixes:
* javahl: follow redirects when opening a connection
Developer-visible changes:
- General:
* win_tests.py: make the --bin option work, rather than abort
(regression introduced in 1.9.2)
* windows: support building with 'zlibstat.lib' in install-layout
- API changes:
(none)
1.85 2017-06-28 22:06:00Z
========================================
[FIXED]
- use 127.0.0.1 instead of 'localhost' in a test to avoid the test hanging
due to ipv6 issues (GH#31)
- Remove private logic for taint checking (Dave Doyle)
- Fix Pod (simbabque)
- Bump Test::More prereq to get working subtest support (Karen Etheridge)
- Fix intermittent failures of taint.t (GH#108) (Kivanc Yazan)
- Fix kwalitee issues (GH#107) (Kivanc Yazan)
[ENHANCEMENTS]
- Print section titles if mech-dump --all is invoked (GH#81) (Сергей
Романов)
- Add cookbook docs on dumping a req without sending it (#115) (Grigor
Karavardanyan)
- Document that submit only submits current form (GH#114) (nawglan)
- Add Travis testing on Perl 5.26 (Karen Etheridge)
- Remove obsolete and unincremented $VERSIONs in test modules (Karen
Etheridge)
Changelog:
52.2.1
Printing text does not work on Windows when Direct2D is disabled (Bug 1318845)
52.2.0
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7778: Vulnerabilities in the Graphite 2 library
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
#CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
#CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
52.1.2
Fix hangs when using a proxy with NTLM authentication (bug 1360574)
Changelog:
Fixed
Fix a display issue of tab title (bug 1357656)
Fix a display issue of opening new tab (bug 1371995)
Fix a display issue when opening multiple tabs (bug 1371962)
Fix a tab display issue when downloading files (bug 1373109)
Fix a PDF printing issue (bug 1366744)
Fix a Netflix issue on Linux (bug 1375708)
Documentation
We have received several patches to fix grammar and typos.
The broken out-of-tree build has also been fixed.
nghttp
We fixed the bug that HTTP Upgrade fails if HTTP response does not have reason-phrase.
nghttpx
The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.
Bugfixes
Removed an incorrect deprecation warning about a missing renderer argument if a Widget.render() method accepts **kwargs.
Fixed a regression causing Model.__init__() to crash if a field has an instance only descriptor.
Fixed an incorrect DisallowedModelAdminLookup exception when using a nested reverse relation in list_filter.
Fixed admin’s FieldListFilter.get_queryset() crash on invalid input.
Fixed invalid HTML for a required AdminFileWidget.
Fixed model initialization to set the name of class-based model indexes for models that only inherit models.Model.
Fixed crash in admin’s inlines when a model has an inherited non-editable primary key.
Fixed QuerySet.union(), intersection(), and difference() when combining with an EmptyQuerySet.
Prevented Paginator’s unordered object list warning from evaluating a QuerySet.
Fixed the value of redirect_field_name in LoginView’s template context. It’s now an empty string (as it is for the original function-based login() view) if the corresponding parameter isn’t sent in a request (in particular, when the login page is accessed directly).
Prevented attribute values in the django/forms/widgets/attrs.html template from being localized so that numeric attributes (e.g. max and min) of NumberInput work correctly.
Removed casting of the option value to a string in the template context of the CheckboxSelectMultiple, NullBooleanSelect, RadioSelect, SelectMultiple, and Select widgets. In Django 1.11.1, casting was added in Python to avoid localization of numeric values in Django templates, but this made some use cases more difficult. Casting is now done in the template using the |stringformat:'s' filter.
Prevented a primary key alteration from adding a foreign key constraint if db_constraint=False.
Fixed UnboundLocalError crash in RenameField with nonexistent field.
Fixed a regression preventing a model field’s limit_choices_to from being evaluated when a ModelForm is instantiated.
* t/git-cgi.t: Wait 1 second before doing a revert that should work.
This hopefully fixes a race condition in which the test failed
around 6% of the time. (Closes: 862494)
* Guard against set-but-empty REMOTE_USER CGI variable on
misconfigured nginx servers, and in general treat sessions with
a set-but-empty name as if they were not signed in.
* When the CGI fails, print the error to stderr, not "Died"
* mdwn: Don't mangle <style> into <elyts> under some circumstances
* mdwn: Enable footnotes by default when using the default Discount
implementation. A new mdwn_footnotes option can be used to disable
footnotes in MultiMarkdown and Discount.
