Age | Commit message | Author | Files | Lines |
|
|
|
Bug fix: Handle relative Location headers
|
|
* Bump PKGREVISION
* Fix PR pkg/52487
|
|
This release includes the following bugfixes:
o build: fix 'make install' with configure, install docs/libcurl/* too
o make install: add 8 missing man pages to the installation
o curl: do bounds check using a double comparison [1]
o dist: Add dictserver.py/negtelnetserver.py to release [2]
o digest_sspi: Don't reuse context if the user/passwd has changed [3]
o gitignore: ignore top-level .vs folder [4]
o build: check out *.sln files with Windows line endings [5]
o travis: verify "make install" [6]
o dist: fix the cmake build by shipping cmake_uninstall.cmake.in too [7]
o metalink: fix error: ‘*’ in boolean context, suggest ‘&&’ instead
o configure: use the threaded resolver backend by default if possible [8]
o mkhelp.pl: allow executing this script directly [9]
o maketgz: remove old *.dist files before making the tarball [10]
o openssl: remove CONST_ASN1_BIT_STRING [11]
o openssl: fix "error: this statement may fall through"
o proxy: fix memory leak in case of invalid proxy server name [12]
o curl/system.h: support more architectures (OpenRISC, ARC) [13]
o docs: fix typos [14]
o curl/system.h: add Oracle Solaris Studio [15]
o CURLINFO_TOTAL_TIME: could wrongly return 4200 seconds [16]
o docs: --connect-to clarified
o cmake: allow user to override CMAKE_DEBUG_POSTFIX [17]
o travis: test cmake build on tarball too
o redirect: make it handle absolute redirects to IDN names [18]
o curl/system.h: fix for gcc on PowerPC [19]
o curl --interface: fixed for IPV6 unique local addresses [20]
o cmake: threads detection improvements [21]
|
|
Changelog:
Tomcat 8.0.45 (violetagg)
Catalina
Fix: 61101: CORS filter should set Vary header in response. Submitted by Rick Riemer. (remm)
Add: 61105: Add a new JULI FileHandler configuration for specifying the maximum number of days to keep the log files. (violetagg)
Fix: 61125: Ensure that WarURLConnection returns the correct value for calls to getLastModified() as this is required for the correct detection of JSP modifications when the JSP is packaged in a WAR file. (markt)
Fix: Improve the SSLValve so it is able to handle client certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. (markt)
Fix: 61154: Allow the Manager and Host Manager web applications to start by default when running under a security manager. This was accomplished by adding a custom permission, org.apache.catalina.security.DeployXmlPermission, that permits an application to use a META-INF/context.xml file and then granting that permission to the Manager and Host Manager. (markt)
Fix: 61173: Polish the javadoc for o.a.catalina.startup.Tomcat. Patch provided by peterhansson_se. (violetagg)
Add: A new configuration property crawlerIps is added to the o.a.catalina.valves.CrawlerSessionManagerValve. Using this property one can specify a regular expression that will be used to identify crawlers based on their IP address. Based on a patch provided by Tetradeus. (violetagg)
Fix: 61180: Log a warning message rather than an information message if it takes more than 100ms to initialise a SecureRandom instance for a web application to use to generate session identifiers. Patch provided by Piotr Chlebda. (markt)
Fix: 61185: When an asynchronous request is dispatched via AsyncContext.dispatch() ensure that getRequestURI() for the dispatched request matches that of the original request. (markt)
Fix: 61201: Ensure that the SCRIPT_NAME environment variable for CGI executables is populated in a consistent way regardless of how the CGI servlet is mapped to a request. (markt)
Fix: 61215: Correctly define addConnectorPort and invalidAuthenticationWhenDeny in the mbean-descriptors.xml file for the org.apache.catalina.valves package so that the attributes are accessible via JMX. (markt)
Coyote
Fix: 61086: Explicitly signal an empty request body for HTTP 205 responses. (markt)
Fix: Revert a change introduced in the fix for bug 60718 that changed the status code recorded in the access log when the client dropped the connection from 200 to 500. (markt)
Fix: Make asynchronous error handling more robust. In particular ensure that onError() is called for any registered AsyncListeners after an I/O error on a non-container thread. (markt)
Jasper
Fix: 44787: Improve error message when JSP compiler configuration options are not valid. (markt)
Fix: 61137: j.s.jsp.tagext.TagLibraryInfo#uri and j.s.jsp.tagext.TagLibraryInfo#prefix fields should not be final. Patch provided by Katya Todorova. (violetagg)
WebSocket
Fix: Correct the log message when a MessageHandler for PongMessage does not implement MessageHandler.Whole. (rjung)
Fix: Improve thread-safety of Futures used to report the result of sending WebSocket messages. (markt)
Fix: 61183: Correct a regression in the previous fix for 58624 that could trigger a deadlock depending on the locking strategy employed by the client code. (markt)
Web applications
Fix: Better document the meaning of the trimSpaces option for Jasper. (markt)
Fix: 61150: Configure the Manager and Host-Manager web applications to permit serialization and deserialization of CRSFPreventionFilter related session objects to avoid warning messages and/or stack traces on web application stop and/or start when running under a security manager. (markt)
Other
Add: 45832: Add HTTP DIGEST authentication support to the Catalina Ant tasks used to communicate with the Manager application. (markt)
Fix: 45879: Add the RELEASE-NOTES file to the root of the installation created by the Tomcat installer for Windows to make it easier for users to identify the installed Tomcat version. (markt)
Fix: 61055: Clarify the code comments in the rewrite valve to make clear that there are no plans to provide proxy support for this valve since Tomcat does not have proxy capabilities. (markt)
Fix: 61076: Document the altDDName attribute for the Context element. (markt)
Fix: Correct typo in Jar Scan Filter Configuration Reference. Issue reported via comments.apache.org. (violetagg)
Fix: 61145: Add missing @Documented annotation to annotations in the annotations API. Patch provided by Katya Todorova. (markt)
Fix: 61146: Add missing lookup() method to @EJB annotation in the annotations API. Patch provided by Katya Todorova. (markt)
Fix: Correct typo in Context Container Configuration Reference. Patch provided by Katya Todorova. (violetagg)
|
|
Changelog:
Tomcat 7.0.79 (violetagg)
Catalina
fix 61101: CORS filter should set Vary header in response. Submitted by Rick Riemer. (remm)
add 61105: Add a new JULI FileHandler configuration for specifying the maximum number of days to keep the log files. (violetagg)
fix Improve the SSLValve so it is able to handle client certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. (markt)
fix 61154: Allow the Manager and Host Manager web applications to start by default when running under a security manager. This was accomplished by adding a custom permission, org.apache.catalina.security.DeployXmlPermission, that permits an application to use a META-INF/context.xml file and then granting that permission to the Manager and Host Manager. (markt)
fix 61173: Polish the javadoc for o.a.catalina.startup.Tomcat. Patch provided by peterhansson_se. (violetagg)
add A new configuration property crawlerIps is added to the o.a.catalina.valves.CrawlerSessionManagerValve. Using this property one can specify a regular expression that will be used to identify crawlers based on their IP address. Based on a patch provided by Tetradeus. (violetagg)
fix 61180: Log a warning message rather than an information message if it takes more than 100ms to initialise a SecureRandom instance for a web application to use to generate session identifiers. Patch provided by Piotr Chlebda. (markt)
fix 61185: When an asynchronous request is dispatched via AsyncContext.dispatch() ensure that getRequestURI() for the dispatched request matches that of the original request. (markt)
fix 61201: Ensure that the SCRIPT_NAME environment variable for CGI executables is populated in a consistent way regardless of how the CGI servlet is mapped to a request. (markt)
fix 61215: Correctly define addConnectorPort and invalidAuthenticationWhenDeny in the mbean-descriptors.xml file for the org.apache.catalina.valves package so that the attributes are accessible via JMX. (markt)
Coyote
fix 61086: Explicitly signal an empty request body for HTTP 205 responses. (markt)
fix Revert a change introduced in the fix for bug 60718 that changed the status code recorded in the access log when the client dropped the connection from 200 to 500. (markt)
fix Make asynchronous error handling more robust. In particular ensure that onError() is called for any registered AsyncListeners after an I/O error on a non-container thread. (markt)
Jasper
fix 44787: Improve error message when JSP compiler configuration options are not valid. (markt)
WebSocket
fix Correct the log message when a MessageHandler for PongMessage does not implement MessageHandler.Whole. (rjung)
fix Improve thread-safety of Futures used to report the result of sending WebSocket messages. (markt)
fix 61183: Correct a regression in the previous fix for 58624 that could trigger a deadlock depending on the locking strategy employed by the client code. (markt)
Web applications
fix Better document the meaning of the trimSpaces option for Jasper. (markt)
fix 61150: Configure the Manager and Host-Manager web applications to permit serialization and deserialization of CRSFPreventionFilter related session objects to avoid warning messages and/or stack traces on web application stop and/or start when running under a security manager. (markt)
Tribes
add Add JMX support for Tribes components. (kfujino)
Other
add 45832: Add HTTP DIGEST authentication support to the Catalina Ant tasks used to communicate with the Manager application. (markt)
fix 45879: Add the RELEASE-NOTES file to the root of the installation created by the Tomcat installer for Windows to make it easier for users to identify the installed Tomcat version. (markt)
fix 61076: Document the altDDName attribute for the Context element. (markt)
fix 61145: Add missing @Documented annotation to annotations in the annotations API. Patch provided by Katya Todorova. (markt)
fix 61146: Add missing lookup() method to @EJB annotation in the annotations API. Patch provided by Katya Todorova. (markt)
fix Correct typo in Context Container Configuration Reference. Patch provided by Katya Todorova. (violetagg)
|
|
Changelog:
Tomcat 8.5.20 (markt)
Catalina
Fix: Revert the fix for 49464 since it continued to trigger regressions. (markt)
Fix: Correct a bug in the PushBuilder implementation that meant push URLs containing %nn sequences were not correctly decoded. Identified by FindBugs. (markt)
Add: 61164: Add support for the %X pattern in the AccessLogValve that reports the connection status at the end of the request. Patch provided by Zemian Deng. (markt)
Fix: 61351: Correctly handle %nn decoding of URL patterns in web.xml and similar locations that may legitimately contain characters that are not permitted by RFC 3986. (markt)
