*) Security: memory corruption might occur in a worker process on 32-bit
platforms while handling a specially crafted request by
ngx_http_spdy_module, potentially resulting in arbitrary code
execution (CVE-2014-0088); the bug had appeared in 1.5.10.
Thanks to Lucas Molas, researcher at Programa STIC, Fundación Dr.
Manuel Sadosky, Buenos Aires, Argentina.
*) Feature: the $ssl_session_reused variable.
*) Bugfix: the "client_max_body_size" directive might not work when
reading a request body using chunked transfer encoding; the bug had
appeared in 1.3.9.
Thanks to Lucas Molas.
*) Bugfix: a segmentation fault might occur in a worker process when
proxying WebSocket connections.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used on 32-bit platforms; the bug had
appeared in 1.5.10.
*) Bugfix: the $upstream_status variable might contain wrong data if the
"proxy_cache_use_stale" or "proxy_cache_revalidate" directives were
used.
Thanks to Piotr Sikora.
*) Bugfix: a segmentation fault might occur in a worker process if
errors with code 400 were redirected to a named location using the
"error_page" directive.
*) Bugfix: nginx/Windows could not be built with Visual Studio 2013.
Changes with nginx 1.5.10 04 Feb 2014
*) Feature: the ngx_http_spdy_module now uses SPDY 3.1 protocol.
Thanks to Automattic and MaxCDN for sponsoring this work.
*) Feature: the ngx_http_mp4_module now skips tracks too short for a
seek requested.
*) Bugfix: a segmentation fault might occur in a worker process if the
$ssl_session_id variable was used in logs; the bug had appeared in
1.5.9.
*) Bugfix: the $date_local and $date_gmt variables used wrong format
outside of the ngx_http_ssi_filter_module.
*) Bugfix: client connections might be immediately closed if deferred
accept was used; the bug had appeared in 1.3.15.
*) Bugfix: alerts "getsockopt(TCP_FASTOPEN) ... failed" appeared in logs
during binary upgrade on Linux; the bug had appeared in 1.5.8.
Thanks to Piotr Sikora.
Changes with nginx 1.5.9 22 Jan 2014
*) Change: now nginx expects escaped URIs in "X-Accel-Redirect" headers.
*) Feature: the "ssl_buffer_size" directive.
*) Feature: the "limit_rate" directive can now be used to rate limit
responses sent in SPDY connections.
*) Feature: the "spdy_chunk_size" directive.
*) Feature: the "ssl_session_tickets" directive.
Thanks to Dirkjan Bussink.
*) Bugfix: the $ssl_session_id variable contained full session
serialized instead of just a session id.
Thanks to Ivan Ristić.
*) Bugfix: nginx incorrectly handled escaped "?" character in the
"include" SSI command.
*) Bugfix: the ngx_http_dav_module did not unescape destination URI of
the COPY and MOVE methods.
*) Bugfix: resolver did not understand domain names with a trailing dot.
Thanks to Yichun Zhang.
*) Bugfix: alerts "zero size buf in output" might appear in logs while
proxying; the bug had appeared in 1.3.9.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used.
*) Bugfix: proxied WebSocket connections might hang right after
handshake if the select, poll, or /dev/poll methods were used.
*) Bugfix: the "xclient" directive of the mail proxy module incorrectly
handled IPv6 client addresses.
Changes with nginx 1.5.8 17 Dec 2013
*) Feature: IPv6 support in resolver.
*) Feature: the "listen" directive supports the "fastopen" parameter.
Thanks to Mathew Rodley.
*) Feature: SSL support in the ngx_http_uwsgi_module.
Thanks to Roberto De Ioris.
*) Feature: vim syntax highlighting scripts were added to contrib.
Thanks to Evan Miller.
*) Bugfix: a timeout might occur while reading client request body in an
SSL connection using chunked transfer encoding.
*) Bugfix: the "master_process" directive did not work correctly in
nginx/Windows.
*) Bugfix: the "setfib" parameter of the "listen" directive might not
work.
*) Bugfix: in the ngx_http_spdy_module.
Version 3.2.8 (2014-03-12)
--------------------------
### Fixed
Add the "href" values for active breadcrumb menus to the template (see #6796).
### Fixed
The file/page tree widget did not work properly in "edit multiple" mode (#6788).
### Fixed
Preserve the referer ID when clicking the "switch to edit" button (see #6127).
### Fixed
Encode e-mail addresses in the "explanation" form field (see #6771).
### Fixed
Use a placeholder image if no thumbnail can be created (see #6754).
### Fixed
Pass additional arguments to the "replaceInsertTags" hook (see #6672).
