---------------
* 2.2.7 *
Bluefish 2.2.7 is mostly a bug fix release. It fixes rare crashes in the
autocompletion, the filebrowser, the htmlbar plugin preferences, and in
file-load-cancel, fixes a rare case of broken syntax highlighting after
multiple search/replace actions. It furthermore displays better
error/warning output when parsing language files. It also finally fixes
javascript regex syntax highlighting. The loading of files with corrupt
encoding has been improved, and project loading over sftp has been improved.
Various HTML5 tags have been added, and HTML5 is the default now for php,
cfml and other languages that can include html syntax. Saving and loading
of UTF-16 encoded files was broken and has been fixed. Various languages
have better support, such as javascript, css, html, pascal/delphi, and html
has improved autocompletion. On OSX the keys for tab switching no longer
conflict with some keyboard layouts, and behavior at shutdown was improved.
The upload/download feature has a new option to ignore backup files. The
home/end keys now work better on wrapped text. And finally the search and
replace dialog correctly shows the number of results when searching in files
on disk.
Not backwards compatible with 1.x. Now depends on php-propro and php-raphf.
Upstream changelog:
2.4.3
* Fixed bug #69357 (HTTP/1.1 100 Continue overriding subsequent 200 response
code with PUT request)
2.4.2
* Fixed bug 69076 (http\Url throws Exception on empty querystring)
* Fixed bug 69313 (http\Client doesn't send GET body)
+ Added libidn2 and UIDNA as fallbacks for IDN support
- Deferred warnings/exceptions of the client, so callbacks for the
currently failing requests will still be called
2.4.1
* Fixed build with PHP <= 5.4 (Remi)
2.4.0
* Split off pecl/apfd and pecl/json_post
2.3.2
* Fixed bug with http\QueryString::offsetSet() resetting the complete
query string
2.3.1
* Fixed build on platforms that need stddef.h to define ptrdiff_t
(e.g. CentOS 7.5)
2.3.0
+ Preliminary HTTP2 support for http\Client (libcurl with nghttp2 support)
+ Improved performance of HTTP info parser (request/response line)
+ Improved performance of updating client observers
+ Improved performance of http\Env\Response output to streams
+ Improved the error messages of the header parser
+ Added http\Header\Parser class
+ Added http\Client::configure() method accepting an array with the following
options for libcurl:
. maxconnects (int, size of the connection cache)
. max_host_connections (int, max number of connections to a single host,
libcurl >= 7.30.0)
. max_pipeline_length (int, max number of requests in a pipeline,
libcurl >= 7.30.0)
. max_total_connections (int, max number of simultaneous open connections
of this client, libcurl >= 7.30.0)
. pipelining (bool, whether to enable HTTP/1.1 pipelining)
. chunk_length_penalty_size (int, chunk length threshold for pipelining,
libcurl >= 7.30.0)
. content_length_penalty_size (int, size threshold for pipelining,
libcurl >= 7.30.0)
. pipelining_server_bl (array, list of server software names to blacklist
for pipelining, libcurl >= 7.30.0)
. pipelining_site_bl (array, list of server host names to blacklist
for pipelining, libcurl >= 7.30.0)
. use_eventloop (bool, whether to use libevent, libcurl+libevent)
+ Added http\Client::getAvailableOptions() and
http\Client::getAvailableConfiguration() methods
+ Added support for HTTP2 if libcurl was built with nghttp2 support.
