path: root/www
Age | Commit message | Author | Files | Lines
2016-09-07 | Pullup ticket #5095 - requested by taca | bsiegert | 3 | -15/+15
www/ruby-actionpack32: security fix

Revisions pulled up:
- databases/ruby-activerecord32/distinfo 1.24
- devel/ruby-activemodel32/distinfo 1.24
- devel/ruby-activesupport32/distinfo 1.24
- devel/ruby-railties32/distinfo 1.24
- lang/ruby/rails.mk 1.55
- mail/ruby-actionmailer32/distinfo 1.24
- www/ruby-actionpack32/distinfo 1.24
- www/ruby-activeresource32/distinfo 1.24
- www/ruby-rails32/distinfo 1.24
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 05:55:08 UTC 2016
Modified Files: pkgsrc/lang/ruby: rails.mk
Log Message: Start update of Ruby on Rails to 3.2.22.4.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 05:55:48 UTC 2016
Modified Files: pkgsrc/devel/ruby-activesupport32: distinfo
Log Message: Update ruby-activesupport32 to 3.2.22.4, no change except version.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 05:56:35 UTC 2016
Modified Files: pkgsrc/devel/ruby-activemodel32: distinfo
Log Message: Update ruby-activemodel32 to 3.2.22.4, no change except version.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 05:57:03 UTC 2016
Modified Files: pkgsrc/databases/ruby-activerecord32: distinfo
Log Message: Update ruby-activerecord32 to 3.2.22.4, no change except version.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 05:57:30 UTC 2016
Modified Files: pkgsrc/www/ruby-activeresource32: distinfo
Log Message: Update ruby-activeresource32 to 3.2.22.4, no change except version.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 05:58:46 UTC 2016
Modified Files: pkgsrc/www/ruby-actionpack32: distinfo
Log Message: Update ruby-actionpack32 to 3.2.22.4. Fix CVE-2016-6316, XSS vulnerability in Action View.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 05:59:16 UTC 2016
Modified Files: pkgsrc/mail/ruby-actionmailer32: distinfo
Log Message: Update ruby-actionmailer32 to 3.2.22.4, no change except version.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 05:59:36 UTC 2016
Modified Files: pkgsrc/devel/ruby-railties32: distinfo
Log Message: Update ruby-railties32 to 3.2.22.4, no change except version.
---
Module Name: pkgsrc
Committed By: taca
Date: Sun Aug 21 06:00:48 UTC 2016
Modified Files: pkgsrc/www/ruby-rails32: distinfo
Log Message: Update ruby-rails32 to 3.2.22.4, no change except version.
2016-09-07 | Pullup ticket #5093 - requested by taca | bsiegert | 3 | -2/+26
www/apache24: security fix

Revisions pulled up:
- www/apache24/Makefile 1.48
- www/apache24/distinfo 1.26
- www/apache24/patches/patch-server_util__script.c 1.1
---
Module Name: pkgsrc
Committed By: wiz
Date: Fri Jul 29 11:11:25 UTC 2016
Modified Files: pkgsrc/www/apache24: Makefile distinfo
Added Files: pkgsrc/www/apache24/patches: patch-server_util__script.c
Log Message: Fix httpoxy vulnerability. Bump PKGREVISION.
2016-08-10 | Pullup ticket #5079 - requested by sevan | bsiegert | 3 | -8/+9
www/curl: security fix

Revisions pulled up:
- www/curl/Makefile 1.168-1.169
- www/curl/PLIST 1.59
- www/curl/distinfo 1.120-1.121
---
Module Name: pkgsrc
Committed By: wiz
Date: Sun Jul 24 18:38:34 UTC 2016
Modified Files: pkgsrc/www/curl: Makefile distinfo
Log Message: Updated curl to 7.50.0.

