| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The package was actually 3.7.0, but marked as 3.7.1.
Now, it does not depend on Java, and pulls the (pre-built) distfile from PyPI.
|
|
Upstream changes:
Highlights
MDL-59798 - Assignment: Show Due Date in calendar for teachers and managers
MDL-36580 - External Tool: backup/restore consumer key and secret (on the same site only)
MDL-57560 - Show file upload progress bar in Boost theme
MDL-37810 - List custom roles in the filter on Participants page
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-52131 - Respect comment format in questions manual comments when Plain text area editor is used
MDL-55849 - Assignment: Reopening a group assignment should not create additional attempts for each group member
MDL-59909 - Fixed error in ad-hoc refresh_mod_calendar_events_task that caused exceptions and very long cron run time
MDL-59780 - Restore MathJax filter settings that were lost in previous upgrades
MDL-54540 - External tool: Allow to switch to full screen mode
MDL-51892 - Better explaination of the reason for failed logins in the logs report
MDL-57055 - Label resource: allow to access "Label administration" without Administration block on the "Edit label" page
MDL-53244 - Show error message when incorrect CAPTCHA is entered on sign-up page
MDL-57477 - Fixed configuration of PHP 7 sessions using memcached (3.x.x)
MDL-59854 - Forum: Avoid creating duplicate subscriptions due to race conditions
MDL-60366 - Feedback: fixed upgrade script (introduced in 3.1.6 and 3.2.3) that deleted valid multiple anonymous attempts. If your site was affected, please follow MDL-60592 for the script that restores accidentally deleted data.
|
|
* Sync with www/firefox52-52.5.0
|
|
Changelog:
Security fixes:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still
in use. This results in a potentially exploitable crash during
these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for
data theft of URLs loaded by users.
References
Memory safety bugs fixed in Firefox 57
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56 and Firefox ESR 52.4.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort that some of these could be exploited to
run arbitrary code.
References
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
|
|
This notably fixes building with RELRO enabled (without cwrappers).
|
|
* Sync with www/firefox-57.0
|
|
Changelog: New
A completely new browsing engine, designed to take full advantage
of the processing power in modern devices
A redesigned interface with a clean, modern appearance, consistent
visual elements, and optimizations for touch screens
A unified address and search bar. New installs will see this
unified bar. Learn how to add the stand-alone search bar to
the toolbar
A revamped new tab page that includes top visited sites, recently
visited pages, and recommendations from Pocket (in the US,
Canada, and Germany)
An updated product tour to orient new and returning Firefox
users
AMD VP9 hardware video decoder support for improved video
playback with lower power consumption
An expanded section in preferences to manage all website
permissions
Fixed
Various security fixes
Changed
Firefox now exclusively supports extensions built using the
WebExtension API, and unsupported legacy extensions will no
longer work. Learn more about our efforts to improve the
performance and security of extensions
The browser's autoscroll feature, as well as scrolling by
keyboard input and touch-dragging of scrollbars, now use
asynchronous scrolling. These scrolling methods are now similar
to other input methods like mousewheel, and provide a smoother
scrolling experience
The content process now has a stricter security sandbox that
blocks filesystem reading and writing on Linux, similar to the
protections for Windows and macOS that shipped in Firefox 56
Middle mouse paste in the content area no longer navigates to
URLs by default on Unix systems
Removed the toolbar Share button. If you relied on this feature,
you can install the Share Backported extension instead.
Some older versions of the ATOK IME, including ATOK 2006, 2008,
2009 and 2010, can cause crashes and are therefore disabled on
the Windows 64-bit version of Firefox Quantum. To fix those
incompatibility issues, please use a newer version of ATOK or
one of other IMEs.
The default font for Japanese text is now Meiryo
Security fixes:
CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still in
use. This results in a potentially exploitable crash during these
operations.
References
Bug 1406750 Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource
Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in
cross-origin iframes. This is a same-origin policy violation and
could allow for data theft of URLs loaded by users.
References
Bug 1408990
#CVE-2017-7831: Information disclosure of exposed properties on
JavaScript proxy objects
Reporter
Oriol Brufau
Impact
moderate
Description
A vulnerability where the security wrapper does not deny access to
some exposed properties using the deprecated exposedProps mechanism
on proxy objects. These properties should be explicitly unavailable
to proxy objects.
References
Bug 1392026
#CVE-2017-7832: Domain spoofing through use of dotless 'i' character
followed by accent markers
Reporter
Jonathan Kew
Impact
moderate
Description
The combined, single character, version of the letter 'i' with any
of the potential accents in unicode, such as acute or grave, can
be spoofed in the addressbar by the dotless version of 'i' followed
by the same accent as a second character with most font sets. This
allows for domain spoofing attacks because these combined domain
names do not display as punycode.
