Age | Commit message | Author | Files | Lines |
|
Changes with Apache 2.4.50
*) SECURITY: CVE-2021-41773: Path traversal and file disclosure
vulnerability in Apache HTTP Server 2.4.49 (cve.mitre.org)
A flaw was found in a change made to path normalization in
Apache HTTP Server 2.4.49. An attacker could use a path
traversal attack to map URLs to files outside the expected
document root.
If files outside of the document root are not protected by
"require all denied" these requests can succeed. Additionally
this flaw could leak the source of interpreted files like CGI
scripts.
This issue is known to be exploited in the wild.
This issue only affects Apache 2.4.49 and not earlier versions.
Credits: This issue was reported by Ash Daulton along with the
cPanel Security Team
*) SECURITY: CVE-2021-41524: null pointer dereference in h2 fuzzing
(cve.mitre.org)
While fuzzing the 2.4.49 httpd, a new null pointer dereference
was detected during HTTP/2 request processing,
allowing an external source to DoS the server. This requires a
specially crafted request.
The vulnerability was recently introduced in version 2.4.49. No
exploit is known to the project.
Credits: Apache httpd team would like to thank LI ZHI XIN from
NSFocus Security Team for reporting this issue.
*) core: AP_NORMALIZE_DECODE_UNRESERVED should normalize the second dot in
the uri-path when it's preceded by a dot.
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This provides scripts that distribute
information in a cluster to abort early with bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
*) mod_proxy: Handle UDS URIs with empty hostname ("unix:///...") as if they
had no hostname ("unix:/...").
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
*) mod_rewrite: Fix UDS ("unix:") scheme for
*) event mpm: Correctly count active child processes in parent process if
child process dies due to MaxConnectionsPerChild.
*) mod_http2: when a server is restarted gracefully, any idle h2 worker
threads are shut down immediately.
Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
Adds all other, never proposed code changes to make a clean
sync of http2 sources.
*) mod_dav: Correctly handle errors returned by dav providers on REPORT
requests.
*) core: do not install core input/output filters on secondary
connections.
*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
and use it to prevent that failures in running the pre_connection
hook cause crashes afterwards.
*) mod_speling: Add CheckBasenameMatch.
|
|
3.10.0 (2021-10-05)
-------------------
* Support Python 3.10.
3.9.0 (2021-09-28)
------------------
* Support Django 4.0.
|
|
Django 3.2.8 fixes two bugs in 3.2.7.
Bugfixes
Fixed a bug in Django 3.2 that caused incorrect links on read-only fields in the admin.
Fixed a regression in Django 3.2 that caused incorrect selection of items across all pages when actions were placed both on the top and bottom of the admin change-list view.
|
|
Highlights
* improve performance, reduce memory use, bugfixes
* HTTP/2 smoother and lower memory use (in general)
* HTTP/2 tuning to better handle aggressive client initial requests
* reduce memory footprint; workaround poor glibc behavior; jemalloc is better
* mod_magnet lua performance improvements
* mod_dirlisting performance improvements and new caching option
* memory constraints for extreme edge cases in mod_dirlisting, mod_ssi, mod_webdav
* connect(), write(), read() time limits on backends (separate from client timeouts)
* lighttpd restarts if large discontinuity in time occurs (embedded systems)
* RFC7233 Range support for all non-streaming responses, not only static files
|
|
-Change buildsystem to use a ./configure script
-badwolf.1: Add tip to list dictionaries in enchant
-badwolf.h: Add WEBKIT_CHECK_VERSION
-Switch from libsoup-2.4 to glib's GUri
-badwolf.1: Fix gtk-doc css-properties URL
|
|
Upstream changes please visit:
https://phabricator.wikimedia.org/source/mediawiki/browse/REL1_36/RELEASE-NOTES-1.36
|
|
https://github.com/nahi/httpclient/pull/447
Bump PKGREVISION.
|
|
* Sync with www/firefox-92.0.1.
|
|
Changelog:
92.0.1
Fixed
* Fixes an issue where audio playback was not working on some Linux systems
(bug 1730499)
* Fixes issues with the findbar close button on different operating systems
(bug 1728368)
92.0
New
* More secure connections: Firefox can now automatically upgrade to HTTPS
using HTTPS RR as Alt-Svc headers.