Add: 61366: Add a new attribute, localDataSource, to the JDBCStore that allows the Store to be configured to use a DataSource defined by the web application rather than the default of using a globally defined DataSource. Patch provided by Jonathan Horowitz. (markt)
Coyote
Fix: 61086: Ensure to explicitly signal an empty request body for HTTP 205 responses. Additional fix to r1795278. Based on a patch provided by Alexandr Saperov. (violetagg)
Update: 61345: Add a server listener that can be used to do system property replacement from the property source configured in the digester. (remm)
Add: Add additional logging to record problems that occur while waiting for the NIO pollers to stop during the Connector stop process. (markt)
Jasper
Fix: 61364: Ensure that files are closed after detecting encoding of JSPs so that files do not remain locked by the file system. (markt)
WebSocket
Add: 57767: Add support to the WebSocket client for following redirects when attempting to establish a WebSocket connection. Patch provided by J Fernandez. (markt)
2017-07-28 Tomcat 8.5.19 (markt)
Catalina
Fix: Performance improvements for service loader look-ups (and look-ups of other class loader resources) when the web application is deployed in a packed WAR file. (markt)
Fix: 61253: Add warn message when Digester.updateAttributes throws an exception instead of ignoring it. (csutherl)
Fix: Correct a further regression in the fix for 49464 that could cause a byte order mark character to appear at the start of content included by the DefaultServlet. (markt)
Fix: 61313: Make the read timeout configurable in the JNDIRealm and ensure that a read timeout will result in an attempt to fail over to the alternateURL. Based on patches by Peter Maloney and Felix Schumacher. (markt)
Web applications
Fix: Correct the documentation for how StandardRoot is configured. (markt)
Other
Fix: 61316: Fix corruption of UTF-16 encoded source files in released source distributions. (markt)
Tomcat 8.5.18 (markt)
Catalina
Fix: 61232: When log rotation is disabled only one separator will be used when generating the log file name. For example if the prefix is catalina. and the suffix is .log then the log file name will be catalina.log instead of catalina..log. Patch provided by Katya Stoycheva. (violetagg)
Fix: 61264: Correct a regression in the refactoring to use Charset rather than String to store request character encoding that prevented getReader() throwing an UnsupportedEncodingException if the user agent specifies an unsupported character encoding. (markt)
Fix: Correct a regression in the fix for 49464 that could cause an incorrect Content-Length header to be sent by the DefaultServlet if the encoding of a static is not consistent with the encoding of the response. (markt)
Coyote
Fix: Enable TLS connectors to use Java key stores that contain multiple keys where each key has a separate password. Based on a patch by Frank Taffelt. (markt)
Fix: Improve the handling of HTTP/2 stream resets due to excessive headers when a continuation frame is used. (markt)
Jasper
Add: 53031: Add support for the fork option when compiling JSPs with the Jasper Ant task and javac. (markt)
Other
Add: 52791: Add the ability to set the defaults used by the Windows installer from a configuration file. Patch provided by Sandra Madden. (markt)
Tomcat 8.5.17 (markt)
Catalina
Fix: 49464: Improve the Default Servlet's handling of static files when the file encoding is not compatible with the required response encoding. (markt)
Fix: 61214: Remove deleted attribute servlets from the Context MBean description. Patch provided by Alexis Hassler. (markt)
Fix: 61215: Correctly define addConnectorPort and invalidAuthenticationWhenDeny in the mbean-descriptors.xml file for the org.apache.catalina.valves package so that the attributes are accessible via JMX. (markt)
Fix: Make asynchronous error handling more robust. In particular ensure that onError() is called for any registered AsyncListeners after an I/O error on a non-container thread. (markt)
Fix: Additional permission for deleting files is granted to JULI as it is required by FileHandler when running under a Security Manager. The thread that cleans the log files is marked as daemon thread. (violetagg)
Fix: 61229: Correct a regression in 8.5.15 that broke WebDAV handling for resources with names that included a & character. (markt)
Coyote
Fix: Restore the ability to configure support for SSLv3. Enabling this protocol will trigger a warning in the logs since it is known to be insecure. (markt)
Fix: Do not log a warning when a null session is returned for an OpenSSL based TLS session since this is expected when session tickets are enabled. (markt)
Fix: When the access log valve logs a TLS related request attribute and the NIO2 connector is used with OpenSSL, ensure that the TLS attric SSL session access for the APR connector. (remm)
Add: To ease migration from 8.0.x to 8.5.x, if the HTTP or AJP BIO connector is explicitly configured, rather than failing to start the connector because BIO has been removed, automatically switch to tribute searchExternalFirst from the documentation since the attribute is no longer supported. (markt)
2017-06-26 Tomcat 8.5.16 (markt)
Catalina
Fix: 61072: Respect the documentation statements that allow using the platform default secure random for session id generation. (remm)
Fix: Correct the javadoc for o.a.c.connector.CoyoteAdapter#parseSessionCookiesId. Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg)
Fix: 61101: CORS filter should set Vary header in response. Submitted by Rick Riemer. (remm)
Add: 61105: Add a new JULI FileHandler configuration for specifying the maximum number of days to keep the log files. (violetagg)
Fix: 61125: Ensure that WarURLConnection returns the correct value for calls to getLastModified() as this is required for the correct detection of JSP modifications when the JSP is packaged in a WAR file. (markt)
Fix: Improve the SSLValve so it is able to handle client certificate headers from Nginx. Based on a patch by Lucas Ventura Carro. (markt)
Fix: 61134: Do not use '[' and ']' symbols around substituted text fragments when generating the default error pages. Patch provided by Katya Todorova. (violetagg)
Fix: 61154: Allow the Manager and Host Manager web applications to start by default when running under a security manager. This was accomplished by adding a custom permission, org.apache.catalina.security.DeployXmlPermission, that permits an application to use a META-INF/context.xml file and then granting that permission to the Manager and Host Manager. (markt)
Fix: 61173: Polish the javadoc for o.a.catalina.startup.Tomcat. Patch provided by peterhansson_se. (violetagg)
Add: A new configuration property crawlerIps is added to the o.a.catalina.valves.CrawlerSessionManagerValve. Using this property one can specify a regular expression that will be used to identify crawlers based on their IP address. Based on a patch provided by Tetradeus. (violetagg)
Fix: 61180: Log a warning message rather than an information message if it takes more than 100ms to initialise a SecureRandom instance for a web application to use to generate session identifiers. Patch provided by Piotr Chlebda. (markt)
Fix: 61185: When an asynchronous request is dispatched via AsyncContext.dispatch() ensure that getRequestURI() for the dispatched request matches that of the original request. (markt)
Fix: 61197: Ensure that the charset name used in the Content-Type header has exactly the same form as that provided by the application. This reverts a behavioural change in 8.5.15 that caused problems for some clients. (markt)
Fix: 61201: Ensure that the SCRIPT_NAME environment variable for CGI executables is populated in a consistent way regardless of how the CGI servlet is mapped to a request. (markt)
Coyote
Fix: 61086: Explicitly signal an empty request body for HTTP 205 responses. (markt)
Fix: 61120: Do not ignore path parameters when processing HTTP/2 requests. (markt)
Fix: Revert a change introduced in the fix for bug 60718 that changed the status code recorded in the access log when the client dropped the connection from 200 to 500. (markt)
Fix: Add additional syncs to the SSL session object provided by the OpenSSL engine so that a concurrent destruction cannot cause a JVM crash. (remm)
Fix: 61195: Backport, with deprecation where appropriate, the endpoint and protocol property changes from 9.0.x to ease migration from 8.5.x to 9.0.x. (markt)
Jasper
Fix: 44787: Improve error message when JSP compiler configuration options are not valid. (markt)
Fix: 61137: j.s.jsp.tagext.TagLibraryInfo#uri and j.s.jsp.tagext.TagLibraryInfo#prefix fields should not be final. Patch provided by Katya Todorova. (violetagg)
WebSocket
Fix: Correct the log message when a MessageHandler for PongMessage does not implement MessageHandler.Whole. (rjung)
Add: Introduce new API o.a.tomcat.websocket.WsSession#suspend/ o.a.tomcat.websocket.WsSession#resume that can be used to suspend/resume reading of the incoming messages. (violetagg)
Fix: Improve thread-safety of Futures used to report the result of sending WebSocket messages. (markt)
Fix: 61183: Correct a regression in the previous fix for 58624 that could trigger a deadlock depending on the locking strategy employed by the client code. (markt)
Web applications
Fix: Better document the meaning of the trimSpaces option for Jasper. (markt)
Fix: 61150: Configure the Manager and Host-Manager web applications to permit serialization and deserialization of CRSFPreventionFilter related session objects to avoid warning messages and/or stack traces on web application stop and/or start when running under a security manager. (markt)
Fix: Correct the TLS configuration documentation to remove SSLv2 and SSLv3 from the list of supported protocols. (markt)
Tribes
Add: Add JMX support for Tribes components. (kfujino)
Other
Add: 45832: Add HTTP DIGEST authentication support to the Catalina Ant tasks used to communicate with the Manager application. (markt)
Fix: 45879: Add the RELEASE-NOTES file to the root of the installation created by the Tomcat installer for Windows to make it easier for users to identify the installed Tomcat version. (markt)
Fix: 61055: Clarify the code comments in the rewrite valve to make clear that there are no plans to provide proxy support for this valve since Tomcat does not have proxy capabilities. (markt)
Fix: 61076: Document the altDDName attribute for the Context element. (markt)
Fix: Correct typo in Jar Scan Filter Configuration Reference. Issue reported via comments.apache.org. (violetagg)
Fix: 61145: Add missing @Documented annotation to annotations in the annotations API. Patch provided by Katya Todorova. (markt)
Fix: 61146: Add missing lookup() method to @EJB annotation in the annotations API. Patch provided by Katya Todorova. (markt)
Fix: Correct typo in Context Container Configuration Reference. Patch provided by Katya Todorova. (violetagg)
|
|
|
|
2.6 (2017-08-08)
++++++++++++++++
- Allows generation of IDNA and UTS 46 table data for different
versions of Unicode, by deriving properties directly from
Unicode data.
