path: root/www
Age | Commit message | Author | Files | Lines
2018-09-18 | Pullup ticket #5836 - requested by taca | bsiegert | 2 | -7/+7

www/contao35: security fix

Revisions pulled up:
- www/contao35/Makefile 1.40
- www/contao35/distinfo 1.32

---
Module Name: pkgsrc
Committed By: taca
Date: Tue Sep 18 15:10:58 UTC 2018

Modified Files:
    pkgsrc/www/contao35: Makefile distinfo

Log Message:
www/contao35: update to 3.5.36

Version 3.5.36 (2018-09-18)
---------------------------

### Fixed
Prevent arbitrary code execution through .phar files (see CVE-2018-17057).

### Fixed
Correctly reset the autologin data upon logout (#8868).

### Fixed
Remove support for deprecated user password hashes (see #8889).
2018-09-17 | Pullup ticket #5831 - requested by wen | spz | 2 | -7/+7

www/moodle: security update

Revisions pulled up:
- www/moodle/Makefile 1.67
- www/moodle/distinfo 1.52

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wen
Date: Sat Sep 15 13:10:00 UTC 2018

Modified Files:
    pkgsrc/www/moodle: Makefile distinfo

Log Message:
Update to 3.5.2

Upstream changes:
Moodle 3.5.2 release notes
Releases > Moodle 3.5.2 release notes

Release date: 10 September 2018

Here is the full list of fixed issues in 3.5.2.

Contents
1 Highlights
2 Fixes and improvements
3 Security issues
4 See also

Highlights
MDL-61652 - Configuration as to who can download SAR data
MDL-62026 - Privacy officer can mark general enquiries as complete
MDL-62660 - Option to set a data request expiry time
MDL-57741 - Launch URL for Publish as LTI tool
MDL-57977 - Global search allows searching for users by alternate name

Fixes and improvements
MDL-60826 - Memory exhaustion error when trying to add/edit calendar event as admin
MDL-60874 - Clearer search results in user enrolment
MDL-62782 - Users with the capability mod/assign:viewgrades can also view uploaded feedback files
MDL-62849 - Filemanager: cannot manage files when there are folders
MDL-62534 - Empty course sections deleted when upgrading
MDL-62600 - Admin is misinformed that there are no data requests
MDL-61351 - Shibboleth logout does not handle file sessions correctly
MDL-62996 - Missing upgrade.php file on tool_dataprivacy may cause errors when upgrading from 3.3 or 3.4
MDL-62643 - Online text assignment submissions generate a blank HTML document for grading when no text is entered
MDL-61515 - The current core php-css-parser prefixing library does not support sass syntax "@supports"
MDL-61424 - When token is rejected from moodle.net provide option to unregister
MDL-59847 - Behaviour when city/country are hiddenfields and identityfields at the same time
MDL-62965 - User profile fields missing on signup page
MDL-62889 - Multiple fixes when redirecting to a URL after clicking on a notification
MDL-62989 - Data requests are listed by date requested for users
MDL-62896 - Some non-core plugins are missing their Additional label on the Plugin data registry page
MDL-62993 - External tool Message in Membership Service not in an Array
MDL-62969 - External tool LtiLinkMemberships URL is invalid
MDL-62581 - Boost Course restore screen styling improvements
MDL-62769 - "Statistics for question positions" graph shows last shown variant, not stats for overall question
MDL-62341 - 'Go back to previous page' link on All policies page
MDL-62746 - Boost core_tag modals content layout improvements
MDL-45389 - Forum index page alignment improvements
MDL-61707 - Pre-signup (minor check) session is not deleted upon signup
MDL-62852 - All policies page lists policy type and audience

Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.

To generate a diff of this commit:
cvs rdiff -u -r1.66 -r1.67 pkgsrc/www/moodle/Makefile
cvs rdiff -u -r1.51 -r1.52 pkgsrc/www/moodle/distinfo
2018-09-10 | Pullup ticket #5825 - requested by wiz | spz | 2 | -7/+7

www/curl: security update

Revisions pulled up:
- www/curl/Makefile 1.201
- www/curl/distinfo 1.146
- www/curl/patches/patch-src_tool__cb__hdr.c deleted

-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: wiz
Date: Wed Sep 5 06:49:26 UTC 2018

Modified Files:
    pkgsrc/www/curl: Makefile distinfo
Removed Files:
    pkgsrc/www/curl/patches: patch-src_tool__cb__hdr.c

Log Message:
curl: update to 7.61.1.

This release includes the following bugfixes:

o security advisory (CVE-2018-14618): NTLM password overflow via integer overflow [73]
o CURLINFO_SIZE_UPLOAD: fix missing counter update [46]
o CURLOPT_ACCEPT_ENCODING.3: list them comma-separated
o CURLOPT_SSL_CTX_FUNCTION.3: might cause accidental connection reuse [72]
o Curl_getoff_all_pipelines: improved for multiplexed [3]
o DEPRECATE: remove release date from 7.62.0
o HTTP: Don't attempt to needlessly decompress redirect body [30]
o INTERNALS: require GnuTLS >= 2.11.3 [62]
o README.md: add LGTM.com code quality grade for C/C++ [42]
o SSLCERTS: improve the openssl command line
o Silence GCC 8 cast-function-type warnings [47]
o ares: check for NULL in completed-callback [3]
o asyn-thread: Remove unused macro [40]
o auth: only pick CURLAUTH_BEARER if we *have* a Bearer token [15]
o auth: pick Bearer authentication whenever a token is available [15]
o cmake: CMake config files are defining CURL_STATICLIB for static builds [54]
o cmake: Respect BUILD_SHARED_LIBS [35]
o cmake: Update scripts to use consistent style [9]
o cmake: bumped minimum version to 3.4 [34]
o cmake: link curl to the OpenSSL targets instead of lib absolute paths [34]
o configure: conditionally enable pedantic-errors [64]
o configure: fix for -lpthread detection with OpenSSL and pkg-config [38]
o conn: remove the boolean 'inuse' field [3]
o content_encoding: accept up to 4 unknown trailer bytes after raw deflate data [5]
o cookie tests: treat files as text
o cookies: support creation-time attribute for cookies [75]
o curl: Fix segfault when -H @headerfile is empty [23]
o curl: add http code 408 to transient list for --retry [78]
o curl: fix time-of-check, time-of-use race in dir creation [71]
o curl: use Content-Disposition before the "URL end" for -OJ [29]
o curl: warn the user if a given file name looks like an option [56]
o curl_threads: silence bad-function-cast warning [69]
o darwinssl: add support for ALPN negotiation [7]
o docs/CURLOPT_URL: fix indentation [20]
o docs/CURLOPT_WRITEFUNCTION: size is always 1 [19]
o docs/SECURITY-PROCESS: mention bounty, drop pre-notify
o docs/examples: add hiperfifo example using linux epoll/timerfd [21]
o docs: add disallow-username-in-url.d and haproxy-protocol.d to dist [50]
o docs: clarify NO_PROXY env variable functionality [70]
o docs: improved the manual pages of some callbacks [48]
o docs: mention NULL is fine input to several functions [43]
o formdata: Remove unused macro HTTPPOST_CONTENTTYPE_DEFAULT [40]
o gopher: Do not translate `?' to `%09' [67]
o header output: switch off all styles, not just unbold [8]
o hostip: fix unused variable warning
o http2: Use correct format identifier for stream_id [77]
o http2: abort the send_callback if not setup yet [63]
o http2: avoid set_stream_user_data() before stream is assigned [61]
o http2: check nghttp2_session_set_stream_user_data return code [55]
o http2: clear the drain counter in Curl_http2_done [27]
o http2: make sure to send after RST_STREAM [58]
o http2: separate easy handle from connections better [12]
o http: fix for tiny "HTTP/0.9" response [51]
o http_proxy: Remove unused macro SELECT_TIMEOUT [40]
o lib/Makefile: only do symbol hiding if told to [32]
o lib1502: fix memory leak in torture test [44]
o lib1522: fix curl_easy_setopt argument type
o libcurl-thread.3: expand somewhat on the NO_SIGNAL motivation [66]
o mime: check Curl_rand_hex's return code [22]
o multi: always do the COMPLETED procedure/state [3]
o openssl: assume engine support in 1.0.0 or later [2]
o openssl: fix debug messages [39]
o projects: Improve Windows perl detection in batch scripts [49]
o retry: return error if rewind was necessary but didn't happen [28]
o reuse_conn(): memory leak - free old_conn->options [17]
o schannel: client certificate store opening fix [68]
o schannel: enable CALG_TLS1PRF for w32api >= 5.1
o schannel: fix MinGW compile break [1]
o sftp: don't send post-quote sequence when retrying a connection [79]
o smb: fix memory leak on early failure [26]
o smb: fix memory-leak in URL parse error path [4]
o smb_getsock: always wait for write socket too [11]
o ssh-libssh: fix infinite connect loop on invalid private key [53]
o ssh-libssh: reduce excessive verbose output about pubkey auth [53]
o ssh-libssh: use FALLTHROUGH to silence gcc8 [76]
o ssl: set engine implicitly when a PKCS#11 URI is provided [36]
o sws: handle EINTR when calling select() [24]
o system_win32: fix version checking [16]
o telnet: Remove unused macros TELOPTS and TELCMDS [40]
o test1143: disable MSYS2's POSIX path conversion [10]
o test1148: disable if decimal separator is not point [65]
o test1307: (fnmatch testing) disabled [31]
o test1422: add required file feature [6]
o test1531: Add timeout [41]
o test1540: Remove unused macro TEST_HANG_TIMEOUT [40]
o test214: disable MSYS2's POSIX path conversion for URL
o test320: treat curl320.out file as binary [14]
o tests/http_pipe.py: Use /usr/bin/env to find python
o tests: Don't use Windows path %PWD for SSH tests [74]
o tests: fixes for Windows line endings [13]
o tool_operate: Fix setting proxy TLS 1.3 ciphers
o travis: build darwinssl on macos 10.12 to fix linker errors [33]
o travis: execute "set -eo pipefail" for coverage build [45]
o travis: run a 'make checksrc' too [25]
o travis: update to GCC-8 [52]
o travis: verify that man pages can be regenerated [50]
o upload: allocate upload buffer on-demand [60]
o upload: change default UPLOAD_BUFSIZE to 64KB [60]
o urldata: remove unused pipe_broke struct field [57]
o vtls: reinstantiate engine on duplicated handles [59]
o windows: implement send buffer tuning [37]
o wolfSSL/CyaSSL: Fix memory leak in Curl_cyassl_random [18]

