documents over IO::Socket::SSL, then stop forcing Net::SSL (which
doesn't verify hostnames) even when the admin requested IO::Socket::SSL,
and then pass the server name through so SNI can work. Bump PKGREVISION.
Updating during the freeze for the security improvements.
== 2.2.1 / 2013-05-20
* Fix package problem (termtter requires termtter).
* Suppress the warning on ruby 1.9 with CentOS.
== 2.2.0 / 2013-04-20
* Using https to connect to api.twitter.com (important).
* Improvement testing (CI enabled).
* Using jeweler for packaging.
* Suppress the warning (on ruby 2.0).
* Change default stdout and colors.
* Added some plugins
== 2.1.1 / 2013-04-10
* Correspond to API 1.1
* Other fixes.
== 2.0.0 / 2013-04-07
* User own plugins loader.
* If ~/.termtter/lib/plugins exist, load them.
* Improvement easy_post plugin.
* Plug-in easy_post should operate only when above 15 characters.
* Improvement tests.
* "Failed to update :(" when updated with URL.
* use String#sub instead of String#[regexp]=.
* spec for expand_tco_url plugin.
* and fix other minor bugs.
* Don't double-decode CGI submissions with Encode.pm >= 2.53,
fixing "Error: Cannot decode string with wide characters".
Thanks, Antoine Beaupré
* Avoid making trails depend on everything in the wiki by giving them
a better way to sort the pages
* Don't let users post comments that won't be displayed
* Fix encoding of Unicode strings in Python plugins.
Thanks, chrysn
* Improve performance and correctness of the [[!if]] directive
* Let [[!inline rootpage=foo postform=no]] disable the posting form
* Switch default [[!man]] shortcut to manpages.debian.org. Closes: #700322
* Add UUID and TIME variables to edittemplate. Closes: #752827
Thanks, Jonathon Anderson
* Display pages in linkmaps as their pagetitle (no underscore escapes).
Thanks, chrysn
* Fix aspect ratio when scaling small images, and add support for
converting SVG and PDF graphics to PNG.
Thanks, chrysn
- suggest ghostscript (required for PDF-to-PNG thumbnailing)
and libmagickcore-extra (required for SVG-to-PNG thumbnailing)
- build-depend on ghostscript so the test for scalable images can be run
* In the CGI wrapper, incorporate $config{ENV} into the environment
before executing Perl code, so that PERL5LIB can point to a
non-system-wide installation of IkiWiki.
Thanks, Lafayette Chamber Singers Webmaster
* filecheck: accept MIME types not containing ';'
* autoindex: index files in underlays if the resulting pages aren't
going to be committed. Closes: #611068
* Add [[!templatebody]] directive so template pages don't have to be
simultaneously a valid template and valid HTML
* Add myself to Uploaders and release to Debian
-- Simon McVittie <smcv@debian.org> Fri, 12 Sep 2014 21:23:58 +0100
pkgsrc changes:
* Add 'cgi' option, enabled by default
* Add 'git' option, disabled by default
Updating during the freeze because it's a leaf with many fixes,
including our local patches.
Bug fixes
~~~~~~~~~
* Fixed a bug that could sometimes cause a timeout to fire after being
cancelled.
* `.AsyncTestCase` once again passes along arguments to test methods,
making it compatible with extensions such as Nose's test generators.
* `.StaticFileHandler` can again compress its responses when gzip is enabled.
* ``simple_httpclient`` passes its ``max_buffer_size`` argument to the
underlying stream.
* Fixed a reference cycle that can lead to increased memory consumption.
* `.add_accept_handler` will now limit the number of times it will call
`~socket.socket.accept` per `.IOLoop` iteration, addressing a potential
starvation issue.