Fixed in 7.50.0 - July 21 2016

Changes:
- http: add CURLINFO_HTTP_VERSION and %{http_version}

Bugfixes:
- memdebug: fix MSVC crash with -DMEMDEBUG_LOG_SYNC
- openssl: fix build with OPENSSL_NO_COMP
- mbedtls: removed unused variables
- cmake: Added missing mbedTLS support
- URL parser: allow URLs to use one, two or three slashes
- curl: fix -q [regression]
- openssl: Use correct buffer sizes for error messages
- curl: fix SIGSEGV while parsing URL with too many globs
- schannel: add CURLOPT_CERTINFO support
- vtls: fix ssl session cache race condition
- http: Fix HTTP/2 connection reuse [regression]
- checksrc: Add LoadLibrary to the banned functions list
- schannel: Disable ALPN on Windows < 8.1
- configure: occasional ignorance of --enable-symbol-hiding with GCC
- http2: test17xx are the first real HTTP/2 tests
- resolve: add support for IPv6 DNS64/NAT64 Networks on OS X + iOS
- curl_multi_socket_action.3: rewording
- CURLOPT_POSTFIELDS.3: Clarify what happens when set empty
- cmake: Fix build with winldap
- openssl: fix cert check with non-DNS name fields present
- curl.1: mention the units for the progress meter
- openssl: use more 'const' to fix build warnings with 1.1.0 branch
- cmake: now using BUILD_TESTING=ON/OFF
- vtls: Only call add/getsession if session id is enabled
- headers: forward declare CURL, CURLM and CURLSH as structs
- configure: improve detection of CA bundle path on FreeBSD
- SFTP: set a generic error when no SFTP one exists
- curl_global_init.3: expand on the SSL and WIN32 bits purpose
- conn: don't free easy handle data in handler->disconnect
- cookie.c: Fix misleading indentation
- library: Fix memory leaks found during static analysis
- CURLMOPT_SOCKETFUNCTION.3: fix typo
- curl_global_init: moved the "IPv6 works" check here
- connect: disable TFO on Linux when using SSL
- vauth: Fixed memory leak due to function returning without free
- winbuild: fix embedded manifest option
---
Module Name: pkgsrc
Committed By: wiz
Date: Wed Aug 3 08:57:51 UTC 2016
Modified Files: pkgsrc/www/curl: Makefile PLIST distinfo
Log Message: Updated curl to 7.50.1.

Bugfixes:
- TLS: switch off SSL session id when client cert is used
- TLS: only reuse connections with the same client cert
- curl_multi_cleanup: clear connection pointer for easy handles
- include the CURLINFO_HTTP_VERSION man page into the release tarball
- include the http2-server.pl script in the release tarball
- test558: fix test by stripping file paths from FD lines
- spnego: Corrected miss-placed * in Curl_auth_spnego_cleanup() declaration
- tests: Fix for http/2 feature
- cmake: Fix for schannel support
- curl.h: make public types void * again
- win32: fix a potential memory leak in Curl_load_library
- travis: fix OSX build by re-installing libtool
- mbedtls: Fix debug function name
2016-07-29 | Pullup ticket #5075 - requested by schmonz | spz | 2 | -7/+7
www/ikiwiki: security update

Revisions pulled up:
- www/ikiwiki/Makefile 1.142
- www/ikiwiki/distinfo 1.114
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: schmonz
Date: Thu Jul 28 20:23:52 UTC 2016
Modified Files: pkgsrc/www/ikiwiki: Makefile distinfo
Log Message: Update to 3.20160728. From the changelog:
* Explicitly remove current working directory from Perl's library search path, mitigating CVE-2016-1238 (see #588017)
* wrappers: allocate new environment dynamically, so we won't overrun the array if third-party plugins add multiple environment variables.
* Standards-Version: 3.9.8 (no changes required)

To generate a diff of this commit:
cvs rdiff -u -r1.141 -r1.142 pkgsrc/www/ikiwiki/Makefile
cvs rdiff -u -r1.113 -r1.114 pkgsrc/www/ikiwiki/distinfo
2016-07-28 | Pullup ticket #5063 - requested by taca | spz | 2 | -2/+12
www/contao41: security patch contao41 no longer exists in pkgsrc HEAD, so this is not properly a pullup but maintenance of a vulnerable package on the branch. The patch replaces contao41 'asset/mediaelement' by contao-mediaelement.js-2.21.2.tar.gz
2016-07-28 | Pullup ticket #5062 - requested by taca | spz | 3 | -18/+36
www/contao42: security update

Revisions pulled up:
- www/contao42/Makefile 1.2
- www/contao42/PLIST 1.2
- www/contao42/distinfo 1.2
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Sun Jul 17 14:00:25 UTC 2016
Modified Files: pkgsrc/www/contao42: Makefile PLIST distinfo
Log Message: Update contao42 to 4.2.1.

### 4.2.1 (2016-07-15)
* Strip soft hyphens when indexing a page (see contao/core#8389).
* Do not run the command scheduler if the installation is incomplete (see #541).
* Do not index randomly ordered image galleries.
* Fix the filter menu layout on mobile devices.
* Provide the back end fonts in different variants (see #523).
* Fix the message markup in the member templates.
* Correctly load the language strings in the pretty error screen listener.

