* Bug 3121: memory leak in DigestAuth: AuthUser object is locked twice
* Bug 3113: Consuming too much memory when uploading files
* Bug 3110: 'reply_body_max_size none' does not work with x-forwarded-for
* Bug 3096: Consuming too much memory when delaying traffic
* Bug 3091: Bypassed ICAP errors are not counted as service failures
* Bug 3090: Polish FTP login error handing
* Bug 3068: cache_dir capacity and usage overflows
* Bug 3028: Permit wbinfo_group.pl to authenticate Kerberos users with NT domain
* Bug 427: HTTP Compliance: Support If-Match and If-None-Match requests
* Fix memory leak in adaptation_access
* Fix /dev/poll and poll() selection priority
* Fix PREFIX/var/run creation during install
* Fix cachemgr http_port config report display
* Add upgrade help process for obsolete options
* Accept RFC 2965 Set-Cookie2 / Cookie2 headers as 'known'
* HTTP/1.1: entry is stale if request has max-age=0
* HTTP/1.1: do not forward TRACE with Max-Forwards: 0 after REQMOD
* Toolchain update to support newer auto-tools
* ... and updated error page translations
* ... and updated documentation
* ... and some code optimization/simplification polish
on different sites. Django CMS handles the navigation rendering for you in
multiple languages with internationalization (i18n) slugs, and the navigation
can be extended by your own models. Pages are rendered with a template that
has placeholders which get filled via plugins.
By sane, we mean that the status of every migration is tracked individually,
rather than just the number of the top migration reached; this means South
can detect when you have an unapplied migration that's sitting in the middle
of a whole load of applied ones, and will let you apply it straight off,
or let you roll back to it, and apply from there forward.
which is fully compatible with the current Django templating infrastructure.
This new way should be easy, clean and require as little boilerplate code as
possible while still staying as powerful as possible.
Features:
* Class based template tags.
* Template tag argument parser.
* Declarative way to define arguments.
* Supports (theoretically infinite) parse-until blocks.
* Extensible!
ok by pettai@.
Changes:
1. New version of the slideshow module now uses PicLens to provide a rich, full screen slideshow.
2. Comment module now offers moderation and Akismet support to help weed out spam comments.
3. New email notification module allowing users to configure events they wish to get notified for. You can watch albums for changes, items for new comments, etc.
4. New Jpegtran module to support rotation and cropping of jpeg images with no loss in image quality.
5. New SnapGalaxy module for prints from snapgalaxy.com.
6. Registration module can now send a welcome email to new users upon account activation.
7. EXIF block now uses AJAX to switch between summary and detail display.
8. External image block now has a "rawImage" mode to return a single binary image instead of HTML output.
9. Support in RSS module for Media RSS format and random RSS streams.
10. Remote module now bundles the Gallery Remote client and makes it available via Java Web Start. Users with a Java enabled browser can then launch Gallery Remote with a single click instead of manually downloading and installing.
11. Hybrid theme now uses automatic navigation between pages in its image viewer and slideshow. This means the slideshow will show all images in the album, moving between album pages as needed. Requesting the next/previous image in the image viewer will also load a new album page as needed.
12. Webcam module now accepts file:// URLs to retrieve image from local filesystem.
13. Dcraw module now supports Adobe Digital Negative (dng) files, when used with dcraw v7.0 or newer.
14. Added support for Windows Vista in PublishXP module.
15. New database backup feature. Backup at start of upgrade, or anytime from Site Admin / Maintenance. Restore a backup from lib/support interface.
16. Can now put Gallery into maintenance mode from Site Admin / Maintenance. Setting in config.php file is still available too.
17. New event logging system records Gallery errors, viewable in the Site Admin interface.
18. Themes can now override module template files, allowing a themed look to more aspects of the application.
19. New Language Manager that allows the addition or removal of translations.
20. User interface changes.
* Use AJAX to speed up deleting comments(spam) on items/albums.
* Use quick DHTML confirm dialog for deleting single items. Dialog offers link to bulk delete several items from an album.
* Use YUI ItemTree instead of plain select box to select target album when moving items, creating replicas or link items.
21. Performance and stability improvements.
* Smarty templates now permanently cached by default. Turn this off in Site Admin / Performance when working on tpl files, so changes take effect immediately during development.
* Avoid reading EXIF data multiple times in Carbon theme.
* Some added caching in GalleryUrlGenerator.
* Use progress bar when adding items to avoid server or browser timeouts. Particularly helpful when adding many items from local server.
* Restructuring to greatly reduce the number of directories for language files.
* Refactor of translator hints to avoid some processing when translations are not used (en_US).
* Faster plugin and language package downloads.
* Refactor of event system working towards a performance improvement in the next release.
22. New database options.
* Support for SQLite 3.x
* Support for PostgreSQL schemas
23. New install package options.
* English only variants of installation downloads. The minimal is English only. In addition, Typical and Full are available in English language only variants.
* Greatly reduced the number of directories for language files.