* Improved error handling in `.IOStream.connect` (primarily for FreeBSD
systems)
Changes:
supports HTTP/2 draft-14
CURLE_HTTP2 is a new error code
CURLAUTH_NEGOTIATE is a new auth define
CURL_VERSION_GSSAPI is a new capability bit
no longer use fbopenssl for anything
schannel: use CryptGenRandom for random numbers
axtls: define curlssl_random using axTLS's PRNG
cyassl: use RNG_GenerateBlock to generate a good random number
findprotocol: show unsupported protocol within quotes
version: detect and show LibreSSL
version: detect and show BoringSSL
imap/pop3/smtp: Kerberos (SASL GSSAPI) authentication via Windows SSPI
http2: requires nghttp2 0.6.0 or later
Bugfixes:
SECURITY ADVISORY: cookie leak with IP address as domain
SECURITY ADVISORY: cookie leak for TLDs
fix a build failure on Debian when NSS support is enabled
HTTP/2: fixed compiler warnings when built disabled
cyassl: return the correct error code on no CA cert
http: Deprecate GSS-Negotiate macros due to bad naming
http: Fixed Negotiate: authentication
multi: Improve proxy CONNECT performance (regression)
ntlm_wb: Avoid invoking ntlm_auth helper with empty username
ntlm_wb: Fix hard-coded limit on NTLM auth packet size
url.c: use the preferred symbol name: *READDATA
smtp: fixed a segfault during test 1320 torture test
cyassl: made it compile with version 2.0.6 again
nss: do not check the version of NSS at run time
c-ares: fix build without IPv6 support
HTTP/2: use base64url encoding
SSPI Negotiate: Fix 3 memory leaks
libtest: fixed duplicated line in Makefile
conncache: fix compiler warning
openssl: make ossl_send return CURLE_OK better
HTTP/2: Support expect: 100-continue
HTTP/2: Fix infinite loop in readwrite_data()
parsedate: fix the return code for an overflow edge condition
darwinssl: don't use strtok()
http_negotiate_sspi: Fixed specific username and password not working
openssl: replace call to OPENSSL_config
http2: show the received header for better debugging
HTTP/2: Move :authority before non-pseudo header fields
HTTP/2: Reset promised stream, not its associated stream
HTTP/2: added some more logging for debugging stream problems
ntlm: Added support for SSPI package info query
ntlm: Fixed hard coded buffer for SSPI based auth packet generation
sasl_sspi: Fixed memory leak with not releasing Package Info struct
sasl_sspi: Fixed SPN not being converted to wchar under Unicode builds
sasl: Use a dynamic buffer for DIGEST-MD5 SPN generation
http_negotiate_sspi: Use a dynamic buffer for SPN generation
sasl_sspi: Fixed missing free of challenge buffer on SPN failure
sasl_sspi: Fixed hard coded buffer for response generation
Curl_poll + Curl_wait_ms: fix timeout return value
docs/SSLCERTS: update the section about NSS database
create_conn: prune dead connections
openssl: fix version report for the 0.9.8 branch
mk-ca-bundle.pl: switched to using hg.mozilla.org
http: fix the Content-Range: parser
Curl_disconnect: don't free the URL
win32: Fixed WinSock 2 #if
NTLM: ignore CURLOPT_FORBID_REUSE during NTLM HTTP auth
curl.1: clarify --limit-rate's effect on both directions
disconnect: don't touch easy-related state on disconnects
Cmake: big cleanup and numerous fixes
HTTP/2: supports draft-14 - moved :headers before the non-psuedo headers
HTTP/2: Reset promised stream, not its associated stream
configure.ac: Add support for recent GSS-API implementations for HP-UX
CONNECT: close proxy connections that fail
CURLOPT_NOBODY.3: clarify this option is for downloads
darwinssl: fix CA certificate checking using PEM format
resolve: cache lookup for async resolvers
low-speed-limit: avoid timeout flood
polarssl: implement CURLOPT_SSLVERSION
multi: convert CURLM_STATE_CONNECT_PEND handling to a list
curl_multi_cleanup: remove superfluous NULL assigns
polarssl: support CURLOPT_CAPATH / --capath
progress: size_dl/size_ul are always >= 0, and clear "KNOWN" properly
Add missing DEPENDS.
Upstream changes:
0.150000 2014-08-17 01:35:16CEST+0200 Europe/Amsterdam
[ DOCUMENTATION ]
* GH #657: Update multi-app example in cookbook to include route
merging. (Bas Bloemsaat)
* GH #643: Improve session factory docs by mentioning Dancer2::Config.
(Andy Jack)
[ BUG FIXES ]
* Postponed hooks are no longer sent to all Apps.
(Sawyer X, Mickey Nasriachi)
* 404 File Not Found Application reworked to stay up to date with
postponed hooks merging in multiple apps. (Russell Jenkins)
* GH #610, #662: Removed two circular references memory leaks!
(Russell Jenkins)
* GH #633: Log an error when a hook dies. (DavsX)
[ ENHANCEMENT ]
* Allow settings apps in the psgi_app() call by name or regex.
(Sawyer X)
* GH #651: silly typo in clearer method name (DavsX).
