Age | Commit message | Author | Files | Lines |
|
|
Sync with seamonkey-2.16.
|
|
* enigmail is broken
Changelog:
SeaMonkey-specific changes
Reply to List is now supported.
SSL-related warning prompts (leaving or entering a secure site, viewing mixed content) have been replaced by less intrusive, non-modal notification bars.
See the changes page for minor changes.
Mozilla platform changes
Image quality has been improved through a new HTML scaling algorithm.
Canvas elements can export their content as an image blob using canvas.toBlob() now.
CSS @page is now supported.
CSS viewport-percentage length units have been implemented (vh, vw, vmin and vmax).
CSS text-transform now supports full-width.
Fixed several stability issues.
Fixed in SeaMonkey 2.16
MFSA 2013-28 Use-after-free, out of bounds read, and buffer overflow issues found using Address Sanitizer
MFSA 2013-27 Phishing on HTTPS connection through malicious proxy
MFSA 2013-26 Use-after-free in nsImageLoadingContent
MFSA 2013-25 Privacy leak in JavaScript Workers
MFSA 2013-24 Web content bypass of COW and SOW security wrappers
MFSA 2013-23 Wrapped WebIDL objects can be wrapped again
MFSA 2013-22 Out-of-bounds read in image rendering
MFSA 2013-21 Miscellaneous memory safety hazards (rv:19.0 / rv:17.0.3)
|
|
Security-fix release. Here's a brief summary of each issue and its resolution:
Issue: Host header poisoning: an attacker could cause Django to generate and display URLs that link to arbitrary domains. This could be used as part of a phishing attack. These releases fix this problem by introducing a new setting, ALLOWED_HOSTS, which specifies a whitelist of domains your site is known to respond to.
Important: by default Django 1.3.6 and 1.4.4 set ALLOWED_HOSTS to allow all hosts. This means that to actually fix the security vulnerability you should define this setting yourself immediately after upgrading.
Issue: Formset denial-of-service: an attacker can abuse Django's tracking of the number of forms in a formset to cause a denial-of-service attack. This has been fixed by adding a default maximum number of forms of 1,000. You can still manually specify a bigger max_num, if you wish, but 1,000 should be enough for anyone.
Issue: XML attacks: Django's serialization framework was vulnerable to attacks via XML entity expansion and external references; this is now fixed. However, if you're parsing arbitrary XML in other parts of your application, we recommend you look into the defusedxml Python packages which remedy this anywhere you parse XML, not just via Django's serialization framework.
Issue: Data leakage via admin history log: Django's admin interface could expose supposedly-hidden information via its history log. This has been fixed.
|
|
Fixes build on SunOS.
|
|
Sync with firefox-19.0.
|
|
Collection.
nginx (pronounced "engine X") is a lightweight web (HTTP) server/reverse proxy
and mail (IMAP/POP3) proxy written by Igor Sysoev.
nginx has been running for more than three years on many heavily loaded Russian
sites including Rambler (RamblerMedia.com). In March 2007 about 20% of all
Russian virtual hosts were served or proxied by nginx. According to Google
Online Security Blog nginx serves or proxies about 4% of all Internet virtual
hosts, although Netcraft shows a much lower percentage.
The sources are licensed under a BSD-like license.
|
|
Serf 0.7.2 [2011-03-12, branch 0.7.x r1451]
Actually disable Nagle when creating a connection (r1441).
Return error when app asks for HTTPS over proxy connection (r1433).
Serf 0.7.1 [2011-01-25, branch 0.7.x r1431]
Fix memory leak when using SSL (r1408, r1416).
Fix build for blank apr-util directory (r1421).
Serf 0.7.0 [2010-08-25, r1407]
Fix double free abort when destroying request buckets.
Fix test server in unit test framework to avoid random test failures.
Allow older Serf programs which don't use the new authn framework to still
handle authn without forcing them to switch to the new framework. (r1401)
Remove the SERF_DECLARE macros, preferring a .DEF file for Windows
Barrier buckets now pass read_iovec to their wrapped bucket.