### Fixed
Correctly initialize the `Session` class (see #6747).
### Fixed
Do not use `Input::setGet()` in the event modules (see #6733).
### Fixed
Correctly shorten the CSS `background` property (see #6709).
### Fixed
Do not use `UNION SELECT` when searching for parent pages (see #6704).
### Fixed
Disable `zlib.output_compression` when sending files to the browser (see #6717).
### Fixed
Consider the event time in the event list module (see #6719).
### Fixed
Make the newsletter recipient address available in the template (see #5782).
### Fixed
Correctly handle Unicode characters in `Validator::isGooglePlusId` (see #6707).
### Fixed
Fixed the arguments of two `CalendarEventsModel` methods (see #6781).
### Fixed
Pass the "tableless" flag to the "form_message" template (see #6772).
### Fixed
Update the `swipe.js` script so the "continuous" option works (see #6762).
### Fixed
Improve the `Search::removeEntry()` method (see #6785).
### Fixed
Correctly set the cookie path in the front mode in debug mode (see #6723).
### Fixed
Point to `Frontend::addToUrl()` in front end templates (see #6736).
### Fixed
Do not stop the cron job execution after the first interval.
2014-03-09 (2.8.8rel.2)
* correct errata in test-files which cause broken links in break-out directory
in lynx.isc.org server -TD
* amend change from 2.8.8pre.2, to ensure that MinGW libraries already
declaring 'sleep()' will build -TD
* drop unused save/compress rules from makefile.in, because fixing umask for
these is pointless -TD
* modify makefile.in to establish sane umask value in the "install-doc" rule
(report by Rajeev V Pillai) -TD
* build-fix for NetBSD, whose curses library provides use_default_colors(),
but the package turns off the keymap feature (patch by Thomas Klausner).
The underlying issue seems to be a race; if the spawned git log
command finishes before trac kills it, the os.kill() throws an
exception which is not caught. Simply catch and ignore the exception.
I sent the patch to trac-devel@.
* Avoid assertions on Range requests that trigger Squid-generated errors.
* Protect MemBlob::append() against raw-space writes
* Copyright: Relicense helpers by Treehouse Networks Ltd.
* Portability: define CMSG related structures individually
* Fix helper ID number assignment
* Fixed stalled concurrent rock store reads by insuring their ID uniqueness.
* Bug 3186, Bug 3628: Digest authentication always sending stale=false for nonce
* dynamic_cert_mem_cache_size option related fixes
* Fix umask default on crash report generated email
* Fix pthread library detection on FreeBSD 10
* Bug 4029: intercepted HTTPS requests bypass caching checks
* Bug 4026: SSL and adaptation_access does not handle aborted connections
* Bug 4001: remove use of strsep()
* Move compat/unsafe.h protections from libcompat to source maintenance
* Bug 3969: user credentials cache lookup for Digest authentication broken
* Various fixes to configure for FreeBSD 10
* Regression Bug 3769: client_netmask not evaluated since Comm redesign
*) Bugfix: the "client_max_body_size" directive might not work when
reading a request body using chunked transfer encoding; the bug had
appeared in 1.3.9.
Thanks to Lucas Molas.
*) Bugfix: a segmentation fault might occur in a worker process when
proxying WebSocket connections.
This release fixes a security issue that was introduced with the 0.7.0 release. This issue affected the source-highlighting feature and could only be exploited if the suPHP_PHPPath option was set. In this case, local users who could create or edit .htaccess files could possibly execute arbitrary code with the privileges of the user the webserver was running as.
Changes with mod_fcgid 2.3.9
*) Revert fix for PR 53693, added in 2.3.8 but undocumented. Fix
issues with a minor optimization added in 2.3.8. [Jeff Trawick]
Changes with mod_fcgid 2.3.8
*) SECURITY: CVE-2013-4365 (cve.mitre.org)
Fix possible heap buffer overwrite. Reported and solved by:
[Robert Matthews <rob tigertech.com>]
*) Add experimental cmake-based build system for Windows. [Jeff Trawick]
*) Correctly parse quotation and escaped spaces in FcgidWrapper and the
AAA Authenticator/Authorizer/Access directives' command line argument,
as currently documented. PR 51194 [William Rowe]
*) Honor quoted FcgidCmdOptions arguments (notably for InitialEnv
assignments). PR 51657 [William Rowe]
*) Conform script response parsing with mod_cgid and ensure no response
body is sent when ap_meets_conditions() determines that request
conditions are met. [Chris Darroch]
*) Improve logging in access control hook functions. [Chris Darroch]
*) Avoid making internal sub-requests and processing Location headers
when in FCGI_AUTHORIZER mode, as the auth hook functions already
treat Location headers returned by scripts as an error since
redirections are not meaningful in this mode. [Chris Darroch]
Version 0.6.7
-----------------
Released on February 16, 2014
- Expose app instance in a command commands (manage.app). #83
- Show full help for submanagers if called without arguments. #85
- Fix ShowUrls command conflict. #88
0.9 (2014-02-20)
This release is compatible with webassets 0.9.
flask-assets now supports Python 3, and drops support for Python 2.5.