0.149000_02 2014-08-10 13:50:39CEST+0200 Europe/Amsterdam
[ ENHANCEMENT ]
* GH #641: Adding a shim layer to prevent available hooks (and
thus plugins) from breaking.
* Each App can now define its own configuration. The Runner's
application-specific configure has been untangled.
(Russell @veryrusty Jenkins, Sawyer X, Mickey Nasriachi)
* Multiple Dancer App support. You can now create a App-specific
PSGI application using MyApp->psgi_app.
(Russell @veryrusty Jenkins, Sawyer X, Mickey Nasriachi)
* Add routes and hooks to an existing app on import.
(Russell @veryrusty Jenkins, Stevan Humphrey, Stefan racke
Hornburg, Jean Stebens, Chunzi, Sawyer X, Mickey Nasriachi)
* Allow DSL class to be specified in configuration file.
(Stevan Humphrey)
* forward() now returns a new request which is then just runs
the dispatching loop again. (Sawyer X, Mickey Nasriachi)
[ BUG FIXES ]
* GH #336: Set log level correctly.
(Andrew Solomon, Pedro Bruno)
* GH #627, #607: Remove potential context issues with returning
undef explicitly. (Javier Rojas)
* GH #646: Fix whitespacing for tests. (DavsX)
0.149000_01 2014-07-23 21:31:21CEST+0200 Europe/Amsterdam
*************************** NOTICE ***************************
* This very is a major upgrade *
* We untangled the context, DSL implementation a bit *
* Please check your code, including your plugins, thoroughly *
* Thank you *
[ ENHANCEMENTS ]
* GH #589: Removing Dancer2::Core::Context global context variable.
Finally in.
(Sawyer X, Mickey Nasriachi, Russell @veryrusty Jenkins)
[ BUG FIXES ]
* GH #606, #605: Fix for setting public directory.
(Ivan Kocienski, Russell Jenkins, Stefan @racke Hornburg)
* GH #618, #620: Fix jQuery link generated by CLI skeleton.
(Micha Wojciechowski)
* GH #589: Major memory leak fix by removal of Dancer2::Core::Context.
[ ENHANCEMENTS ]
* GH #620: Bump jQuery to 1.11.1. (Micha Wojciechowski)
LWP::Protocol::PSGI is a module to hijack any code that uses
LWP::UserAgent underneath such that any HTTP or HTTPS requests can be
routed to your own PSGI application.
Major changes:
General
- Featured image previews now support .bmp files
- Featured Image meta box is now hidden for contributors lacking upload
capabilities
- New supported oEmbed providers: CollegeHumor, Issuu, Mixcloud, YouTube
playlists, TED talks
- Install WordPress in your language
- Streamlined Language management right from the dashboard
Posts
- Display embed previews for audio/visual URLs in Visual editor content
box.
- Page scrolling now scrolls post content box.
- Edit Post/Page menu bar sticks to top of content box when scrolling
(Visual and Text editor).
- Color picker was re-added to the Visual editor
Media
- Add Media Grid view option (default) for Media Library
- Add "Bulk Select" button to Media Grid view to delete multiple items
- Add oEmbed support for TED talks, Mixcloud, CollegeHumor.com, Issuu
- Expand oEmbed support to include YouTube playlist URLs and Polldaddy’s
short URL format
- Remove Viddler oEmbed support
- Update SlideShare oEmbed regex
- Improved media experience on small screen sizes (embedded videos now
responsive)
- Native video and audio shortcodes now support Flash playback looping
Comments
- Comments in trash can now be marked as spam.
Plugins
- Display plugins list as grid, with thumbnails, on Add New screen.
- Add popup window with plugin details (displays info from plugin's
directory page).
- Add "Beta Testing" tab to Plugins screen for new features-as-plugins.
Accessibility
- Improved keyboard accessibility in the Add Media panel
- Improved screen-reader support for Customizer sections
- Makes links in help tabs keyboard accessible
- Improvements for screen-readers when managing widgets in the
Customizer
Install Process
- Add language select menu as first Installation screen (skipped for
localized installs)
Multisite
- mp4 file extension was added to allowed upload file types
Multiple access.log files can be processed at the same time.
Multiprocess mode can be activated using the -j N command line option.
New ExcludedMimes configuration directive to exclude from statistics a comma separated list of mime-type or using regex like text/.*.
New ExcludedMethods configuration directive to exclude from statistics a comma separated list of HTTP methods (GET,POST,CONNECT,...).