References
Bug 1408782
#CVE-2017-7833: Domain spoofing with Arabic and Indic vowel marker
characters
Reporter
Rayyan Bijoora
Impact
moderate
Description
Some Arabic and Indic vowel marker characters can be combined with
Latin characters in a domain name to eclipse the non-Latin character
with some font sets on the addressbar. The non-Latin character will
not be visible to most viewers. This allows for domain spoofing
attacks because these combined domain names do not display as
punycode.
References
Bug 1370497
#CVE-2017-7834: data: URLs opened in new tabs bypass CSP protections
Reporter
Jordi Chancel
Impact
moderate
Description
A data: URL loaded in a new tab did not inherit the Content Security
Policy (CSP) of the original page, allowing for bypasses of the
policy including the execution of JavaScript. In prior versions
when data: documents also inherited the context of the original
page this would allow for potential cross-site scripting (XSS)
attacks.
References
Bug 1358009
#CVE-2017-7835: Mixed content blocking incorrectly applies with
redirects
Reporter
Ben Kelly
Impact
moderate
Description
Mixed content blocking of insecure (HTTP) sub-resources in a secure
(HTTPS) document was not correctly applied for resources that
redirect from HTTPS to HTTP, allowing content that should be blocked,
such as scripts, to be loaded on a page.
References
Bug 1402363
#CVE-2017-7836: Pingsender dynamically loads libcurl on Linux and
OS X
Reporter
Ezra Caltum
Impact
moderate
Description
The "pingsender" executable used by the Firefox Health Report
dynamically loads a system copy of libcurl, which an attacker could
replace. This allows for privilege escalation as the replaced
libcurl code will run with Firefox's privileges. Note: This attack
requires an attacker have local system access and only affects OS
X and Linux. Windows systems are not affected.
References
Bug 1401339
#CVE-2017-7837: SVG loaded as <img> can use meta tags to set cookies
Reporter
Jun Kokatsu
Impact
moderate
Description
SVG loaded through <img> tags can use <meta> tags within the SVG
data to set cookies for that page.
References
Bug 1325923
#CVE-2017-7838: Failure of individual decoding of labels in
international domain names triggers punycode display of entire IDN
Reporter
Corey Bonnell
Impact
low
Description
Punycode format text will be displayed for entire qualified
international domain names in some instances when a sub-domain
triggers the punycode display instead of the primary domain being
displayed in native script and the sub-domain only displaying as
punycode. This could be used for limited spoofing attacks due to
user confusion.
References
Bug 1399540
#CVE-2017-7839: Control characters before javascript: URLs defeats
self-XSS prevention mechanism
Reporter
Eric Lawrence
Impact
low
Description
Control characters prepended before javascript: URLs pasted in the
addressbar can cause the leading characters to be ignored and the
pasted JavaScript to be executed instead of being blocked. This
could be used in social engineering and self-cross-site-scripting
(self-XSS) attacks where users are convinced to copy and paste text
into the addressbar.
References
Bug 1402896
#CVE-2017-7840: Exported bookmarks do not strip script elements
from user-supplied tags
Reporter
Hanno Bock
Impact
low
Description
JavaScript can be injected into an exported bookmarks file by
placing JavaScript code into user-supplied tags in saved bookmarks.
If the resulting exported HTML file is later opened in a browser
this JavaScript will be executed. This could be used in social
engineering and self-cross-scripting (self-XSS) attacks if users
were convinced to add malicious tags to bookmarks, export them,
and then open the resulting file.
References
Bug 1366420
#CVE-2017-7842: Referrer Policy is not always respected for <link>
elements
Reporter
Jun Kokatsu
Impact
low
Description
If a document's Referrer Policy attribute is set to "no-referrer"
sometimes two network requests are made for <link> elements
instead of one. One of these requests includes the referrer instead
of respecting the set policy to not include a referrer on requests.
References
Bug 1397064
#CVE-2017-7827: Memory safety bugs fixed in Firefox 57
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Boris Zbarsky, Carsten Book,
Christian Holler, Byron Campen, Jan de Mooij, Jason Kratzer,
Jesse Schwartzentruber, Marcia Knous, Randell Jesup, Tyson Smith,
and Ting-Yu Chou reported memory safety bugs present in Firefox 56.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort that some of these could be exploited to run
arbitrary code.