To generate a diff of this commit:
cvs rdiff -u -r1.200 -r1.201 pkgsrc/www/curl/Makefile
cvs rdiff -u -r1.145 -r1.146 pkgsrc/www/curl/distinfo
cvs rdiff -u -r1.1 -r0 pkgsrc/www/curl/patches/patch-src_tool__cb__hdr.c
2018-08-25 | Pullup ticket #5818 - requested by taca | bsiegert | 3 | -9/+18

www/drupal8: security fix

Revisions pulled up:
- www/drupal8/Makefile 1.8-1.10
- www/drupal8/PLIST 1.7-1.8
- www/drupal8/distinfo 1.8-1.9

---
Module Name: pkgsrc
Committed By: jperkin
Date: Wed Jul 4 13:40:45 UTC 2018

Modified Files:
    pkgsrc/www/drupal8: Makefile

Log Message:
*: Move SUBST_STAGE from post-patch to pre-configure

Performing substitutions during post-patch breaks tools such as mkpatches, making it very difficult to regenerate correct patches after making changes, and often leading to substituted string replacements being committed.

---
Module Name: pkgsrc
Committed By: wen
Date: Mon Jul 16 02:21:49 UTC 2018

Modified Files:
    pkgsrc/www/drupal8: Makefile PLIST distinfo

Log Message:
Update to 8.5.5

Upstream changes:
Release notes

This is a patch release of Drupal 8 and is ready for use on production sites. Learn more about Drupal 8.

This release only contains bug fixes, along with documentation and testing improvements. Translators should take note of a minor string change since the last release.

Known issues
View with user/% path breaks login/logout on 8.5.x - a regression from 8.4.x

Important: If you have not already upgraded to 8.5.0, read the Drupal 8.5.0 release notes before upgrading to 8.5.5.

Search the issue queue for all known issues.

Changes since 8.5.4:
#2921661 by heddn, maxocub, alexpott, phenaproxima, Jo Fitzgerald, badmetevils, quietone: Add support to migrate multilingual revisions
#2977945 by awm: typo in test_node_revision_links views yml file
Revert "Issue #2971338 by Jo Fitzgerald, quietone, joachim: MigrationLookupTest::testMultipleSourceIds() uses wrong class for mocking"
#2971338 by Jo Fitzgerald, quietone, joachim: MigrationLookupTest::testMultipleSourceIds() uses wrong class for mocking
#2887490 by michaellenahan, cilefen, rOprOprOp, catch: Activity Tracker cannot be enabled if there are unpublished nodes
#2982042 by progga: UUID component's composer.json has wrong description
#2860760 by Jo Fitzgerald, heddn, quietone, alexpott: Match setup() functionality of MigrateFileTest with MigratePrivateFileTest
#2979813 by Wim Leers, TwoD: Add TwoD as maintainer for the editor.module component
#2581557 by dawehner, mxh, xjm, sorabh.v6, JeroenT: Add ltrim($path, '/') in drupalGet method
#2635046 by neclimdul, dawehner, alexpott: run-test.sh doesn't work in directories with spaces
#2950158 by Vidushi Mehta, ankitjain28may, Shiva Srikanth T, ckrina, markconroy, Eli-T: Choose policy for defining font-weight on Umami theme
#2875679 by mondrake, daffie: BasicSyntaxTest::testConcatFields fails with contrib driver
#2933413 by Graber, alexpott, joelpittet, chanderbhushan, jchand: Improve test coverage of using bulk actions when the view has an exposed form using AJAX
#2978596 by visshu007, Chi: views_add_contextual_links() references to non existent views_preprocess_page() function
#2977175 by borisson_, PieterJanPut, tstoeckler, msankhala: DataDefinition::setConstraints() should be on DataDefinitionInterface
#2822611 by Mile23, Wim Leers, alexpott, Berdir, catch, dawehner, xjm, tstoeckler, borisson_: Document why UserInterface + FileInterface + MenuLinkContentInterface + … extend \Drupal\Core\Entity\ContentEntityInterface
#2969598 by msankhala, joachim: badly formatted sample code in docs for Select::orderBy()
Revert "Issue #2886609 by quietone, Jo Fitzgerald, jhodgdon, masipila, heddn, Gábor Hojtsy, mikeryan: Migrate D6 i18n localized translations of taxonomy terms"
#2975751 by msankhala, leolando.tan, joachim, claudiu.cristea: incorrect @return for Tables::getTableMapping()
#2927723 by longwave, artreaktor, chiranjeeb2410, ankitjain28may, cilefen, dawehner: The URL "/ " with trailing space is not getting recognized as
#2737773 by antongp, wturrell, pcambra, cilefen, Darvanen, cwells, manningpete, alexpott: Proper way to install Drupal, missing vendor folders, example.gitignore
#2943107 by mherchel, NicholasS, jordana, finnsky, tomphippen, smaz, markconroy, andrewmacpherson, kjay: Umami support for Internet Explorer 11
#2979166 by RajeevK, lomasr: Wrong documentation on SiteCacheContext class
#2749901 by MaskyS, kleog, priya.chat, harsha012, rakesh.gectcr, shobhit_juyal, snehi, SenthilMohith, neerajpandey, gawaksh, thompsizzle, ecrown, mohit1604, andrewmacpherson, surbz, rahulrasgon, riddhi.addweb: Add README.txt to Bartik theme
#2886609 by quietone, Jo Fitzgerald, jhodgdon, masipila, heddn, Gábor Hojtsy, mikeryan: Migrate D6 i18n localized translations of taxonomy terms
#2772251 by msankhala, markpavlitski, joachim: description for EntityForm::actions() could use rewording
#2978848 by claudiu.cristea, amateescu: EntityReferenceFieldItemList::referencedEntities() doesn't work for computed fields
#2073467 by maxocub, Jo Fitzgerald, pobster, masipila, plach, heddn, phenaproxima, catch: Migrate Drupal 7 Entity Translation settings to Drupal 8
#2877828 by msankhala, joachim: FormInterface::getFormId() should state restrictions on the returned ID string
#2855054 by alexpott, LoMo, wesleydv, Artusamak, gawaksh, xjm: User cancel link doesn't redirect to the homepage
#2936821 by msankhala, joachim, lomasr, marxjohnson: unclear docs in MigrateProcessInterface
#2951715 by dravenk, marvil07, rakesh.gectcr, davidsonjames, heddn, Jo Fitzgerald, quietone, alexpott, maxocub: Log message if static_map plugin skips the row
#2932777 by mondrake, borisson_, alexpott, daffie: Risky count() in SQLite Statement
#2951163 by nkoporec, Parvateesam, joachim: CachePluginBase::cacheGet()/::cacheSet() doesn't document @params or @return

---
Module Name: pkgsrc
Committed By: wen
Date: Wed Aug 15 10:52:46 UTC 2018

Modified Files:
    pkgsrc/www/drupal8: Makefile PLIST distinfo

Log Message:
Update to 8.5.6

Upstream changes:
Drupal 8.5.6 Release notes

Maintenance and security release of the Drupal 8 series.

This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the notes below and the security announcement:

Drupal Core - 3rd-party libraries - SA-CORE-2018-005

No other fixes are included.
2018-08-25 | Pullup ticket #5817 - requested by taca | bsiegert | 2 | -25/+7

www/squid3: security fix

Revisions pulled up:
- www/squid3/Makefile 1.82
- www/squid3/distinfo 1.64

---
Module Name: pkgsrc
Committed By: taca
Date: Sat Aug 11 01:22:02 UTC 2018

Modified Files:
    pkgsrc/www/squid3: Makefile distinfo

Log Message:
www/squid3: update to 3.5.29

Changes to squid-3.5.28 (15 Jul 2018):

- SQUID-2018:1: crash processing SSL-Bumped traffic containing ESI
- SQUID-2018:2: crash handling responses to internally generated requests
- SQUID-2018:3 / CVE-2018-1172: crash in ESI Response processing
- Bug 4861: HTTPMSGLOCK missing pointer safety
- Bug 4829: IPC shared memory leaks when disker queue overflows
- Bug 4767: SMP breaks IPv6 SNMP and cache manager queries
- Bug 2821: Ignore Content-Range in non-206 responses
- HTCP: Ignore HTCP packets with invalid URI
- SSL-Bump: fix authentication with schemes other than Basic
- TPROXY: Fix clientside_mark and client port logging
- Fix "Cannot assign requested address" for to-origin TPROXY FTP data
- Fix --with-netfilter-conntrack error message
- Validate mime icon URL before allocating store entries
- ... and many documentation changes
2018-08-25 | Rollback pkgsrc-2018Q2 changes that were meant for trunk | manu | 3 | -26/+17
2018-08-24 | Pullup ticket #5815 - requested by wiz | bsiegert | 3 | -10/+10

www/webkit-gtk: security fix

Revisions pulled up:
- www/webkit-gtk/Makefile 1.142
- www/webkit-gtk/PLIST 1.40
- www/webkit-gtk/distinfo 1.104

---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Aug 17 10:37:58 UTC 2018

Modified Files:
    pkgsrc/www/webkit-gtk: Makefile PLIST distinfo

Log Message:
webkit-gtk: update to 2.20.4.

What's new in WebKitGTK+ 2.20.4?