New translation available: pl_PL
Upstream changes:
5.39 2014-09-07
- Improved decamelize performance.
- Fixed bug in Mojo::Template where newline characters could get lost.
5.38 2014-09-05
- Improved routes command to use new terminology for flags.
- Fixed bug in Mojo::Util where tablify could not handle empty columns.
Upstream changes:
1.3129 2014-09-09
[BUG FIXES]
- Dzil conversion left 'dancer' script behind. (GH#1066)
[STATISTICS]
- code churn: 17 files changed, 1425 insertions(+), 1432 deletions(-)
1.3128 2014-09-09
[BUG FIXES]
- Remove test dependency for Person and Person::Child. (GH#1063)
1.3127 2014-09-08
[BUG FIXES]
- Test was using deprecated 'import_warnings'. (GH#1045, mokko)
- Fix default test names for headers and redirection test methods.
(GH#1048, odyniec)
- DANCER_SERVER_TOKENS and DANCER_SESSION_INFO are now
DANCER_NO_SERVER_TOKENS and DANCER_NO_SESSION_INFO. And working. :-)
(GH#1014, Yanick Champoux)
- 'any' wasn't understanding 'del' (only 'delete'). (GH#1044, Yanick
Champoux)
[DISTRIBUTION]
- Now using Dist::Zilla as package manager.
[DOCUMENTATION]
- Correct POD formatting for HTTP methods in introduction.pod. (GH#1047,
Lx)
[ENHANCEMENTS]
- environment configs are now merged with the global config, versus the
previous behavior that was overriding the whole config segments.
(GH#1016, Yanick Champoux)
- Dancer::Handler::Debug now accepts env variables from the command-line.
(GH#1056, Yanick Champoux)
- Accessing values abstracted as methods in Dancer::Session. (GH#1000,
John Wittkoski)
uWSGI 2.0.7
===========
Changelog [20140905]
Bugfixes
********
- fixed counters in statsd plugin (Joshua C. Forest)
- fixed caching in php plugin (Andrew Bevitt)
- fixed management of system users starting with a number
- fixed request body readline using memmove instead of memcpy (Andrew Wason)
- ignore "user" namespace in setns (still a source of problems)
- fixed Python3 rpc bytes/string mess (result: we support both)
- do not destroy the Emperor on failed mount hooks
- fixed symbol lookup error in the Mono plugin on OS X (Ventero)
- fixed fastcgi and scgi protocols error when out of buffer happens
- fixed solaris/smartos I/O management
- fixed 2 memory leaks in the rpc subsystem (Riccardo Magliocchetti)
- fixed rados plugin PUT method (Martin Mlynář)
- fixed multiple python mountpoints with multiple threads in cow mode
- stats UNIX socket is now deleted by vacuum
- fixed off-by-one corruption in cache LRU mode
- force single-cpu build in cygwin (Guido Notari)
New Features and improvements
*****************************
allow calling the spooler from every cpython context
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
At Europython 2014, Ultrabug (a uWSGI contributor and packager) asked for the possibility to spool tasks directly from a greenlet.
Done.
store_delete cache2 option
^^^^^^^^^^^^^^^^^^^^^^^^^^
Author: goir
The store_delete flag of the --cache2 option, allows you to force the cache engine to automatically remove an invalid
backing store file.
file logger rotation
^^^^^^^^^^^^^^^^^^^^
Author: Riccardo Magliocchetti
The `file` logger has been extended to allow the use of rotation (the same system used by the non-pluggable --logto):
0324e5965c
vassals plugin hooks
^^^^^^^^^^^^^^^^^^^^
The plugin have has been extended with two new hooks: vassal and vassal_before_exec.
Both allows to customize a vassal soon after its process has been generated.
The first third-party plugin using it is the 'apparmor' one:
https://github.com/unbit/uwsgi-apparmor
allowing you to apply an apparmor profile to a vassal
Broodlord improvements
^^^^^^^^^^^^^^^^^^^^^^
The broodlord subsystem has been improved with a new option: --vassal-sos that automatically ask for reinforcement when all of the workers of an instance are busy.
In addition to this a sysadmin can now manually ask for reinforcement sending the 'B' commando to the master fifo of an instance.
*) SECURITY: CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which
allowed a denial of service attack against a reverse proxy
with a threaded MPM.
*) SECURITY: CVE-2014-3523 (cve.mitre.org)
Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
installations). Workaround: AcceptFilter <protocol> {none|connect}
*) SECURITY: CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow.