- Support for Flask-S3 (Erik Taubeneck).
- Support latest Flask-Script (Chris Hacken).
* Use the reference for the mime type to get the format
Fixes: CVE-2014-0082
* Escape format, negative_format and units options of number helpers
Fixes: CVE-2014-0081
*) Bugfix: the $ssl_session_id variable contained full session
serialized instead of just a session id.
Thanks to Ivan Ristić.
*) Bugfix: client connections might be immediately closed if deferred
accept was used; the bug had appeared in 1.3.15.
*) Bugfix: alerts "zero size buf in output" might appear in logs while
proxying; the bug had appeared in 1.3.9.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_spdy_module was used.
*) Bugfix: proxied WebSocket connections might hang right after
handshake if the select, poll, or /dev/poll methods were used.
*) Bugfix: a timeout might occur while reading client request body in an
SSL connection using chunked transfer encoding.
*) Bugfix: memory leak in nginx/Windows.
Bugfixes
* fixed python3 support on older compilers/libc
* allow starting in spooler-only mode
* fixed cache bitmap support and added test suite (credits: Danila Shtan)
* fixed ftime log var
* added async remote signal management
* fixed end-for and end-if
* fixed loop in internal-routing response chain
* fixed pypy execute_source usage
* logpipe: Don't setsid() twice (credits: INADA Naoki)
New features and improvements
CGI plugin
The plugin has been improved to support streaming.
In addition to this, the long-awaited async support is finally ready. Now you can
have CGI concurrency without spawning a gazillion expensive threads/processes.
Check: Running CGI scripts on uWSGI
PSGI loading improvements
The PSGI loader now tries to use Plack::Util::load_psgi() function instead of
simple eval. This addresses various inconsistencies in the environment (like the
double parsing/compilation/execution of psgi scripts).
If the Plack module is not available, a simple do-based code is used (very
similar to load_psgi)
* Added useragent config setting. Closes: #737121
Thanks, Tuomas Jormola
* po: Add html_lang_code and html_lang_dir template variables
for the language code and direction of text.
Thanks, Mesar Hameed
* Allow up to 8 levels of nested directives, rather than previous 3
in directive infinite loop guard.
* git diffurl: Do not escape / in paths to changed files, in order to
interoperate with cgit (gitweb works either way)
Thanks, intrigeri.
* git: Explicitly push master branch, as will be needed by git 2.0's
change to push.default=matching by default.
Thanks, smcv
* Deal with nasty issue with gettext clobbering $@ while printing
error message containing it.
Thanks, smcv
* Cleanup of the openid login widget, including replacing of hotlinked
images from openid providers with embedded, freely licensed artwork.
Thanks, smcv
* Improve templates testing.
Thanks, smcv
* python proxy: Avoid utf-8 related crash.
Thanks, Antoine Beaupré
* Special thanks to Simon McVittie for being the patchmeister for this
release.
Add LICENSE
Upstream changes:
2012-10-25 Mattias Holmlund
Version 1.1
Unlink temporary cachefiles if we fail to give them a proper name
Resolves https://rt.cpan.org/Ticket/Display.html?id=60065
Handle multiple simultaneous cache cleanups
Hopefully resolves https://rt.cpan.org/Public/Bug/Display.html?id=77015
Handle caching of zero-size documents
Resolves https://rt.cpan.org/Public/Bug/Display.html?id=76785
Populate $response->message with the default message for the code
Patch from Graham Barr
Ensure response has access to request when fetching from cache
Patch from Graham Barr.
Handle undefined content from servers.