- Fix a crash when leaving accelerated compositing mode.
- Fix non-deterministic build failure due to missing JavaScriptCore/JSContextRef.h.
- Security fixes: CVE-2018-4261, CVE-2018-4262, CVE-2018-4263, CVE-2018-4264, CVE-2018-4265, CVE-2018-4266, CVE-2018-4267, CVE-2018-4270, CVE-2018-4272, CVE-2018-4273, CVE-2018-4278, CVE-2018-4284.
2018-08-24 | Updated www/ap2-jk to 1.2.43 | manu | 3 | -17/+26

The update from 1.2.37 works around an Apache startup crash on NetBSD 8.0

Complete Changelog

1.2.43
- 61733: LB: Propagate load factor changes applied by the status worker to a load balancer sub worker correctly to all processes. Based on a patch provided by Jonathan Oddy. (rjung)
- [fix] ISAPI: Align the make files for 32-bit and 64-bit builds. (markt)
- [update] Update config.guess and config.sub from http://git.savannah.gnu.org/cgit/config.git. (rjung)
- [update] Update PCRE bundled with the ISAPI redirector to 8.41. (rjung)
- [fix] Update the ISAPI redirector installation documentation to reflect the currently supported versions of Windows. (markt)
- [fix] Align the normalization performed by the ISAPI redirector with that implemented by Tomcat. (markt)

1.2.42
- [fix] Status: Fix displayed number of bytes read from and written to the backend when an AJP worker is used without a load balancer worker. (rjung)
- [fix] Apache: Don't try to read remaining request body parts during clean up if reading the request body from the client already failed during earlier processing phases. (rjung)
- [fix] 57485: Apache: Propagate errors reading the request body from the client to mod_jk so Tomcat sees an error rather than a truncated body. (markt)
- [fix] 57836: ISAPI: Empty REMOTE_USER should not be translated to "". (rjung)
- [fix] 58249: Add a note to the documentation that max_packet_size will be aligned to the next multiple of 1024 if a value is specified that is not a multiple of 1024. (markt)
- [update] 58309: ISAPI: Update bundled pcre from version 5.0 to 8.38. (rjung)
- [fix] 58286: Fix crash in mod_jk and in the ISAPI Redirector. The crash only happens on Windows when retrieving the jk-status for the HTML format (which is the default format). This regression was introduced by the fix to 54177. (rjung)
- [fix] 58285: Don't use GCC atomics on platforms, for which GCC doesn't provide an atomics implementation. This regression was introduced by the fix to 44454 and 56703. (rjung)
- [fix] 58425: Fix regression in 1.4.41 that prevented AJP 1.2 workers from initialising. Note that the AJP 1.2 protocol is deprecated. Patch provided by yagisita. (markt)
- [fix] 58504: If a background thread is used to perform worker maintenance, ensure that maintenance runs are not skipped. Patch provided by Hiroto Shimizu. (markt)
- [fix] 58608: ISAPI: Add a new registry option "flush_packets" that allows the flushing behaviour of IIS7+ to be controlled. The default is not to flush. Setting the option to "true" will cause IIS to write data to the client as each AJP packet is received. (markt)
- [fix] 58813: ISAPI: Correctly release a mutex allowing the plugin to complete initialization. Prior to this fix, the incomplete initialization was causing a hang on shutdown. Patch provided by Matthew Reiter. (markt)
- [fix] 58895: Correct an off-by-one error in the log messages for the number of attempts made to communicate with the backend server. Patch provided by Hiroto Shimizu. (markt)
- [fix] 59164: Fix crash on first connection if a host name is specified for the worker that cannot be resolved to an IP address. (markt)
- [fix] 59184: HTTPD: Avoid segmentation fault if mod_jk is configured with an invalid value for JkShmFile. This causes the server startup to fail. (markt)
- [fix] Minor code clean-up and optimization. (markt)

1.2.40
- [fix] AJP, LB: Reduce lock contention during maintenance function. This was observable when using a big number of AJP13 and LB workers, especially in combination with the Apache httpd prefork MPM. (rjung)
- [fix] 57060: Allow building from outside of source tree. Patch contributed by Petr Sumbera. (rjung)
- [fix] 56703: Status: Fix inflated counter for current number of backend connections especially when a connection timeout occurred on the backend. (rjung)
- [fix] 56661: Fix Servlet API getLocalAddr(). Works for Tomcat 6.0.42, 7.0.55 and 8.0.11 and Apache and ISAPI plugins. (rjung)
- [update] Status: Log old and new values when changing worker attributes. (rjung)
- [fix] 56667: Status: Fix log message when changing activation state of all members. (rjung)
- [fix] 56565: Fix IPV6 address resolve on non-dual network stacks. (mturk)
- [fix] 50511: Reduce log level for "OPTIONS *" requests from warning to debug. (rjung)
- [fix] Apache: Copy log notes instead of using references to prevent access to memory from closed pool. (rjung)
- [add] Add option to control handling of multiple adjacent slashes in mount and unmount. New default is collapsing the slashes only in unmount. Configuration is done via new JkOption for Apache ("CollapseSlashesAll", "CollapseSlashesNone" or "CollapseSlashesUnmount") and via property "collapse_slashes" for IIS (values "all", "none", "unmount"). This is the fix for CVE-2014-8111. (rjung)
- [add] Add more checks for shared memory allocation. (rjung)
- [add] 56869: Status: Add maximum number of open backend connections to status worker. Patch contributed by Martin Knoblauch. (rjung)
- [add] 56770: AJP: Add worker name to all log messages. Patch contributed by Martin Knoblauch. (rjung)
- [fix] 50186: Docs: Clarify relation between "connection_pool_timeout" and "keepAliveTimeout" or "connectionTimeout" in the Tomcat AJP connector configuration. (rjung)
- [fix] 52334: LB: Calculate worker recovery time based on last recovery attempt time instead of original error time after the first recovery attempt. (rjung)
- [fix] 54596 part 1: IIS: Fix missing last character when parsing relative file names with no ".." directory components from configuration. (rjung)
- [fix] 54596 part 2: IIS: Fix using relative file names in config with ".." path segments that go up the directory hierarchy higher than the starting point of the relative file name. (rjung)
- [fix] Status: Add logging if status worker output was dropped due to insufficient buffer size. (rjung)
- [fix] Reduce log buffer from 8KB to 1KB. Add logging in case of failed logging and add trailing "..." to lines which were likely truncated. (rjung)
- [update] Replace fixed allocation of 32 entries for fail_on_status by dynamic allocation. (rjung)
- [add] Enforce implementation restriction on maximal length "60" of worker attributes "name", "host", "route", "domain", "redirect", "session_cookie", "session_path" and "set_session_cookie". Checks were added to configuration file processing and configuration updates via the status worker. (rjung)
- [add] 52483: Apache: Add debug logging for result of JkOptions configuration processing. (rjung)
- [fix] 54177: Status: Use numeric time stamps instead of textual ones to avoid non-well-formed XML output. Textual timestamps are formatted according to locale settings and reencoding them to UTF-8 would be cumbersome. (rjung)
- [fix] 56618: Status: Use percent decoding when reading query string parameters. For example this fixes editing IPv6 addresses via the status worker if the client encodes ":" as "%3A". Patch contributed by Christopher Schultz. (rjung)
- [fix] 56452: Fix crash in debug logging for IPv6 addresses. Patch contributed by Christopher Schultz. (rjung)
- [fix] 34526: Apache: Improve compatibility with mod_deflate request body inflation. An automatic detection of mod_deflate inflation is not implemented. Use the new Apache environment variable JK_IGNORE_CL instead, to let mod_jk ignore an existing Content-Length request header. (rjung)
- [update] 44454: LB: Add warning to docs about problems with "busyness" load balancing method. (rjung)
- [fix] 44454: Improve busy counter by using atomics. (rjung)
- [fix] 56703: Status: Improve connected counter. Use atomics and for mod_jk (Apache) correctly count down connections closed by child processes that are stopped. (rjung)
- [fix] 44571: Ensure that we return with status 503 if we can not get and endpoint for a worker. (rjung)
- [fix] Apache: Improve log handling during graceful or normal restart. (rjung)
- [fix] Don't update last access time of worker connections during optional checking of idle connections using CPing. Updating the time stamp breaks closing idle connections. (rjung)
- [fix] Adjust linger parameters used during connection shutdown. (rjung)
- [fix] Fix annoying redefine warnings for the autoconf PACKAGE defines during configure based builds. (rjung)
- [fix] Status: Use multi-line table headers and fix invalid xml output. (rjung)
- [fix] 44571: Implement an optional limit on concurrent requests allowed for a worker (attribute "busy_limit"). Original patch contributed by zealot0630 at gmail dot com. (rjung)
- [fix] Correct log message "all endpoints are disconnected" to "no usable connection found, will create a new one". Tone done from info log level to debug for the common case. (rjung)
- [add] 57536: AJP: Allow to configure connection source address. This should only be used on multi-homed hosts. The feature is experimental. (rjung)
- [add] 57540: AJP: Forward name of SSL protocol used for handling the request (SSLv3, TLSv1, TLSv1.1, TLSv1.2). (rjung)

1.2.39
- Fix forwarding of chunked requests, which is broken in version 1.2.39. (rjung)
- [fix] 56352: Fix regression in memory release. (mturk)
- [fix] Fix status worker display of worker IP address after name or port was changed. (rjung)
- [update] 56297: Improve key hash function. Copied from APR. (rjung)
- [fix] 55683: Remove quotes from quoted session cookies. (rjung)
- [fix] 53542: ISAPI: Fix grammar in 503 error page. (rjung)
- [fix] 55696: Crash on Mac OS X 10.9 during config parsing. (rjung)

1.2.38
- [update] Deprecate nt_service from Apache Tomcat Connectors. (mturk)
- [fix] 56133: Fix possible crash when a request fails during request body transfer to the back end and reply_timeout was set. Patch contributed by Hiroto Shimizu. (rjung)
- [fix] Fix status worker not updating parameters for all members. (mturk)
- [fix] 55853: HTTPD: Use the correct API for setting Content-Length. Patch contributed by areese yahoo-inc.com. (rjung)
- [add] Add IPV6 support for connection to webserver. New directive prefer_ipv6 has been added to control the hostname resolution and preserve backward compatibility. (mturk)
- [add] Add --disable-sock-cloexec to configure to disable use of SOCK_CLOEXEC (using FD_CLOEXEC + fnctl instead) so built modules will work with Linux kernels prior to 2.6.27. (timw)
- [update] Clean up config file parsing. Worker names are now restricted to 60 bytes. (rjung)
- [update] Allow to set a stickiness cookie in case a web framework breaks Tomcat's adding of the routing ID to the end of the JSESSIONID cookie. (rjung)
- [update] Use max_packet_size also for request body forwarding. (rjung)
- [update] Apache 2.4: By default forward logical client address as provided by mod_remoteip. When setting JkOptions ForwardPhysicalAddress mod_jk will instead forward the physical peer address. (rjung)
- [update] Minor documentation improvements. (rjung)
2018-08-18 | Pullup ticket #5802 - requested by taca | bsiegert | 3 | -20/+19

www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile 1.69-1.70
- www/apache24/distinfo 1.36
- www/apache24/patches/patch-aa 1.2

---
Module Name: pkgsrc
Committed By: jperkin
Date: Wed Jul 4 13:40:45 UTC 2018

Modified Files:
    pkgsrc/www/apache24: Makefile

Log Message:
*: Move SUBST_STAGE from post-patch to pre-configure

Performing substitutions during post-patch breaks tools such as mkpatches, making it very difficult to regenerate correct patches after making changes, and often leading to substituted string replacements being committed.