24. Upgraded to newer versions of several bundled software packages: YUI! 2.3.1, ADOdb 4.98, Smarty 2.6.20, GetID3 1.7.7, BBCode 0.3.3.
25. Updates to improve compatibility with PHP 5.3.
26. Many bugs fixed.
* Security fix for ASP.NET (XSP / mod_mono) source code disclosure
(CVE-2010-4225)
* Backport ParallelFx improvements from master (jlaval)
* Fix state check for short-circuiting with SupportRecursion in
ReaderWriterLockSlim #655361 (jlaval)
* Increment Count even on single-processor in SpinWait.
Fix#624849. (jlaval)
* Update ThreadLocal to use default(T) for initialization with
parameterless ctor. Fix#658689. (jlaval)
This release has essentially security fixes, covering the following
CVEs:
CVE-2010-4198 CVE-2010-4197 CVE-2010-4204 CVE-2010-4206
CVE-2010-1791 CVE-2010-3812 CVE-2010-3813
(plus 2 patches from upstream which fix crashes)
* tag: Do not include tagbase in rss/atom category tags. (Giuseppe Bilotta)
* tag: Improve display of tags with a slash in their names.
(Giuseppe Bilotta)
* Fix redirect to use a full url. Was broken (in theory) by baseurl
changes in last release.
* Fix `<base>` output by cgi to have a full url again, broken by last
release.
* Fix permalinks to recentchanges items and comments, broken by last
release.
* Export three cgi env vars needed for CGI->url to work. Fixed
openid breakage from last release.
* Removed `IkiWiki::misctemplate()` function. Any plugins using
it should use `IkiWiki::cgitemplate()` instead.
Version 2.9.3 (2011-01-06)
--------------------------
- Fixed: custom templates were not always shown in "override all" mode (#2725)
- Fixed: prevent the X_FORWARDED_FOR header against XSS attacks (#2751)
- Fixed: preserve the selector fields in the personal data module (#2609)
- Fixed: skip mounted folders in the file manager if they do not exist (#2708)
- Fixed: the quick navigation modules failed to work when aliases were
disabled (#2718)
- Fixed some minor issues
Jan 2, 2011 (1.7.1sr1)
------------
This release addresses the following security issue:
Aung Khant of the YGN Ethical Hacker Group reported an XSS in the admin's
configuration panel.
* Better support for serving the same site on multiple urls. (Such as
a http and a https url, or a ipv4 and an ipv6 url.)
(Thanks, smcv)
* API: urlto without a defined second parameter now generates an url
that starts with "/" (when possible; eg when the site's url and cgiurl
are on the same domain).
* Now when users log in via https, ikiwiki sends a secure cookie, that can
only be used over https. If the user switches to using http, they will
need to re-login. (smcv)
* inline: Display feed buttons for nested inlines, linking to the inlined
page's feed. (Giuseppe Bilotta)
* goldtype: New theme, based on blueview, contributed by Lars Wirzenius.
* po: do not override homepage title when it was overridden. (intrigeri)
* Set HTML::Template's parent_global_vars option to allow using parameters
like title_overridden that do not appear on the template. (intrigeri)
(See https://rt.cpan.org/Public/Bug/Display.html?id=64158)
* inline: Force an absolute page location when the inline postform is used.
* editpage, comment: Clean up title when editing or creating a page or
comment.
* teximg: Use `[` and `]` instead of not recommended `$$`. (Paul Menzel)
Closes: #596084
* monotone: Improve version parsing to support patch and development
versions of the monotone binary. (tommyd3mdi)
* highlight: Support highlight 3.2+svn19 (note that released version 3.2
is not supported). Closes: #605779 (David Bremner)
* Add a second parameter to the rcs_diff hook, and avoid bloating memory
reading in enormous commits.
* git: Fix bug involving attempting to web revert a commit that included
changes to attachments.
Updating during the freeze for bugfixes to this leaf package.
ChangeLog:
* Fix XSS vulnerabilities in the KSES library: Don't be case sensitive to
attribute names. Handle padded entities when checking for bad protocols.
Normalize entities before checking for bad protocols in esc_url().
fix essential problem when a header contains multiple encoded strings
with diffreent charset.
* Suprress some error of undefined variables.
* pkgsrc change: change ${FD_DIR}/tmp from SPECIAL_PERMS to OWN_DIRS_PERMS.
Bump PKGREVISION.
For full changes, please refer http://wiki.typo3.org/wiki/TYPO3_4.4.6.