Add LICENSE
Add missing BUILD_DEPENDS for regress test
Upstream changes:
0.23 2013/11/03
* Added REAL_SERVERS check to t/proxy-with-https.t
- Thanks to Gregor Herrmann, Debian Perl Group, for the patch
0.22 2013/09/12
* Added repository cpan metadata to Makefile.PL
- Thanks to David Steinbrunner for the patch
0.21 2013/08/29
* Updated Changes file to meet CPAN::Changes::Spec
* Fixed unparseable date for version 0.02
0.20 2013/07/18
* Updates Changes file to meet CPAN::Changes::Spec
* Changed and standardized date formats
* Changed name from CHANGES to Changes
* Added author/release test to check this going forward
0.19 2013/07/17
* Added ssl_options support
* Increased Net::HTTPS::NB requirement to 0.13
- Thanks to Heikki Vatiainen for the patch
0.18 2013/05/27
* Fixed typo in POD
- Added THANKS for Florian (fschlich)
0.17 2013/04/20
* Added local_addr and local_port support
* Standardised test names
* Added THANKS for github user c00ler-
0.16 2013/04/04
* Fixed CPAN Testers bug in bad-hosts.t
0.15 2013/04/04
* Two bug fixes provided by Josef Toman:
* Fixed header handling to use header_field_names()
* Replaced _make_url_absolute with URI::new_abs()
0.14 2013/04/01
* More diagnostics in bad-hosts.t on failure
0.13 2013/03/29
* Fixed t/real-servers.t to work whether or not Net::HTTPS::NB is available
0.12 2013/03/29
* New logic for making https requests through a proxy
* Made tests run ok in parallel by using different ports per test
* Set explicit SSL_verify_mode in real-servers.t
* Minor update to code comment about is_proxy mode
0.11 2012/11/13
* Use high ports to prevent test failure when 8080 is already used
* Travis config
0.10 2012/03/08
* added support for https requests - thanks Naveed Massjouni
Upstream changes:
0.16 Sat Aug 10 17:52:00 GMT 2013
- Added link to repository (D. Steinbrunner)
0.15 Mon Oct 1 19:14:05 GMT 2012
- Fix bugs in :contains("string") (Aaron Crane)
Add missing DEPENDS
Upstream changes:
1.00 2013-12-16
- TT template files changed - update them if you use a local copy.
Template file 'label_tag' renamed to 'label_element' - old file can
be deleted. 'field' file changed. New 'errors' file.
- TT no longer listed as a prerequisite. If you use the TT files,
you must add 'Template' to your own app's prereqs.
- Element::reCAPTCHA and Constraint::reCAPTCHA moved out to separate
distribution.
- HTML::FormFu::MultiForm moved out to separate distribution.
- auto_container_class(), auto_label_class(), auto_comment_class(),
auto_container_error_class(), auto_container_per_error_class(),
auto_error_class() no longer have default values.
See "RESTORING LEGACY HTML CLASSES" in HTML::FormFu docs to restore
previous behaviour.
- auto_label_class() no longer adds class to container.
auto_label_class() now adds class to label tag.
new auto_container_label_class() adds class to container.
See "RESTORING LEGACY HTML CLASSES" in HTML::FormFu docs to restore
previous behaviour.
- auto_comment_class() no longer adds class to both container and comment.
auto_comment_class() now only adds class to comment tag.
new auto_container_comment_class() adds class to container.
See "RESTORING LEGACY HTML CLASSES" in HTML::FormFu docs to restore
previous behaviour.
- Bug fix: param_value() form method now matches documented behaviour -
returns undef when field has errors. (Reported by Hailin Hu).
- New Element::Email and Element::URL HTML5 input fields.
- Role::Element::Input has new datalist_options(), datalist_values(),
datalist_id() and auto_datalist_id() methods to support HTML5 datalists.
auto_datalist_id() is an inherited accessor which can be set on the
Form, MultiForm, or Block.
- Form and Elements has new title() attribute short-cut.
- Constraint::Regex has new anchored() accessor.
- New Input attribute accessors: placeholder(), pattern(), autocomplete().
- New Input boolean attribute accessors: autofocus(), multiple(), required().
- New Field inherited accessors: auto_container_per_error_class(),
auto_error_container_class(), auto_error_container_per_error_class(),
error_tag(), error_container_tag
- Constraints have new experimental method fetch_error_message().
- All field elements have new method error_filename().
- default_args() now supports 'Block', 'Field', 'Input' pseudo-elements,
'|' alternatives, and '+' and '-' ancestor modifiers.
- New Czech (cs) I18N translation by Jan Grmela.
- mk_inherited_accessors() now also creates a *_no_inherit() method.
- Experimental new roles() form method.
- form methods start(), end() now respect render_method - no longer
force use of tt templates.
- Bug fix: del_attribute() on empty attribute no longer sets the attribute.
- All attribute accessors generated with mk_attrs() now have *_loc variants.
- Tests now always require Test::Aggregate::Nested.
Re-enable aggregate tests on Win32.
Don't run all tests twice under both aggregate and t/ (doh!)