* mdwn: Don't enable alphabetically labelled ordered lists by
default when using the default Discount implementation. A new
mdwn_alpha_list option can be used to restore the old
interpretation.
* osm: Convert savestate hook into a changes hook. savestate is not
the right place to write wiki content, and in particular this
breaks websetup if osm's dependencies are not installed, even
if the osm plugin is not actually enabled. (Closes: #719913)
* toc: if the heading is of the form <h1 id="...">, use that for
the link in the table of contents (but continue to generate
<a name="index42"></a> in case someone was relying on it)
* color: Do not leak markup into contexts that take only the plain
text, such as toc
* meta: Document [[!meta name="foo" content="bar"]]
Python. It implements RFC 6455 with a focus on correctness and simplicity.
It passes the Autobahn Testsuite.
Built on top of Python's asynchronous I/O support introduced in PEP 3156,
it provides an API based on coroutines, making it easy to write highly
concurrent applications.
HTTP, task offloading and other asynchrony support to your code, using familiar
Django design patterns and a flexible underlying framework that lets you not
only customize behaviours but also write support for your own protocols and
needs.
to power Django Channels.
It supports automatic negotiation of protocols; there's no need for URL
prefixing to determine WebSocket endpoints versus HTTP endpoints.
new: allow components to pass WebSocket/RawSocket options
fix: register/subscribe decorators support different URI syntax from what session.register and session.subscribe support
new: allow for standard Crossbar a.c..d style pattern URIs to be used with Pattern
new: dynamic authorizer example
new: configurable log level in ApplicationRunner.run for asyncio
fix: forward reason of hard dropping WebSocket connection in wasNotCleanReason
There are too many changes to list here; please refer to
<https://github.com/jekyll/jekyll/releases> for details.
* Upgrade to Liquid v4.
* Add support for TSV (Tab-Separated Values data) files.
* Add a template for custom 404 page.
* Documentation improvements.
## 4.0.0
### Changed
* Render an opaque internal error by default for non-Liquid::Error (#835) [Dylan Thacker-Smith]
* Ruby 2.0 support dropped (#832) [Dylan Thacker-Smith]
* Add to_number Drop method to allow custom drops to work with number filters (#731)
* Add strict_variables and strict_filters options to detect undefined references (#691)
* Improve loop performance (#681) [Florian Weingarten]
* Rename Drop method `before_method` to `liquid_method_missing` (#661) [Thierry Joyal]
* Add url_decode filter to invert url_encode (#645) [Larry Archer]
* Add global_filter to apply a filter to all output (#610) [Loren Hale]
* Add compact filter (#600) [Carson Reinke]
* Rename deprecated "has_key?" and "has_interrupt?" methods (#593) [Florian Weingarten]
* Include template name with line numbers in render errors (574) [Dylan Thacker-Smith]
* Add sort_natural filter (#554) [Martin Hanzel]
* Add forloop.parentloop as a reference to the parent loop (#520) [Justin Li]
* Block parsing moved to BlockBody class (#458) [Dylan Thacker-Smith]
* Add concat filter to concatenate arrays (#429) [Diogo Beato]
* Ruby 1.9 support dropped (#491) [Justin Li]
* Liquid::Template.file_system's read_template_file method is no longer passed the context. (#441) [James Reid-Smith]
* Remove support for `liquid_methods`
* Liquid::Template.register_filter raises when the module overrides registered public methods as private or protected (#705) [Gaurav Chande]
### Fixed
* Fix map filter when value is a Proc (#672) [Guillaume Malette]
* Fix truncate filter when value is not a string (#672) [Guillaume Malette]
* Fix behaviour of escape filter when input is nil (#665) [Tanel Jakobsoo]
* Fix sort filter behaviour with empty array input (#652) [Marcel Cary]
* Fix test failure under certain timezones (#631) [Dylan Thacker-Smith]
* Fix bug in uniq filter (#595) [Florian Weingarten]
* Fix bug when "blank" and "empty" are used as variable names (#592) [Florian Weingarten]
* Fix condition parse order in strict mode (#569) [Justin Li]
* Fix naming of the "context variable" when dynamically including a template (#559) [Justin Li]
* Gracefully accept empty strings in the date filter (#555) [Loren Hale]
* Fix capturing into variables with a hyphen in the name (#505) [Florian Weingarten]
* Fix case sensitivity regression in date standard filter (#499) [Kelley Reynolds]
* Disallow filters with no variable in strict mode (#475) [Justin Li]
* Disallow variable names in the strict parser that are not valid in the lax parser (#463) [Justin Li]
* Fix BlockBody#warnings taking exponential time to compute (#486) [Justin Li]
Bugfixes
- CONTINUATION frames sent on closed streams previously caused stream errors
of type STREAM_CLOSED. RFC 7540 § 6.10 requires that these be connection
errors of type PROTOCOL_ERROR, and so this release changes to match that
behaviour.