- Ability to generate RFC 5892/IANA-style table data
- Diagnostic output of IDNA-related Unicode properties and
derived calculations for a given codepoint
- Support for idna.__version__ to report version
- Support for idna.idnadata.__version__ and
idna.uts46data.__version__ to report Unicode version of
underlying IDNA and UTS 46 data respectively.
|
|
1.86 2017-07-04 15:48:46Z
[FIXED]
- use 127.0.0.1 instead of 'localhost' in a test script to avoid the test
hanging due to ipv6 issues (GH#31, see also changes in 1.85)
|
|
6.04 2017-08-03 15:05:22Z
- Fix package version numbers
|
|
The PLIST lists "siegerc" and "urls.txt" under two different
locations under ${PREFIX}/share/examples/siege, but stage-install
only installs them into one of those locations. Remove the other
paths.
|
|
* Sync with www/firefox-55.0.1
|
|
Changelog:
Fixed
Fix a regression in the tab restoration process (bug 1388160)
Fix a problem causing What's new pages not to be displayed (bug 1386224)
Fix a rendering issue with some PKCS#11 libraries (bug 1388370)
Disable the predictor prefetch (bug 1388160)
|
|
Changelog:
Version 10.0.2 May 30 2017
[major] Fix issue with database.xml migration being triggered twice on market app install - core/#27982
[major] Apps formerly marked as shipped can now be uninstalled - core/#27985
[major] Market now properly updates app version when using multiple apps paths - core/#28002
Version 10.0.1 May 23 2017
[major] Clear cached app info before installing app - core/#27953
[major] Fix to allow admin login when using home object store mode - core/#27963
[major] Skeleton files correctly copied for shibboleth - core/#27935
[major] Automatically enable market app when upgrading from OC < 10 - core/#27930
[major] Fix issue where market would run app migrations twice in some scenarios - market/#76
[major] Fetch search terms from user backend (ex: LDAP) for more extended user search ability - core/#27906
[major] Added support for upload-only link shares - core/#27548
[major] When enabling default encryption module the admin must now explicitly choose encryption type (master key vs user key) - core/#27512
[major] Fix missing "publicuri" field when upgrading from 9.1.5 - core/#27754
[major] Add options to the user:sync command to handle missing accounts - core/#27798
[major] Maintenance mode now properly blocks syncing on new DAV endpoint - core/#27821
[major] Copy button for multiple link share now copies the correct link - core/#27863
[major] Fix upload issues with IE11 - core/#27875
[major] Allow apps to register multiple settings panels - core/#27885
[major] Account table doesn't sync from user backends that have no listing support - core/#27862
[major] Add events for password validation - core/#27883
[major] Add JS event after external storage mount config is loaded, for UI extensions - core/#27740
[major] Fix theming of setup page by autoloading default_enable theme apps - core/#27819
[major] Allow apps to register custom settings page sections in info.xml - core/#27634
[major] Add admin sharing option to restrict autocomplete to membership groups but still allow typing full name if known - core/#27869
[minor] Market app update now doesn't overwrite local git checkouts - core/#27973
[minor] Delete "appstoreenabled" config value when enabling market - core/#27956
[minor] Do not verify email address when entered by an admin on their personal page - core/#27921
[minor] Fix default share permission issue in public API core/#27927
[minor] Properly rethrow exception when error occurred when enabling an app - core/#27970
[minor] Remove own shares from "Shared with you" section - core/#27972
[minor] Fix updating to daily from 10.0.0 with web updater - updater/#422
[minor] Fix updating to 10.0.1 with web updater - core/#27965
[minor] Removed unused and non-working auto-login after setup - core/#27971
[minor] Fix SMB storage to return false if stat failed - core/#27859
[minor] Update swiftmailer - core/#27897
[minor] Escape filter in search - core/#27900
[minor] Fix file name output in error pages - core/#27808
[minor] Support for alternative login buttons through config.php - core/#27607
[minor] Example theme app renamed to "theme-example" by convention - core/#27632
[minor] Fix missing translation of built-in section names - core/#27645
[minor] Add ability to disable password reset form in config - core/#27676
[minor] Add support for themed radio buttons - core/#27681
[minor] Fix customjs extension handling for external storage apps - core/#27683
[minor] Fix upgrade error with mod_fcgid and PHP 7 - core/#27553
[minor] Remove sharing subtab when link sharing is disallowed - core/#27708
[minor] Add privacy warning in link shares panel - core/#27844
[minor] Fix files app name in navigation menu - core/#27843
[minor] Fix mimetype table code to ignore folder extensions - core/#27668
[minor] Automatically focus the password field in password reset page - core/#27889
[minor] Trashbin restore warnings due to missing entries now logged as debug - core/#27826
[minor] Remove obsolete repair step RemoveOldShares - core/#27737
[minor] "local link" was renamed to "private link" - core/#27594
[minor] Fix column sorting in public file list page - core/#27308
[minor] Don't display error when not connected to market - market/#51
[minor] Fix issue with some apps info formats - market/#49
[minor] Add ability to uninstall apps in market app UI - market/#67
[minor] Improve visual feedback when installing market apps - market/#64
[minor] Don't display license key in config report - configreport/#27
Version 10.0.0 Apr 27 2017
General
Allows users to add the app to the Android homescreen - core/#25438
Compatible with PHP 7.1 - core/#25436
MySQL 4-byte UTF8 support: (utf8mb4 for e.g. Emoticons) - core/#17978
Admin, personal pages and app management are now merged together into a single "Settings" entry - core/#26449
Admin page displays the output of the server's status.php - core/#27238
Also allow using email address for password recovery - core/#27168
Support Redis Cluster - core/#26407
ownCloud log entry reorder - core/#27562
ownCloud log file rules to split into separate files - core/#27443
occ scanner optimized memory usage for large scans by using autocommits - core/#27527
Filesystem
Ability to exclude folders from being processed, like snapshot folders - core/#19235
Checksum is computed on the fly and verified - core/#26655
Files App
Share Link can be copied to the clipboard - core/#25418
Display version sizes in versions panel - core/#26511
Transfer ownership now works for individual folders - core/#27343
Favorite star indicator now visible in the file lists related to sharing (ex: "Shared with you") - core/#19753
User management
Ability to disable users in the users page (enable column first under cog icon) - core/#27333
When changing personal email, an email confirmation is now sent - core/#7326
When password is changed through any means, the user will now receive an email - core/#27498
Change user preferences through OCC - core/#24770
External storage
"Local" storage type can now be disabled by sysadmin in config.php - core/#26653
External storage backends must use the core external storage API to work without files_external - core/#18160
FTP external storage moved to a separate app files_external_ftp
Dav App
CalDAV calendar public sharing - core/#2ultiple link shares - core/#27337
When a recipient moves a file or folder out of a received share, the owner now receives a backup in their trashbin - core/#27042
User avatars now visible in sharing autocomplete dropdown - core/#25976
Minor chang7473
provisioning API now also returns the user's home path - core/#26850
web updater shows link to changelog in admin page - core/#26796
For developers
Users from all user backends are now stored in a central account table, improves perform Added first login event - core/#26206
Added postLogout hook - core/#27048
New column in oc_jobs table to store last duration - core/#27144
Ability to specify offset and limit when doing a REPORT query on a files endpoint - core/#26507
Avatar API via WebDAV - core/#26872
Improve return value support for two factor auth providers API - core/#26593
Apps can now register Sabre plugins in info.xml - core/#26195
REPORT method for files endpoint now allows searching for favorites - core/#26099
Group backends can now return group display names (partial support, only used by sharing autocomplete) - core/#26750
|
|
Changelog:
Changes
Server
Over 100 fixes were merged in the server.
Update broken on PGSQL
Add brackets around concat statements so comparing the result works a…
Can't close PDF preview
Add a repair step to drop the account_terms table on oc migration
[stable12] Fix show password button for password change
[stable12] Enable postgres on drone again
fix overlay on show password
[stable12] Add new bundle
[stable12] proper logo height in emails for Outlook
scan.nextcloud.com causing exception in theming?
Long running php processes: LDAP timeout
X-XSS-Protection header invalid (NextCloud 12.0.0.29)
[stable12] Fix for mb strlen
[stable12] Fix error message on untrusted domain error page
[12] Fix renaming of non-renamable mounts
[12] Also repair storage id's when repairing invalid entries
[12] still remove the federated share even if we can't notify the remote
[stable12] Show warning if PHP 7.2 is used
[stable12] fix preview for public links
[stable12] Fix config.sample.php documentation
[stable12] Add recovery key on public upload
[stable12] Backport translation fixes
[stable12] Enable acceptance tests again on Drone 0.7
[stable12] Backport allow to theme emails
[stable 12] Add ellipsis for app titles in the app menu popover
[stable12] Fix emitting of legacy hook post_unshare
[stable12] Allow overwriting of IOS theming values
Update 3rdparty for "Fix infinite propfinds reporting files as direct…
[12] Fix invalid path repair step not getting all invalid entries
[stable12] Add test to check if new files are added to the root of the repository
[12] null users don't exist
[12] Fix scan permissions with nested permissions masks
[12] fix moving folders out of a cache jail
Moving shared folders doesn't work as expected
Write cert bundle to tmp file first
[12] properly block file upload to non-active filelist
nc beta 4 internal server error due to totp backup codes
[12] Fix propagating changes within jail wrapper
[12] don't die if we try to access the shared cache while setting up the shared storage
hint should not be clickable
Check if Circles is still here
[stable12] Allow dir-listing also when one child is blocked by access control
[stable12] Fix unselecting items on multi select dropdowns
[stable12] Fix remote share activity emails
[stable12] fix alignment of radio button and its label in encryption settings
Remote share emails doesn't show what's shared.