+ Added http\Client\Curl\HTTP_VERSION_2_0 constant (libcurl >= 7.33.0)
+ Added http\Client\Curl\TLS_AUTH_SRP constant (libcurl >= 7.21.4)
+ Added pinned_publickey SSL request option (libcurl >= 7.39.0)
+ Added tlsauthtype, tlsauthuser and tlsauthpass SSL request option
(libcurl >= 7.21.4)
+ Added verifystatus (a.k.a OCSP) SSL request option (libcurl >= 7.41.0)
+ Added proxyheader request option (libcurl >= 7.37.0)
+ Added unix_socket_path request option (libcurl >= 7.40.0)
* Fixed compress request option
* Fixed parsing authorities of CONNECT messages
* Fixed parsing Content-Range messages
* Fixed http\Env\Response to default to chunked encoding over streams
* Fixed superfluous output of Content-Length:0 headers
* Fixed persistent easy handles to be only created for persistent
multi handles
* Fixed the header parser to accept not-yet-complete header lines
* Fixed http\Message::toStream() crash in ZTS mode
* Fixed the message stream parser to handle intermediary data bigger than 4k
* Fixed the message stream parser to handle single header lines without EOL
* Fixed http\Message\Body to not generate stat based etags
for temporary streams
- Deprecated http\Client::enablePipelining(), use
http\Client::configure(["pipelining" => true]) instead
- Deprecated http\Client::enableEvents(), use
http\Client::configure(["use_eventloop" => true]) instead
- Removed the cookies entry from the transfer info, which was very slow
and generated a Netscape formatted list of cookies
- Changed the header parser to reject illegal characters
2.2.1
* Fixed Bug #69000 (http\Url breaks down with very long URL query strings)
2.2.0
- var_dump(http\Message) no longer automatically creates an empty body
+ Added http\Message\Parser class
+ Made http\Client::once() and http\Client::wait() available when using events
+ Added http\Url::PARSE_MBLOC, http\Url::PARSE_MBUTF8,
http\Url::PARSE_TOIDN and http\Url::PARSE_TOPCT constants
+ Added http\Env\Response::setCookie()
+ Added http\Env\Request::getCookie()
2.1.4
* Fixed bug #68353 (QsoSSL support removed in libcurl 7.39)
* Fixed bug #68149 (duplicate content-length with libcurl < 7.23)
* Fixed bug #66891 (Unexpected HTTP 401 after NTLM authentication)
2.1.3
* Fix build with libcurl < 7.26 (Remi)
2.1.2
+ Added missing request option constants: POSTREDIR_303, AUTH_SPNEGO
(libcurl >= 7.38.0), SSL_VERSION_TLSv1_{0,1,2} (libcurl >= 7.34)
* Fixed bug #68083 (PUT method not working after DELETE)
* Fixed bug #68009 (Segmentation fault after calling exit(0) after a request)
* Fixed bug #68000 (Extension does not build on FreeBSD)
2.1.1
* Fix httpVersion retrieval on bigendian (Remi)
* Fix etag/crc32b on bigendian (Remi)
2.1.0
- Removed port and scheme guessing of http\Url for portability
* Fixed PHP-5.3 compatibility
* Fixed PHP-5.4 compatibility
* Fixed possible bus error on shutdown when using events
* Fixed sovereignty of clients when using events
* Fixed a possible crash with http\Encoding\Stream\Dechunk::decode($unencoded)
* Fixed a leak in http\Client\Curl options
* Fixed bug #67733 (Compile error with libevent 2.x)
+ Added RFC5987 support in http\Params
+ Improved synthetic HTTP message parsing performance for ~20%
+ Added request options if libcurl has builtin c-ares support:
dns_interface, dns_local_ip4, dns_local_ip6 (all libcurl >= 7.33.0)
+ Added request options:
expect_100_timeout (libcurl >= 7.36.0), tcp_nodelay
+ Added transfer info:
curlcode, tls_session (libcurl >= 7.34.0), only available during transfer
2.0.7
* General improvements to the test suite
* Fixed http\Env\Response::send() ignoring some write errors
* Fixed bug #67528 (RFC compliant default user agent)
* Fixed a garbage collector issue with JSON POSTs
* Fixed refcount issue and double free of message bodies
* Fixed use after free if the http\Client::enqueue() closure returns TRUE
* Fixed bug #67584 (http\Client\Response not initialized as response
on failure)
2.0.6
+ Added "uploaded" progress state
* Fixed bug #67089 (Segmentation fault with ZTS)
* Fixed compatibility with PHP-5.6+
* Fixed re-use of request messages which content length remained untouched
when the body was reset
2.0.5
* Fix rare crash with uninitialized CURLOPT_HTTPHEADER
* Fix build with -Werror=format-security (Remi)
* Fix build with external libs needed by libcurl
2.0.4
* Removed the pecl/event conflict
* Fixed bug #66388 (Crash on POST with Content-Length:0 and untouched body)
2.0.3
* Fixed typo
2.0.2
* Fixed bug #66250 (shutdown crash as shared extension)
2.0.1
* Fixed a bug with multiple ob_start(http\Env\Response) while
replacing the body
* Fixed build on Windows with libevent2
2.0.0
Extended HTTP support. Again. Keep in mind that it's got the major version 2,
because it's incompatible with pecl_http v1.