---
Module Name: pkgsrc
Committed By: adam
Date: Thu Jul 19 08:53:58 UTC 2018

Modified Files:
    pkgsrc/www/apache24: Makefile distinfo
    pkgsrc/www/apache24/patches: patch-aa

Log Message:
apache24: updated to 2.4.34

Apache 2.4.34

*) SECURITY: CVE-2018-8011 (cve.mitre.org) mod_md: DoS via Coredumps on specially crafted requests
*) SECURITY: CVE-2018-1333 (cve.mitre.org) mod_http2: DoS for HTTP/2 connections by specially crafted requests
*) Introduce zh-cn and zh-tw (simplified and traditional Chinese) error document translations.
*) event: avoid possible race conditions with modules on the child pool.
*) mod_proxy: Fix a corner case where the ProxyPassReverseCookieDomain or ProxyPassReverseCookiePath directive could fail to update correctly 'domain=' or 'path=' in the 'Set-Cookie' header.
*) mod_ratelimit: fix behavior when proxying content.
*) core: Re-allow '_' (underscore) in hostnames.
*) mod_authz_core: If several parameters are used in a AuthzProviderAlias directive, if these parameters are not enclosed in quotation mark, only the first one is handled. The other ones are silently ignored. Add a message to warn about such a spurious configuration.
*) mod_md: improvements and bugfixes
   - MDNotifyCmd now takes additional parameter that are passed on to the called command.
   - ACME challenges have better checks for interference with other modules
   - ACME challenges are only handled for domains managed by the module, allowing other ACME clients to operate for other domains in the server.
   - better libressl integration
*) mod_proxy_wstunnel: Add default schema ports for 'ws' and 'wss'.
*) logging: Some early logging-related startup messages could be lost when using syslog for the global ErrorLog.
*) mod_cache: Handle case of an invalid Expires header value RFC compliant like the case of an Expires time in the past: allow to overwrite the non-caching decision using CacheStoreExpired and respect Cache-Control "max-age" and "s-maxage".
*) mod_xml2enc: Fix forwarding of error metadata/responses.
*) mod_proxy_http: Fix response header thrown away after the previous one was considered too large and truncated.
*) core: Add and handle AP_GETLINE_NOSPC_EOL flag for ap_getline() family of functions to consume the end of line when the buffer is exhausted.
*) mod_proxy_http: Add new worker parameter 'responsefieldsize' to allow maximum HTTP response header size to be increased past 8192 bytes.
*) mod_ssl: Extend SSLOCSPEnable with mode 'leaf' that only checks the leaf of a certificate chain.
*) http: Fix small memory leak per request when handling persistent connections.
*) mod_proxy_html: Fix variable interpolation and memory allocation failure in ProxyHTMLURLMap.
*) mod_remoteip: Fix RemoteIP{Trusted,Internal}ProxyList loading broken by 2.4.30.
*) mod_remoteip: When overriding the useragent address from X-Forwarded-For, zero out what had been initialized as the connection-level port.
*) core: In ONE_PROCESS/debug mode, cleanup everything when exiting.
*) mod_proxy_balancer: Add hot spare member type and corresponding flag (R). Hot spare members are used as drop-in replacements for unusable workers in the same load balancer set. This differs from hot standbys which are only used when all workers in a set are unusable.
*) suexec: Add --enable-suexec-capabilites support on Linux, to use setuid/setgid capability bits rather than a setuid root binary.
*) suexec: Add support for logging to syslog as an alternative to logging to a file; use --without-suexec-logfile --with-suexec-syslog.
*) mod_ssl: Restore 2.4.29 behaviour in SSL vhost merging/enabling which broke some rare but previously-working configs.
*) core, log: improve sanity checks for the ErrorLog's syslog config, and explicitly allow only lowercase 'syslog' settings.
*) mod_http2: accurate reporting of h2 data input/output per request via mod_logio. Fixes an issue where output sizes were counted n-times on reused slave connections.
*) mod_http2: Fix unnecessary timeout waits in case streams are aborted.
*) mod_http2: restoring the v1.10.16 keepalive timeout behaviour of mod_http2.
*) mod_proxy: Do not restrict the maximum pool size for backend connections any longer by the maximum number of threads per process and use a better default if mod_http2 is loaded.
*) mod_slotmem_shm: Add generation number to shm filename to fix races with graceful restarts.
*) core: Preserve the original HTTP request method in the '%<m' LogFormat when a path-based ErrorDocument is used.
*) mod_remoteip: make proxy-protocol work on slave connections, e.g. in HTTP/2 requests.
*) mod_ssl: Fix merging of proxy SSL context outside <Proxy> sections, regression introduced in 2.4.30.
*) mod_md: Fix compilation with OpenSSL before version 1.0.2.
*) mod_dumpio: do nothing below log level TRACE7.
*) mod_remoteip: Restore compatibility with APR 1.4 (apr_sockaddr_is_wildcard).
*) core: On EBCDIC platforms, some errors related to oversized headers may be misreported or be logged as ASCII escapes.
*) mod_ssl: Fix cmake-based build.
*) core: Add <IfFile>, <IfDirective> and <IfSection> conditional section containers.
2018-08-17 | Pullup ticket #5801 - requested by taca | bsiegert | 3 files | -6/+3
archivers/php-zip: reset revision databases/php-mssql: reset revision databases/php-pdo_dblib: reset revision databases/php-pdo_sqlite: reset revision textproc/php-intl: reset revision www/ap-php: reset revision www/php-curl: reset revision www/php-fpm: reset revision Revisions pulled up: - archivers/php-zip/Makefile 1.22 - databases/php-mssql/Makefile 1.31 - databases/php-pdo_dblib/Makefile 1.28 - databases/php-pdo_sqlite/Makefile 1.31-1.32 - textproc/php-intl/Makefile 1.37-1.38 - www/ap-php/Makefile 1.40-1.41 - www/php-curl/Makefile 1.39 - www/php-fpm/Makefile 1.24-1.25 --- Module Name: pkgsrc Committed By: ryoon Date: Fri Jul 20 03:34:33 UTC 2018 Modified Files: pkgsrc/databases/php-pdo_sqlite: Makefile pkgsrc/textproc/php-intl: Makefile pkgsrc/www/ap-php: Makefile pkgsrc/www/php-fpm: Makefile Log Message: Recursive revbump from textproc/icu-62.1 --- Module Name: pkgsrc Committed By: taca Date: Fri Jul 20 13:33:03 UTC 2018 Modified Files: pkgsrc/archivers/php-zip: Makefile pkgsrc/databases/php-mssql: Makefile pkgsrc/databases/php-pdo_dblib: Makefile pkgsrc/databases/php-pdo_sqlite: Makefile pkgsrc/textproc/php-intl: Makefile pkgsrc/www/ap-php: Makefile pkgsrc/www/php-curl: Makefile pkgsrc/www/php-fpm: Makefile Log Message: lang/php: reset PKGREVISION Reset PKGREVISION with all php's version updates.
2018-07-16 | Pullup ticket #5790 - requested by ryoon | bsiegert | 1 file | -377/+377
www/firefox60-l10n: build fix Revisions pulled up: - www/firefox60-l10n/distinfo 1.2 --- Module Name: pkgsrc Committed By: ryoon Date: Thu Jul 12 12:56:56 UTC 2018 Modified Files: pkgsrc/www/firefox60-l10n: distinfo Log Message: Fix PR pkg/53428. Regen distinfo with changed PKGNAME
2018-07-16 | Pullup ticket #5786 - requested by taca | bsiegert | 2 files | -8/+8
www/wordpress: security fix Revisions pulled up: - www/wordpress/Makefile 1.79-1.80 - www/wordpress/distinfo 1.64 --- Module Name: pkgsrc Committed By: jperkin Date: Wed Jul 4 13:40:45 UTC 2018 Modified Files: pkgsrc/www/wordpress: Makefile Log Message: *: Move SUBST_STAGE from post-patch to pre-configure Performing substitutions during post-patch breaks tools such as mkpatches, making it very difficult to regenerate correct patches after making changes, and often leading to substituted string replacements being committed. --- Module Name: pkgsrc Committed By: wen Date: Sat Jul 7 02:55:25 UTC 2018 Modified Files: pkgsrc/www/wordpress: Makefile distinfo Log Message: Update to 4.9.7 Upstream changes: WordPress 4.9.7 is now available. This is a security and maintenance release for all versions since WordPress 3.7. We strongly encourage you to update your sites immediately. WordPress versions 4.9.6 and earlier are affected by a media issue that could potentially allow a user with certain capabilities to attempt to delete files outside the uploads directory. Thank you to Slavco for reporting the original issue and Matt Barry for reporting related issues. Seventeen other bugs were fixed in WordPress 4.9.7. Particularly of note were: Taxonomy: Improve cache handling for term queries. Posts, Post Types: Clear post password cookie when logging out. Widgets: Allow basic HTML tags in sidebar descriptions on Widgets admin screen. Community Events Dashboard: Always show the nearest WordCamp if one is coming up, even if there are multiple Meetups happening first. Privacy: Make sure default privacy policy content does not cause a fatal error when flushing rewrite rules outside of the admin context.
2018-07-14 | Pullup ticket #5784 - requested by bsiegert | spz | 3 files | -8/+18
www/curl: security update Revisions pulled up: - www/curl/Makefile 1.197 - www/curl/PLIST 1.70 - www/curl/distinfo 1.144 ------------------------------------------------------------------- Module Name: pkgsrc Committed By: adam Date: Wed Jul 11 18:13:26 UTC 2018 Modified Files: pkgsrc/www/curl: Makefile PLIST distinfo Log Message: curl: updated to 7.61.0 Curl and libcurl 7.61.0 This release includes the following changes: * getinfo: add microsecond precise timers for seven intervals * curl: show headers in bold, switch off with --no-styled-output * httpauth: add support for Bearer tokens * Add CURLOPT_TLS13_CIPHERS and CURLOPT_PROXY_TLS13_CIPHERS * curl: --tls13-ciphers and --proxy-tls13-ciphers * Add CURLOPT_DISALLOW_USERNAME_IN_URL * curl: --disallow-username-in-url This release includes the following bugfixes: * CVE-2018-0500: smtp: fix SMTP send buffer overflow * schannel: disable client cert option if APIs not available * schannel: disable manual verify if APIs not available * tests/libtest/Makefile: Do not unconditionally add gcc-specific flags * openssl: acknowledge --tls-max for default version too * stub_gssapi: fix 'unused parameter' warnings * examples/progressfunc: make it build on both new and old libcurls * docs: mention it is HA Proxy protocol "version 1" * curl_fnmatch: only allow two asterisks for matching * docs: clarify CURLOPT_HTTPGET * configure: replace a AC_TRY_RUN with CURL_RUN_IFELSE * configure: do compile-time SIZEOF checks instead of run-time * checksrc: make sure sizeof() is used *with* parentheses * CURLOPT_ACCEPT_ENCODING.3: add brotli and clarify a bit * schannel: make CAinfo parsing resilient to CR/LF * tftp: make sure error is zero terminated before printfing it * http resume: skip body if http code 416 (range error) is ignored * configure: add basic test of --with-ssl prefix * cmake: set -d postfix for debug builds * multi: provide a socket to wait for in Curl_protocol_getsock * content_encoding: handle zlib versions too old for 
Z_BLOCK * winbuild: only delete OUTFILE if it exists * winbuild: In MakefileBuild.vc fix typo DISTDIR->DIRDIST * schannel: add failf calls for client certificate failures * cmake: Fix the test for fsetxattr and strerror_r * curl.1: Fix cmdline-opts reference errors * cmdline-opts/gen.pl: warn if mutexes: or see-also: list non-existing options * cmake: check for getpwuid_r * configure: fix ssh2 linking when built with a static mbedtls * psl: use latest psl and refresh it periodically * fnmatch: insist on escaped bracket to match * KNOWN_BUGS: restore text regarding 2101 * INSTALL: LDFLAGS=-Wl,-R/usr/local/ssl/lib * configure: override AR_FLAGS to silence warning * os400: implement mime api EBCDIC wrappers * curl.rc: embed manifest for correct Windows version detection * strictness: correct {infof, failf} format specifiers * tests: update .gitignore for libtests * configure: check for declaration of getpwuid_r * fnmatch: use the system one if available * CURLOPT_RESOLVE: always purge old entry first * multi: remove a potentially bad DEBUGF() * curl_addrinfo: use same #ifdef conditions in source as header * build: remove the Borland specific makefiles * axTLS: not considered fit for use * cmdline-opts/cert-type.d: mention "p12" as a recognized type * system.h: add support for IBM xlc C compiler * tests/libtest: Add lib1521 to nodist_SOURCES * mk-ca-bundle.pl: leave certificate name untouched * boringssl + schannel: undef X509_NAME in lib/schannel.h * openssl: assume engine support in 1.0.1 or later * cppcheck: fix warnings * test 46: make test pass after year 2025 * schannel: support selecting ciphers * Curl_debug: remove dead printhost code * test 1455: unflakified * Curl_init_do: handle NULL connection pointer passed in * progress: remove a set of unused defines * mk-ca-bundle.pl: make -u delete certdata.txt if found not changed * GOVERNANCE.md: explains how this project is run * configure: use pkg-config for c-ares detection * configure: enhance ability to build 
with static openssl * maketgz: fix sed issues on OSX * multi: fix memory leak when stopped during name resolve * CURLOPT_INTERFACE.3: interface names not supported on Windows * url: fix dangling conn->data pointer * cmake: allow multiple SSL backends * system.h: fix for gcc on 32 bit OpenServer * ConnectionExists: make sure conn->data is set when "taking" a connection * multi: fix crash due to dangling entry in connect-pending list * CURLOPT_SSL_VERIFYPEER.3: Add performance note * netrc: use a larger buffer to support longer passwords * url: check Curl_conncache_add_conn return code * configure: Add dependent libraries after crypto * easy_perform: faster local name resolves by using *multi_timeout() * getnameinfo: not used, removed all configure checks * travis: add a build using the synchronous name resolver * CURLINFO_TLS_SSL_PTR.3: improve the example * openssl: allow TLS 1.3 by default * openssl: make the requested TLS version the *minimum* wanted * openssl: Remove some dead code * telnet: fix clang warnings * DEPRECATE: new doc describing planned item removals * example/crawler.c: simple crawler based on libxml2 * libssh: goto DISCONNECT state on error, not SESSION_FREE * CMake: Remove unused functions * darwinssl: allow High Sierra users to build the code using GCC * scripts: include _curl as part of CLEANFILES * examples: fix -Wformat warnings * curl_setup: include <winerror.h> before <windows.h> * schannel: make more cipher options conditional * CMake: remove redundant and old end-of-block syntax * post303.d: clarify that this is an RFC violation To generate a diff of this commit: cvs rdiff -u -r1.196 -r1.197 pkgsrc/www/curl/Makefile cvs rdiff -u -r1.69 -r1.70 pkgsrc/www/curl/PLIST cvs rdiff -u -r1.143 -r1.144 pkgsrc/www/curl/distinfo
2018-07-02 | Fix package name | ryoon | 1 file | -2/+2
2018-06-29 | Fix build. Use Python 2 and 3.5 or later and increment required versions | ryoon | 1 file | -3/+15
Reported from rjs@.
2018-06-28 | libwww: Unbreak OpenSSL 1.1 patch. Fix SunOS MD5 section. | jperkin | 4 files | -19/+14
2018-06-28 | Add firefox60 and firefox60-l10n | ryoon | 1 file | -1/+3
2018-06-28 | www/firefox60-l10n: import firefox-l10n-60.1.0 | ryoon | 5 files | -0/+527
This package contains language packs for www/firefox60.
2018-06-28 | www/firefox60: import firefox60-60.1.0 | ryoon | 50 files | -0/+7750
Mozilla Firefox is a free, open-source and cross-platform web browser for Windows, Linux, MacOS X and many other operating systems. It is fast and easy to use, and offers many advantages over other web browsers, such as tabbed browsing and the ability to block pop-up windows. Firefox also offers excellent bookmark and history management, and it can be extended by developers using industry standards such as XML, CSS, JavaScript, C++, etc. Many extensions are available.

