The seventh maintenance and security release of the Drupal 6 series. Only fixes for security vulnerabilities and other bugs have been committed. New features are only being added to the forthcoming Drupal 7.0 release.
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-2008-073 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 6.6 release:
* - Patch #324118 by winterheart: fixed invalid XHTML being generated for forum topic listings.
* - Patch #329019 by dww, sun: fixed PHP warning.
* #315739 by sun: The theme name is in arg(4) on the block admin page, so only redirect to theme specific page if that is set.
* - Patch #329646 by Damien Tournoud: properly reset user_access().
* - Patch #255293 by Gribnif, maartenvg: incorrect regex causes some aggregated CSS to fail.
* #329998 by pwolanin: escape markup looking non-HTML tags in schema descriptions
* #258089 by JohnAlbin, Arancaytar, merlinofchaos: themes cannot have a preprocess function without a corresponding .tpl.php file
* #255150 by dropcube, tested by catch, asimmonds: content type names were double escaped on create content page
* #329660 by pwolanin: node_configure_validate() should be replaced with a #submit handler to conform to FormAPI rules
* #299742 by Darren Oh: missing #ahah support on checkboxes
* #193580 follow up by gpk: late but important changelog entry for Drupal 6.0
* #302638 by pwolanin: avoid running several no-op queries while the menu is being rebuilt; improves performance
* Rolling back #302638, it caused problems reported in #328110
* #319165 by Alex_Tutubalin: add explicit UTF-8 client encoding setting for PostgreSQL
* - Patch #277644 by lilou: documentation improvement.
* - Patch #335385 by Dave Reid: fixed maxlength of path alias fields to be consistent with the database.
* - Patch #337454 by earnie: fixed the phpdoc of drupal_render_form().
* - Patch #293370 by swentel et al: make block sorting work when there are more than 20 blocks.
* - Patch #325908 by kbahey: removed redundant cache flushing.
* - Patch #281131 by Damien Tournoud: document the missing quote in .htaccess.
* - Patch #336115 by Nedjo: better documentation for t().
* - Patch #342988 by ultimateboy: fixed order of attributes in PHPdoc.
* #324875 by pwolanin: improve HTTP_HOST checking, ensuring that the host is lowercased and only valid characters are allowed.
* #280934 follow up by pwolanin: harden the cookie handling in sess_regenerate() by setting our session cookie to be an HTTP only cookie, thus reducing the risk of session stealing via XSS
* #28776 by Uwe Hermann, Morbus Iff, jvandyk: Protect *.test files and SVN metafiles from being exposed under Drupal
* #299582 by hass: Remove outdated items from robots.txt and fix ordering of items to make stuff easier to find.
* #305653 by snowball43, cdale, Dave Reid, sun: All themes were disabled when update.php was run
* #344661 by Dave Reid: fix phpdoc documentation on translation_translation_link_alter()
* #333060 by neclimdul, merlinofchaos, dvessel: child themes did not inherit patterns correctly, so more specific template files are not detected
* #206138 by pwolanin et al: little documentation fix for node base module name handling
* #276111 by pwolanin, meba and myself: disallow possibly dangerous submissions in locale translations and imports
* #345167 by JacobSingh, pwolanin, Heine: drupal_http_request() includes an extra CRLF, not conformant to HTTP specs
http://drupal.org/node/345462
This release fixes security vulnerabilities. Sites are urged to upgrade immediately after reading the security announcement:
* SA-2008-073 - Drupal core - Multiple vulnerabilities
In addition to this security vulnerability, the following bugs have been fixed since the 5.12 release:
* #318102 by Damien Tournoud and Dave Reid: hook_exit() not invoked for some cached requests.
* #278821 by teezee. More isset() checking.
* #293612 by egfrith, Bart Jansens: let user_authenticate() be called without cookies previously set; allows web service modules to start a session with the authentication.
* #123556 by maartenvg and dvdweide. Do not show empty user info categories.
* #294450 by blakehall. Match up DB and form max length.
* More code style removing trivial differences with 6.x.
* #195161 by mcarbone with some modifications: only show 'login to post comments' if logging in actually lets you post comments. Backport by salvis.
* - Patch #342988 by ultimateboy: fixed order of attributes in PHPdoc.