* Full-range color levels are now supported for video playback on many
systems.
* Mac users can now access the macOS share options from the Firefox File
menu.
* Support for images containing ICC v4 profiles is enabled on macOS.
Fixed
* Firefox performance with screen readers and other accessibility tools is no
longer severely degraded if Mozilla Thunderbird is installed or updated
after Firefox.
* macOS VoiceOver now correctly reports buttons and links marked as
"expanded" using the aria-expanded attribute.
* An open alert in a tab no longer causes performance issues in other tabs
using the same process.
* Various security fixes
Changed
* Canonical is now building the official Firefox snap. It's also now
available on two additional architectures, ARMhf and ARM64.
* The bookmark toolbar menus on macOS now follow Firefox visual styles.
* Certificate error pages have been redesigned for a better user experience.
* Continuing work to restructure Firefox's JavaScript memory management to
be more performant and use less memory.
|
|
Nghttp2 v1.45.1
build
This release fixes packaging issues which lack some configuration files in tar archives.
Nghttp2 v1.45.0
lib
Stricter checks for :method: and :path pseudo header fields are introduced.
build
nghttp2 applications can be compiled with OpenSSL v3.0.0.
Fix warning about systemd when cmake is used.
Added build options to enable HTTP/3 and eBPF.
nghttpx
The experimental HTTP/3 support has been added.
“dnf” (= “do not forward”) parameter is added to backend option.
h2load
The experimental HTTP/3 support has been added.
SSLKEYLOGFILE environment variable support has been added.
|
|
1.26.7
------
* Fixed a bug with HTTPS hostname verification involving IP addresses and lack
of SNI.
* Fixed a bug where IPv6 braces weren't stripped during certificate hostname
matching.
|
|
Changes:
2.34.0
------
- Add support for HTTP/2 when building with libsoup3.
- Add support for CSS Scroll Snap.
- Add support for date and datetime-local input elements.
- Add support for display capture.
- Add support for ICC color management.
- Add support for color-schemes CSS property.
- Add support for link preconnect when building with libsoup3.
- Add support for client side certificates when building with libsoup3.
- Add multi-track support to MSE media backend.
- Add new API to handle web process unresponsiveness.
- Add API to disable CORS on a web view for particular domains.
- Add new API to access/modify capture devices states.
- Add new API to configure the memory pressure handler.
|
|
This is only available on x86. Note that default fcntl implementation
is not only slower, it also leaks file descriptor on apachectl graceful.
|
|
v2.1.3
Fixed: Actually drop ';' as a query delimiter.
|
|
Fixed in 7.79.1
Bugfixes:
Curl_http2_setup: don't change connection data on repeat invokes
curl_multi_fdset: make FD_SET() not operate on sockets out of range
dist: provide lib/.checksrc in the tarball
FAQ: add GOPHERS + curl works on data, not files
hsts: CURLSTS_FAIL from hsts read callback should fail transfer
hsts: handle unlimited expiry
http: fix the broken >3 digit response code detection
strerror: use sys_errlist instead of strerror on Windows
test1184: disable
tests/sshserver.pl: make it work with openssh-8.7p1
|
|
|
ChangeLog unknown, inst/doc/Changes.html is outdated
|
|
Update description and home page, per request from the current
upstream developer of this package. Addresses a PR submitted as
https://github.com/NetBSD/pkgsrc/pull/88. While here, address a
pkglint warning that it's associated with the wrong category.