[stable12] Ldap password renewal fixes for NC12
[stable12] Use PNG icons for activity emails and ios client
[stable12] Use the share_folder config for remote shares
[stable12] Don't load navigation entries of restricted apps
[stable12] Don't try to generate logs for chunking paths
[stable12] Don't log passwords on dav exceptions
Use translated Hint instead of english error on password policy
[stable12] Add info text about updates
[stable12] Use base url for cache prefix and SCSS caching
[stable12] Enhance the logging if the part file can not be renamed
[stable12] Improved logging for object storage and trashbin
[stable12] Fix more icon in apps menu on bright backgrounds
[stable12] Use realpath to obtain the webroot
[stable12] Don't create activities for email and password change before login
[stable12] Allow to force a language and set it via the ocs api
[stable12] Create users in non default backends first
Progress bar message completely wrong with multi-GB file upload
[stable12] Fix example theme
[stable12] Don't try to save the setting when its not an admin
Update layout.user.php
Fix upload remaining time and uploadrate value
[stable12] App menu fixes
[stable12] Allow to find local users by their email address
[stable12] Treat PHP Errors on User session regenerate
[stable12] Ldap attempt reconnect stable12
[stable12] allow users to send PropPatch request when calendar is group-shared with them
[stable12] urldecode group principals in Cal- and CardDAV backend
[stable12] Use the guest.css for the maintenance page as well
[stable12] Fixed a crash caused by Local::copyFromStorage() not conforming to Co…
[stable12] Make file name input tooltip error text change
Translate OAuth2 in stable12
[stable12] Localize contacts menu search input placeholder
[stable12] Prevent sending second WWW-Authenticate header
[stable12] don't try to encrypt/decrypt the certificate bundle
[stable12] allow PropPatch requests to contact_birthdays
[stable12] Fix username and avatar for external users
[stable12] Fix tag label removed when share view is opened
[stable12] Fix unknown share token error message
[stable12] no themed icon when dragging folder
[stable12] Add quota to the files view
"Unspecified share exception" instead of proper 404 page on unknown public share tokens
[stable12] fix "add to your nextcloud" input field
[stable12] Revert "allow admin to disable groups on personal page"
Bearer auth backend causes problems with several dav clients
[stable12] filter missing groups in share provider
[stable12] use the email address configured in Nextcloud as sender instead of the users email address
[stable12] execute eval in global scope, addresses #5314
[stable12] l10n improvements from transifex
Activity
[stable12] Fix mimetype icon of deleted folders
[stable12] Use PNG icons for emails and ios client
[stable12] Ignore paths from chunking
Notifications
Allow to expand the message on click...
text editor
[stable12] Use text editor endpoint for previews
[stable12] Use CRLF line ending by default for better compatibility
Gallery
Fix link when opening from files
[stable12] Do not use probably outdated core translations
Fix the translation source
[stable12] Fix logged error if file ID is not available
[stable12] Merge JS for public pages
PDF viewer
missing context dir
Fix z index for small screen sizes
|
|
* Sync with www/firefox-55.0
* Add be locale
|
|
Changelog:
New
Launched Windows support for WebVR, bringing immersive experiences to the web. See examples and try working demos at Mozilla VR.
Added options that let users optimize recent performance improvements
Setting to enable Hardware VP9 acceleration on Windows 10 Anniversary Edition for better battery life and lower CPU usage while watching videos
Setting to modify the number of concurrent content processes for faster page loading and more responsive tab switching
Simplified installation process with a streamlined Windows stub installer
Firefox for Windows 64-bit is now installed by default on 64-bit systems with at least 2GB of RAM
Full installers with advanced installation options are still available
Improved address bar functionality
Search with any installed one-click search engine directly from the address bar
Search suggestions appear by default
When entering a hostname (like pinterest.com) in the URL bar, Firefox resolves to the secure version of the site (https://www.pinterest.com) instead of the insecure version (http://www.pinterest.com) when possible
Updated Sidebar for bookmarks, history, and synced tabs so it can appear at the right edge of the window as well as the left
Added support for stereo microphones with WebRTC
Pages can be simplified before printing from within Print Preview
Updated Firefox for OSX and macOS to allow users to assign custom keyboard shortcuts to Firefox menu items via System Preferences
Browsing sessions with a high number of tabs are now restored in an instant
Make screenshots of webpages, and save them locally or upload them to the cloud. This feature will undergo A/B testing and will not be visible for some users.
Added Belarusian (be) locale
Fixed
Various security fixes
Changed
Made the Adobe Flash plugin click-to-activate by default and allowed only on http:// and https:// URL schemes. (This change will not be visible to all users immediately. For more information see the Firefox plugin roadmap)
Firefox does not support downgrades, even though this may have worked in past versions. Users who install Firefox 55+ and later downgrade to an earlier version may experience issues with Firefox.
Modernized application update UI to be less intrusive and more aligned with the rest of the browser. Only users who have not restarted their browser 8 days after downloading an update or users who opted out of automatic updates will see this change.
Security fixes:
CVE-2017-7798: XUL injection in the style editor in devtools
Reporter
Frederik Braun
Impact
critical
Description
The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool.
References
Bug 1371586, 1372112
CVE-2017-7800: Use-after-free in WebSockets during disconnection
Reporter
Looben Yang
Impact
critical
Description
A use-after-free vulnerability can occur in WebSockets when the object holding the connection is freed before the disconnection operation is finished. This results in an exploitable crash.
References
Bug 1374047
CVE-2017-7801: Use-after-free with marquee during window resizing
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur while re-computing layout for a marquee element during window resizing where the updated style object is freed while still in use. This results in a potentially exploitable crash.
References
Bug 1371259
CVE-2017-7809: Use-after-free while deleting attached editor DOM node
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when an editor DOM node is deleted prematurely during tree traversal while still bound to the document. This results in a potentially exploitable crash.
References
Bug 1380284
CVE-2017-7784: Use-after-free with image observers
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when reading an image observer during frame reconstruction after the observer has been freed. This results in a potentially exploitable crash.
References
Bug 1376087
CVE-2017-7802: Use-after-free resizing image elements
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating the DOM during the resize event of an image element. If these elements have been freed due to a lack of strong references, a potentially exploitable crash may occur when the freed elements are accessed.
References
Bug 1378147
CVE-2017-7785: Buffer overflow manipulating ARIA attributes in DOM
Reporter
Nils
Impact
high
Description
A buffer overflow can occur when manipulating Accessible Rich Internet Applications (ARIA) attributes within the DOM. This results in a potentially exploitable crash.
References
Bug 1356985
CVE-2017-7786: Buffer overflow while painting non-displayable SVG
Reporter
Nils
Impact
high
Description
A buffer overflow can occur when the image renderer attempts to paint non-displayable SVG elements. This results in a potentially exploitable crash.
References
Bug 1365189
CVE-2017-7806: Use-after-free in layer manager with SVG
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when the layer manager is freed too early when rendering specific SVG content, resulting in a potentially exploitable crash.
References
Bug 1378113
CVE-2017-7753: Out-of-bounds read with cached style data and pseudo-elements
Reporter
SkyLined
Impact
high
Description
An out-of-bounds read occurs when applying style rules to pseudo-elements, such as ::first-line, using cached style data.
References
Bug 1353312
CVE-2017-7787: Same-origin policy bypass with iframes through page reloads
Reporter
Oliver Wagner
Impact
high
Description
Same-origin policy protections can be bypassed on pages with embedded iframes during page reloads, allowing the iframes to access content on the top level page, leading to information disclosure.
References
Bug 1322896
CVE-2017-7807: Domain hijacking through AppCache fallback
Reporter
Mathias Karlsson
Impact
high
Description
A mechanism that uses AppCache to hijack a URL in a domain using fallback by serving the files from a sub-path on the domain. This has been addressed by requiring fallback files be inside the manifest directory.
References
Bug 1376459
CVE-2017-7792: Buffer overflow viewing certificates with an extremely long OID
Reporter
Fraser Tweedale
Impact
high
Description
A buffer overflow will occur when viewing a certificate in the certificate manager if the certificate has an extremely long object identifier (OID). This results in a potentially exploitable crash.
References
Bug 1368652
CVE-2017-7804: Memory protection bypass through WindowsDllDetourPatcher
Reporter
Stephen Fewer
Impact
high
Description
The destructor function for the WindowsDllDetourPatcher class can be re-purposed by malicious code in concert with another vulnerability to write arbitrary data to an attacker controlled location in memory. This can be used to bypass existing memory protections in this situation.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1372849
CVE-2017-7791: Spoofing following page navigation with data: protocol and modal alerts
Reporter
Jose María Acuña
Impact
moderate
Description
On pages containing an iframe, the data: protocol can be used to create a modal alert that will render over arbitrary domains following page navigation, spoofing of the origin of the modal alert from the iframe content.
References
Bug 1365875
CVE-2017-7808: CSP information leak with frame-ancestors containing paths
Reporter
Jun Kokatsu
Impact
moderate
Description
A content security policy (CSP) frame-ancestors directive containing origins with paths allows for comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information.
References
Bug 1367531
CVE-2017-7782: WindowsDllDetourPatcher allocates memory without DEP protections
Reporter
Arthur Edelstein
Impact
moderate
Description
An error in the WindowsDllDetourPatcher where a RWX ("Read/Write/Execute") 4k block is allocated but never protected, violating DEP protections.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1344034
CVE-2017-7781: Elliptic curve point addition error when using mixed Jacobian-affine coordinates
Reporter
Antonio Sanso
Impact
moderate
Description
An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result POINT_AT_INFINITY when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an incorrect shared secret.
References
Bug 1352039
CVE-2017-7794: Linux file truncation via sandbox broker
Reporter
Jann Horn
Impact
moderate
Description
On Linux systems, if the content process is compromised, the sandbox broker will allow files to be truncated even though the sandbox explicitly only has read access to the local file system and no write permissions.
Note: This attack only affects the Linux operating system. Other operating systems are not affected.
References
Bug 1374281
CVE-2017-7803: CSP containing 'sandbox' improperly applied
Reporter
Rhys Enniks
Impact
moderate
Description
When a page’s content security policy (CSP) header contains a sandbox directive, other directives are ignored. This results in the incorrect enforcement of CSP.
References
Bug 1377426
CVE-2017-7799: Self-XSS XUL injection in about:webrtc
Reporter
Frederik Braun
Impact
moderate
Description
JavaScript in the about:webrtc page is not sanitized properly before being assigned to innerHTML. Data on this page is supplied by WebRTC usage and is not under third-party control, making this difficult to exploit, but the vulnerability could possibly be used for a cross-site scripting (XSS) attack.