* #280934 follow up by pwolanin: harden the cookie handling in sess_regenerate() by setting our session cookie to be an HTTP only cookie, thus reducing the risk of session stealing via XSS
* #324875 by pwolanin: improve HTTP_HOST checking, ensuring that the host is lowercased and only valid characters are allowed.
* #28776 by Uwe Hermann, Morbus Iff, jvandyk: Protect *.test files and SVN metafiles from being exposed under Drupal
* #299582 by hass: Remove outdated items from robots.txt and fix ordering of items to make stuff easier to find.
http://drupal.org/node/345467
- Add Chinese translation.
- Update Romanian and Swedish language translations.
- Remove description of using PostgreSQL for backend database
from files/README.
- Replace remaining www/www with APACHE_USER/APACHE_GROUP in Makefile.
- Don't hardcode /typolight in files/typolight.conf.
Bump PKGREVISION.
Upstream changes:
0.19 03 Dec 2008
* fix bug where form error was not set correctly
Trac-0.11.2.1.ja1 (Nov 30, 2008)
* Merge Trac-0.11.2 and Trac-0.11.2.1
* Change encodings on Option's doc from unicode to UTF-8 for `pydoc`.
- trac/wiki/macros.py
- trac/attachment.py
- trac/db/api.py
- trac/env.py
- trac/mimeview/api.py
- trac/mimeview/enscript.py
- trac/mimeview/php.py
- trac/mimeview/pygments.py
- trac/mimeview/silvercity.py
- trac/notification.py
- trac/perm.py
- trac/search/web_ui.py
- trac/ticket/api.py
- trac/ticket/notification.py
- trac/ticket/query.py
- trac/ticket/report.py
- trac/ticket/roadmap.py
- trac/ticket/web_ui.py
- trac/timeline/web_ui.py
- trac/versioncontrol/api.py
- trac/versioncontrol/svn_authz.py
- trac/versioncontrol/svn_fs.py
- trac/versioncontrol/web_ui/browser.py
- trac/versioncontrol/web_ui/changeset.py
- trac/versioncontrol/web_ui/log.py
- trac/web/auth.py
- trac/web/chrome.py
- trac/web/main.py
- trac/wiki/api.py
Trac 0.11.2.1 (November 17, 2008)
http://svn.edgewall.org/repos/trac/tags/trac-0.11.2.1
Trac 0.11.2.1 fixes a Python 2.3 incompatibility introduced in Trac 0.11.2.
Python 2.4+ users already running Trac 0.11.2 do not need to upgrade.
Trac 0.11.2 (November 8, 2008)
http://svn.edgewall.org/repos/trac/tags/trac-0.11.2
Trac 0.11.2 contains two security fixes and a couple of bug fixes.
The following list contains only a few highlights:
Bug fixes:
* Fixes potential DOS vulnerability with certain wiki markup. Reported by
Matt Murphy.
* Improved HTML sanitizer filter to detect possible phishing attempts.
Reported by Simon Willison.
* MySQL db backend improvement (reconnect after idle timeout #4465)
* TicketQuery speed improvements (#6436)
* Fixes for RSS feeds (timeline entries no longer truncated #7316, no longer
download some feeds under Firefox #3899)
* Search now works for custom fields (#2530)
* Same order for ticket fields for new and existing tickets (#7018)
* Enforce fine-grained permission for "quickjump" search results (#7655)
* E-mail obfuscation was not done in a few remaining places (#7688, #6532)
* Uninstall of plugins from WebAdmin was not working - feature disabled
for now
* More robust pagination of results for reports and custom queries (#7424,
#7544)
* Support for newer version of pygments (#7622)
* Documentation updated (#7603, #7205, #7318)
Minor improvements:
* Better support for Wiki page hierarchy (show path #2780, link to
parent #2150)
* Custom query allows searching in description and other text fields (#4824)
Pkgsrc changes:
- Add dependencies for test target so most of this Perl module's
tests can be run
Upstream changes:
0.10 27 Oct 2008
* calling $form->reset or $form->clear will now refetch
objects from db for interrelated menus, re-populating the
options.