*) SECURITY: CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to avoid
denial of sevice via highly compressed bodies. See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst.
*) SECURITY: CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server. By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts. The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
*) mod_ssl: Extend the scope of SSLSessionCacheTimeout to sessions
resumed by TLS session resumption (RFC 5077).
*) mod_deflate: Don't fail when flushing inflated data to the user-agent
and that coincides with the end of stream ("Zlib error flushing inflate
buffer").
*) mod_proxy_ajp: Forward local IP address as a custom request attribute
like we already do for the remote port.
*) core: Include any error notes set by modules in the canned error
response for 403 errors.
*) mod_ssl: Set an error note for requests rejected due to
SSLStrictSNIVHostCheck.
*) mod_ssl: Fix issue with redirects to error documents when handling
SNI errors.
*) mod_ssl: Fix tmp DH parameter leak, adjust selection to prefer
larger keys and support up to 8192-bit keys.
*) mod_dav: Fix improper encoding in PROPFIND responses.
*) WinNT MPM: Improve error handling for termination events in child.
*) mod_proxy: When ping/pong is configured for a worker, don't send or
forward "100 Continue" (interim) response to the client if it does
not expect one.
*) mod_ldap: Be more conservative with the last-used time for
LDAPConnectionPoolTTL.
*) mod_ldap: LDAP connections used for authn were not respecting
LDAPConnectionPoolTTL.
*) mod_proxy_fcgi: Fix occasional high CPU when handling request bodies.
*) event MPM: Fix possible crashes (third-party modules accessing c->sbh)
or occasional missed mod_status updates under load.
*) mod_authnz_ldap: Support primitive LDAP servers do not accept
filters, such as "SDBM-backed LDAP" on z/OS, by allowing a special
filter "none" to be specified in AuthLDAPURL.
*) mod_deflate: Fix inflation of files larger than 4GB.
*) mod_deflate: Handle Zlib header and validation bytes received in multiple
chunks.
*) mod_proxy: Allow reverse-proxy to be set via explicit handler.
*) ab: support custom HTTP method with -m argument.
*) mod_proxy_balancer: Correctly encode user provided data in management
interface.
*) mod_proxy_fcgi: Support iobuffersize parameter.
*) mod_auth_form: Add a debug message when the fields on a form are not
recognised.
*) mod_cache: Preserve non-cacheable headers forwarded from an origin 304
response.
*) mod_proxy_wstunnel: Fix the use of SSL connections with the "wss:"
scheme.
*) mod_socache_shmcb: Correct counting of expirations for status display.
Expirations happening during retrieval were not counted.
*) mod_cache: Retry unconditional request with the full URL (including the
query-string) when the origin server's 304 response does not match the
conditions used to revalidate the stale entry.
*) mod_alias: Stop setting CONTEXT_PREFIX and CONTEXT_DOCUMENT environment
variables as a result of AliasMatch.
*) mod_cache: Don't add cached/revalidated entity headers to a 304 response.
*) mod_proxy_scgi: Support Unix sockets. ap_proxy_port_of_scheme():
Support default SCGI port (4000).
*) mod_cache: Fix AH00784 errors on Windows when the the CacheLock directive
is enabled.
*) mod_expires: don't add Expires header to error responses (4xx/5xx),
be they generated or forwarded.
*) mod_proxy_fcgi: Don't segfault when failing to connect to the backend.
(regression in 2.4.9 release)
*) mod_authn_socache: Fix crash at startup in certain configurations.
*) mod_ssl: restore argument structure for "exec"-type SSLPassPhraseDialog
programs to the form used in releases up to 2.4.7, and emulate
a backwards-compatible behavior for existing setups.
*) mod_ssl: Add SSLOCSPUseRequestNonce directive to control whether or not
OCSP requests should use a nonce to be checked against the responder's
one.
*) mod_ssl: "SSLEngine off" will now override a Listen-based default
and does disable mod_ssl for the vhost.
*) mod_lua: Enforce the max post size allowed via r:parsebody()
*) mod_lua: Use binary comparison to find boundaries for multipart
objects, as to not terminate our search prematurely when hitting
a NULL byte.
*) mod_ssl: add workaround for SSLCertificateFile when using OpenSSL
versions before 0.9.8h and not specifying an SSLCertificateChainFile
(regression introduced with 2.4.8).
*) mod_ssl: bring SNI behavior into better conformance with RFC 6066:
no longer send warning-level unrecognized_name(112) alerts,
and limit startup warnings to cases where an OpenSSL version
without TLS extension support is used.