Fix HTTP header parsing to allow for empty header values.
Serf 0.6.1 [2010-05-14, r1370]
Generally: this release fixes problems with the 0.4.0 packaging.
Small compilation fix in outgoing.c for Windows builds.
Serf 0.6.0 [2010-05-14, r1363]
Not released.
Serf 0.5.0
Not released.
Serf 0.4.0 [2010-05-13, r1353]
[NOTE: this release misstated itself as 0.5.0; use a later release instead]
Provide authn framework, supporting Basic, Digest, Kerberos (SSPI, GSS),
along with proxy authn using Basic or Digest
Added experimental listener framework, along with test_server.c
Improvements and fixes to SSL support, including connection setup changes
Experimental support for unrequested, arriving ("async") responses
Experimental BWTP support using the async arrival feature
Headers are combined on read (not write), to ease certain classes of parsing
Experimental feature on aggregate buckets for a callback-on-empty
Fix the bucket allocator for when APR is using its pool debugging features
Proxy support in the serf_get testing utility
Fix to include the port number in the Host header
serf_get propagates errors from the response, instead of aborting (Issue 52)
Added serf_lib_version() for runtime version tests
Serf 0.3.1 [2010-02-14, r1320]
Fix loss of error on request->setup() callback. (Issue 47)
Support APR 2.x. (Issue 48)
Fixed slowdown in aggregate bucket with millions of child buckets.
Avoid hang in apr_pollset_poll() by unclosed connections after fork().
|
|
The full changes are a bit too many to write here, but it changed its API
from versions prior to 1.0.
Please refer to http://code.google.com/p/serf/source/browse/tags/1.1.1/CHANGES
for the full changes.
|
|
Makefile + Makefile.common. nginx is highly backward compatible
and 99% of stable series Makefile applies to devel.
Bumping PKGREVISION
|
|
and it would be used by subversion16.
|
|
Sync with xulrunner-19.0.
|
|
Geeklog History/Changes:
Feb 19, 2013 (1.8.2sr1)
------------
This release addresses the following security issues:
- High-Tech Bridge Security Research Lab reported an XSS in the calendar_type
parameter in the Calendar plugin (HTB23143).
- Trustwave Spiderlabs reported XSS in the install script, the Configuration,
as well as in the Admin interfaces for the Polls plugin and the Topic editor
(TWSL2013-001).
Not security-related:
- Fixed Twitter OAuth login by switching to version 1.1 of the Twitter API
(feature request #0001506).
|
|
Drupal 7.20, 2013-02-20
-----------------------
- Fixed security issues (denial of service). See SA-CORE-2013-002.
|
|
under restricted pbulk.
|
|
buffer. Bump PKGREVISION
|
|
Version 3.0.5 (2013-02-19)
--------------------------
### Fixed
Removed the pixel unit from the video width and height attributes (see #5383).
### Fixed
Correctly load the language files (see #5384).
|
|
*) Change: now if the "include" directive with mask is used on Unix
systems, included files are sorted in alphabetical order.
*) Change: the "add_header" directive adds headers to 201 responses.
*) Feature: the "geo" directive now supports IPv6 addresses in CIDR
notation.
*) Feature: the "flush" and "gzip" parameters of the "access_log"
directive.
*) Feature: variables support in the "auth_basic" directive.
*) Feature: the $pipe, $request_length, $time_iso8601, and $time_local
variables can now be used not only in the "log_format" directive.
Thanks to Kiril Kalchev.
*) Feature: IPv6 support in the ngx_http_geoip_module.
Thanks to Gregor Kališnik.
*) Bugfix: nginx could not be built with the ngx_http_perl_module in
some cases.
*) Bugfix: a segmentation fault might occur in a worker process if the
ngx_http_xslt_module was used.
*) Bugfix: nginx could not be built on MacOSX in some cases.
Thanks to Piotr Sikora.