|
|
0.7.5 (2021-06-12)
* Do not change the encoding of strings passed to Driver#text
0.7.4 (2021-05-24)
* Optimise conversions between strings and byte arrays and related encoding
operations, to reduce amount of allocation and copying
|
|
3.26.1: 2021-09-17
* CPP Lexer
Add year and date chrono literals, add std::complex literals, fix chrono
literals with digit separator (#1665 by swheaton)
* Factor and GHC Core Lexer
Fix catastrophic backtrack (#1690 by Ravlen)
* JSL Lexer
Fix single line block comments, scoped variables and functions (#1663 by
BenPH)
* YAML Lexer
Fix YAML key containing special character (#1667 by tancnle)
* Fix Ruby 2.7 keyword parameter deprecation warning (#1597 by stanhu)
* Updated README (#1666 by dchacke)
|
|
5.4.0 (2021-07-28)
Features
* Better/expanded names for threadpool threads (#2657)
* Allow pkg_config for OpenSSL (#2648, #1412)
* Add rack_url_scheme to Puma::DSL, allows setting of rack.url_scheme header
(#2586, #2569)
Bugfixes
* Binder#parse - allow for symlinked unix path, add create_activated_fds
debug ENV (#2643, #2638)
* Fix deprecation warning: minissl.c - Use Random.bytes if available (#2642)
* Client certificates: set session id context while creating SSLContext
(#2633)
* Fix deadlock issue in thread pool (#2656)
Refactor
* Replace IO.select with IO#wait_* when checking a single IO (#2666)
|
|
2.8.2 (2021-08-06)
Dependencies
* Update dependency on Addressable from ~>2.7 to ~>2.8. (#584) @yidingww
|
|
2.12.0 (2021-08-11)
Features
* Support empty HTML5 data attributes. [#215]
2.11.0 (2021-07-31)
Features
* Allow HTML5 element wbr.
* Allow all CSS property values for border-collapse. [#201]
Changes
* Deprecating Loofah::HTML5::SafeList::VOID_ELEMENTS which is not a
canonical list of void HTML4 or HTML5 elements.
* Removed some elements from Loofah::HTML5::SafeList::VOID_ELEMENTS that
either are not acceptable elements or aren't considered "void" by libxml2.
|
|
0.11.1 (2021-05-24)
* Prevent the client hanging if close() is called when already closing
|
|
1.1.0 (2021-07-31)
Features
* Use wrapped exception in Faraday::ParsingError to improve legibility of
the error (#255, @d-m-u)
Bugs fixed
* Use JSON.generate instead of .dump in request middleware (#266,
@Be-ngt-oH)
Chores and misc
* Add rubocop-package and drop git ls-files in gemspec (#263, @utkarsh2102)
|
|
1.7.2 (2021-09-13)
* Fix deprecation warning (#1323)
1.8.0 (2021-09-18)
Features
* Backport authorization procs (#1322, @jarl-dk)
|
|
1.49.0 (2021-09-01)
* Feature - Code Generated Changes, see ./build_tools or aws-sdk-core's
CHANGELOG.md for details.
|
|
3.121.0 (2021-09-02)
* Feature - Add support for S3 Multi-region access point configuration.
3.120.0 (2021-09-01)
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9,
2.0, 2.1, and 2.2.
|
|
1.4.0 (2021-09-02)
* Feature - add signing_algorithm option with sigv4 default.
1.3.0 (2021-09-01)
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9,
2.0, 2.1, and 2.2.
|
|
1.503.0 (2021-09-17)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.502.0 (2021-09-16)
* Feature - Added support for enumerating regions for Aws::KafkaConnect.
1.501.0 (2021-09-13)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.500.0 (2021-09-10)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.499.0 (2021-09-09)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.498.0 (2021-09-08)
* Feature - Added support for enumerating regions for
Aws::OpenSearchService.
1.497.0 (2021-09-07)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.496.0 (2021-09-03)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.495.0 (2021-09-02)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
1.494.0 (2021-09-01)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9,
2.0, 2.1, and 2.2.
1.493.0 (2021-08-31)
* Feature - Updated the partitions source data that determines the AWS
service regions and endpoints.
|
|
1.2.0 (2021-09-01)
* Feature - AWS SDK for Ruby no longer supports Ruby runtime versions 1.9,
2.0, 2.1, and 2.2.
|
|
Old-style Go package, not useful on its own, nothing depends on this.
|
|
2.4.4
-----
This release contains numerous bug fixes, updated dependencies, and QoL
improvements.
Update: This release contains a known regression in the combination of encode
and reverse_proxy modules; please use v2.4.5 instead.
2.4.5
-----
A hotfix for a regression introduced in v2.4.4 related to combining the encode
and reverse_proxy directives.
|
|