0.11 27 Oct 2008
* fix dbic tests so they skip the correct number of tests
0.12 17 Nov 2008
* support the new 'unique_value()' method in RDBOHelpers
and MoreHelpers, which will now override
show_related_field_using() when called in foreign_field_value().
0.13 24 Nov 2008
* fix autocomplete bug to call get_controller() rather than
simply controller()
* add map_to_column, map_from_column and map_class_controller_class
to RelInfo
* add as_hash() to RelInfo
2.24.2
Fix multi-dnd with gtk 2.14
Convert strings to UTF16 before passing them to nsIPrintSettings with
Gecko 1.9.
Analysis by Vincent Caron, fixes bug #549361.
Update Ukrainian translation.
Updated Brazilian Portuguese translation.
Updated Swedish translation
Added Asturian translation on behalf of Mikel Gonzalez
2.24.2.1
Re-dist with libtool 2.
actually still exists.
Changes since 2.01-10:
* Fixed problem with timing totals.
* Fixed referrer linking to avoid possible xss injection.
* Fixed month change detection error that caused incorrect report
dates when logs had a 'gap' longer than a year.
* Fixed buffer overrun possibility in parsing code and user agent
mangle logic.
* Added symbolic link checks for file I/O to prevent possible
privilege escalation exploits. Disallows reading from or writing
to any file that is a symlink. Thanks to Julien Danjou.
* Added code to preserve the history and incremental data files in
the event of a crash before writing to them completely. Thanks
to Robert Millan for the idea and initial code.
* Added native geolocation services, which fully support both IPv4
and IPv6 lookups. Adds the configuration keywords 'GeoDB' and
'GeoDBDatabase' along with the '-j' and '-J' command line options.
* Added 'wcmgr', "The Webalizer (DNS) Cache file Manager" to the
distribution to provide cache file maintenance. See the supplied
man page for a description and usage information.
* Changed history code and main index page to allow for more than
12 months of reports to be displayed. Added the config keywords
'IndexMonths' (-K command line option), 'GraphMonths' (-k command
line option) and 'YearHeaders' to control how index is displayed.
* Changed Berkeley DB code to use current 4.x APIs.
* Added support for bzip2 compressed log files (.bz2) as a compile
time option (--enable-bz2). If enabled, bzipped files will be
decompressed automatically during processing.
* Added support for W3C formatted logs. Based on code submitted
by Klaus Reimer.
* Added GeoIP support as compile time option (--enable-geoip). Adds
'GeoIP' and 'GeoIPDatabase' config keywords, '-w' and '-W'
command line options. (http://www.maxmind.com/)
* Added IPv6 support. Based on initial code by Jose Carlos Meneiros
and modified to support Solaris and other problematic platforms.
* Added 'CacheIPs' config option to allow saving unresolved addresses
in the DNS cache.
* Added 'CacheTTL' config option which allows the DNS cache time to
live (TTL) value to be specified at run-time.
* Added 'SearchCaseI' config option to specify if search strings
should be treated as case insensitive or not. The default value,
'yes', causes search strings to be treated as case insensitive.
* Added 'HTAccess' config option. Allows writing a default .htaccess
file to the output directory.
* Added ability to display flags in the top country table. Adds the
config keywords 'CountryFlags' and 'FlagDir', and -z command line
option.
* Added 'StripCGI' config option to configure how CGI variables on
the end of URLs are treated (can now be stripped or left in place).
* Added 'DefaultIndex' config option to enable/disable the use of
"index." as a default index name to be stripped from the end of URLs.
* Added 'TrimSquidURL' config option to allow squid log URLs to be
reduced in granularity by a user definable amount. Thanks to code
submitted by Stuart Gall.
* Added 'OmitPage' config option (and the '-O' command line switch)
to prevent specified URLs from being counted as pages even if they
otherwise would be. Thanks to code submitted by Adam Morton.
* Added 'IgnoreState' config option (and the -b command line switch)
to allow ignoring any existing incremental data file (similar to
the IgnoreHist/-i option).
* Changed logic to always generate summary report (index.html),
even if no records were processed.
* Added color support to allow changing graph colors. Based on the
Webalizer-usecolor code submitted by Benoit Rouits. Adds 11 new
config options, see the README file for complete descriptions.