This package provides Firefox 60 ESR.

Security fixes:
#CVE-2018-12359: Buffer overflow using computed size of canvas element
#CVE-2018-12360: Use-after-free when using focus()
#CVE-2018-12361: Integer overflow in SwizzleData
#CVE-2018-12362: Integer overflow in SSSE3 scaler
#CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
#CVE-2018-12363: Use-after-free when appending DOM nodes
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
#CVE-2018-12365: Compromised IPC child process can list local filenames
#CVE-2018-12371: Integer overflow in Skia library during edge builder allocation
#CVE-2018-12366: Invalid data handling during QCMS transformations
#CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
#CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments
#CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
2018-06-28 | Update to 61.0 | ryoon | 2 files | -379/+379
* Sync with www/firefox-61.0
2018-06-28 | Update to 61.0 | ryoon | 11 files | -459/+427
Changelog:

New
* Enhanced performance:
  - Faster page rendering with Quantum CSS improvements and the new retained display list feature
  - Faster switching between tabs on Windows and Linux
  - WebExtensions now run in their own process on MacOS
* Convenient access to more search engines: You can now add search engines to the address bar "Search with" tool from the page action menu when on a webpage that provides an OpenSearch plugin
* Share links from Firefox for MacOS more easily: You can now share the URL of an active tab from the page actions menu in the address bar
* Improved security:
  - On-by-default support for the latest draft of the TLS 1.3 specification
  - Access to FTP subresources inside http(s) pages has been blocked
* A more consistent user experience: Improvements for dark theme support across the entire Firefox user interface
* More customization for tab management: added support to allow WebExtensions to hide tabs
* Improved bookmark syncing

Fixed
* Various security fixes

Changed
* The settings for customizing your homepage and new tab page in Firefox have been added to a new Preferences section that can be accessed from Firefox at about:preferences#home. The settings can also be accessed via the gear icon on the New Tab page.