References
Bug 1372509
CVE-2017-7783: DOS attack through long username in URL
Reporter
Amit Sangra
Impact
low
Description
If a long user name is used in a username/password combination in a site URL (such as http://UserName:Password@example.com), the resulting modal prompt will hang in a non-responsive state or crash, causing a denial of service.
References
Bug 1360842
CVE-2017-7788: Sandboxed about:srcdoc iframes do not inherit CSP directives
Reporter
Muneaki Nishimura
Impact
low
Description
When an iframe has a sandbox attribute and its content is specified using srcdoc, that content does not inherit the containing page's Content Security Policy (CSP) as it should unless the sandbox attribute included allow-same-origin.
References
Bug 1073952
CVE-2017-7789: Failure to enable HSTS when two STS headers are sent for a connection
Reporter
Muneaki Nishimura
Impact
low
Description
If a server sends two Strict-Transport-Security (STS) headers for a single connection, they will be rejected as invalid and HTTP Strict Transport Security (HSTS) will not be enabled for the connection.
References
Bug 1074642
CVE-2017-7790: Windows crash reporter reads extra memory for some non-null-terminated registry values
Reporter
Xiaoyin Liu
Impact
low
Description
On Windows systems, if non-null-terminated strings are copied into the crash reporter for some specific registry keys, stack memory data can be copied until a null is found. This can potentially contain private data from the local system.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1350460
CVE-2017-7796: Windows updater can delete any file named update.log
Reporter
Matt Howell
Impact
low
Description
On Windows systems, the logger run by the Windows updater deletes the file "update.log" before it runs in order to write a new log of that name. The path to this file is supplied at the command line to the updater and could be used in concert with another local exploit to delete a different file named "update.log" instead of the one intended.
Note: This attack only affects Windows operating systems. Other operating systems are not affected.
References
Bug 1234401
CVE-2017-7797: Response header name interning leaks across origins
Reporter
Anne van Kesteren
Impact
low
Description
Response header name interning does not have same-origin protections and these headers are stored in a global registry. This allows stored header names to be available cross-origin.
References
Bug 1334776
CVE-2017-7780: Memory safety bugs fixed in Firefox 55
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Gary Kwong, Christian Holler, André Bargull, Bob Clary, Carsten Book, Emilio Cobos Álvarez, Masayuki Nakano, Sebastian Hengst, Franziskus Kiefer, Tyson Smith, and Ronald Crane reported memory safety bugs present in Firefox 54. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 55
CVE-2017-7779: Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Masayuki Nakano, Gary Kwong, Ronald Crane, Andrew McCreight, Tyson Smith, Bevis Tseng, Christian Holler, Bryce Van Dyk, Dragana Damjanovic, Kartikaya Gupta, Philipp, Tristan Bourvon, and Andi-Bogdan Postelnicu reported memory safety bugs present in Firefox 54 and Firefox ESR 52.2. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 55 and Firefox ESR 52.3
|
|
|
|
Curl and libcurl 7.55.0
Public curl releases: 167
Command line options: 210
curl_easy_setopt() options: 247
Public functions in libcurl: 61
Contributors: 1571
This release includes the following changes:
o curl: allow --header and --proxy-header read from file [7]
o getinfo: provide sizes as curl_off_t [6]
o curl: prevent binary output spewed to terminal [16]
o curl: added --request-target [22]
o libcurl: added CURLOPT_REQUEST_TARGET [22]
o curl: added --socks5-{basic,gssapi}: control socks5 auth [30]
o libcurl: added CURLOPT_SOCKS5_AUTH [30]
This release includes the following bugfixes:
o glob: do not parse after a strtoul() overflow range (CVE-2017-1000101) [85]
o tftp: reject file name lengths that don't fit (CVE-2017-1000100) [84]
o file: output the correct buffer to the user (CVE-2017-1000099) [83]
o includes: remove curl/curlbuild.h and curl/curlrules.h [1]
o dist: make the hugehelp.c not get regenerated unnecessarily [2]
o timers: store internal time stamps as time_t instead of doubles [3]
o progress: let "current speed" be UL + DL speeds combined [4]
o http-proxy: do the HTTP CONNECT process entirely non-blocking [5]
o lib/curl_setup.h: remove CURL_WANTS_CA_BUNDLE_ENV [8]
o fuzz: bring oss-fuzz initial code converted to C89 [10]
o configure: disable nghttp2 too if HTTP has been disabled
o mk-ca-bundle.pl: Check curl's exit code after certdata download [11]
o test1148: verify the -# progressbar [12]
o tests: stabilize test 2032 and 2033 [13]
o HTTPS-Proxy: don't offer h2 for https proxy connections [14]
o http-proxy: only attempt FTP over HTTP proxy [9]
o curl-compilers.m4: enable vla warning for clang [15]
o curl-compilers.m4: enable double-promotion warning [15]
o curl-compilers.m4: enable missing-variable-declarations clang warning [15]
o curl-compilers.m4: enable comma clang warning [15]
o Makefile.m32: enable -W for MinGW32 build [15]
o CURLOPT_PREQUOTE: not supported for SFTP [17]
o http2: fix OOM crash
o PIPELINING_SERVER_BL: cleanup the internal list use [18]
o mkhelp.pl: fix script name in usage text
o lib1521: add curl_easy_getinfo calls to the test set
o travis: do the distcheck test build out-of-tree as well
o if2ip: fix compiler warning in ISO C90 mode
o lib: fix the djgpp build [19]
o typecheck-gcc: add support for CURLINFO_OFF_T [20]
o travis: enable typecheck-gcc warnings [21]
o maketgz: switch to xz instead of lzma [23]
o CURLINFO_REDIRECT_URL.3: mention the CURLOPT_MAXREDIRS case
o curl-compilers.m4: fix unknown-warning-option on Apple clang [24]
o winbuild: fix boringssl build [25]
o curl/system.h: add check for XTENSA for 32bit gcc [26]
o test1537: fixed memory leak on OOM
o test1521: fix compiler warnings [27]
o curl: fix memory leak on test 1147 OOM [28]
o libtest/make: generate lib1521.c dynamically at build-time [29]
o curl_strequal.3: fix typo in SYNOPSIS [31]
o progress: prevent resetting t_starttransfer [32]
o openssl: improve fallback seed of PRNG with a time based hash [33]
o http2: improved PING frame handling [34]
o test1450: add simple testing for DICT [35]
o make: build the docs subdir only from within src [36]
o cmake: Added compatibility options for older Windows versions [37]
o gtls: fix build when sizeof(long) < sizeof(void *) [38]
o url: make the original string get used on subsequent transfers [39]
o timeval.c: Use long long constant type for timeval assignment [40]
o tool_sleep: typecast to avoid macos compiler warning
o travis.yml: use --enable-werror on debug builds [41]
o test1451: add SMB support to the testbed [42]
o configure: remove checks for 5 functions never used [43]
o configure: try ldap/lber in reversed order first [44]
o smb: fix build for djgpp/MSDOS [45]
o travis: install nghttp2 on linux builds [46]
o smb: add support for CURLOPT_FILETIME [47]
o cmake: fix send/recv argument scanner for windows [48]
o inet_pton: fix include on windows to get prototype [49]
o select.h: avoid macro redefinition harder
o cmake: if inet_pton is used, bump _WIN32_WINNT
o asyn-thread.c: fix unused variable warnings on macOS
o runtests: support "threaded-resolver" as a feature
o test506: skip if threaded-resolver
o cmake: remove spurious "-l" from linker flags [50]
o cmake: add CURL_WERROR for enabling "warning as errors"
o memdebug: don't setbuf() if the file open failed [51]
o curl_easy_escape.3: mention the (lack of) encoding [52]
o test1452: add telnet negotiation [53]
o CURLOPT_POSTFIELDS.3: explain the 100-continue magic better
o cmake: offer CMAKE_DEBUG_POSTFIX when building with MSVC [54]
o tests/valgrind.supp: suppress OpenSSL false positive seen on travis [55]
o curl_setup_once: Remove ERRNO/SET_ERRNO macros [56]
o curl-compilers.m4: disable warning spam with Cygwin's clang [57]
o ldap: fix MinGW compiler warning [58]
o make: fix docs build on OpenBSD [59]
o curl_setup: always define WIN32_LEAN_AND_MEAN on Windows [60]
o system.h: include winsock2.h before windows.h
o winbuild: build with warning level 4 [61]
o rtspd: fix MSVC level 4 warning
o sockfilt: suppress conversion warning with explicit cast
o libtest: fix MSVC warning C4706
o darwinssl: fix pinnedpubkey build error [62]
o tests/server/resolve.c: fix deprecation warning [63]
o nss: fix a possible use-after-free in SelectClientCert() [64]
o checksrc: escape open brace in regex
o multi: mention integer overflow risk if using > 500 million sockets [65]
o darwinssl: fix --tlsv1.2 regression [66]
o timeval: struct curltime is a struct timeval replacement [67]
o curl_rtmp: fix a compiler warning [68]
o include.d: clarify that it concerns the response headers [69]
o cmake: support make uninstall [70]
o include.d: clarify --include is only for response headers [71]
o libcurl: Stop using error codes defined under CURL_NO_OLDIES [72]
o http: fix response code parser to avoid integer overflow [73]
o configure: fix the check for IdnToUnicode [74]
o multi: fix request timer management [75]
o curl_threads: fix MSVC compiler warning [76]
o travis: build on osx with openssl
o travis: build on osx with libressl
o CURLOPT_NETRC.3: mention the file name on windows
o cmake: set MSVC warning level to 4 [77]
o netrc: skip lines starting with '#' [78]
o darwinssl: fix curlssl_sha256sum() compiler warnings on first argument
o BUILD.WINDOWS: mention buildconf.bat for builds off git
o darwinssl: silence compiler warnings [79]
o travis: build on osx with darwinssl
o FTP: skip unnecessary CWD when in nocwd mode [80]
o gssapi: fix memory leak of output token in multi round context [81]
o getparameter: avoid returning uninitialized 'usedarg' [82]
o curl (debug build) easy_events: make event data static
o curl: detect and bail out early on parameter integer overflows [86]
o configure: fix recv/send/select detection on Android [87]
|
|
Bump the PKGREVISION where the package install script has changed
due to changes in MAKE_DIRS or OWN_DIRS.
|
|
WordPress 4.8.1 contains 29 maintenance fixes and enhancements to the 4.8 release series, chief among them are fixes to the rich Text widget and the introduction of the Custom HTML widget.