* Added language 'lang=' specification in generated HTML files.
* Added 'LinkReferrer' config option to allow/disallow links in the
top referrers table.
* Added 'PagePrefix' config option to allow URL prefix matches to
be counted as pages, regardless of file extension or type. Thanks
to code submitted by Remco Van de Meent.
* Enabled large file support (LFS) to support logs greater than 2Gb
in size on systems that support LFS. Also increased the size of
most internal counters to handle larger sites.
* Minor changes to generated HTML output
* Updated language files country codes for current IANA TLDs
* Changed the meaning of the -v command line switch. It now
causes verbose information to be displayed at run-time
(Informational and Debug messages).
* Changed Group* config options to allow a quoted string for
the match string. This allows spaces to be embedded in the
string.
* Changed log record parsing logic to allow spaces in URLs.
* Made configuration keywords, boolean configuration values
(yes/no), and log file types case insensitive. Also fixed
defaults for invalid values to reflect documented defaults.
* Changed configure script to use --sysconfdir to specify the
location of the default webalizer.conf configuration file.
Also added support for DESTDIR during install to aid binary
package builds.
Changes:
* FIX) qCgiRequestParseQueries() - quoted boundary patch. (by Hidai
Kenichi)
* NEW) qStrUnchar() - remove character from head and tail of the
string.
* NEW) qDecoderVersion() - get the version string of qDecoder library.
* FIX) minor fixes related to packaging.
* Add release date of each translation as comment in options.mk.
* Add some patches to use double quotation instead of single quotation,
which prevents parsing "\n" as newline.
* Update Russian and Serbian language translations which catch up to
TYPOlight 2.6.2.
* Add new Thai language translation.
General Public License (GPL). It's designed to be run on a large server
farm for a website that gets millions of hits per day. MediaWiki is an
extremely powerful, scalable software and a feature-rich wiki implementation
that uses PHP to process and display data stored in its MySQL database.
This version is based on a new branch and may not be fully compatible
with older versions.
Changes since 7.0.1:
NEW) qDecoderSetUploadBase() - Initialize qDecoder() for progressive
uploading.
FIX) qDecoder() - Now qDecoder() supports progressive uploading and direct
file saving into disk.
NEW) qSedArgAddDirect() - For huge size(over 1024 - 1) value.
FIX) qSedArgAdd() - Adjust mistyped variable length. (1024*64 => 1024)
NEW) qGetTimeStr() - Generate date string formatted as 'YYYYMMDDhhmmss'.
NEW) qJavaScript() - Print out some JavaScript code.
NEW) qAwkStr() - Scanning pattern from string.
FIX) qAwkOpen() - Compatibility increment
FIX) qAwkNext() - Expand array size to 1024(before 256)
FIX) qCountRead() - Compatibility increment
FIX) qCountSave() - Compatibility increment
FIX) qCountUpdate() - Compatibility increment
FIX) qDecoder() - Now qDecoder uses less memory
FIX) qCheckFile() - Utility increment
New socket functions (Unix only). Please refer to the reference for more
details.
NEW) qSocketOpen()
NEW) qSocketClose()
NEW) qSocketWaitReadable()
NEW) qSocketRead()
NEW) qSocketGets()
NEW) qSocketWrite()
NEW) qSocketPuts()
NEW) qSocketPrintf()
NEW) qSocketSendFile()
NEW) qSocketSaveIntoFile()
NEW) qSocketSetNonblock()
NEW) qSocketConv2file()
GtkHTML-3.24.2 2008-11-24
-------------------------
Bug Fixes:
#472517: Always update the pop-up menu before showing it, whether we're clicking in a selection or not (Matthew Barnes)
Security fixes in this version:
MFSA 2008-59 Script access to .documentURI and .textContent in mail
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
MFSA 2008-50 Crash and remote code execution via __proto__ tampering
MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
MFSA 2008-48 Image stealing via canvas and HTTP redirect
MFSA 2008-47 Information stealing via local shortcut files
For more info, see http://www.seamonkey-project.org/releases/seamonkey1.1.13/
<pkgsrc-users@NetBSD.org> and only assign the "firefox-bin" package
to <grant@NetBSD.org> because that is the package he really created.
didn't create this package. He only got listed as maintainer via
"www/seamonkey-bin/Makefile.common".