* Introduces the http namespace.
* Message bodies have been remodeled to use PHP temporary streams instead
of in-memory buffers.
* The utterly misunderstood HttpResponse class has been reimplemented
as http\Env\Response inheriting http\Message.
* Currently, there's only one Exception class left, http\Exception.
* Errors triggered by the extension can be configured statically by
http\Object::$defaultErrorHandling or inherited http\Object->errorHandling.
* The request ecosystem has been modularized to support different libraries,
though for the moment only libcurl is supported.
Matcha SNS is Social Networking Service (SNS) software for intranet
and the Internet SNS. This software has Japanese UI only.
It was formerly known as sencha-sns.
Upstream changes:
6.07 2015-04-07
- Fixed Windows bug in "daemon.t".
6.06 2015-04-06
- Added element_count_is method to Test::Mojo. (Zoffix)
- Added "chat.pl" to example scripts.
- Improved Mojo::DOM::CSS to handle attribute selectors with single quotes
correctly.
6.05 2015-03-24
- Fixed circular require bug in Mojo::Base and Mojo::Util.
6.04 2015-03-23
- Improved Mojo::Reactor::EV and Mojo::Reactor::Poll to fail more
consistently.
- Improved Mojo::Base performance slightly.
- Fixed a few bugs in Mojo::DOM::CSS that required class, id and attribute
selectors, as well as pseudo-classes, to be in a specific order.
6.03 2015-03-16
- Added support for overriding the HTTP request method with the _method query
parameter.
- Added suggested_method method to Mojolicious::Routes::Route.
- Improved portability of some tests.
6.02 2015-03-09
- Added daemon attribute to Mojo::Server::Morbo.
- Improved portability of Mojo::Server::Morbo.
- Fixed empty template handling in Mojo::Template.
6.01 2015-03-03
- Added content_with helper to Mojolicious::Plugin::DefaultHelpers.
- Relaxed request-line handling in Mojo::Message::Request.
- Fixed code name in version command and built-in templates.
Quoting database identifiers with backticks as is done in 2.17 is
not portable, and only works with a MySQL backend. Instead, use
the DBI quote_identifier method as hinted in
https://rt.cpan.org/Public/Bug/Display.html?id=101561
Bump PKGREVISION to 1.
Upstream changes:
MediaWiki 1.24.2
This is a security and maintenance release of the MediaWiki 1.24 branch.
Changes since 1.24.1
(bug T85848, bug T71210) SECURITY: Don't parse XMP blocks that contain XML entities, to prevent various DoS attacks.
(bug T85848) SECURITY: Don't allow directly calling Xml::isWellFormed, to reduce likelihood of DoS.
(bug T88310) SECURITY: Always expand xml entities when checking SVG's.
(bug T73394) SECURITY: Escape > in Html::expandAttributes to prevent XSS.
(bug T85855) SECURITY: Don't execute another user's CSS or JS on preview.
(bug T64685) SECURITY: Allow setting maximal password length to prevent DoS when using PBKDF2.
(bug T85349, bug T85850, bug T86711) SECURITY: Multiple issues fixed in SVG filtering to prevent XSS and protect viewer's privacy.
Fix case of SpecialAllPages/SpecialAllMessages in SpecialPageFactory to fix loading these special pages when $wgAutoloadAttemptLowercase is false.
(bug T70087) Fix Special:ActiveUsers page for installations using PostgreSQL.
(bug T76254) Fix deleting of pages with PostgreSQL. Requires a schema change and running update.php to fix.
Changelog:
Fixed in Firefox ESR 31.6
2015-40 Same-origin bypass through anchor navigation
2015-37 CORS requests should not follow 30x redirections after preflight
2015-33 resource:// documents can load privileged pages
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
* Bump nspr requirement.