2010-12-28 Benjamin Mack <benni@typo3.org>
* Release of TYPO3 4.4.6
2010-12-28 Benjamin Mack <benni@typo3.org>
* Revert change #16614 (rev. 9684): common.js resets TYPO3 namespace /
Fixed regression #16831: 'Ext' is undefinded, Line: 81, js/common.js
2010-12-26 Tobias Liebig <mail_typo3@etobi.de>
* Fixed bug #16661: include TSRef changes for t3editor code completion
(thanks to Christian Kartnig)
2010-12-23 Jigal van Hemert <jigal@xs4all.nl>
* Fixed bug #16825: Fatal error in lang.php (thanks to Georg Ringer)
2010-12-21 Francois Suter <francois.suter@typo3.org>
* Fixed bug #16786: Versioning: Generating preview link not working
(thanks to Frederic Gaus)
2010-12-21 Stanislas Rolland <typo3@sjbr.ca>
* Fixed bug #16760: RTE transformation removes all span tags on save
after upgrade TYPO3 4.4.5
2010-12-20 Tolleiv Nietsch <typo3@tolleiv.de>
* Fixed bug #16134: TYPO3 doesn't always fix permissions for new files
2010-12-19 Steffen Gebert <steffen@steffen-gebert.de>
* Fixed bug #16777: Test failure in t3lib_extmgmTest if tests are
located in typo3_src/tests/ instead of tests/ (Thanks to Oliver
Klee)
* Fixed bug #16790: Typo in topbar CSS
2010-12-17 Susanne Moog <typo3@susanne-moog.de>
* Fixed bug #5186: fixed rendering of multi-column image rows (thanks
to Michael B«ärgi)
2010-12-17 Steffen Kamper <steffen@typo3.org>
* Fixed bug #14500: Bug: Unit test failures in
t3lib_matchCondition_backend_testcase (Thanks to Oliver Klee)
2010-12-17 Francois Suter <francois.suter@typo3.org>
* Fixed bug #16470: Scheduler fails to calculateNextValue a turn of
the year (thanks to Tobias H«Óvelborn and Christian Kuhn)
2010-12-17 Ingo Renner <ingo@typo3.org>
* Fixed issue #16764: Insufficient information about which class is
failing to implement interfaces in tslib_cObj->start()
- Fix a bug in the admin interface that could leak informations to
users with staff privileges bypassing lookup arguments in the query
string.
- Fix a bug for running the test suite in a multi-db setup
- Deprecated django.contrib.gis.tests.run_gis_tests()
by Christopher M. Fuhrman.
MASTER_SITES don't work with ftp(1), thus commented out.
Version 1.0.12 (released 02-Jun-2010)
* fix exception caused by trying to HTML-escape non-string data (issue #454)
Version 1.0.11 (released 29-Mar-2010)
* security fix: escape user-provided search_re input to avoid XSS attack
alternative from mk/jpeg.buildlink3.mk
This allows selection of an alternative jpeg library (namely the x86 MMX,
SSE, SSE2 accelerated libjpeg-turbo) via JPEG_DEFAULT=libjpeg-turbo, and
follows the current standard model for alternatives (fam, motif, fuse etc).
The mechanical edits were applied via the following script:
#!/bin/sh
for d in */*; do
[ -d "$d" ] || continue
for i in "$d/"Makefile* "$d/"*.mk; do
case "$i" in *.orig|*"*"*) continue;; esac
out="$d/x"
sed -e 's;graphics/jpeg/buildlink3\.mk;mk/jpeg.buildlink3.mk;g' \
-e 's;BUILDLINK_PREFIX\.jpeg;JPEGBASE;g' \
< "$i" > "$out"
if cmp -s "$i" "$out"; then
rm -f "$out"
else
echo "Edited $i"
mv -f "$i" "$i.orig" && mv "$out" "$i"
fi
done
done
Changes:
* Added --noconfigure switch to testcurl.pl
* Added --xattr option
* Added CURLOPT_RESOLVE and --resolve
* Added CURLAUTH_ONLY
* Added version-check.pl to the examples dir
Bugfixes:
* check for libcurl features for some command line options
* Curl_setopt: disallow CURLOPT_USE_SSL without SSL support
* http_chunks: remove debug output
* URL-parsing: consider ? a divider
* SSH: avoid using the libssh2_ prefix
* SSH: use libssh2_session_handshake() to work on win64
* ftp: prevent server from hanging on closed data connection
when stopping a transfer before the end of the full transfer
(ranges)
* LDAP: detect non-binary attributes properly
* ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT
* gnutls->handshake: improved timeout handling
* security: Pass the right parameter to init
* krb5: Use GSS_ERROR to check for error
* TFTP: resend the correct data
* configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected
* GnuTLS: now detects socket errors on Windows
* symbols-in-versions: updated en masse
* added a couple examples that were missing from the tar ball
* Curl_send/recv_plain: return errno on failure
* Curl_wait_for_resolv (for c-ares): correct timeout
* ossl_connect_common: detect connection re-use
* configure: Prevent link errors with --librtmp
* openldap: use remote port in URL passed to ldap_init_fd()
* url: provide dead_connection flag in Curl_handler::disconnect
* lots of compiler warning fixes
* ssh: fix a download resume point calculation
* fix getinfo CURLINFO_LOCAL* for reused connections
* multi: the returned running handles conuter could turn negative
* multi: only ever consider pipelining for connections doing HTTP(S)