*) mod_proxy_html: Avoid some possible memory access violation in case of
specially crafted files, when the ProxyHTMLMeta directive is turned on.
*) mod_auth_form: Make sure the optional functions are loaded even when
the AuthFormProvider isn't specified.
*) mod_ssl: avoid processing bogus SSLCertificateKeyFile values
(and logging garbled file names).
*) mod_ssl: fix merging of global and vhost-level settings with the
SSLCertificateFile, SSLCertificateKeyFile, and SSLOpenSSLConfCmd
directives.
*) mod_headers: Allow the "value" parameter of Header and RequestHeader to
contain an ap_expr expression if prefixed with "expr=".
*) rotatelogs: Avoid creation of zombie processes when -p is used on
Unix platforms.
*) mod_authnz_fcgi: New module to enable FastCGI authorizer
applications to authenticate and/or authorize clients.
*) mod_proxy: Do not try to parse the regular expressions passed by
ProxyPassMatch as URL as they do not follow their syntax.
*) mod_reqtimeout: Resolve unexpected timeouts on keepalive requests
under the Event MPM.
*) mod_proxy_fcgi: Fix sending of response without some HTTP headers
that might be set by filters.
*) mod_proxy_html: Do not delete the wrong data from HTML code when a
"http-equiv" meta tag specifies a Content-Type behind any other
"http-equiv" meta tag.
*) mod_proxy: Don't reuse a SSL backend connection whose requested SNI
differs.
*) Add suspend_connection and resume_connection hooks to notify modules
when the thread/connection relationship changes. (Should be implemented
for any third-party async MPMs.)
*) mod_proxy_wstunnel: Don't issue AH02447 and log a 500 on routine
hangups from websockets origin servers.
*) mod_proxy_wstunnel: Don't pool backend websockets connections,
because we need to handshake every time.
*) mod_lua: Redesign how request record table access behaves,
in order to utilize the request record from within these tables.
*) mod_lua: Add r:wspeek for peeking at WebSocket frames.
*) mod_lua: Log an error when the initial parsing of a Lua file fails.
*) mod_lua: Reformat and escape script error output.
*) mod_lua: URL-escape cookie keys/values to prevent tainted cookie data
from causing response splitting.
*) mod_lua: Disallow newlines in table values inside the request_rec,
to prevent HTTP Response Splitting via tainted headers.
*) mod_lua: Remove the non-working early/late arguments for
LuaHookCheckUserID.
*) mod_lua: Change IVM storage to use shm
*) mod_lua: More verbose error logging when a handler function cannot be
found.
Changes to GoAccess 0.8.4 - Monday, September 08, 2014
* Added ability to handle nginx non-standard status code 444 as 404.
`--444-as-404`
* Added and updated operating systems, and browsers.
* Added excluded IP hits count to the general statistics panel on all reports.
* Added HTTP nonstandard code '444' to the status code list.
* Added the ability to count client errors (4xx) to the unique visitors count.
Now by default it omits client errors (4xx) from being added to the unique
visitors count as they are probably not welcomed visitors. 4xx errors are
always counted in panels other than visitors, OS & browsers.
`--4xx-to-unique-count`
* Removed request status field restriction. This allows parsing logs that contain
only a valid date, IPv4/6 and host.
* Fixed issue when excluding IPv4/v6 ranges.
* Fixed compile error due to missing include <sys/types.h> for type off_t
(gcc 4.1).
Changes to GoAccess 0.8.3 - Monday, July 28, 2014
* Fixed SEGFAULT when parsing a CLF log format and using --ignore-crawlers.
* Fixed parsing conflict between some Opera browsers and Chrome.
* Fixed parsing of several feed readers that are Firefox/Safari-based.
* Fixed Steam detection.
* Added Huawei to the browser's list and removed it from the OS's list.
Changes to GoAccess 0.8.2 - Monday, July 20, 2014
* Added ability to parse dates containing whitespaces in between,
e.g., Jul 15 20:13:59 (syslog format).
* Added a variety of browsers, game systems, feed readers, and podcasts.
* Added a '-V --version' command line option.
* Added missing up/down arrows to the help section.
* Added the ability to ignore crawlers using the '--ignore-crawlers' option.
* Added the ability to ignore multiple IPv4/v6 and IP ranges.
* Added the PATCH method according to RFC 5789.
* Fixed GeoLocation percent issue for the JSON, CSV and HTML outputs.