References
Memory safety bugs fixed in Firefox 57
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox
ESR 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob
Clary, Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and
Ryan VanderMeulen reported memory safety bugs present in Firefox
56 and Firefox ESR 52.4. Some of these bugs showed evidence of
memory corruption and we presume that with enough effort that some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
|
|
# Contao core bundle change log
### 4.4.8 (2017-11-15)
* Prevent SQL injections in the back end search panel (see CVE-2017-16558).
* Support class named services in System::import() and System::importStatic()
(see #1176).
* Only show pretty error screens on Contao routes (see #1149).
# Contao listing bundle change log
### 4.4.8 (2017-11-15)
* Prevent SQL injections in the listing module (see CVE-2017-16558).
|
|
Version 3.5.31 (2017-11-15)
---------------------------
### Fixed
Prevent SQL injections in the back end search panel (see CVE-2017-16558).
|
|
|
|
0.14.2:
Restore strict parameter as no-op in quote/unquote
0.14.1:
Restore strict parameter as no-op for sake of compatibility with aiohttp 2.2
0.14.0:
Drop strict mode
Fix “ValueError: Unallowed PCT %” when there’s a “%” in the url
|
|
List directories containing ${PKGBASE} in INSTALLATION_DIRS explicitly.
|
|
from maya@
|
|
|
|
Python language bindings for Selenium WebDriver.
The Selenium package is used to automate web browser interaction from Python.
|
|
|
|
* Sync with www/seamonkey-2.49.1
|
|
Changelog:
Based on Firefox 52.4.1
SeaMonkey-specific changes
SeaMonkey should no longer crash when you start it or try to use the mail feature on OS X 10.12 or greater.
You were not always prompted for authentication in SeaMonkey 2.48 under certain scenarios resulting in login failures. The problem, tracked in bug 1347857, has been fixed.
Mail and News: The way images are included in a compose window has changed. Images are now included as data URIs and not as references to parts of other messages or operating system files. This allows better interoperability with office packages such as MS Office or LibreOffice. Images linked from locations on the internet will no longer be downloaded and attached to the message automatically. This can be changed globally by setting the preference mail.compose.attach_http_images.
Language support for nb-NO has been re-added.
SeaMonkey now uses gtk3 on Linux. If you experience a problem because of this please file a bug and link it to Switch Linux builds to GTK3 with SeaMonkey 2.49. Pleae try another OS theme first. Some of them are buggy and cause problems with SeaMonkey, Thunderbird and Firefox.
Quotes are now colored differently in Mails bug 1374708.
Under OSX the left panes in Bookmarks Manager, MailNews and Address Book are now styled like finder panes. See bug 1095904.
Quotes are now colored differently in Mails up to 5 levels deep depending on your OS. See bug 1374708. This may break custom themes for email composition because a new style sheet named "messageQuotes.css" has been added.
|
|
* Sync with www/firefox52-52.4.1
|
|
Changelog:
Fixed
Fixed a crash when playing videos on macOS 10.13
Fixed a crash when using the color picker on macOS 10.13
|
|
6.29 2017-11-06
- Fix some version numbers
6.28 2017-11-06
- Remove last use of Geopt::Std (Sergey Remanov) (GH #267)
- Include unmatched connect error in status string (Patrik Lundin) (GH #269)
- Fix insecure open FILEHANDLE,EXPR (Takumi Akiyama) (GH #270)
|
|
0.18 2017-11-03T15:01:43Z
- Added URI::redshift to support db:redshift: URIs, thanks to a pull
request from Steve Caldwell (PR #12).
- Added URI::exasol, thanks to Johan Wärlander.
|
|
7.55 2017-11-06
- Added -role flag to Mojo::Base. (jberger)
- Improved tablify function in Mojo::Util to work with non-rectangular arrays.
(CandyAngel, jabberwok)
- Improved Windows compatibility of Mojo::Server::Daemon.
7.54 2017-11-05
- Fixed a bug in Mojo::Promise where promise chains could not recover from
rejections.
7.53 2017-11-04
- Added module Mojo::Promise.
- Improved Mojo::IOLoop::Delay to be a subclass of Mojo::Promise.
7.52 2017-11-02
- Added delete_p, get_p, head_p, options_p, patch_p, post_p, put_p and start_p
methods to Mojo::UserAgent.
7.51 2017-10-31
- Added -signatures flag to Mojo::Base and Mojolicious::Lite.
- Added support for new HTTP status code.
- Improved ojo to enable subroutine signatures automatically on Perl 5.20+.