- Remote peers incrementing their inbound connection window beyond the maximum
allowed value now cause stream-level errors, rather than connection-level
errors, allowing connections to stay up longer.
- h2 now rejects receiving and sending request header blocks that are missing
any of the mandatory pseudo-header fields (:path, :scheme, and :method).
- h2 now rejects receiving and sending request header blocks that have an empty
:path pseudo-header value.
- h2 now rejects receiving and sending request header blocks that contain
response-only pseudo-headers, and vice versa.
- h2 now correctly respects user-initiated changes to the HEADER_TABLE_SIZE
local setting, and ensures that if users shrink or increase the header
table size it is policed appropriately.
6.13 2017-06-20 01:07:03Z
- Non-TRIAL release of changes found in 6.12
6.12 2017-06-15 18:03:50Z (TRIAL RELEASE)
- If an object is passed to HTTP::Request, it must provide a canonical()
method (Olaf Alders)
- Make sure status messages don't die by checking the status exists before
checking the value range (Kent Fredric, GH #39)
- Add a .mailmap file to clean up the contributors list
- Avoid inconsistent setting of content to undef (Jerome Eteve)
- Simplify the way some methods are created (Tom Hukins)
- Remove some indirect object notation (Chase Whitener)
- Fix example in Pod (Tobias Leich)
- Add support for HTTP PATCH method (Mickey Nasriachi)
*) HTTP/2 support no longer tagged as "experimental" but is instead considered
fully production ready.
*) mod_http2: Fix for possible CPU busy loop introduced in v1.10.3 where a stream may keep
the session in continuous check for state changes that never happen.
*) mod_mime: Fix error checking for quoted pairs.
*) mod_proxy_wstunnel: Add "upgrade" parameter to allow upgrade to other
protocols.
*) MPMs unix: Place signals handlers and helpers out of DSOs to avoid
a possible crash if a signal is caught during (graceful) restart.
*) core: Deprecate ap_get_basic_auth_pw() and add
ap_get_basic_auth_components().
*) mod_rewrite: When a substitution is a fully qualified URL, and the
scheme/host/port matches the current virtual host, stop interpreting the
path component as a local path just because the first component of the
path exists in the filesystem. Adds RewriteOption "LegacyPrefixDocRoot"
to revert to previous behavior.
*) core: ap_parse_form_data() URL-decoding doesn't work on EBCDIC
platforms.
*) ab: enable option processing for setting a custom HTTP method also for
non-SSL builds.
*) core: EBCDIC fixes for interim responses with additional headers.
*) mod_ssl: Consistently pass the expected bio_filter_in_ctx_t
to ssl_io_filter_error().
*) mod_env: when processing a 'SetEnv' directive, warn if the environment
variable name includes a '='. It is likely a configuration error.
*) Evaluate nested If/ElseIf/Else configuration blocks.
*) mod_rewrite: Add 'BNP' (backreferences-no-plus) flag to RewriteRule to
allow spaces in backreferences to be encoded as %20 instead of '+'.
*) mod_rewrite: Add the possibility to limit the escaping to specific
characters in backreferences by listing them in the B flag.
*) mod_substitute: Fix spurious AH01328 (Line too long) errors on EBCDIC
systems.
*) mod_http2: fail requests without ERROR log in case we need to read interim
responses and see only garbage. This can happen if proxied servers send
data where none should be, e.g. a body for a HEAD request.
more...
Contao 4.4 is the fourth minor release of Contao 4 and is an LTS (Long Term
Support) release until June 2021.
Additionally, these new features from 4.3.
* Improved backend theme
* Improved element preview
* Detect version conflicts
* Improved handling of image meta data
* Details view contains path addition to their UUIDs
* Honeypot anti-spam
* Allowed member groups
* Import options for some form fields
* DCA picker
* Filter pages and articles
* Search files
* Contao Manager support
* Fixed a bug in which cancelling the publishing dialog wasn't respected.