Bump PKGREVISION
"Don't put emails directly on the page, they will be scraped"
Stuff that I'm sick of looking at "bob at smith dot com". Why can't
we just write emails in a way that looks normal to people, but is
very, very difficult to scrape off. Most email scrapers only use
very very simple parsing methods. And it isn't as if it is hard to
just do
# Before we search for email addresses...
$page =~ s/\s+at\s+/@/g;
$page =~ s/\s+dot\s+/./g;
This is an arms war dammit, and I want nukes!
Pkgsrc changes:
o Accept default TT options, don't set them explicitly.
o Add commented-out additional HOMEPAGE using search.cpan.org.
o Add a patch related to module bug
http://rt.cpan.org/Public/Bug/Display.html?id=39100
Thanks to Jens Rehsack for the update, provided in PR pkg/39600!
Upstream changes:
#------------------------------------------------------------------------
# Version 2.20 - 13th August 2008
#------------------------------------------------------------------------
* Updated all the documentation.
* Restored the GIF images that got mangled in the switch from CVS to
Subversion.
* Fixed the Makefile.PL to pre-glob the tests to keep things working
smoothly in Win32.
http://rt.cpan.org/Ticket/Display.html?id=25573
* Applied a patch to Template::Directives from Ben Morrow to fix the
SWITCH/CASE directive when matching strings containing regex metacharacters.
http://rt.cpan.org/Ticket/Display.html?id=24183
* Applied a patch to Template::Parser from Koichi Taniguchi to make it
treat TAGS with case sensitivity.
http://rt.cpan.org/Ticket/Display.html?id=19975
* Changed html_entity_filter_factory() in Template::Filters to only look for
Apache::Utils and HTML::Entities once.
http://rt.cpan.org/Ticket/Display.html?id=19837
Template::Stash
---------------
* Applied a patch to Template::Stash from Jess Robinson which allows you
to call a list method on a single object and have it automatically
upgraded to a single item list. Changed the XS Stash to do the same.
http://lists.tt2.org/pipermail/templates/2006-November/009115.html
* Fixed a minor bug in the XS Stash which prevented it from updating
hash entries with empty, but defined keys. Thanks to Yitzchak
Scott-Thoennes for reporting the problem.
http://lists.tt2.org/pipermail/templates/2007-November/009819.html
* Applied a patch from Alexandr Ciornii to make the XS Stash compile
cleanly under VC++ 6.0 and with Sun's C compiler.
http://rt.cpan.org/Ticket/Display.html?id=20291
Template::Provider
------------------
* Fixed a minor bug in the Template::Provider code added in 2.19 that
caused errors in templates to only be reported once. Subsequent
fetches incorrectly returned 'not found' instead of repeating the
error.
* Made Template::Provider use File::Spec->catfile instead of using '/'
and letting Perl worry about Doing The Right Thing.
http://rt.cpan.org/Ticket/Display.html?id=34489
* Applied patch from Lyle Brooks to add binmode to the _template_content()
method in Template::Provider.
http://rt.cpan.org/Ticket/Display.html?id=38075
* Applied patch from Ted Carnahan to silence UNIVERSAL::isa warnings in
Template::Provider.
http://rt.cpan.org/Ticket/Display.html?id=25468
* Applied patch to Template::Provider from Andrew Hamlin which works around
a bug in Strawberry Perl on Win32.
http://rt.cpan.org/Ticket/Display.html?id=34578
Template::VMethods
------------------
* Applied a patch from Paul "LeoNerd" Evans to make the list.slice vmethod
work properly with negative indices.
http://lists.tt2.org/pipermail/templates/2008-March/010105.html
Plugins
-------
* Added the Math plugin and related files to the MANIFEST so they
actually get shipped out as part of the distribution. D'Oh!
http://rt.cpan.org/Ticket/Display.html?id=27375
* Added the Scalar plugin which adds the .scalar vmethod for calling
object methods and subroutines in scalar context.
* Added Template::Plugin::Assert which allows you to assert that values
are defined.
* Changed Template::Plugin::Filter to weaken the $self reference to avoid
circular references and memory leaks. Thanks to Masahiro Honma for
reporting the problem and suggesting the fix.