Changelog:
New: Heartbeat user rating system - your feedback about Firefox
New: Yandex set as default search provider for the Turkish locale
New: Bing search now uses HTTPS for secure searching
New: Improved protection against site impersonation via OneCRL centralized certificate revocation
New: Opportunistically encrypt HTTP traffic where the server supports HTTP/2 AltSvc
Changed: Disabled insecure TLS version fallback for site security
Changed: Extended SSL error reporting for reporting non-certificate errors
Changed: TLS False Start optimization now requires a cipher suite using AEAD construction
Changed: Improved certificate and TLS communication security by removing support for DSA
Changed: Improved performance of WebGL rendering on Windows
HTML5: Implemented a subset of the Media Source Extensions (MSE) API to allow native HTML5 playback on YouTube (Windows only)
HTML5: Added support for CSS display:contents
HTML5: IndexedDB now accessible from worker threads
HTML5: New SDP/JSEP implementation in WebRTC
Developer: Debug tabs opened in Chrome Desktop, Chrome for Android, and Safari for iOS
Developer: New Inspector animations panel to control element animations
Developer: New Security Panel included in Network Panel
Developer: Debugger panel support for chrome:// and about:// URIs
Developer: Added logging of weak ciphers to the web console
Fixed: Various security fixes
Fixed in Firefox 37
2015-42 Windows can retain access to privileged content on navigation to unprivileged pages
2015-41 PRNG weakness allows for DNS poisoning on Android
2015-40 Same-origin bypass through anchor navigation
2015-39 Use-after-free due to type confusion flaws
2015-38 Memory corruption crashes in Off Main Thread Compositing
2015-37 CORS requests should not follow 30x redirections after preflight
2015-36 Incorrect memory management for simple-type arrays in WebRTC
2015-35 Cursor clickjacking with flash and images
2015-34 Out of bounds read in QCMS library
2015-33 resource:// documents can load privileged pages
2015-32 Add-on lightweight theme installation approval bypassed through MITM attack
2015-31 Use-after-free when using the Fluendo MP3 GStreamer plugin
2015-30 Miscellaneous memory safety hazards (rv:37.0 / rv:31.6)
[20150317]
Bugfixes
Don't lower security standards with gcc 4.9 (Riccardo Magliocchetti)
Perl/PSGI make sure that at least two params are passed to xs_input_seek (Ivan Kruglov)
Perl/PSGI fixed multiple interpreters usage
spooler: fixed scandir usage
fixed exception handler arguments management
fixed 'log-master' + 'daemonize2' disables all logging
fixed http Range header management
New Features
safeexec hook
this is like 'exec' but does not exit on error even if the executed command returns a non-zero value
backported --emperor-wrapper-fallback and --emperor-wrapper-override
the --emperor-wrapper-fallback option allows you to specify an alternative binary to execute when running a vassal and the default binary_path is not found (or returns an error). (you can specify it multiple times)
The --emperor-wrapper-override is similar but 'overrides' the default wrapper (you can specify it multiple times)
added support for UNIX sockets to rsyslog
The rsyslog logger can now get a unix socket as address (arguments starting with a slash are recognized as a unix path)
forcecl transformation
this transformation works like 'fixcl' but generates the Content-Length header even if Content-Length has been listed for removal.
Flask-Limiter provides rate limiting features to flask routes. It has support
for a configurable backend for storage with current implementations for
in-memory, redis and memcache.
4.14 2015-04-01
[ RELEASE NOTES ]
- This release removes the AUTOLOAD and compile optimisations from CGI.pm
that were introduced into CGI.pm twenty (20) years ago as a response to
its large size, which meant there was a significant compile time penalty.
- This optimisation is no longer relevant and makes the code difficult to
deal with as well as making test coverage metrics incorrect. Benchmarks
show that advantages of AUTOLOAD / lazy loading / deferred compile are
less than 0.05s, which will be dwarfed by just about any meaningful code
in a cgi script. If this is an issue for you then you should look at
running CGI.pm in a persistent environment (FCGI, etc)
- To offset some of the time added by removing the AUTOLOAD functionality
the dependencies have been made runtime rather than compile time. The
POD has also been split into its own file. CGI.pm now contains around
4000 lines of code, which compared to some modules on CPAN isn't really
that much
- This essentially deprecates the -compile pragma and ->compile method. The
-compile pragma will no longer do anything, whereas the ->compile method
will raise a deprecation warning. More importantly this also REMOVES the
-any pragma because as per the documentation this pragma needed to be
"used with care or not at all" and allowing arbitrary HTML tags is almost
certainly a bad idea. If you are using the -any pragma and using arbitrary
tags (or have typos in your code) your code will *BREAK*
- Although this release should be back compatible (with the exception of any
code using the -any pragma) you are encouraged to test it thoroughly as if
you are doing anything out of the ordinary with CGI.pm (i.e. have bugs
that may have been masked by the AUTOLOAD feature) you may see some issues.