Administration
* #40982 - Permalink Settings: custom structure field keyboard trap
Build/Test Tools
* #41327 - Bump Akismet External - 4.9 Edition
Comments
* #40975 - 'Empty Spam' and 'Empty Trash' comment buttons not displayed on mobile
Customize
* #40978 - Customizer Panel Footer border missing
* #40981 - Customizer: Menus: it is far too easy to mistakenly delete a menu because the "Delete Menu" link and the "Add Items" button are too close together
* #41158 - Increase tinymce panel z-index
* #41410 - Set `'filter' => 'content'` on starter content "business info" widget
Embeds
* #41019 - oEmbed: Update VideoPress oEmbed URL
* #41048 - `WP_oEmbed_Controller::get_proxy_item()` should remove `_wpnonce` from cached `$args`
* #41299 - oEmbed proxy fails to forward maxwidth and maxheight params
General
* #41056 - WP-API JS Client: Settings is incorrectly registered as a collection
Media
* #41231 - media-views.js: Cannot read .length of undefined (this.controller.$uploaderToggler.length)
REST API
* #38964 - Add filter to allow modifying response *after* embedded data is added
* #40886 - REST API: PUT requests fail on Nginx servers when fancy permalinks aren't enabled
Taxonomy
* #41010 - wp_get_object_terms() returns duplicate terms if more than one taxonomy is given in args
TinyMCE
* #41408 - TinyMCE: Images with link and caption look "broken" when selected
Widgets
* #40907 - Introduce widget dedicated for HTML code
* #40935 - Facebook Video Works On Preview But Not On Theme
* #40951 - New Text Widget - Switching Between Visual/Text Editor Strips Out Code
* #40960 - Widgets: The Text widget should respect the “Disable the visual editor when writing” setting
* #40972 - TinyMCE editor in Text widget does not have RTL contents
* #40974 - Updated text widget do not save text (when using paste)
* #40977 - Widgets: Query param for `loop` added for non-hosted external videos
* #40986 - Widgets: text widget and media widgets cannot be edited in accessibility mode
* #41021 - Text widget does not show Title field or TinyMCE editor
* #41361 - Text widget can raise JS error if customize-base is enqueued on widgets admin screen
* #41386 - Text Widget - Wording - Legacy Mode 4.8.1 beta
* #41392 - Theme styles for Text widget do not apply to Custom HTML widget
* #41394 - Text widget: Rename legacy mode to visual mode and improve back-compat for widget_text filters
|
|
Upstream changes:
0.205001 2017-07-11 08:03:21-05:00 America/Chicago
[ BUG FIXES ]
* GH #1332: Add check for old version of HTTP::XSCookies (Peter Mottram -
SysPete)
* GH #1336: Fix warnings on 5.10 and below. (Sawyer X)
* GH #1347: Add Perl versions 5.22-5.26 and appveyor to Travis-CI
configuration (Dave Jacoby)
[ ENHANCEMENTS ]
* GH #1281: Use Ref::Util in Core for all reference checks (Mickey
Nasriachi)
* GH #1338: Add message explaining how to run newly-created application
(Jonathan Cast)
[ DOCUMENTATION ]
* GH #1334: Fix prefix example in Cookbook (Abdullah Diab)
* GH #1335: Add missing word in request->host docs (Glenn Fowler)
* GH #1337: Fix link in SEE ALSO section of Dancer2::Core::Types (Stefan
Hornburg - Racke)
* GH #1341: Clarify plugin documentation (Stefan Hornburg - Racke)
* GH #1345, #1351, #1356: Fix password check code example in tutorial
(Jonathan Cast)
* GH #1355: Fix typo (Gregor Herrmann)
|
|
- CI improvements:
* Add basic working Circle CI v2 config
- Fix URI encoding bug introduced in 39
* Improve cheroot.test.helper.Controller to properly match unicode
v5.8.0
- CI improvements:
* Switch to native PyPy support in Travis CI
* Take into account PEP 257 compliant modules
* Build wheel in Appveyor and store it as an artifact
- Improve urllib support in ``_compat`` module
- 38 via 39: Improve URI parsing:
* Make it compliant with RFC 7230, RFC 7231 and RFC 2616
* Fix setting of ``environ['QUERY_STRING']`` in WSGI
* Introduce ``proxy_mode`` and ``strict_mode`` argument in ``server.HTTPRequest``
* Fix decoding of unicode URIs in WSGI 1.0 gateway
|
|
Don’t raise deprecation warning on loop.run_until_complete(client.close())
|
|
Fix error where transport.get_extra_info returned None
Remove uvloop requirement for gunicorn worker
Fix error where request.token() would fail if Authorization headers were not provided
Added an abort function to easily exit out of route handlers
Added a file_stream response handler
Add support for streaming large static files
Added streaming requests
Added websocket max_size and max_queue configuration
Fixed test client not working with HTTP2
Added match_info property to request class
Added support for recycling the gunicorn worker
Added an Unauthorized exception
Added a Forbidden exception
Added a graceful timeout when shutdown
|
|
Fix issue with synchronous session closing when using ClientSession as an asynchronous context manager.
|
|
* Minimum PHP version.
* Require php-pdo_mysql.
Bump PKGREVISION.
|
|
Bugfixes:
Fixed a regression in 1.11.3 on Python 2 where non-ASCII format values for date/time widgets results in an empty value in the widget’s HTML.
Fixed QuerySet.union() and difference() when combining with a queryset raising EmptyResultSet.
Fixed a regression in pickling of LazyObject on Python 2 when the wrapped object doesn’t have __reduce__().
Fixed crash in runserver’s autoreload with Python 2 on Windows with non-str environment variables.
Corrected Field.has_changed() to return False for disabled form fields: BooleanField, MultipleChoiceField, MultiValueField, FileField, ModelChoiceField, and ModelMultipleChoiceField.
Fixed QuerySet.count() for union(), difference(), and intersection() queries.
Fixed ClearableFileInput rendering as a subwidget of MultiWidget. Custom clearable_file_input.html widget templates will need to adapt for the fact that context values checkbox_name, checkbox_id, is_initial, input_text, initial_text, and clear_checkbox_label are now attributes of widget rather than appearing in the top-level context.
Fixed queryset crash when using a GenericRelation to a proxy model
|
|
Version 0.15
~~~~~~~~~~~~
Released on 2017-06-27.
* Add ``Freezer.freeze_yield()`` method to make progress reporting easier.
(Thanks to Miro Hrončok.)
Version 0.14
~~~~~~~~~~~~
Released on 2017-03-22.
* Add the ``FREEZER_SKIP_EXISTING`` configuration to skip generation
of files already in the build directory. (Thanks to Antoine Goutenoir.)
* Add shared superclass ``FrozenFlaskWarning`` for all warnings.
(Thanks to Miro Hrončok.)
|
|
|
|
|
|
|
|
|
|
pkgsrc change: correct DESCR.
The bugfix release fixes the issues with the new DCA picker.
|
|
|
|
|
|
Remove insecure Js2Py library (code execution risk)
Please upgrade to 1.8.0 immediately.
Versions 1.6.6 to 1.7.1 are vulnerable to code execution. If you are running a vulnerable version, a malicious website owner could craft a page which executes arbitrary Python code on the machine that runs this script. This can only occur if the website that the user attempts to scrape has specifically prepared a page to exploit vulnerable versions of cfscrape.
|
|
Update DEPENDS
Minor cleanup
Upstream changes:
1.72 2017-07-25
- Convert the dist to Dist::Zilla for authoring.
- Remove recommendation of Business::ISBN as urn/isbn.pm is deprecated
- Use Test::Needs instead of raw eval in urn-isbn.t
|
|
* Fix error when trying to open pages that contain HTML entities that
decode to unicode characters in their <head> sections
|
|
Sorry, the upstream changelog has not been updated in 4 years and the git
log output mostly refers to pull request numbers.
Mostly bug fixes, including one that improves compatibility with Ruby 2.3.0
(getting rid of "Object#timeout is deprecated, use Timeout.timeout" prints)
|
|
This release is compatible with PHP 7.x
Changes are listed at http://piwigo.org/basics/archive
|
|
*) Security: a specially crafted request might result in an integer
overflow and incorrect processing of ranges in the range filter,
potentially resulting in sensitive information leak (CVE-2017-7529).
Changes with nginx 1.13.2:
*) Change: nginx now returns 200 instead of 416 when a range starting
with 0 is requested from an empty file.
*) Feature: the "add_trailer" directive.
*) Bugfix: nginx could not be built on Cygwin and NetBSD; the bug had
appeared in 1.13.0.
*) Bugfix: nginx could not be built under MSYS2 / MinGW 64-bit.
*) Bugfix: a segmentation fault might occur in a worker process when
using SSI with many includes and proxy_pass with variables.
*) Bugfix: in the ngx_http_v2_module.
Changes with nginx 1.13.1:
*) Feature: now a hostname can be used as the "set_real_ip_from"
directive parameter.
*) Feature: vim syntax highlighting scripts improvements.
*) Feature: the "worker_cpu_affinity" directive now works on DragonFly
BSD.
*) Bugfix: SSL renegotiation on backend connections did not work when
using OpenSSL before 1.1.0.
*) Workaround: nginx could not be built with Oracle Developer Studio
12.5.
*) Workaround: now cache manager ignores long locked cache entries when
cleaning cache based on the "max_size" parameter.
*) Bugfix: client SSL connections were immediately closed if deferred
accept and the "proxy_protocol" parameter of the "listen" directive
were used.
*) Bugfix: in the "proxy_cache_background_update" directive.
*) Workaround: now the "tcp_nodelay" directive sets the TCP_NODELAY
option before an SSL handshake.
|
|
|
|
*) Security: a specially crafted request might result in an integer
overflow and incorrect processing of ranges in the range filter,
potentially resulting in sensitive information leak (CVE-2017-7529).