* Fixed a bug causing post-login redirection to an incorrect URL on single-language sites.
* Changed the signature for internal ``cms.plugin_base.CMSPluginBase`` methods ``get_child_classes``
and ``get_parent_classes`` to take an optional ``instance`` parameter.
* Fixed an error when retrieving placeholder label from configuration.
* Fixed a bug which caused certain translations to display double-escaped text in the page
list admin view.
* Adjusted the toolbar JavaScript template to escape values coming from the request.
* Added Dropdown class to toolbar items
* Replaced all custom markup on the ``admin/cms/page/includes/fieldset.html`` template
with an ``{% include %}`` call to Django's built-in ``fieldset.html`` template.
* Fixed a bug which prevented a page from being marked as dirty when a placeholder was cleared.
* Fixed an IntegrityError raised when publishing a page with no public version and whose publisher
state was pending.
* Fixed an issue with JavaScript not being able to determine correct path to the async bundle
* Fixed a ``DoesNotExist`` database error raised when moving a page marked as published, but whose public
translation did not exist.
* Fixed a bug in which the menu rendered nodes using the site session variable (set in the admin),
instead of the current request site.
* Fixed a race condition bug in which the database cache keys were deleted without syncing with the
cache server, and as a result old menu items would continue to be displayed.
* Fixed a 404 raised when using the ``Delete`` button for a Page or Title extension on Django >= 1.9
* Added "How to serve multiple languages" section to documentation
* Fixed a performance issue with nested pages when using the ``inherit`` flag on the ``{% placeholder %}`` tag.
* Removed the internal ``reset_to_public`` page method in favour of the ``revert_to_live`` method.
* Fixed a bug in which the placeholder cache was not consistently cleared when a page was published.
* Enhanced the plugin menu to not show plugins the user does not have permission to add.
* Fixed a regression which prevented users from setting a redirect to the homepage.
Add a CountryFieldMixin Django Rest Framework serializer mixin that automatically picks the right field type for a CountryField (both single and multi-choice).
Validation for Django Rest Framework field (thanks Simon Meers).
Allow case-insensitive .by_name() matching (thanks again, Simon).
Ensure a multiple-choice CountryField.max_length is enough to hold all countries.
Fix inefficient pickling of countries (thanks Craig de Stigter for the report and tests).
Stop adding a blank choice when dealing with a multi-choice CountryField.
Tests now cover multiple Django Rest Framework versions (back to 3.3).
Version 4.6.1
Fix invalid reStructuredText in CHANGES.
Add test targets, all tests pass for me.
Sun May 28 23:26:00 MSK 2017
Releasing GNU libmicrohttpd 0.9.55. -EG
Sun May 21 18:48:00 MSK 2017
Fixed build with disabled "UPGRADE".
Fixed possible null-dereference in HTTPS test.
Fixed compiler warning in process_request_body(), minor optimizations.
Do not allow suspend of "upgraded" connections.
Fixed returned value for MHD_CONNECTION_INFO_CONNECTION_SUSPENDED.
Fixed removal from timeout lists of non-existing connections in
cleanup_connection().
Fixed double locking of mutex. -EG
Sun May 14 15:05:00 MSK 2017
Fixed resuming connections and closing upgraded connections in select()
mode with thread-per-connection. -EG
Sun May 14 14:49:00 MSK 2017
Removed extra call to resume connections in MHD_run().
Handle resumed connection without delay in epoll mode.
Update states of resumed connection after resume in thread-per-connection
mode.
Fixed resuming connections and closing upgraded connections in poll()
mode with thread-per-connection. -EG
Thu May 11 22:37:00 MSK 2017
Faster start really processing data in resumed connections. -EG
Thu May 11 14:24:00 MSK 2017
Do not add any "Connection" headers for "upgrade" connections. -EG
Wed May 10 23:09:00 MSK 2017
Resume resuming connection before other processing in external polling
mode. -EG
Tue May 9 23:16:00 MSK 2017
Fixed: Do not add "Connection: Keep-Alive" header for "upgrade"
connections. -EG
Tue May 9 21:01:00 MSK 2017
Fixed: check all "Connection" headers of request for "Close" and "Upgrade"
tokens instead of using only first "Connection" header with full string
match. -EG
Tue May 9 12:28:00 MSK 2017
Revert: continue match footers in MHD_get_response_header() for backward
compatibility. -EG
Mon May 8 19:30:00 MSK 2017
Fixed: use case-insensitive matching for header name in
MHD_get_response_header(), match only headers (not footers). -EG
Fri May 5 20:57:00 MSK 2017
Fixed null dereference when connection has "Upgrade" request and
connection is not upgraded. -JB/EG
Better handle Keep-Alive/Close. -EG
7.33 2017-06-05
- Added EXPERIMENTAL support for :matches pseudo-class and :not pseudo-class
with compound selectors to Mojo::DOM::CSS.