- References: GH #162, GH #137, GH #164
[ FEATURES ]
- CGI::Carp now has $CGI::Carp::FULL_PATH for displaying the full path to the
offending script in error messages
- CGI now has env_query_string() for getting the value of QUERY_STRING from the
environment and not that fiddled with by CGI.pm (which is what query_string()
does) (GH #161)
- CGI::ENCODE_ENTITIES var added to control which characters are encoded by the
call to the HTML::Entities module - defaults to &<>"\x8b\x9b' (GH #157)
[ SPEC / BUG FIXES ]
- Add the multi_param method to :cgi export (thanks to xblitz for the patch
and tests. GH #167)
- Fix warning for lack of HTTP_USER_AGENT in CGI::Carp (GH #168)
- Fix imports when called from CGI::Fast, restores the import of CGI functions
into the callers namespace for users of CGI::Fast (GH leejo/cgi-fast#11 and
GH leejo/cgi-fast#12)
[ INTERNALS ]
- Remove dependency on constant - internal DEBUG, XHTML_DTD and EBCDIC
constants changed to $_DEBUG, $_XHTML_DTD, and $_EBCDIC
[ DOCUMENTATION ]
- Add missing documentation for env variable fetching routines (GH #163)
0.9.2 (2014-12-05)
Fixes:
HTML escape SQL queries when syntax highlighting is not available
Use case-insensitive comparison to normalize filenames on Windows
Fix exception when SQL query contained non-ASCII characters
0.9.1 (2014-11-24)
Fixes:
Fix SQL queries with byte strings on Python 3
Fix displaying values whose repr() contains unprintable characters
NEWS since last version imported in pkgsrc
Version 0.10.0
---------------------------------------------------------------------------
* Make sure that we fail in the unlikely case where OpenSSL is not able
to provide us with a secure session id.
* Increase the number of key-value pairs in the session to 2048.
* Add MellonMergeEnvVars-option to store multi-valued attributes in
a single environment variable, separated with ';'.
* Bugfixes:
* Fix the [MAP] option for MellonCond.
* Fix cookie deletion for the session cookie. (Logout is not dependent
on the cookie being deleted, so this only fixes the cookie showing
up after the session is deleted.)
Version 0.9.1
---------------------------------------------------------------------------
* Bugfixes:
* Fix session offset calculation that prevented us from having
active sessions at once.
* Run mod_auth_mellon request handler before most other handlers,
so that other handlers cannot block it by accident.
Version 0.9.0
---------------------------------------------------------------------------
* Set the AssertionConsumerServiceURL attribute in authentication
requests.
* Bugfixes:
* Fix use of uninitialized data during logout.
* Fix session entry overflow leading to segmentation faults.
* Fix looking up sessions by NameID, which is used during logout.
Version 0.8.1
---------------------------------------------------------------------------
This is a security release with fixes backported from version 0.9.1.
It turned out that session overflow bugs fixed in version 0.9.0 and
0.9.1 can lead to information disclosure, where data from one session
is leaked to another session. Depending on how this data is used by the
web application, this may lead to data from one session being disclosed
to a user in a different session. (CVE-2014-8566)
In addition to the information disclosure, this release contains some
fixes for logout processing, where logout requests would crash the
Apache web server. (CVE-2014-8567)
Version 0.8.0
---------------------------------------------------------------------------
* Add support for receiving HTTP-Artifact identifiers as POST data.
* Simplify caching headers.
* Map login errors into more appropriate HTTP error codes than
400 Bad Request.
* Add MellonNoSuccessErrorPage option to redirect to an error page on login
failure.
* Turn session storage into a dynamic pool of memory, which means that
attribute values (and other items) can have arbitrary sizes as long as
they fit in the session as a whole.
* Various bugfixes:
* Fix for compatibility with recent versions of CURL.
* Fix broken option MellonDoNotVerifyLogoutSignature.
* Fix deadlock that could occur during logout processing.
* Fix some compile warnings.
* Fix some NULL dereference bugs that may lead to segmentation faults.
* Fix a minor memory leak during IdP metadata loading.
Version 0.7.0
---------------------------------------------------------------------------
* Add MellonSPentityId to control entityId in autogenerated metadata
* Fix compatibility with Apache 2.4.
* Handle empty RelayState the same as missing RelayState.
* Add MellonSetEnvNoPrefix directive to set environment variables
without "MELLON_"-prefix.