PkgSrc:
*) Updated external modules
*) Added RTMP module (Media Streaming Server)
|
|
new: lots of improvements of components API, including asyncio support
|
|
|
|
go14 has no relro support AFAICT.
go-1.8.3 has if you use -buildmode=pie, but it claims it's not supported
on Linux.
Disable relro checking for go packages until bsiegert has time to
look at this.
|
|
Upstream changes:
RELEASE-NOTES-1.29
== MediaWiki 1.29 ==
=== Configuration changes in 1.29 ===
* Default cookie expiration time has been reduced to 30 days. Login cookie
expiration time is kept at 180 days.
* A new configuration variable has been added: $wgCookieSetOnAutoblock. This
determines whether to set a cookie when a user is autoblocked. Doing so means
that a blocked user, even after logging out and moving to a new IP address,
will still be blocked.
* The resetpassword right and associated password reset capture feature has
been removed.
* The $error parameter to the EmailUser hook should be set to a Status object
or boolean false. This should be compatible with at least MediaWiki 1.23 if
not earlier. Returning a raw HTML string is now deprecated.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* $wgUserEmailUseReplyTo is now true by default to work around restrictive DMARC
policies.
* Subpages are now enabled by default in the Template namespace. Set
$wgNamespacesWithSubpages[NS_TEMPLATE] to false to keep the old behavior.
* $wgRunJobsAsync is now false by default (T142751). This change only affects
wikis with $wgJobRunRate > 0.
* (T158474) "Unknown user" has been added to $wgReservedUsernames.
* (T156983) $wgRateLimitsExcludedIPs now accepts CIDR ranges as well as single IPs.
* $wgDummyLanguageCodes is deprecated. Additional language code mappings may be
added to $wgExtraLanguageCodes instead.
* (T161453) LocalisationCache will no longer use the temporary directory in its
fallback chain when trying to work out where to write the cache.
* The user right 'editusercssjs' (deprecated in 1.16) was removed. Use
'editusercss' and 'edituserjs' in $wgGroupPermissions and elsewhere instead.
=== New features in 1.29 ===
* (T5233) A cookie can now be set when a user is autoblocked, to track that user
if they move to a new IP address. This is disabled by default.
* Added ILocalizedException interface to standardize the use of localized
exceptions, largely so the API can handle them more sensibly.
* Blocks created automatically by MediaWiki, such as for configured proxies or
dnsbls, are now indicated as such and use a new i18n message when displayed.
* Added new $wgHTTPImportTimeout setting. Sets timeout for
downloading the XML dump during a transwiki import in seconds.
* Parser limit report is now available in machine-readable format to JavaScript
via mw.config.get('wgPageParseReport').
* Added $wgSoftBlockRanges, to allow for automatically blocking anonymous edits
from certain IP ranges (e.g. private IPs).
* (T59603) Added new magic word {{PAGELANGUAGE}} which returns the language code
of the page being parsed.
* HTML5 form validation attributes will no longer be suppressed. Originally
browsers had poor support for them, but modern browsers handle them fine.
This might affect some forms that used them and only worked because the
attributes were not actually being set.
* Expiry times can now be specified when users are added to user groups.
* Completely new user interface for the RecentChanges page, which
structures filters into user-friendly groups. This has corresponding
changes to how filters are registered by core and extensions.
* The edit form now uses pretty OOjs UI buttons, checkboxes and summary input.
Because this change can cause problems for extensions and on-wiki
scripts depending on the exact HTML, the old version is still available
and can be used by setting $wgOOUIEditPage = false; in LocalSettings.php.
This will be removed later and OOjs UI will become the only option.
To make testing easier, users can also force either mode by adding
&ooui=true or &ooui=false to the action=edit URL.
=== External library changes in 1.29 ===
==== Upgraded external libraries ====
* Updated QUnit from v1.22.0 to v1.23.1.
* Updated cssjanus from v1.1.2 to v1.2.0.
* Updated psr/log from v1.0.0 to v1.0.2.
* Update Moment.js from v2.8.4 to v2.15.0.
* Updated oyejorge/less.php from v1.7.0.10 to v1.7.0.14.
* Updated monolog from v1.18.2 to 1.22.1.
* Updated wikimedia/composer-merge-plugin from v1.3.1 to v1.4.0.
* Updated OOjs from v1.1.10 to v2.0.0.
==== New external libraries ====
* Added wikimedia/timestamp v1.0.0.
* Added wikimedia/remex-html v1.0.1.
==== Removed and replaced external libraries ====
=== Bug fixes in 1.29 ===
* (T62604) Core parser functions returning a number now format the number according
to the page content language, not wiki content language.
* (T27187) Search suggestions based on jquery.suggestions will now correctly only
highlight prefix matches in the results.
* (T157035) "new mw.Uri()" was ignoring options when using default URI.
* Special:Allpages can no longer be filtered by redirect in miser mode.
* (T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
* (T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect
to interwiki links.
* (T144845) SECURITY: XSS in SearchHighlighter::highlightText() when
$wgAdvancedSearchHighlighting is true.
* (T125177) SECURITY: API parameters may now be marked as "sensitive" to keep
their values out of the logs.
* (T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF
token.
* (T156184) SECURITY: Escape content model/format url parameter in message.
* (T151735) SECURITY: SVG filter evasion using default attribute values in DTD
declaration.
* (T161453) SECURITY: LocalisationCache will no longer use the temporary directory
in its fallback chain when trying to work out where to write the cache.
* (T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion
syntax's link parameter.
* (T108138) SECURITY: Sysops can undelete pages, although the page is protected against
it.
=== Action API changes in 1.29 ===
* Submitting sensitive authentication request parameters to action=login,
action=clientlogin, action=createaccount, action=linkaccount, and
action=changeauthenticationdata in the query string is now an error. They
should be submitted in the POST body instead.
* The capture option for action=resetpassword has been removed
* action=clearhasmsg now requires a POST.
* (T47843) API errors and warnings may be requested in non-English languages
using the new 'errorformat', 'errorlang', and 'errorsuselocal' parameters.
* API error codes may have changed. Most notably, errors from modules using
parameter prefixes (e.g. all query submodules) will no longer be prefixed.
* ApiPageSet-using modules will report the 'invalidreason' using the specified
'errorformat'.
* action=emailuser may return a "Warnings" status, and now returns 'warnings' and
'errors' subelements (as applicable) instead of 'message'.
* action=imagerotate returns an 'errors' subelement rather than 'errormessage'.
* action=move now reports errors when moving the talk page as an array under
key 'talkmove-errors', rather than using 'talkmove-error-code' and
'talkmove-error-info'. The format for subpage move errors has also changed.
* action=revisiondelete no longer includes a "rendered" property on warnings
and errors for each item. Use errorformat=wikitext if you're wanting parsed
output.
* action=rollback no longer returns a "messageHtml" property. Use
errorformat=html if you're wanting HTML formatting of error messages.
* action=upload now reports optional stash failures as an array under key
'stasherrors' rather than a 'stashfailed' text string.
* action=watch reports 'errors' and 'warnings' instead of a single 'error', and
no longer returns a 'message' on success.
* Added action=validatepassword to validate passwords for the account creation
and password change forms.
* action=purge now requires a POST.
* There is a new `languagevariants` siprop for action=query&meta=siteinfo,
which returns a list of languages with active LanguageConverter instances.
* action=query&query=allpages will no longer filter redirects using a database
query in miser mode. This may result in less results being returned than were
requested.
=== Action API internal changes in 1.29 ===
* New methods were added to ApiBase to handle errors and warnings using i18n
keys. Methods for using hard-coded English messages were deprecated:
* ApiBase::dieUsage() was deprecated
* ApiBase::dieUsageMsg() was deprecated
* ApiBase::dieUsageMsgOrDebug() was deprecated
* ApiBase::getErrorFromStatus() was deprecated
* ApiBase::parseMsg() was deprecated
* ApiBase::setWarning() was deprecated
* ApiBase::$messageMap is no longer public. Code attempting to access it will
result in a PHP fatal error.
* The $message parameter to the ApiCheckCanExecute hook should be set to an
ApiMessage. This is compatible with MediaWiki 1.27 and later. Returning a
code for ApiBase::parseMsg() will no longer work.
* UsageException is deprecated in favor of ApiUsageException. For the time
being ApiUsageException is a subclass of UsageException to allow things that
catch only UsageException to still function properly.
* If, for some strange reason, code was using an ApiErrorFormatter instead of
ApiErrorFormatter_BackCompat, note that the result format has changed and
various methods now take a module path rather than a module name.
* ApiMessageTrait::getApiCode() now strips 'apierror-' and 'apiwarn-' prefixes
from the message key, and maps some message keys for backwards compatibility.
* API parameters may now be marked as "sensitive" to keep their values out of
the logs.
=== extension.json changes in 1.29 ===
* Extensions must set a value for "manifest_version" in their extension.json
or skin.json files. See
<https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#manifest_version>
for details.
* Extensions can now specify dependencies upon other extensions by using the
"requires" key. See
<https://www.mediawiki.org/wiki/Manual:Extension.json/Schema#requires> for
more details.
* (T151136) Functions set as the "callback" now receive that extension's credits
information as the first argument.
* (T149597) "PasswordPolicy" can be set in extension.json.
=== Languages updated in 1.29 ===
MediaWiki supports over 350 languages. Many localisations are updated
regularly. Below only new and removed languages are listed, as well as
changes to languages because of Phabricator reports.
* Based as always on linguistic studies on intelligibility and language
knowledge by geography, language fallbacks have been expanded. When a
translation is missing in the user's preferred interface language, the
corresponding translation for the fallback language will be used instead.
English will only be used as last resort when there are no translations.
Some configurations (such as date formats and gender namespaces) have also
been updated when using the fallback language's configuration was inadequate.
The new or reinstated language fallbacks are (after cs ↔ sk in 1.28):
ca ↔ oc; hsb ↔ dsb; io → eo; mdf → ru; pnt → el; roa-tara → it; rup → ro;
sh → bs, sr-el, hr.
* (T137376) New language support: Atikamekw (atj).
* (T163600) New language support: Dinka (din).