7.50 2017-10-30
- Deprecated error and finish events in Mojo::IOLoop::Delay. Since there is no
good way to warn our users about this deprecation, it will be in effect
until the next major release. Where we will also change the base class from
Mojo::EventEmitter to Mojo::Base.
- Improved documentation browser with links to MetaCPAN.
7.49 2017-10-28
- Deprecated Mojo::IOLoop::Delay::data and Mojo::IOLoop::Delay::remaining.
- Added Promises/A+ support. Note that Mojo::IOLoop::Delay previously
inherited a catch method from Mojo::EventEmitter that was passed the error
message as second argument instead of the first, so you might have to change
$delay->catch(sub { my ($delay, $error) = @_; ... });
to
$delay->catch(sub { my ($error) = @_; ... });
- Added all, catch, finally, race and then methods to Mojo::IOLoop::Delay.
- Updated jQuery to version 3.2.1.
|
|
0.14 Sat, 28 Oct 2017 14:53:00 +0100
- Further improvements to the path handling to fix a bug with
specifying the base directory using a relative path. Closes:
https://rt.cpan.org/Public/Bug/Display.html?id=123428
|
|
4.37 2017-11-01
[ FIX ]
- Fix incorrect quoting of ? in ->url (GH #112, GH #222, with
thanks to Reuben Thomas)
|
|
|
|
|
|
Geckodriver provides the HTTP API described by the W3C WebDriver protocol to
communicate with Gecko browsers, such as Firefox. It translates calls into
the Firefox remote protocol by acting as a proxy between the local- and remote
ends. This is used by browser automation frameworks such as Selenium.
|
|
Version 3.7.3:
Fix AppRegistryNotReady error importing contrib.auth views
Version 3.7.2:
Fixed Django 2.1 compatibility due to removal of django.contrib.auth.login()/logout() views.
Add missing import for TextLexer.
Adding examples and documentation for caching
Include date and date-time format for schema generation
Use triple backticks for markdown code blocks
Interactive docs - make bottom sidebar items sticky
Clarify pagination system check
Stop JSONBoundField mangling invalid JSON
Have JSONField render as textarea in Browsable API
Schema: Exclude OPTIONS/HEAD for ViewSet actions
Fix ordering for dotted sources
Fix: Fields with allow_null=True should imply a default serialization value
Ensure Location header is strictly a 'str', not subclass.
Add import to example in api-guide/parsers
Catch OverflowError for "out of range" datetimes
Add djangorestframework-rapidjson to third party packages
Increase test coverage for drf_create_token command
Add trove classifier for Python 3.6 support.
Add pip cache support to the Travis CI configuration
Rename [wheel] section to [bdist_wheel] as the former is legacy
Fix invalid escape sequence deprecation warnings
Add interactive docs error template
Add rounding parameter to DecimalField
Fix all BytesWarning caught during tests
Use dict and set literals instead of calls to dict() and set()
Change ImageField validation pattern, use validators from DjangoImageField
Fix processing unicode symbols in query_string by Python 2
|
|
|
|
5.2.1
Add more border width to codemirror cursor.
Fix nbconvert handler.
Fix the prompt_area argument of the output area constructor.
Handle a compound extension in new_untitled.
Allow disabling offline message buffering
|
|
|
|
Drupal is a free web Content Management System (CMS) that allows an
individual or a community of users to easily publish, manage and organize a
wide variety of content on a website.
Drupal is ready to go from the moment you download it. It even has an
easy-to-use web installer! The built-in functionality, combined with dozens
of freely available add-on modules, will enable features such as: Content
Management Systems, Blogs, Collaborative authoring environments, Forums,
Peer-to-peer networking, Newsletters, Podcasting, Picture galleries, File
uploads/downloads and much more.
|
|
|
|
(Accidently forgotten in the last commit, whoops!)
|
|
- Install bin/gunicorn and bin/gunicorn_paster with the PYVERSSUFFIX appended at
the end in order to be used by both Python 2 and a Python 3 package
- Adjust PLIST for bin/gunicorn{,_paster} and for all the files installed as
part of DOCDIR and EXAMPLESDIR
PKGREVISION++
|
|
4.0:
Warning: Version 4.0 enables compression with the permessage-deflate extension.
In August 2017, Firefox and Chrome support it, but not Safari and IE.
Compression should improve performance but it increases RAM and CPU use.
If you want to disable compression, add compression=None when calling :func:`~server.serve()` or :func:`~client.connect()`.
Warning: Version 4.0 removes the ``state_name`` attribute of protocols.
Use protocol.state.name instead of protocol.state_name.