- Fixed a few form element value extraction bugs in Mojo::DOM.
- Fixed version command to use the new MetaCPAN API, since the old one got
shut down.
7.32 2017-05-28
- Added -f option to get command.
- Improved get command with support for passing request data by redirecting
STDIN.
- Fixed memory leak in Mojo::IOLoop::Client that sometimes prevented the
connect timeout from working correctly for TLS handshakes.
* If your 54.0 is unstable, please disable e10s with
browser.tabs.remote.autostart.2=false (this works at least for me)
Changelog:
New
Simplified the download button and download status panel
Added support for multiple content processes (e10s-multi)
Added Burmese (my) locale
Fixed
Various security fixes
Changed
Moved the mobile bookmarks folder to the main bookmarks menu for easier access
Security fixes:
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7778: Vulnerabilities in the Graphite 2 library
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7759: Android intent URLs can cause navigation to local file system
#CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
#CVE-2017-7762: Addressbar spoofing in Reader mode
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
#CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
#CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
#CVE-2017-7770: Addressbar spoofing with JavaScript events and fullscreen mode
#CVE-2017-5471: Memory safety bugs fixed in Firefox 54
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.2
curl: show the libcurl release date in --version output
Bugfixes:
CVE-2017-9502: default protocol drive letter buffer overflow
openssl: fix memory leak in servercert
tests: remove the html and PDF versions from the tarball
mbedtls: enable NTLM (& SMB) even if MD4 support is unavailable
typecheck-gcc: handle function pointers properly
llist: no longer uses malloc
gnutls: removed some code when --disable-verbose is configured
lib: fix maybe-uninitialized warnings
multi: clarify condition in curl_multi_wait
schannel: Don't treat encrypted partial record as pending data
configure: fix the -ldl check for openssl, add -lpthread check
configure: accept -Og and -Ofast GCC flags
Makefile: avoid use of GNU-specific form of $<
if2ip: fix -Wcast-align warning
configure: stop prepending to LDFLAGS, CPPFLAGS
curl: set a 100K buffer size by default
typecheck-gcc: fix _curl_is_slist_info
nss: do not leak PKCS 11 slot while loading a key
nss: load libnssckbi.so if no other trust is specified
examples: ftpuploadfrommem.c
url: declare get_protocol_family() static
examples/cookie_interface.c: changed to example.com
test1443: test --remote-time
curl: use utimes instead of obsolescent utime when available
url: fixed a memory leak on OOM while setting CURLOPT_BUFFERSIZE
curl_rtmp: fix missing-variable-declarations warnings
tests: fixed OOM handling of unit tests to abort test
curl_setup: Ensure no more than one IDN lib is enabled
tool: Fix missing prototype warnings for CURL_DOES_CONVERSIONS
CURLOPT_BUFFERSIZE: 1024 bytes is now the minimum size
curl: non-boolean command line args reject --no- prefixes
telnet: Write full buffer instead of byte-by-byte
typecheck-gcc: add missing string options
typecheck-gcc: add support for CURLINFO_SOCKET
opt man pages: they all have examples now
curl_setup_once: use SEND_QUAL_ARG2 for swrite
test557: set a known good numeric locale
schannel: return a more specific error code for SEC_E_UNTRUSTED_ROOT
tests/server: make string literals const
runtests: use -R for random order
unit1305: fix compiler warning
curl_slist_append.3: clarify a NULL input creates a new list
tests/server: run checksrc by default in debug-builds
tests: fix -Wcast-qual warnings
runtests.pl: simplify the datacheck read section
curl: remove --environment and tool_writeenv.c
buildconf: fix hang on IRIX
tftp: silence bad-function-cast warning
asyn-thread: fix unused macro warnings
tool_parsecfg: fix -Wcast-qual warning
sendrecv: fix MinGW-w64 warning
test537: use correct variable type
rand: treat fake entropy the same regardless of endianness
curl: generate the --help output