* (T155957) Talk Namespaces for Javanese language (jv) have been updated.
==== No fallback for Ukrainian ====
* (T39314) The fallback from Ukrainian to Russian was removed. The Ukrainian
language will now use the default fallback language: English. When a translation
to Ukrainian is not available, an English string will be shown.
=== Other changes in 1.29 ===
* Database::getSearchEngine() (deprecated in 1.28) was removed. Use
SearchEngineFactory::getSearchEngineClass() instead.
* $wgSessionsInMemcached (deprecated in 1.20) was removed. No replacement is
required as all sessions are stored in Object Cache now.
* MWHttpRequest::execute() should be considered to return a StatusValue; the
Status return type is deprecated.
* User::edits() (deprecated in 1.21) was removed.
* Xml::escapeJsString() (deprecated in 1.21) was removed.
* Article::getText() and Article::prepareTextForEdit() (deprecated in 1.21)
were removed.
* Article::getAutosummary() and WikiPage::getAutosummary() (deprecated in 1.21)
were removed.
* Hook ArticleViewCustom (deprecated in 1.21) was removed. Use ArticleContentViewCustom
instead.
* Hooks EditPageGetDiffText and ShowRawCssJs (deprecated in 1.21) were removed.
* Class RevisiondeleteAction (deprecated in 1.25) was removed.
* WikiPage::prepareTextForEdit() (deprecated in 1.21) was removed.
* WikiPage::getText() (deprecated in 1.21) was removed.
* Article::fetchContent() (deprecated in 1.21) was removed.
* User::getPassword() (deprecated in 1.27) was removed.
* User::getTemporaryPassword() (deprecated in 1.27) was removed.
* User::isPasswordReminderThrottled() (deprecated in 1.27) was removed.
* Class FSRepo (deprecated in 1.19) was removed.
* WebRequest::checkSessionCookie() (deprecated in 1.27) was removed. Use
\MediaWiki\Session\SessionManager::singleton()->getPersistedSessionId() instead.
* Class ImageGallery (deprecated in 1.22) was removed.
Use ImageGalleryBase::factory instead.
* Title::moveNoAuth() (deprecated in 1.25) was removed. Use MovePage class instead.
* Hook UnknownAction (deprecated in 1.19) was actually deprecated (it will now
emit warnings). Create a subclass of Action and add it to $wgActions instead.
* WikiRevision::getText() (deprecated since 1.21) is no longer marked deprecated.
* Linker::getInterwikiLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributes() (deprecated since 1.25) was removed.
* Linker::getInternalLinkAttributesObj() (deprecated since 1.25) was removed.
* Linker::getLinkAttributesInternal() (deprecated since 1.25) was removed.
* RedisConnectionPool::handleException (deprecated since 1.23) was removed.
* The static properties mw.Api.errors and mw.Api.warnings, containing incomplete
and outdated lists of errors/warnings returned by the API, are now deprecated.
* wiki.phtml entry point was removed. Refer to index.php instead. If you want "wiki.phtml"
URLs to continue to work, set up redirects. In Apache, this can be done by enabling
mod_rewrite and adding the following rules to your configuration:
RewriteEngine On
RewriteBase /
RewriteRule ^/w/wiki\.phtml$ /w/index.php [R=301,L]
* Hook ArticleAfterFetchContent (deprecated in 1.21) was removed.
Use ArticleAfterFetchContentObject instead.
* Hook ArticleInsertComplete (deprecated in 1.21) was removed.
Use PageContentInsertComplete instead.
* Hook ArticleSave (deprecated in 1.21) was removed.
Use PageContentSave instead.
* Hook ArticleSaveComplete (deprecated in 1.21) was removed.
Use PageContentSaveComplete instead.
* Hook EditFilterMerged (deprecated in 1.21) was removed.
Use EditFilterMergedContent instead.
* Hook EditPageGetPreviewText (deprecated in 1.21) was removed.
Use EditPageGetPreviewContent instead.
* Hook TitleIsCssOrJsPage (deprecated in 1.21) was removed.
Use ContentHandlerDefaultModelFor instead.
* Hook TitleIsWikitextPage (deprecated in 1.21) was removed.
Use ContentHandlerDefaultModelFor instead.
* Article::getContent() (deprecated in 1.21) was removed.
* Revision::getText() (deprecated in 1.21) was removed.
* Article::doEdit() and WikiPage::doEdit() (deprecated in 1.21) were removed.
* Parser::replaceUnusualEscapes() (deprecated in 1.24) was removed.
* Article::doEditContent() was marked as deprecated, to be removed in 1.30
or later.
* ContentHandler::runLegacyHooks() was removed.
* refreshLinks.php now can be limited to a particular category with --category=...
or a tracking category with --tracking-category=...
* User-like objects that are passed to SpecialUserRights and its subclasses are
now required to have a getGroupMemberships() method. See UserRightsProxy for
an example.
* User::$mGroups (instance variable) was marked private. Use User::getGroups()
instead.
* User::getGroupName(), User::getGroupMember(), User::getGroupPage(),
User::makeGroupLinkHTML(), and User::makeGroupLinkWiki() were deprecated.
Use equivalent methods on the UserGroupMembership class.
* Maintenance scripts and tests that call User::addGroup() must now ensure that
User objects have been added to the database prior to calling addGroup().
* Protected function UsersPager::getGroups() was removed, and protected function
UsersPager::buildGroupLink() was changed from a static to an instance method.
* The third parameter ($cache) to the UsersPagerDoBatchLookups hook was changed;
see docs/hooks.txt.
* User::crypt() (deprecated in 1.24) was removed.
* User::comparePasswords() (deprecated in 1.24) was removed.
* ArchivedFile::getUserText() (deprecated in 1.23) was removed.
* HTMLFileCache::newFromTitle() (deprecated in 1.24) was removed.
* BREAKING CHANGE: Internal signature changes to ChangesListSpecialPage
and subclasses. It should only break if you call buildMainQueryConds
(changed to buildQuery with new signature) or doMainQuery (new
signature). Subclasses are likely to call at least doMainQuery
(possibly both), but other classes might too, because they were
public.
Also, some related hooks were deprecated, but this is not yet a
breaking change.
* Removed 'jquery.arrowSteps' module. (deprecated since 1.28)
* The 'jquery.autoEllipsis' ResourceLoader module is now deprecated.
* WikiRevision::$fileIsTemp was deprecated.
* WikiRevision::$importer was deprecated.
* WikiRevision::$user was deprecated.
* Article::getLastPurgeTimestamp(), WikiPage::getLastPurgeTimestamp(), and the
WikiPage::PURGE_* constants are deprecated, and the functions will always
return false. They were a hack for an issue that has since been fixed.
* Hook 'EditPageBeforeEditChecks' is now deprecated. Instead use the new hook
'EditPageGetCheckboxesDefinition', or 'EditPage::showStandardInputs:options'
if you don't actually care about checkboxes and just want to add some HTML
to the page.
* Selflinks are now rendered as href-less <a> tags with the class mw-selflink
rather than <strong> tags. The old class name, "selflink", was deprecated
and will be removed in a future release. (T160480)
* (T156184) $wgRawHtml will no longer apply to internationalization messages.
* Browser support for non-ES5 JavaScript browsers, including Android 2,
Opera <12.10, and Internet Explorer 9, was lowered from Grade A to Grade C.
* Removed wikibits global methods deprecated since MediaWiki 1.17 (T122755):
is_gecko, is_chrome_mac, is_chrome, webkit_version, is_safari_win, is_safari,
webkit_match, is_ff2, ff2_bugs, is_ff2_win, is_ff2_x11, opera95_bugs,
opera7_bugs, opera6_bugs, is_opera_95, is_opera_preseven, is_opera,
ie6_bugs, clientPC, changeText, killEvt, addHandler, hookEvent,
addClickHandler, removeHandler, getElementsByClassName, getInnerText,
setupCheckboxShiftClick, addCheckboxClickHandlers, mwEditButtons,
mwCustomEditButtons, injectSpinner, removeSpinner, escapeQuotes,
escapeQuotesHTML, jsMsg, addPortletLink, appendCSS, tooltipAccessKeyPrefix,
tooltipAccessKeyRegexp, updateTooltipAccessKeys.
* The ID of the <li> element containing the login link has changed from
'pt-login' to 'pt-login-private' in private wikis.
* The old, neglected "bulletin board style toolbar" in the edit form is now
deprecated (T30856). This old code dates from 2006, and was replaced in the
MediaWiki release tarball and in Wikimedia production by the WikiEditor
extension in 2010. It is only shown to users if no other editor was
installed, and leads to confusion.
* (T92459) Loading ResourceLoader modules containing JavaScript through
addModuleStyles() is deprecated and will log a warning server-side.
== Compatibility ==
MediaWiki 1.29 requires PHP 5.5.9 or later. There is experimental support for
HHVM 3.6.5 or later.
MySQL/MariaDB is the recommended DBMS. PostgreSQL or SQLite can also be used,
but support for them is somewhat less mature. There is experimental support for
Oracle and Microsoft SQL Server.
The supported versions are:
* MySQL 5.0.3 or later
* PostgreSQL 8.3 or later
* SQLite 3.3.7 or later
* Oracle 9.0.1 or later
* Microsoft SQL Server 2005 (9.00.1399)
== Upgrading ==
1.29 has several database changes since 1.28, and will not work without schema
updates. Note that due to changes to some very large tables like the revision
table, the schema update may take quite long (minutes on a medium sized site,
many hours on a large site).
Don't forget to always back up your database before upgrading!
See the file UPGRADE for more detailed upgrade instructions, including
important information when upgrading from versions prior to 1.11.
For notes on 1.28.x and older releases, see HISTORY.
|
|
Re-release of 0.14.2 due to a release engineering mistake.
No changes other than the version number.
Nevow 0.14.1:
Nevow will now correctly map the MIME type of SVG files even if the
platform registry does not have such a mapping.
Athena no longer logs widget instantiation on initial page load.
Nevow's test suite is now compatible with Twisted 16.3.
Athena will no longer cause spurious errors resulting from page
disconnection.
Athena will now ignore responses to already-responded remote calls
during page shutdown.
|