* Applied patch from Ronald J Kimball to make Template::Plugin::Date accept
dates with the year coming first.
http://lists.tt2.org/pipermail/templates/2007-July/009540.html
* Added C<1;> to the end of a few plugin modules that were missing it.
ttree
-----
* Changed the --accept option in ttree to match against the full file
path (relative to --src dir) rather than just the file name. This
makes it behave the same way as the --ignore option.
* Applied patch from Lyle Brooks to add binmode to the process()
call in ttree.
http://rt.cpan.org/Ticket/Display.html?id=38076
* Added a patch from Nigel Metheringham also to set binmode in ttree
but via a configuration option.
https://rt.cpan.org/Ticket/Display.html?id=30760
Change log
* Allow _ as a valid character in file names and URLs. Do not remove #
from file names. It only has a special meaning for URLs.
* Enable unlock on unload for inline edits
Updated packages and products
* Products.CMFPlone 3.1.7
* plone.i18n 1.0.7
* archetypes.kss 1.4.3
Pkgsrc changes:
- Remove now unneeded patch file.
Upstream changes:
1.11 13.11.2008
- removed =begin BUGS section in Pod that was preventing proper display
- fixed perlio layer for pass-through binary files
- ref to PodPOMWeb.css used wrong case (undetected on -Win32!)
- fixed page titles when the name has no "-- description"
blessed by tsarna@.
- Fixed the following security issues:
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-57 -moz-binding property bypasses security checks on codebase
principals
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin
violation
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-52 Crashes with evidence of memory corruption
(rv:1.9.0.4/1.8.1.18)
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
MFSA 2008-47 Information stealing via local shortcut files
- Fixed several stability issues.
- Official releases for the Icelandic and Thai languages are now available.
- Beta releases for the Bulgarian, Esperanto, Estonian, Latvian, Occitan,
and Welsh languages are available for testing.
- Updated the internal Public Suffix list.
- Fixed an issue where the IME input tool used to enter Japanese, Korean,
Chinese and Indic characters was covered by the "Add Bookmark" panel.
(bug 433340)
- Enabled additional EV root certificates. (bug 451305)
- Fixed an issue where some passwords saved using Firefox 3.0.2 did not
work properly. (bug 457358)
- In some cases, Firefox would not properly save proxy settings for
protocols other than HTTP. (bug 446536)
Initially it was simply a bug fix release; please refer to the URL for the
full changes: http://wiki.typo3.org/TYPO3_4.2.3.
It has now turned out that two Cross Site Scripting (XSS) problems were
fixed by this release.
Regarding the issue in backend module "file": TYPO3 Security Bulletin
TYPO3-20081113-1: Cross-Site Scripting vulnerability in TYPO3 Core
<http://typo3.org/teams/security/security-bulletins/typo3-20081113-1/>
Regarding the issue in system extension "felogin": TYPO3 Security
Bulletin TYPO3-20081113-2: Cross-Site Scripting vulnerability in TYPO3 Core
<http://typo3.org/teams/security/security-bulletins/typo3-20081113-2/>
Security fixes in this version:
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
MFSA 2008-50 Crash and remote code execution via __proto__ tampering
MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
MFSA 2008-48 Image stealing via canvas and HTTP redirect
MFSA 2008-47 Information stealing via local shortcut files
For more info, see http://www.mozilla.com/en-US/firefox/2.0.0.18/releasenotes/
authenticate users by checking credentials via the Cyrus SASL library.
This may be interesting for setups where other daemons (e.g. for SMTP, IMAP
or LDAP) already running on a machine use SASL to authenticate users. The
module is also useful to authenticate users against databases that use shadow
passwords. You do not need to elevate Apache HTTPD's access rights to
superuser privileges.
* Added AuthExternalContext directive, which defines a string that will be
passed to the authenticator in the CONTEXT environment variable. This can
be set from the .htaccess file or the <Directory> block to give slightly
different behavior from the same authenticator in different directories.
Thanks to Olivier Thauvin <nanardon at mandriva dot org> for this patch.
* Rewrite external authenticator launching code to use Apache's cross-OS
process/thread library instead of directly calling Unix functions.