tests: removed redundant --trace-ascii arguments
multi: assign IDs to all timers and make each timer singleton
multi: use a fixed array of timers instead of malloc
mbedtls: Support server renegotiation request
pipeline: fix mistakenly trying to pipeline POSTs
lib510: don't write past the end of the buffer if it's too small
CURLOPT_HTTPPROXYTUNNEL.3: clarify, add example
SecureTransport/DarwinSSL: Implement public key pinning
curl.1: clarify --config
curl_sasl: fix build error with CURL_DISABLE_CRYPTO_AUTH + USE_NTLM
darwinssl: Fix exception when processing a client-side certificate
curl.1: mention --oauth2-bearer's argument
mkhelp.pl: do not add current time into curl binary
asiohiper.cpp / evhiperfifo.c: deal with negative timerfunction input
ssh: fix memory leak in disconnect due to timeout
tests: stabilize test 1034
cmake: auto detection of CURL_CA_BUNDLE/CURL_CA_PATH
assert: avoid, use DEBUGASSERT instead
LDAP: using ldap_bind_s on Windows with methods
redirect: store the "would redirect to" URL when max redirs is reached
winbuild: fix the nghttp2 build
examples: fix -Wimplicit-fallthrough warnings
time: fix type conversions and compiler warnings
mbedtls: fix variable shadow warning
test557: fix ubsan runtime error due to int left shift
transfer: init the infilesize from the postfields
docs: clarify NO_PROXY further
build-wolfssl: Sync config with wolfSSL 3.11
curl-compilers.m4: enable -Wshift-sign-overflow for clang
example/externalsocket.c: make it use CLOSESOCKETFUNCTION too
lib574.c: use correct callback proto
lib583: fix compiler warning
curl-compilers.m4: fix compiler_num for clang
typecheck-gcc.h: separate getinfo slist checks from other pointers
typecheck-gcc.h: check CURLINFO_TLS_SSL_PTR and CURLINFO_TLS_SESSION
typecheck-gcc.h: check CURLINFO_CERTINFO
build: provide easy code coverage measuring
test1537: dedicated tests of the URL (un)escape API calls
curl_endian: remove unused functions
test1538: verify the libcurl strerror API calls
MD(4|5): silence cast-align clang warning
dedotdot: fixed output for ".." and "." only input
cyassl: define build macros before including ssl.h
updatemanpages.pl: error out on too old git version
curl_sasl: fix unused-variable warning
x509asn1: fix implicit-fallthrough warning with GCC 7
libtest: fix implicit-fallthrough warnings with GCC 7
BINDINGS: add Ring binding
curl_ntlm_core: pass unsigned char to toupper
test1262: verify ftp download with -z for "if older than this"
test1521: test all curl_easy_setopt options
typecheck-gcc: allow CURLOPT_STDERR to be NULL too
metalink: remove unused printf() argument
file: make speedcheck use current time for checks
configure: fix link with librtmp when specifying path
examples/multi-uv.c: fix deprecated symbol
cmake: Fix inconsistency regarding mbed TLS include directory
setopt: check CURLOPT_ADDRESS_SCOPE option range
gitignore: ignore all vim swap files
urlglob: fix division by zero
libressl: OCSP and intermediate certs workaround no longer needed
Features
- Implement trailing commas in parameters and arguments
- Implement unary slash expressions
Fixes
- Fix Attribute Selector equal compare operator
- Fix segfault for varargs with non-string keys
- Fix Element Selector compare operators
- Fix compiler issue with spec regression on NetBSD 6.1
- Fix some segfaults caused by the parser being too forgiving
- Fix segfault with invalid map keys
- Fix null pointer dereference in css_error
- Fix bug when parsing selector schemas
- Fix null pointer dereference in parse_selector_schema
- Fix segfault when extending pseudo selectors failed
- Fix parser for urls looking like ruleset selectors
- Error for trailing rulesets comma
- Improve selector and binominal look ahead
- Improve hex escape handling in interpolation
- Fix wrong parsing of calc functions as number units
- Skip comment evaluation for compressed output
- Improve parent selector handling in selector schema
- Improve parameter vararg and keyword handling
- Hotfix to avoid invalid nested :not selectors
- Fix a few minor memory leaks
Released on May 16 2017
- Fix a bug in `safe_join` on Windows.