Also:
:class:`~protocol.WebSocketCommonProtocol` instances can be used as asynchronous iterators on Python ≥ 3.6. They yield incoming messages.
Added :func:`~websockets.server.unix_serve` for listening on Unix sockets.
Added the :attr:`~websockets.server.WebSocketServer.sockets` attribute.
Reorganized and extended documentation.
Aborted connections if they don't close within the configured timeout.
Rewrote connection termination to increase robustness in edge cases.
Stopped leaking pending tasks when :meth:`~asyncio.Task.cancel` is called on a connection while it's being closed.
Reduced verbosity of "Failing the WebSocket connection" logs.
Allowed extra_headers to override Server and User-Agent headers.
|
|
WordPress versions 4.8.2 and earlier are affected by an issue where
$wpdb->prepare() can create unexpected and unsafe queries leading to potential
SQL injection (SQLi). WordPress core is not directly vulnerable to this issue,
but we’ve added hardening to prevent plugins and themes from accidentally
causing a vulnerability. Reported by Anthony Ferrara.
|
|
|
|
2.3.2:
Fix passing client max size on cloning request obj.
Fix ClientConnectorSSLError and ClientProxyConnectionError for proxy connector.
Drop generated _http_parser shared object from tarball distribution.
Fix connector convert OSError to ClientConnectorError.
Fix connection attempts for multiple dns hosts.
Fix ValueError for AF_INET6 sockets if a preexisting INET6 socket to the aiohttp.web.run_app function.
_SessionRequestContextManager closes the session properly now.
Rename from_env to trust_env in client reference.
2.3.1:
Relax attribute lookup in warning about old-styled middleware
|
|
0.3.6:
* Use html5-parser for parsing HTML, when available instead of html5lib
for a big performance boost.
* Fix error when trying to submit forms with non-ascii values on systems
where the default encoding is ascii.
* Fix errors on python environments with broken threading
|
|
v1.0.1
Added: Add dictionary representations of Path, Query, Fragment, and furl objects
via an asdict() method.
v1.0.0
Added: Test against Python 3.6.
Changed: Bumped the version number to v1.0 to signify that furl is a mature and
stable library. Furl has been marked Production/Stable in setup.py for a long
time anyhow -- it's high time for the version number to catch up.
|
|
1.11.7:
Bugfixes
* Prevented cache.get_or_set() from caching None if the default argument is a callable that returns None.
* Fixed the Basque DATE_FORMAT string.
* Made QuerySet.reverse() affect nulls_first and nulls_last.
* Fixed unquoted table names in Subquery SQL when using OuterRef
|
|
Notable changes:
- A fix for CVE-2017-12617.
- Add ExtractingRoot, a new WebResourceRoot implementation that extracts
JARs to the work directory for improved performance when deploying
packed WAR files.
- Update the packaged version of the Tomcat Native Library to 1.2.14
Full changelog:
https://tomcat.apache.org/tomcat-8.0-doc/changelog.html
|
|
Notable changes:
- A fix for CVE-2017-12617.
- Update the packaged version of the Tomcat Native Library to 1.2.14
Full changelog:
https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
|
|
|
|
Upstream changes:
1.58 2017-10-29
- Redid the release because of some dzil issues. 1.57 might be a little
wonky.
1.57 2017-10-29
[ BUG FIXES ]
- Fix test failures under 5.26.0+ due to "." no longer being in @INC. PR
By Kent Fredric. GH #6. Fixed RT #121443.
|
|
Bump PKGREVISION
|
|
|
|
Changes with nginx 1.13.6 10 Oct 2017
*) Bugfix: switching to the next upstream server in the stream module
did not work when using the "ssl_preread" directive.
*) Bugfix: in the ngx_http_v2_module.
Thanks to Piotr Sikora.
*) Bugfix: nginx did not support dates after the year 2038 on 32-bit
platforms with 64-bit time_t.
*) Bugfix: in handling of dates prior to the year 1970 and after the
year 10000.
*) Bugfix: in the stream module timeouts waiting for UDP datagrams from
upstream servers were not logged or logged at the "info" level
instead of "error".
*) Bugfix: when using HTTP/2 nginx might return the 400 response without
logging the reason.
*) Bugfix: in processing of corrupted cache files.
*) Bugfix: cache control headers were ignored when caching errors
intercepted by error_page.
*) Bugfix: when using HTTP/2 client request body might be corrupted.
*) Bugfix: in handling of client addresses when using unix domain
sockets.
*) Bugfix: nginx hogged CPU when using the "hash ... consistent"
directive in the upstream block if large weights were used and all or
most of the servers were unavailable.
|