Security fixes:
#CVE-2018-12359: Buffer overflow using computed size of canvas element
#CVE-2018-12360: Use-after-free when using focus()
#CVE-2018-12361: Integer overflow in SwizzleData
#CVE-2018-12358: Same-origin bypass using service worker and redirection
#CVE-2018-12362: Integer overflow in SSSE3 scaler
#CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
#CVE-2018-12363: Use-after-free when appending DOM nodes
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
#CVE-2018-12365: Compromised IPC child process can list local filenames
#CVE-2018-12371: Integer overflow in Skia library during edge builder allocation
#CVE-2018-12366: Invalid data handling during QCMS transformations
#CVE-2018-12367: Timing attack mitigation of PerformanceNavigationTiming
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
#CVE-2018-12369: WebExtension security permission checks bypassed by embedded experiments
#CVE-2018-12370: SameSite cookie protections bypassed when exiting Reader View
#CVE-2018-5186: Memory safety bugs fixed in Firefox 61
#CVE-2018-5187: Memory safety bugs fixed in Firefox 60 and Firefox ESR 60.1
#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
2018-06-26 | seamonkey-l10n: catch up with seamonkey version update. | maya | 2 files | -75/+75
2018-06-26 | seamonkey: update to 2.49.3 | maya | 5 files | -136/+7
remove patches for security fixes now upstream. seamonkey is now based on firefox 52.7.3 ESR. SeaMonkey 2.49.3 shares most parts of the mail and news code with Thunderbird. Please read the Thunderbird 52.7.0 release notes for specific changes and security fixes in this release. SeaMonkey-specific changes seamonkey official linux builds are based on GTK3 (no change for us)
2018-06-26 | firefox52-l10n: catch up with firefox52-52.9.0 | maya | 2 files | -363/+363
2018-06-26 | firefox52: update to 52.9.0esr. Security fix. | maya | 2 files | -8/+8
CVE-2018-12359: Buffer overflow using computed size of canvas element
CVE-2018-12360: Use-after-free when using focus()
CVE-2018-12362: Integer overflow in SSSE3 scaler
CVE-2018-5156: Media recorder segmentation fault when track type is changed during capture
CVE-2018-12363: Use-after-free when appending DOM nodes
CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
CVE-2018-12365: Compromised IPC child process can list local filenames
CVE-2018-12366: Invalid data handling during QCMS transformations
CVE-2018-12368: No warning when opening executable SettingContent-ms files
CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, and Firefox ESR 52.9
2018-06-26 | www/contao45: update to 4.5.10 | taca | 3 files | -8/+35
This release is a small fix for compatibility.

Contao 4.5.10 is available
2018/06/26 09:29 by Leo Feyer

Contao version 4.5.10 is available. The bugfix release restores the compatibility with Symfony 3.4.12.
2018-06-26 | www/contao44: update to 4.4.20 | taca | 3 files | -8/+19
This release is a small fix for compatibility.

Contao 4.4.20 is available
2018/06/26 08:48 by Leo Feyer

Contao version 4.4.20 is available. The bugfix release restores the compatibility with Symfony 3.4.12.
2018-06-26 | firefox: Add SunOS support. | jperkin | 10 files | -5/+154
With stock pkgsrc this still fails to build due to lang/clang, but using joyent/clang6 produces a working build that appears to function well.
2018-06-25 | Update to 13.0.4 | ryoon | 2 files | -7/+7
Changelog: Changes Allow setting notify credentials in environment (server#9788) Make the token expiration also work for autocasting 0 (server#9803) Enable caldav for webdav subtree public-calendars (server#9820)
2018-06-25 | Update to 1.4.625.20180518 | ryoon | 4 files | -17/+21
* Support emacs26

Changelog: Bugfixes, improvements, and removed support for obsolete services.
2018-06-24 | libwww: removed automake14 from USE_TOOLS | adam | 1 file | -2/+2
2018-06-24 | libwww: updated to 5.4.2 | adam | 25 files | -1006/+154
5.4.2: Unknown changes.

Changes with libwww 5.4.1
* Removed the expat source code in favor of linking against the global system expat library to avoid having to track security advisories in that library
* Updated expat to 2.2.0
* Updated autotools to the current versions
* Library/src/HTSQL.c: add missing mysql_init to HTSQL_connect reported by Xavier Torne
* configure.ac, Library/src/Makefile.am, Library/cvs2sql/Makefile.am, Robot/src/Makefile.am: modify configure scripts for mysql_config based autoconf processing
* Library/src/HTSQL.c, Library/src/HTSQL.html, Library/src/HTSQLLog.c: remove mysql directory from include directive
* Robot/src/RobotMain.c: added flag MR_KEEP_META for -lm last modified option detected by Jan Hutař
* Robot/src/RobotMain.c: added flag MR_KEEP_META for -title option detected by Jan Hutař
* close leak in HTBound process_boundary() detected by Sam Varshavchik using valgrind; excised old #if 0 snippets from HTMIME.c
* Library/src/HTCookie.c: add private function HTCookie_splitPair to split a KEY=VALUE pair, from Jesse Morgan
* configure.ac: remove unnecessary check for appkit.h as suggested by Roger Persson
* Library/src/wwwsys.html: change genuine angle bracket characters into the angle bracket entities, thanks to Bobby Jack
* Library/src/HT*.html, Library/src/SSL/HT*.html: wrap all header files with extern "C"
* Library/src/HTFile, configure.ac: add a basis for addressing Ben's security concerns
* Library/src/HTBound.c: libwww security advisory fix from Sam Varshavchik, fix double-counting of processed bytes, rewrote HTBoundary_put_block, to fix problematic HTTP 1.1 byte range requests
* Library/src/: HTAlert.c, HTHeader.c, HTInit.c, HTNet.c, HTProfil.c, HTProt.c, HTTrans.c: Patch to greatly speed up repeated requests, from Arthur Smith
* Library/src/HTSQL.c: modifications to compile without using deprecated mysql functions
* config/: config.sub, ltmain.sh: updates for recent version of libtool
* INSTALL.html, Library/src/HTEvtLst.c: cleaning
* libwww-config.in: include -lwwwssl, thanks to mgoddard at itgs-presearch.com
* Library/src/SSL/HTSSLWriter.c: avoids an eternal loop in libwww
* Library/src/SSL/HTSSL.html, Robot/src/RobotMain.c: fix for webbot -v option check and documentation addition
* configure.ac, Library/src/SSL/HTSSL.c, Library/src/SSL/windows/wwwssl.def, Robot/src/HTRobMan.html, Robot/src/Makefile.am, Robot/src/RobotMain.c: basic support for client side certificates using PEM format
* Library/src/SSL/: HTSSL.c, HTSSLReader.c, HTSSLWriter.c: add openssl to include for ssl.h and rand.h
* config/: config.guess, config.sub, ltmain.sh: update after running libtoolize
* Robot/src/Makefile.am: use SSL directory for libwwwssl.la
* Robot/src/RobotMain.c: include HTSSL.h
* configure.ac: fix aclocal underquoting warnings
* Robot/src/: RobotMain.c, Makefile.am: update to enable https protocol
* Library/src/HTTPReq.c: fixed , to _ in HTTRACE call
* Library/src/HTTPReq.c: removed LIBWWW_USEIDN, because unnecessary
* modules/idn/unicode_template.c: forgot one file
* Library/src/HTDNS.html: moved IDN to main branch
* Library/src/HTDNS.c: moved IDN to main branch
* Library/src/HTTPReq.c: added "LIBWWW_USEIDN" conditional
* Library/src/HTTPReq.c: moved IDN to main branch
* Library/Overview.html: JK: Added the libwww survey results
2018-06-24 | py-test-django: updated to 3.3.2 | adam | 3 files | -11/+8
3.3.2: Unknown changes 3.3.1: Bug fixes * Fixed test for classmethod with Django TestCases again Compatibility * Support Django 2.1 (no changes necessary)
2018-06-24 | p5-WWW-Mechanize-Shell: update to 0.57. | wiz | 2 files | -7/+8
0.57 20180604
+ Add "images" command to list all images
+ Allow other user agent objects like WWW::Mechanize::Chrome

  Use it from the command line as

    perl -Ilib -MWWW::Mechanize::Chrome \
         -MWWW::Mechanize::Shell \
         -e"shell(agent => WWW::Mechanize::Chrome->new())"
2018-06-24 | p5-Mojolicious: update to 7.85. | wiz | 2 files | -7/+7
7.85 2018-06-17
- Removed deprecated build_tx, config, handler and log methods from Mojo.
- Added promisify method to Mojo::UserAgent::Transactor.
- Improved Mojolicious::Command to die on template errors.

7.84 2018-06-05
- Fixed a bug where test servers would be started when reusing a Mojo::UserAgent object after fork.

7.83 2018-06-02
- Replaced MOJO_DAEMON_DEBUG and MOJO_USERAGENT_DEBUG environment variables with MOJO_SERVER_DEBUG and MOJO_CLIENT_DEBUG. (anparker)
- Updated IO::Socket::SSL requirement to 2.009 for ALPN support.
- Added modules Mojo::IOLoop::Stream::HTTPClient, Mojo::IOLoop::Stream::HTTPServer, Mojo::IOLoop::Stream::WebSocketClient and Mojo::IOLoop::Stream::WebSocketServer. (anparker)
- Added transition method to Mojo::IOLoop. (anparker)
- Added close_connections method to Mojo::Server::Daemon. (anparker)
- Added stream_class and tls_protocols arguments to client and server methods in Mojo::IOLoop. (anparker, sri)
- Fixed a small render_maybe argument localization bug.

7.82 2018-05-27
- Removed experimental status from new_tag and selector methods in Mojo::DOM.
- Improved Mojo::Server::PSGI with support for the before_server_start hook.
- Fixed a bug where render_maybe in Mojolicious::Controller could not render multiple alternatives properly because arguments were not localized.

7.81 2018-05-21
- Added request_id attribute to Mojo::Message::Request.
- Improved all built in templates to contain a comment with their request id.
- Improved some log messages to contain a request id.

7.80 2018-05-20
- Many users expected that Mojo::UserAgent would verify all TLS certificates by default. Unfortunately that has not been the case so far, but will change with this release in an effort to strengthen security. By default Mojo::UserAgent will now reject all invalid TLS certificates. To return to the previous behavior you can use the new insecure attribute.

    $ua->insecure(1);

  To make testing easier, Test::Mojo will default to having the insecure attribute activated. And with the get command you can use the new -k option.

    mojo get -k https://127.0.0.1:3000

  That also means that Mojo::IOLoop::TLS will no longer have a default tls_verify value. To disable TLS certificate verification there you can use the value 0x00.

    $tls->negotiate(tls_verify => 0x00);

- Added insecure attribute to Mojo::UserAgent.
- Added EXPERIMENTAL server method to Mojolicious.
- Added EXPERIMENTAL before_server_start hook.
- Added -k option to get command.
- Fixed a bug where Mojo::DOM could only reuse Mojo::DOM objects containing root nodes.