Version 0.12.1
Bugfix release, released on March 31st 2017
- Prevent `flask run` from showing a NoAppException when an ImportError occurs
within the imported application module.
- Fix encoding behavior of ``app.config.from_pyfile`` for Python 3.
- Call `ctx.auto_pop` with the exception object instead of `None`, in the
event that a `BaseException` such as `KeyboardInterrupt` is raised in a
request handler.
3.2.9 (2017-05-09)
------------------
New features
- [core] email alarms now have pretty formatting (#805)
Enhancements
- [core] improved event invitation for all day events (#4145)
- [web] improved interface refresh time with external IMAP accounts
- [eas] added photo support for GAL search operations
Bug fixes
- [web] fixed attachment path when inside multiple body parts
- [web] fixed email reminder with attendees (#4115)
- [web] prevented form from being marked dirty when changing password (#4138)
- [web] restored support for SOGoLDAPContactInfoAttribute
- [web] avoid duplicated email addresses in LDAP-based addressbook (#4129)
- [web] fixed mail delegation of pristine user accounts (#4160)
- [core] cherry-picked comma escaping fix from v2 (#3296)
- [core] fix sogo-tool restore potentially crashing on corrupted data (#4048)
- [core] handle properly mails using windows-1255 charset (#4124)
- [core] fixed email reminders sent multiple times (#4100)
- [core] fixed LDIF to vCard conversion for non-handled multi-value attributes (#4086)
- [core] properly honor the "include in freebusy" setting (#3354)
- [core] make sure to use crypt scheme when encoding md5/sha256/sha512 (#4137)
- [eas] set reply/forwarded flags when ReplaceMime is set (#4133)
- [eas] remove alarms over EAS if we don't want them (#4059)
- [eas] correctly set RSVP on event invitations
- [eas] avoid sending IMIP request/update messages for all EAS clients (#4022)
3.2.8 (2017-03-24)
------------------
New features
- [core] new sogo-tool manage-acl command to manage calendar/address book ACLs
Enhancements
- [web] constrain event/task reminder to a positive number
- [web] display year in day and week views
- [web] split string on comma and semicolon when pasting multiple addresses (#4097)
- [web] restrict Draft/Sent/Trash/Junk mailboxes to the top level
- [web] animations are automatically disabled under IE11
- [web] updated Angular Material to version 1.1.3
Bug fixes
- [core] handle broken CalDAV clients sending bogus SENT-BY (#3992)
- [core] fixed handling of exdates and proper intersection for fbinfo (#4051)
- [core] remove attendees that have the same identity as the organizer (#3905)
- [web] fixed ACL editor in admin module for Safari (#4036)
- [web] fixed function call when removing contact category (#4039)
- [web] localized mailbox names everywhere (#4040, #4041)
- [web] hide fab button when printing (#4038)
- [web] SOGoCalendarWeekdays must now be defined before saving preferences
- [web] fixed CAS session timeout handling during XHR requests (#1456)
- [web] exposed default value of SOGoMailAutoSave (#4053)
- [web] exposed default value of SOGoMailAddOutgoingAddresses (#4064)
- [web] fixed handling of contact organizations (#4028)
- [web] fixed handling of attachments in mail editor (#4058, #4063)
- [web] fixed saving draft outside Mail module (#4071)
- [web] fixed SCAYT automatic language selection in HTML editor
- [web] fixed task sorting on multiple categories
- [web] fixed sanitisation of flags in Sieve filters (#4087)
- [web] fixed missing CC or BCC when specified before sending message (#3944)
- [web] enabled Save button after deleting attributes from a card (#4095)
- [web] don't show Copy To and Move To menu options when user has a single address book
- [web] fixed display of category colors in events and tasks lists
- [eas] fixed opacity in EAS freebusy (#4033)
3.2.7 (2017-02-14)
------------------
New features
- [core] new sogo-tool checkup command to make sure user's data is sane
Enhancements
- [web] added Hebrew (he) translation - thanks to Raz Aidlitz
Bug fixes
- [core] generalized the bcc handling code
- [web] saving the preferences was not possible when Mail module is disabled
- [web] ignore mouse events in scrollbars of Month view (#3990)
- [web] fixed public URL with special characters (#3993)
- [web] keep the fab button visible when the center list is hidden
- [web] localized mail, phone, url and address types (#4030)
- [eas] improved EAS parameters parsing (#4003)
- [eas] properly handle canceled appointments
3.2.6a (2017-01-26)