Theoretically this should get us much closer to being usable on non-
Unix platforms.
* Support alternate syntax for configuration, using DefineAuthExternal and
DefineAuthGroup commands.
* More detailed error logging.
* Much cleanup of documentation.
Trac 0.11.2 (November 8, 2008)
http://svn.edgewall.org/repos/trac/tags/trac-0.11.2
Trac 0.11.2 contains two security fixes and a couple of bug fixes.
The following list contains only a few highlights:
Bug fixes:
* Fixes potential DOS vulnerability with certain wiki markup. Reported by
Matt Murphy.
* Improved HTML sanitizer filter to detect possible phishing attempts.
Reported by Simon Willison.
* MySQL db backend improvement (reconnect after idle timeout #4465)
* TicketQuery speed improvements (#6436)
* Fixes for RSS feeds (timeline entries no longer truncated #7316, no longer
download some feeds under Firefox #3899)
* Search now works for custom fields (#2530)
* Same order for ticket fields for new and existing tickets (#7018)
* Enforce fine-grained permission for "quickjump" search results (#7655)
* E-mail obfuscation was not done in a few remaining places (#7688, #6532)
* Uninstall of plugins from WebAdmin was not working - feature disabled
for now
* More robust pagination of results for reports and custom queries (#7424,
#7544)
* Support for newer version of pygments (#7622)
* Documentation updated (#7603, #7205, #7318)
Minor improvements:
* Better support for Wiki page hierarchy (show path #2780, link to
parent #2150)
* Custom query allows searching in description and other text fields (#4824)
Trac-0.11.1.ja2 (Nov 10, 2008)
* Merge security fixes.
- http://trac.edgewall.org/changeset/7657
- http://trac.edgewall.org/changeset/7658
* Fixes datetime presentation on TracReports.
- trac/db_default.py
- trac/ticket/report.py
- trac/ticket/templates/report.rss
- trac/wiki/default-pages/TracReports
* Fixes unicode handlings on TracError.
- trac/core.py
- trac/ticket/web_ui.py
18 June 2008
The configuration option anchor-as-name has been added.
- took maintainership
ChangeLog:
5.7015 2008-10-15 22:57:00
- Workaround change in LWP that broke a cookie test (RT #40037)
- took maintainership
- added depends on p5-Test-Warn
Changelog:
0.07 Wed Sep 24 17:08:34 EDT 2008
- Code was silently truncating storage to MySQL, rendering the
session unreadable. Patched to check DBIx::Class size from
column_info (if available)
- Wrap find_or_create calls in a transaction to (hopefully)
avoid issues with duplicate flash rows
- took maintainership
ChangeLog:
0.108 2008-09-25
Adding SimpleDB realm to simplify basic auth configuration
Changing user_class to user_model, per req. by mst to avoid confusing newbies.
0.107 2008-09-29
Fix the typo in exception during authenticate
Doc fixes and clarifications
Added missing dependency on Catalyst::Model::DBIC::Schema to Makefile.PL
0.105 2008-03-19
Throw an exception if no fields are provided during authenticate
- better than retrieving a random user.
- still possible to do an empty search by using searchargs
- took maintainership
Changelog:
0.10007 2008-10-23
- Updating config to allow for inclusion of realm ref's in the main
config hash rather than in a subref called 'realms'
0.10007 2008-08-17
- Update tests prereqs to include Test::Exception (RT #36339)
- Some documentation fixes (including RT #36062)
- Compatibility fix where the use of new style config and old
style Authentication::Store::Minimal would cause a crash
(Reported & fixed by Jos Boumans C<kane@cpan.org>)
- Documentation update on Password - to indicate proper field naming
- Decouple Authentication system from session. The realm class
now allows complete control over how a user is persisted across
requests.
- pod fixes (RT #36062, RT #36063)
- took maintainership
ChangeLog:
5.7014 04 Nov 2008
- Remove a reference to a FOREACH loop that did not exist (RT #39046)
- Changed some Template Toolkit links to perldoc links (RT #38354)
- Fix Template Toolkit website link (RT #37574)
- Fix part numbering (RT #37963)
- Improvements to the ACCEPT_CONTEXT docs in Manual::Intro
- Happy Election Day, America!