* Fixed memory leak when excluding one or multiple IPs.
Changes to GoAccess 0.8.1 - Monday, June 16, 2014
* Added ability to add/remove static files by extension through the config
file.
* Added ability to print backtrace on segmentation fault.
* Escaped JSON strings correctly according to [RFC4627].
* Fixed encoding issue when extracting keyphrases for some HTTP referers.
* Fixed issue where HTML bar graphs were not shown due to numeric locale.
* Fixed issue with URIs containing "\r?\n" thus breaking the corresponding
output.
* Make sure request string is URL decoded on all outputs.
* v2.04
Minor documentation fixes and explanation of the proposed split into
legacy/trunk branches. No code changes from 2.03_02.
* v2.03_02
The uploads have had a minor change which may solve the windows size
difference failures. More diagnostics were added to the failures if it
does not.
* v2.03_01
The test multi-part upload data in the test suite has been fixed to have
the correct (CRLF) line terminators. These tests should now pass for
Microsoft users.
The documentation has been amended to reflect the change of maintainer.
* v2.03 - May 25, 2014
Maintainer change: Pete Houston has taken over maintenance from Smylers.
A test suite has been created.
BUG FIX: Cleared up some uninitialised value warnings emitted when query
strings are missing an entire key-value pair eg: "&foo=bar" (issue
38448).
BUG FIX: If the user calls parse_form_data as a class method without a
query string, the method now gives up early and silently
(issue 6180).
BUG FIX: In form-data uploads, the boundary string was not properly
escaped and therefore would not match when it contained
metacharacters (issue 29053).
BUG FIX: The content type for url-encoded forms now matches on the MIME
type only, so additional charset fields are allowed (issues 16236,
34827 and 41666).
BUG FIX: Leading/trailling whitespace is now stripped from cookie names
and values.
BUG FIX: Cookies now no longer need to be separated by whitespace.
Commas can now be used as separators too. (issue 32329).
BUG FIX: The semicolon is now a permitted delimiter in the query string
along with the ampersand (issue 8212).
Version 0.77 -- 2014-08-05
o re-release to remove build artifacts that should not have been shipped
Version 0.76 -- 2014-08-05
o On Android, set TMPDIR before calling configure (RT#97680, Brian Fraser)
Version 0.75 -- 2014-07-17
o deprecated APIs removed (chansen)
o broken PP implementation removed (chansen)
o retooled distribution so FCGI.pm and FCGI.xs exist as-is, rather than
being generated by FCGI.PL and FCGI.XL (chansen)
Upstream changes:
RELEASE 0.12
New SimpleTemplate parser implementation * Support for multi-line code blocks (<% ... %>). * The keywords include and rebase are functions now and can accept variable template names.
The new BaseRequest.route() property returns the Route that originally matched the request.
Removed the BaseRequest.MAX_PARAMS limit. The hash collision bug in CPythons dict() implementation was fixed over a year ago. If you are still using Python 2.5 in production, consider upgrading or at least make sure that you get security fixed from your distributor.
New ConfigDict API (see Configuration (DRAFT))
This module generates tokens to help protect against a website attack
known as Cross-Site Request Forgery (CSRF, also known as XSRF). CSRF
is an attack where an attacker fools a browser into make a request to
a web server for which that browser will automatically include some
form of credentials (cookies, cached HTTP Basic authentication, etc.),
thus abusing the web server's trust in the user for malicious use.
The most common CSRF mitigation is sending a special, hard-to-guess
token with every request, and then require that any request that is
not idempotent (i.e., has side effects) must be accompanied with such
a token. This mitigation depends critically on the fact that while an
attacker can easily make the victim's browser make a request, the
browser security model (same-origin policy, or SOP for short) prevents
third-party sites from reading the results of that request.
Upstream changes:
5.37 2014-09-03
- Improved Mojo::Template performance slightly.
- Fixed .ep template bug where the stash value "c" could no longer be used.
5.36 2014-09-02
- Improved Mojo::Template performance.
5.35 2014-08-30
- Improved monkey_patch to be able to name generated functions.
5.34 2014-08-29
- Added original_remote_address attribute to Mojo::Transaction.
- Fixed bug where Mojolicious::Commands would change @ARGV when loaded.
=================
WebKitGTK+ 2.4.5
=================
What's new in WebKitGTK+ 2.4.5?
- Do not freeze the UI process while scanning plugins if there's a
GTK+ 3 plugin installed.
- Fix a crash when drag and drop to a WebKitWebView.