*) Bugfix: the "limit_rate" directive with high rates might result in
truncated responses on 32-bit platforms.
Thanks to Alexey Antropov.
*) Bugfix: a segmentation fault might occur in a worker process if the
"if" directive was used.
Thanks to Piotr Sikora.
*) Bugfix: a "100 Continue" response was issued with "413 Request Entity
Too Large" responses.
*) Bugfix: the "image_filter", "image_filter_jpeg_quality" and
"image_filter_sharpen" directives might be inherited incorrectly.
Thanks to Ian Babrou.
*) Bugfix: "crypt_r() failed" errors might appear if the "auth_basic"
directive was used on Linux.
*) Bugfix: in backup servers handling.
Thanks to Thomas Chen.
*) Bugfix: proxied HEAD requests might return incorrect response if the
"gzip" directive was used.
*) Bugfix: a segmentation fault occurred on start or during
reconfiguration if the "keepalive" directive was specified more than
once in a single upstream block.
*) Bugfix: in the "proxy_method" directive.
*) Bugfix: a segmentation fault might occur in a worker process if
resolver was used with the poll method.
*) Bugfix: nginx might hog CPU during SSL handshake with a backend if
the select, poll, or /dev/poll methods were used.
*) Bugfix: the "[crit] SSL_write() failed (SSL:)" error.
*) Bugfix: in the "fastcgi_keep_conn" directive.
+ updated MESSAGES in order to show a working logrotate.
|
|
Update Japanese and Swedish language files.
|
|
Upstream changes:
1.3110 06.10.2012
[ BUG FIXES ]
* GH #817, #823, #825: Removing Clone from core. Pure-perl environments
supported again (Sawyer X).
* GH #755, #819, #827, #828: HTTP::Headers accepted by dancer_response
(Roberto Patriarca, Dagfinn Ilmari Mannsåker, draxil, perlpong).
[ ENHANCEMENTS ]
* GH #826: The version of wallflower shipped with Dancer has been removed.
It was well out of date. BooK is now maintaining it as a more general
solution under the name App::Wallflower. (BooK)
* GH #834: Provide empty Headers object if not defined (Yanick Champoux).
* GH #840, #841: Dancer::Plugin::Ajax now has content_type (Lee Carmichael).
[ DOCUMENTATION ]
* GH #821: Pointing to new homepage (alfie).
* GH #822: Typos in documentation (Stefan Hornburg - racke).
* GH #824: Fix in Dancer/Session.pm (pdl).
* GH #830: Fix Github links to https:// (Olivier Mengué).
* GH #838: Error in Dancer::Plugin::Ajax Documentation (Lee Carmichael).
* GH #839: Typo (goblin).
|
|
It is part of Ruby on Rails 3.0 which isn't supported any more.
|
|
It is part of Ruby on Rails 3.0 which isn't supported any more.
|
|
It is part of Ruby on Rails 3.0 which isn't supported any more.
|
|
This release contains a fix for CVE-2012-6112 (TinyMCE), too.
Version 3.0.4 (2013-02-14)
--------------------------
### Fixed
Correctly split the words when adding to the search index (see #5363).
### Fixed
If an eagerly loaded relation does not exist, return `null` instead of an empty
model in `Model::getRelated()` (see #5356).
### Fixed
Throw an exception if the file system and the database are out of sync and
show a meaningful error message (see #5101).
### Fixed
Return an associative array in `Model_Collection::fetchEach()` if the requested
field is **not** `id` (see #5134).
### Fixed
Make eagerly loaded "pageTree" fields mandatory again (see #4866).
### Fixed
Do not use forward pages as upper page in the book navigation (see #5074).
### Fixed
Correctly show the "empty news list" note (see #5304).
### Fixed
Correctly sort values by an external order field (see #5322).
### Fixed
Define the login status constants in the back end (see #4099, #5279).
### Fixed
Make sure the drag'n'drop hints do not overlay the field labels (see #5338).
### Fixed
Apply the color picker to single fields as well (see #5240).