7.79 2018-05-14
- Added EXPERIMENTAL selector method to Mojo::DOM.
- Added reply->file helper to Mojolicious::Plugin::DefaultHelpers.

7.78 2018-05-11
- Deprecated delay helper in Mojolicious::Plugin::DefaultHelpers.
- Added EXPERIMENTAL new_tag method to Mojo::DOM. (jberger, sri)
- Added EXPERIMENTAL tag method to Mojo::DOM::HTML.
- Added EXPERIMENTAL tag_to_html function to Mojo::DOM::HTML.
- Improved performance of all DOM manipulation methods in Mojo::DOM significantly when reusing Mojo::DOM objects.
- Fixed a Windows directory traversal security issue. (dmanto)
2018-06-24 | p5-HTML-Lint: update to 2.32. | wiz | 2 files | -7/+7
2.32 Fri Jun 22 15:57:39 CDT 2018 Note that this very well may be the final release of HTML::Lint that I make. I've been spending my time on HTML::Tidy5, which works on HTML5, checks for more problems, and is much faster. If you're interested in maintaining HTML::Lint, send me email at andy@petdance.com. I'm not sure I want to hand it off to anyone yet, but we can discuss. [ENHANCEMENTS] Allow "weblint -" to read from STDIN. Thanks, Frank Dana.
2018-06-24 | h2o: updated to 2.2.5: | adam | 2 files | -9/+8
H2O version 2.2.5:
This is a bug-fix release of the 2.2 series with following changes from 2.2.4, including one vulnerability fix.

[security fix][access-log] fix buffer overflow CVE-2018-0608
[fastcgi] index file name must be part of SCRIPT_NAME
[http2] do not compress cookies less than 20 bytes long
[http2] stop opening new push streams after receiving GOAWAY
[http2] fix conformance issues
[mruby] drop the link rel=preload header with a x-http2-push-only attribute
[mruby] allow loading a file that shares the basename with one of the preloaded files
[proxy] fix I/O error when receiving multiple informational responses
[ssl] fix bug that prevents record size growing to maximum when latency optimization is disabled
[ssl] fix compatibility issues with libressl 2.7
[ssl] update picotls to support TLS 1.3 draft-26
2018-06-24 | wslay: updated to 1.1.0 | adam | 2 files | -23/+10
wslay v1.1.0:
* Fix compilation of examples
  Since 3.4 nettle defines base64_encode_raw like this:
    void base64_encode_raw(char *dst, size_t length, const uint8_t *src);
* check for 0 length before memcpy:
* Skip UTF-8 validation for PMCE fragments
  If the message was marked with rsv1 on the initial frame then we should skip utf-8 validation on subsequent continuation frames as well.
* Allow RSV1 bit in event-based API for PMCE - RFC 7692
  Add a new function wslay_event_set_allowed_rsv_bits which only accepts RSV1 for now (or 0 to disable). Skip UTF-8 validation on frames with RSV1 set as it is too early for that. Add extended versions of wslay_event_queue_msg functions which also take the reserved bits to set for this message.
* fixed missing malloc guard
* Fix argc check.
* CMake support
2018-06-22 | webkit-gtk: GCC_REQD bl3 requirement must match package. | jperkin | 1 file | -1/+4
Should fix misc/yelp3 and others.
2018-06-22 | Update to 8.5.4 | wen | 3 files | -478/+615
Upstream changes: Releases for Drupal core API version drupal 8.5.4 Posted by catch on 6 June 2018 Release notes This is a patch release of Drupal 8 and is ready for use on production sites
2018-06-22 | Update www/davical to v1.1.7. | hauke | 3 files | -9/+10
From the changelog: This release implements management of calendar delegations via CalDAV (for example with iCal). It also makes some necessary changes to keep the Debian packages buildable. Bug Fixes ========= * Apache config: add PT to follow alias * UI: create external bindings with type set (fix: #132) * Fix group-member-set and group-membership queries on proxy resources * Correctly handle durations without units like "PT" * Fix common etag match code, use it everywhere Other Changes ============= * Document $c->hide_bound and $c->disable_caldav_proxy_propfind_collections config options, as well as the most important debug options * Advertise support for CalDAV principal-match REPORT * Implement managing calendar delegations from iCal (caldav-proxy) * LDAP sync: reactivate users present in LDAP, use php ldap explode in order to be compatible with any DN (!42, !43) * Improved handling of modifications to attendees' instances of events * Various updates to API documentation and code cleanup * Switch to doxygen for api docs
2018-06-22 | p5-WWW-Curl: Fix a typo in patch-Makefile.PL and misc cleanups | leot | 3 files | -11/+10
- patch-Makefile.PL contained an extra `|' that leads to not exposing several CURLOPT symbols as reported by Graham Jenkins via PR pkg/53388. - Cleanup a bit the Makefile and do append extra CFLAGS Bump PKGREVISION
2018-06-21 | Update to 10.0.8 | ryoon | 3 files | -1089/+1501
Changelog: Changes in 10.0.8 Dear ownCloud administrator, please find below the changes and known issues in ownCloud Server 10.0.8 that need your attention. You can also read the full ownCloud Server changelog for further details on what has changed. PHP 5.6 deprecation PHP 5.6/7.0 active support has ended on January 19th 2017 / December 3rd 2017 and security support will be dropped by the end of 2018. Many libraries used by ownCloud (including the QA-Suite PHPUnit) will therefore not be maintained actively anymore which forces ownCloud to drop support in one of the next minor server versions as well. Please make sure to upgrade to PHP 7.1 as soon as possible. See the system requirements in the ownCloud documentation. Personal note for public link mail notification One of the usability enhancements of ownCloud Server 10.0.8 is the possibility for users to add a personal note when sending public links via mail. When using customized mail templates it is necessary to either adapt the shipped original template to the customizations or to add the code block for the personal note to customized templates in order to display the personal note in the mail notifications. New mail notifications feature ownCloud Server 10.0.8 introduces a new extensible notification framework. Apart from technical changes under the hood the Notifications app can now also send mails for all notifications that previously were only displayed within the web interfaces (notification bell) or on the Desktop client (notifications API) like incoming federated share or Custom Group notifications, for example. In the “General” settings section users can configure whether they want to receive mails for all notifications, only for those that require an action or decide not to get notifications via mail (by default users will only receive notifications when an action is required). 
LDAP-related improvements When disabling or deleting user accounts in LDAP, the administrator can choose to either delete or disable respective accounts in ownCloud when executing occ user:sync (-m, --missing-account-action=MISSING-ACCOUNT-ACTION). User accounts that are disabled in ownCloud can now be re-enabled automatically when running occ user:sync if they are enabled in LDAP. When this behavior is desired administrators just need to add the -r, --re-enable option to their cron jobs or when manually executing occ user:sync. Furthermore it is now possible to execute occ user:sync only for single (-u, --uid=UID) or seen (-s, --seenOnly) users (users that are present in the database and have logged in at least once). These new options provide more granularity for administrators in terms of managing occ user:sync performance. Another notable change in behavior of occ user:sync is that administrators now have to explicitly specify the option -c, --showCount to display the number of users to be synchronized. New events for audit logging New events have been added to be used for audit logging, among others. These include configuration changes by administrators and users, file comments (add/edit/delete) and updating existing public links. When logs are forwarded to external analyzers like Splunk, administrators can check to add the new events. The latest version of the Auditing extension (admin_audit) is required. New command to verify and repair file checksums With ownCloud 10 file integrity checking by computing and matching checksums has been introduced to ensure that transferred files arrive at their target in the exact state as their origin. In some rare cases wrong checksums can be written to the database leading to synchronization issues with e.g. the Desktop Client. To mitigate such situations a new command occ files:checksums:verify has been introduced. 
The command recalculates checksums either for all files of a user or for files within a specified path, and compares them with the values in the database. Naturally the command also offers an option to repair incorrect checksum values (-r, --repair). Please check the available options by executing occ files:checksums:verify --help.

Note: Executing this command might take some time depending on the file count.

New config setting to specify minimum characters for sharing autocomplete

For security reasons the default value for minimum characters to trigger the sharing autocomplete mechanism has been set to “4” (previously it was set to “2”). This is to prevent people from easily downloading lots of email addresses or user names by requesting their first letters through the API. As it is a trade-off between security and usability for some scenarios this high security level might not be desirable. Therefore the value now is configurable via the config.php option 'user.search_min_length' => 4,. Please check which value fits your needs best.

New option to granularly configure public link password enforcement

With ownCloud 10 the “File Drop” feature has been merged with public link permissions. This kind of public link does not give recipients access to any content, but it gives them the possibility to “drop files”. As a result, it might not always be desirable to enforce password protection for such shares. Given that, passwords for public links can now be enforced based on permissions (read-only, read & write, upload only/File Drop). Please check the administration settings “Sharing” section and configure as desired.

New option to exclude apps from integrity check

By verifying signature files the integrity check ensures that the code running in an ownCloud instance has not been altered by third parties. Naturally this check can only be successful for code that has been obtained from official ownCloud sources.
When providing custom apps (like theme apps) that do not have a signature, the integrity check will fail and notify the administrator. These apps can now be excluded from the integrity check by using the config.php option 'integrity.ignore.missing.app.signature' => ['app_id1', 'app_id2', 'app_id3'],. See config.sample.php for more information.

New occ command to modify user details

It is now possible to modify user details like display names or mail addresses via the command occ user:modify. Please append --help for more information.

occ files:scan can now be executed for groups

Apart from using the occ files:scan command for single users and whole instances it can now be executed for groups using -g, --groups=GROUPS. Please append --help for more information.

New configurable default format for syslog

When using syslog as the log type ('log_type' => 'syslog', in config.php) the default format hahe new format and config.sample.php on how to change it.

New config option to enable fallback to HTTP for federated shares

For security reasons federated sharing (sharing between different ownCloud instances) strictly requires HTTPS (SSL/TLS). When this g.federation.allowHttpFallback' => false, to true in config.php.