- Fix a crash when navigating away from a web page containing an ogg
video.
- Fix slow motion rendering problem in GStreamer media backend due
to integer rounding.
- Make sure the plugins cache is always used even if the cache
directory doesn’t exist.
- Fix toggle buttons rendering with recent GTK+ versions.
- Do not use GtkWindow:resize-grip-visible with recent GTK+
versions.
- Add support for little-endian PowerPC64.
Version 3.3.5 (2014-08-27)
--------------------------
### Fixed
Do not output an empty `label` tag (see #7249).
### Fixed
Allow floating point numbers in "number" input fields (see #7257).
### Fixed
Do not adjust the start time of past events (see #7121).
### Fixed
Reset the image margins if it exceeds the maximum image size (see #7245).
### Fixed
Reset `$blnPreventSaving` when a model is cloned (see #7243).
### Fixed
Do not reload after storing `CURRENT_ID` in the session (see #7240).
### Fixed
Correctly validate the page number of the versions menu (see #7235).
### Fixed
Handle underscores in the Google+ vanity name (see #7241).
### Fixed
Correctly handle the `rem` unit when importing style sheets (see #7220).
### Fixed
Fix two issues with the extension repository theme.
Version 3.2.14 (2014-08-27)
---------------------------
### Fixed
Allow floating point numbers in "number" input fields (see #7257).
### Fixed
Do not adjust the start time of past events (see #7121).
### Fixed
Reset the image margins if it exceeds the maximum image size (see #7245).
### Fixed
Reset `$blnPreventSaving` when a model is cloned (see #7243).
### Fixed
Do not reload after storing `CURRENT_ID` in the session (see #7240).
### Fixed
Correctly validate the page number of the versions menu (see #7235).
### Fixed
Handle underscores in the Google+ vanity name (see #7241).
### Fixed
Correctly handle the `rem` unit when importing style sheets (see #7220).
### Fixed
Fix two issues with the extension repository theme.
kerberos_ldap_group: Fix 'error during setup of Kerberos credential cache'
Ignore Range headers with unidentifiable byte-range values
Use v3 for fake certificate if we add _any_ certificate extension.
Fix regression in rev.13156
Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formating codes
Enable compile-time override for MAXTCPLISTENPORTS
ntlm_sspi_auth: fix various build errors
negotiate_wrapper: vfork is not portable
Windows: fix iphlpapi.h include case-sensitivity
Windows: correct libsspwin32 API for SSP_LogonUser()
negotiate_sspi_auth: Portability fixes for MinGW
ext_lm_group_acl: portability fixes for MinGW
SourceFormat Enforcement
Bug 4080: worker hangs when client identd is not responding
Bug 3966: Add KeyEncipherment when ssl-bump substitues RSA for EC.
Reduce cache_effective_user was leaking $HOME memory
Upstream changes:
5.33 2014-08-24
- Improved Mojo::Date to be able to handle higher precision times.
- Improved Mojo::ByteStream performance.
5.32 2014-08-21
- Added to_datetime method to Mojo::Date.
- Improved Mojo::Date to support RFC 3339.
5.31 2014-08-19
- Improved Mojolicious::Static to allow custom content types.
- Improved url_for performance.
5.30 2014-08-17
- Improved Mojolicious::Static to only handle GET and HEAD requests.
- Improved Mojo::URL performance.
- Improved url_for performance slightly.
- Fixed bug where DATA sections sometimes got corrupted after forking, which
caused applications to fail randomly.
- Fixed Mojo::IOLoop::Client to use a timeout for every connection.
5.29 2014-08-16
- Added helpers method to Mojolicious::Controller.
- Improved performance of .ep templates slightly.
- Fixed "0" value bug in Mojolicious::Plugin::EPRenderer.
We had 2 previously undetected regressions in 3.0.4. These are now fixed.
One small new feature also snuck into this release: apphooks and plugin registration now work as decorators.
If you are running 3.0.4 please upgrade.
- reversion.register() can now be used as a class decorator
- Danish translation
- Improvements to Travis CI integration
- Simplified Chinese translation
- Minor bugfixes and documentation improvement
Security fixes:
* Issue: reverse() can generate URLs pointing to other hosts (CVE-2014-0480)
* Issue: file upload denial of service (CVE-2014-0481)
* Issue: RemoteUserMiddleware session hijacking (CVE-2014-0482)
* Issue: data leakage via querystring manipulation in admin (CVE-2014-0483)