-------------------
Bug fixes
- [core] fixed "include in freebusy" (reverts #3354)
- [web] improved ACLs handling of inactive users
3.2.6 (2017-01-23)
------------------
Enhancements
- [web] show locale codes beside language names in Preferences module
- [web] fixed visual glitches in Month view with Firefox
- [web] mail editor can now be expanded horizontally and automatically expands vertically
- [web] compose a new message inline or in a popup window
- [web] allow selecting multiple files when uploading attachments (#3999)
- [web] use "date" extension of Sieve to enable/disable vacation auto-reply (#1530, #1949)
- [web] updated Angular to version 1.6.1
- [web] updated CKEditor to version 4.6.2
Bug fixes
- [core] remove all alarms before sending IMIP replies (#3925)
- [web] fixed rendering of forwarded HTML message with inline images (#3981)
- [web] fixed pasting images in CKEditor using Chrome (#3986)
- [eas] make sure we trigger a download of service-side changed events
- [eas] now strip attendees with no email during MeetingResponse calls
Changes to GoAccess 1.2 - Tuesday, March 07, 2017
- Added a Dockerfile.
- Added Amazon S3 bucket name as a VirtualHost (server block).
- Added a replacement for GNU getline() to dynamically expand line buffer
while maintaining real-time output.
- Added --daemonize command line option to run GoAccess as daemon.
- Added several improvements to the HTML report on small-screen devices.
- Added option to the HTML report to auto-hide tables on small-screen
devices.
- Added --process-and-exit command line option to parse log and exit.
- Added several feed readers to the list of browsers.
- Added "-" single dash per convention to read from the standard input.
- Added support for MaxMind GeoIP2.
- Added the ability to read and follow from a pipe such as
"tail -f access.log | goaccess -"
- Added the ability to specify multiple logs as input sources, e.g.:
"goaccess access.log access.log.1" while maintaining real-time output.
- Added time unit (seconds) to the processed time label in the HTML/terminal
output.
- Added visitors' percent column to the terminal dashboard.
- Changed D3 charts to dim Y-axis on mouseover.
- Changed D3 charts to reflect HTML column sort.
- Changed D3 charts to render only if within the viewport. This improves the
overall real-time HTML performance.
- Changed HTML report tables to render only if within the viewport.
- Changed percentage calculation to be based on the total within each panel.
- Ensure start/end dates are updated real-time in the HTML output.
- Ensure "window.location.hostname" is used as the default WS server host.
In most cases, this should avoid the need for specifying "--ws-url=host".
Simply using "--real-time-html" should suffice.
- Fixed issue on HTML report to avoid outputting scientific notation for all
byte sizes.
- Fixed integer overflow when calculating bar graph length on terminal
output.
- Fixed issue where global config file would override command line arguments.
- Fixed issue where it wouldn't allow loading from disk without specifying a
file when executed from the cron.
- Fixed issue where parser couldn't read some X-Forwarded-For (XFF) formats.
Note that this breaks compatibility with the original implementation of
parsing XFF, but at the same time it gives much more flexibility on different
formats.
- Fixed issue where specifying fifo-in/out wouldn't allow HTML real-time
output.
- Fixed issue where the wrong number of parsed lines upon erroring out was
displayed.
- Fixed issue where the WebSocket server prevented establishing a connection
with a client due to invalid UTF-8 sequences.
- Fixed percent issue when calculating visitors field.
- Updated the list of crawlers.
* pkgsrc change: depends on ruby-rack14 instead of ruby-rack16.
# Version 2.14.2
Release date: 2017-06-09
### Fixed
* Workaround for system modals when using headless Chrome now works if the
page changes
# Version 2.14.1
Release date: 2017-06-07
### Fixed
* Catch correct error when unexpected system modals are discovered in latest
selenium [Thomas Walpole]
* Update default `puma` server registration to encourage it to run in single
mode [Thomas Walpole]
* Suppress invalid element errors raised while lazily evaluating the results
of `all` [Thomas Walpole]
* Added missing `with_selected` option to the :select selector to match
`options`/`with_options` options - Issue #1865 [Bartosz Nowak]
* Workaround broken system modals when using selenium with headless Chrome