### 4.4.1 (2017-07-12)
* Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
* Correctly handle subpalettes in "edit multiple" mode (see #946).
* Correctly show the DCA picker in the site structure (see #906).
* Correctly update the style sheets if a format definition is
enabled/disabled (see #893).
* Always show the "show from" and "show until" fields (see #908).
* Correctly set the "overwriteMeta" field during the database update (see
contao/core-bundle#888).
Version 3.5.28 (2017-07-12)
---------------------------
### Fixed
Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
### Fixed
Improve the accessibility of the CAPTCHA widget (see #8709).
### Fixed
Fixed the iOS scrolling bug in the simple modal script (see #8708).
### Fixed
Correctly cache the unique keys in the SQL cache (see #8712).
* mirror: improved performance of --scan-all-first for big trees.
* mirror: new --flat option to flatten the target directory structure.
* mmv: new command for file moving; redirect mv to mmv in certain cases.
* fixed compilation with newer openssl (1.1.0 and later).
* du: allow multiple --exclude options to be combined.
* new setting cmd:nullglob for `glob' command prefix.
* http: use proppatch to set last-modified property.
* new settings net:connection-limit-timer and ftp:too-many-re.
* ftp: dynamically ajust connection limit.
* ftp: fixed core dump on LINK/SYMLINK when the command is not supported.
* get1: fixed -o option.
* sftp,fish: connect-program setting is now passed to the shell for execution.
* get/mget/put/mput: add -P option for parallel transfers and long options.
* appimage: new make target for making an AppImage file.
* fixed "local glob".
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
global variable when using Lua 5.2 or later. This was exported as a
side effect from luaL_register, which is no longer supported as of
Lua 5.2 which deprecates pollution of the global namespace.
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
The server will continue to run, but HTTP/2 will no longer be negotiated.
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
default ProxyFCGIBackendType, fixing a regression with PHP-FPM.
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
*) mod_http2: Simplify ready queue, less memory and better performance. Update
mod_http2 version to 1.10.7.
*) Allow single-char field names inadvertently disallowed in 2.4.25.
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
passwd file to a possibly existing passwd file.
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
*) Allow single-char field names inadvertantly disallowed in 2.2.32.
Changes with Apache 2.2.33 (not released)
*) SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
*) SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
VeriFast is a research prototype of a tool for modular formal
verification of correctness properties of single-threaded and
multithreaded C and Java programs annotated with preconditions and
postconditions written in separation logic.
This is recommended by Kiwamu Okabe in Japan NetBSD Users' Group BOF 2017
at the University of Tokyo.
Caddy is a HTTP/2 web server with automatic HTTPS.
Caddy was born out of the need for a "batteries-included" web server
that runs anywhere and doesn't have to take its configuration with it.
Caddy took inspiration from spark, nginx, lighttpd, Websocketd and
Vagrant, which provides a pleasant mixture of features from each of
them.
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet
was crafted in a particular way. This patch checks that there is
enough data for the required elements of an NAPTR record (2 int16, 3
bytes for string lengths) before processing a record.
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet
was crafted in a particular way. This patch checks that there is
enough data for the required elements of an NAPTR record (2 int16, 3
bytes for string lengths) before processing a record.
- Disable V8 snapshots - The hashseed embedded in the snapshot is
currently the same for all runs of the binary. This opens node up to
collision attacks which could result in a Denial of Service. We have
temporarily disabled snapshots until a more robust solution is found
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet
was crafted in a particular way. This patch checks that there is
enough data for the required elements of an NAPTR record (2 int16, 3
bytes for string lengths) before processing a record. (David Drysdale)