### Fixed
Correctly close the SimpleModal overlay with the escape key (see #5297).
### Updated
Update TinyMCE to version 3.5.8 (see #5273).
### Fixed
Correctly check for nested arrays in `Widget::isValidOption()` (see #5328).
### Fixed
Preserve the order of multi source fields when exporting a theme (see #5237).
### Fixed
Also check whether the target exists when creating new folders (see #5260).
### Fixed
Load the core `autoload.php` files first (see #5261).
### Fixed
Support `null` as column default value in the DCA (see #5252).
### New
Added the `$blnDoNotCreate` option to the `Files` class, which makes the class
write to a temporary file first and then move it to its destination in one
atomic operation. This fixes some cache issues (see #5307).
### Fixed
Handle `@` blocks when importing style sheets (see #5250).
### Fixed
Show the newsletter list even if there is no jumpTo page configured in the
channel and show the enclosures in the newsletter reader (see #5233).
### Fixed
Added an option to load model relations uncached (see #5248, #5102). Also fixed
the `array_merge()` order so the default options can be overridden.
### Updated
Updated SimplePie to version 1.3.1 (see #5207).
### Updated
Updated SwiftMailer to version 4.3.0 (see #5263).
### Fixed
The jQuery accordion script did not work with minified markup (see #5245).
### Fixed
Removed the "spaceToUnderscore" option from all alias fields (see #5266).
### Fixed
The media content element now supports .ogg files (see #5282).
### Fixed
Do not rewrite requests for .mp3, .mp4, .webm or .ogv files (see #5258, #5284).
### Fixed
Correctly determine the last run of the command scheduler (see #5278).
### Fixed
Make the jQuery accordion behave like the MooTools version (see #5251).
### Fixed
Added support for more advanced media queries (see #5236).
### Fixed
Added the missing `UserGroupModel` class (see #5218).
### Fixed
Handle the case that `glob()` returns `false` (see #5226).
### Fixed
The table sorter did not work if jQuery and MooTools were active (see #5228).
### Fixed
Copy all content elements if pages are duplicated with children (see #5241).
### Fixed
Added lazy template loading for newsletter mail templates.
|
|
about trac/ja-trac database differences (which I now perceive as smaller).
|
|
(I'm assuming that if I can't follow this, at least some others will
be confused as well.)
This is a comment-only change.
|
|
The only significant packaging change is to drop the dependency on
py-subversion. It's still needed to use subversion repositories, but
use of svn is now optional.
Update provided by Martin Resnick of BBN, with minor tweaks by me.
Trac 1.0 'Cell' (September 7, 2012)
http://svn.edgewall.org/repos/trac/tags/trac-1.0
Trac 1.0 is a major release adding refreshed user interface and
improved DVCS repository support as the most visible changes.
The following list contains only a few highlights:
- The default theme looks more modern, especially on recent browsers
(no effort has been made to make it look better on older browsers
like IE6 or 7)
- The TracHacks GitPlugin has been donated by Herbert Valerio Riedel
to the Trac project (many thanks!) and is now maintained here as an
optional component
- As a consequence, the Subversion support has been moved below
`tracopt.versioncontrol` as well
- The Git and Mercurial log view feature a visualization of the
branching structure
- Usability improvements for the tickets, with a better support for
conflict detection and resolution
- Integration of the TracHacks BatchModifyPlugin, contributed by
Brian Meeker (many thanks!) and is now maintained there as a
default component
- jQuery/UI integration, featuring a date picker for date fields
- Improved integration with Pygments syntax highlighting
- ... and numerous smaller features added and bugs fixed since 0.12!
|
|
= Changelog
== Version 3.0.1 - 2013-02-06
* Switch to using puma for the webserver
* Switch to using simplecov for coverage testing
* Update all gem dependencies
* Update to fixme project template
* Convert to minitest
== Version 2.1.0 - 2011-03-17
* Update to Launchy 1.0.0
* Update to Thin 1.2.8
|