Migration related to auth_tokens (app passwords)

Upgrading to 10.0.8 includes migrations related to auth_tokens (app passwords). When users have created app passwords as separate passwords l autocomplete for public link share dialog

When the “Sharing” settings option Allow users to send mail notifications for shared files for public links is enabled, users can send public links via mail from within the web interface. The behavior of the autocomplete when entering mail addresses in the public link share dialog has been changed. Previously the autocomplete queried for local users, users from federated address books and contacts from CardDAV/Contacts App.
As public links are not intended for sharing between ownCloud users (local/federated), those have been removed. Contacts synchronized via CardDAV or created in the Contacts app will still appear as suggestions.

Notifications sent by occ can now include links

The command occ notifications:generate can be used to send notifications to individual users or groups. With 10.0.8 it is also capable of including links to such notifications using the -l, --link=LINK option. Please append --help for more information. There is also Announcementcenter to conduct such tasks from the web interface but it is currently limited to send notifications to all users. For now administrators can use the occ command if more granularity is required.

Global option for CORS domains

For security reasons ownCloud has a Same-Origin-Policy that prevents requests to ownCloud resources from other domains than the domain the backend server is hosted on. If ownCloud resources should be accessible from other domains, e.g. for a separate web frontend operated on a different domain, administrators can now globally specify policy exceptions via CORS (Cross-Origin Resource Sharing) using 'cors.allowed-domains' in config.php. Please check config.sample.php for more information.

Solved known issues

Bogus “Login failed” log entries have been removed (see 10.0.7 known issues)
The Provisioning API can now properly set default or zero quota
User quota settings can be queried through Provisioning API
A regression preventing a user from setting their e-mail address in the settings page has been fixed
File deletion as a guest user works correctly (trash bin permissions are checked correctly)

Known issues

Issues with multiple theme apps and Mail Template Editor

As of ownCloud Server 10.0.5 it is only possible to have one theme app enabled simultaneously. When a theme app is enabled and the administrator attempts to enable a second one this will result in an error.
However, when also having the Mail Template Editor enabled in this scenario the administrators “General” settings section will be displayed incorrectly. As a remedy administrators can either uninstall the second theme app or disable the Mail Template Editor app.

occ transfer:ownership does not transfer public link shares if they were created by the target user (reshare).

For developers

The global JS variable “oc_current_user” was removed. Please use the public method “OC.getCurrentUser()” instead.
Lots of new Symfony events have been added for various user actions, see changelog for details. Documentation ticket: https://github.com/owncloud/documentation/issues/3738
When requesting a private link there is a new HTTP response header “Webdav-Location” that contains the Webdav path to the requested file while the “Location” still points at the frontend URL for viewing the file.

Changes in 10.0.7

ownCloud Server 10.0.7 is a hotfix follow-up release that takes care of an issue regarding OAuth authentication. Please consider the ownCloud Server 10.0.5 release notes.

Known issues

When using application passwords, log entries related to “Login Failed” will appear and can be ignored. For people using fail2ban or other account locking tools based on log parsing, please apply this patch with patch -p1 < 50c78a4bf4c2ab4194f40111b8a34b7e9cc17a14.patch (original pull request here).

Changes in 10.0.6

ownCloud Server 10.0.6 is a hotfix follow-up release that takes care of an issue during the build process (https://github.com/owncloud/core/pull/30265). Please consider the ownCloud Server 10.0.5 release notes.

Changes in 10.0.5

Dear ownCloud administrator, please find below the changes and known issues in ownCloud Server 10.0.5 that need your attention. You can also read the full ownCloud Server changelog for further details on what has changed.

Technology preview for PHP 7.2 support

ownCloud catches up with new web technologies.
This has mainly been introduced for the open-source community to test and give feedback. PHP 7.2 is not yet supported nor recommended for production scenarios. ownCloud is going to fully support PHP 7.2 with the next major release.

php-intl now is a hard requirement

Please make sure to have the PHP extension installed before upgrading.

Changed: Only allow a single active theme app

The theming behavior has been changed so that only a single theme can be active concurrently. This change ensures that themes can not interfere in any way (e.g., override default theming in an arbitrary order). Please make sure to have the desired theme enabled after upgrading.

Removed old Dropbox external storage backend (Dropbox API v1)

Please switch to the new External Storage: Dropbox app (https://marketplace.owncloud.com/apps/files_external_dropbox) with Dropbox API v2 support to continue providing Dropbox external storages to your users.

Fixed: Only set CORS headers on WebDAV endpoint when Origin header is specified

ownCloud Server 10.0.4 known issue is resolved.

Fixes and improvements for the Mail Template Editor

Known issues are resolved: Mail Template Editor works again, got support for app themes and additional templates were added for customization. Mail Template Editor is still bundled with ownCloud Server but will soon be released as a separate app to ownCloud Marketplace. Changelog: https://github.com/owncloud/templateeditor/blob/release/0.2.0/CHANGELOG.md

Known issues

When using application passwords, log entries related to “Login Failed” will appear, please upgrade to 10.0.7 and check the fix mentioned in its release notes.

Changes in 10.0.4

Dear ownCloud administrator, please find below the changes and known issues in ownCloud Server 10.0.4 that need your attention. You can also read the full ownCloud Server 10.0.4 changelog for further details on what has changed.
More granular sharing restrictions

The “Restrict users to only share with users in their groups” option, in the Sharing settings, restricts users to only share with groups which they are a member of, while simultaneously prohibiting sharing with single users that do not belong to any of the users’ groups. To make this more granular, we split this option into two parts and added “Restrict users to only share with groups they are member of”, which differentiates between users and groups. Doing so makes it possible to restrict users from sharing with all users of an installation, limiting them to only being able to share with groups which they are a member of, and vice versa.

Configurable solution for indistinguishable user display names

The ownCloud sharing dialog displays users according to their display name. As users can choose their display name in self-service (which can be disabled in config.php) and display names are not unique, it is possible that a user can’t distinguish sharing results. To cover this case the displayed user identifiers are now configurable. In the Sharing settings administrators can now configure the display of either mail addresses or user ids.

Added “occ files:scan” repair mode to repair filecache inconsistencies

We recommend to use this command when directed to do so in the upgrade process. Please refer to the occ command’s files:scan --repair documentation for more information.

Detailed mode for “occ security:routes”

Administrators can use the output of this command when using a network firewall, to check the appropriateness of configured rules or to get assistance when setting up.

Added mode of operations to differentiate between single-instance or clustered setup

As ownCloud needs to behave differently when operating in a clustered setup versus a single instance setup, the new config.php option operation.mode has been added. It can take one of two values: single-instance and clustered-instance.
For example: 'operation.mode' => 'clustered-instance',. Currently the Market App (ownCloud Marketplace integration) does not support clustered setups and can do harm when used for installing or updating apps. The new config setting prevents this and other actions that are undesired in cluster mode. When operating in a clustered setup, it is mandatory to set this option. Please check the config_sample_php_parameters documentation for more information.

Added occ dav:cleanup-chunks command to clean up expired uploads

When file uploads are interrupted for any reason, already uploaded file parts (chunks) remain in the underlying storage so that the file upload can resume in a future upload attempt. However, resuming an upload is only possible until the partial upload is expired and deleted, respectively. To clean up chunks (expire and delete) originating from unfinished uploads, administrators can use this newly introduced command. The default expiry time is two days, but it can be specified as a parameter to the command. It is recommended to configure CRON to execute this background job regularly. It is not included in the regular ownCloud background jobs so that the administrators have more flexibility in scheduling it. Please check the background jobs configuration documentation for more information.

Administrators can now exclude files from integrity check in config.php

When administrators did intentional changes to the ownCloud code they now have the ability to exclude certain files from the integrity checker. Please check “config.sample.php” for the usage of 'integrity.excluded.files'.

Modification time value of files is now 64 bits long

When upgrading to 10.0.4 migrations may increase update duration dependent on number of files.

Updated minimum supported browser versions

Users with outdated browsers might get warnings. See the list of supported browser versions.
Known issues

When using application passwords, log entries related to “Login Failed” will appear, please upgrade to 10.0.7 and check the fix mentioned in its release notes.

10.0.3 resolved known issues

SFTP external storages with key pair mode work again
Added support for MariaDB 10.2.7+
Encryption panel in admin settings fixed to properly detect current mode after upgrade to ownCloud 10
Removed double quotes from boolean values in status.php output

Known issues

Impersonate app 0.1.1 does not work with ownCloud Server 10.0.4. Please update to Impersonate 0.1.2 to be able to use the feature with ownCloud 10.0.4.
Mounting ownCloud storage via davfs does not work
2018-06-21 | tinyproxy: also remove unnecessary patch | adam | 1 | -24/+0
2018-06-21 | tinyproxy: updated to 1.8.4 | adam | 6 | -166/+29
Tinyproxy version 1.8.4

Most notably, this release removes the limitation of a single Listen address of not listening on the wildcard address and a DoS (CVE-2012-3505). Among several other bug fixes, this release fixes a bunch of issues found by Coverity (scan.coverity.com).

Bugs resolved since version 1.8.3

fix algorithmic complexity DoS in hashmap
fix failing CONNECT requests with IPv6 literal addresses
fix invalid free for GET requests to IPv6 literal addresses
support multiple Listen statements in configuration
support listening on ipv4 and ipv6 wildcard if no Listen specified
fix crash when writing to log file fails
fix build with autoconf >= 2.69
2018-06-21 | kjs: update to 5.47.0 | markd | 2 | -8/+7
changes unknown
2018-06-21 | kjsembed: update to 5.47.0 | markd | 2 | -8/+7
changes unknown
2018-06-21 | khtml: update to 5.47.0 | markd | 2 | -8/+7
changes unknown
2018-06-21 | kdewebkit: update to 5.47.0 | markd | 2 | -7/+6
changes unknown
2018-06-19 | py-nevow: updated to 0.14.4 | adam | 2 | -7/+7
Nevow 0.14.4: Bugfixes Divmod.Runtime.getAttribute now works again on newer Microsoft Edge versions.