To generate a diff of this commit:
cvs rdiff -u -r1.1 -r1.2 pkgsrc/www/contao42/Makefile \
    pkgsrc/www/contao42/PLIST pkgsrc/www/contao42/distinfo
2016-07-28 | Pullup ticket #5061 - requested by taca | spz | 3 | -31/+31
www/contao35: security update

Revisions pulled up:
- www/contao35/Makefile 1.15
- www/contao35/PLIST 1.9
- www/contao35/distinfo 1.12
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Sun Jul 17 13:58:00 UTC 2016
Modified Files: pkgsrc/www/contao35: Makefile PLIST distinfo
Log Message: Update contao35 to 3.5.15, including fix for CVE-2016-4567.

Version 3.5.15 (2016-07-15)
---------------------------
### Fixed
Strip soft hyphens when indexing a page (see #8389).
### Fixed
Update mediaelement.js to version 2.21.2 (fixes CVE-2016-4567).

To generate a diff of this commit:
cvs rdiff -u -r1.14 -r1.15 pkgsrc/www/contao35/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/contao35/PLIST
cvs rdiff -u -r1.11 -r1.12 pkgsrc/www/contao35/distinfo
2016-07-20 | Pullup ticket #5059 - requested by taca | spz | 3 | -8/+17
www/apache24: security update

Revisions pulled up:
- www/apache24/Makefile 1.46
- www/apache24/PLIST 1.22
- www/apache24/distinfo 1.25
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: taca
Date: Tue Jul 5 16:13:53 UTC 2016
Modified Files: pkgsrc/www/apache24: Makefile PLIST distinfo
Log Message: Update apache24 to 2.4.23. (NOTE: Versions 2.4.22 and 2.4.21 were not released.)

Changes from 2.4.20 are too many to write here, please refer to the CHANGES file. And Apache 2.4.23 fixes CVE-2016-4979; X509 Client certificate based authentication can be bypassed when HTTP/2 is used.

To generate a diff of this commit:
cvs rdiff -u -r1.45 -r1.46 pkgsrc/www/apache24/Makefile
cvs rdiff -u -r1.21 -r1.22 pkgsrc/www/apache24/PLIST
cvs rdiff -u -r1.24 -r1.25 pkgsrc/www/apache24/distinfo
2016-07-17 | Pullup ticket #5056 - requested by bsiegert | spz | 5 | -16/+14
www/links: security update
www/links-gui: security update

Revisions pulled up:
- www/links-gui/Makefile 1.75
- www/links/Makefile 1.65
- www/links/Makefile.common 1.65
- www/links/distinfo 1.65
- www/links/patches/patch-ab 1.9
-------------------------------------------------------------------
Module Name: pkgsrc
Committed By: leot
Date: Sun Jul 3 10:58:03 UTC 2016
Modified Files: pkgsrc/www/links: Makefile Makefile.common distinfo pkgsrc/www/links-gui: Makefile pkgsrc/www/links/patches: patch-ab
Log Message: Update www/links{,-gui} to 2.13

Changes:
=== RELEASE 2.13 ===
Sat Jun 18 14:15:55 CEST 2016 mikulas: Page up and page down scroll slightly less than a page
Fri Jun 17 23:57:23 CEST 2016 mikulas: Use domain list from publicsuffix.org to prevent setting cookies on public domains. Also fix a bug that existed in previous links versions: bla.com could register cookie for la.com or a.com
Sat Jun 11 17:59:17 CEST 2016 mikulas: Fixed non-working mouse wheel on Syllable. Workaround for getaddrinfo bug on Syllable
Sat Jun 11 15:16:41 CEST 2016 mikulas: Support horizontal scroll wheel on Windows
Tue Jun 7 19:10:11 CEST 2016 mikulas: Fixed a bug in the X driver that characters with unicode codes 128-255 could not be entered with some locales
Thu Jun 2 19:19:56 CEST 2016 mikulas: Security bug fixed: Use separate unix domain socket for anonymous instances, so that the anonymous instance won't connect to non-anonymous one
Sun May 8 21:20:38 CEST 2016 mikulas: <samp> element
Sun May 8 20:33:37 CEST 2016 mikulas: In case of certification verification failure, don't pop up multiple dialog windows asking for the same server
Sun Mar 13 19:10:27 CET 2016 mikulas: Do not lookup .onion addresses directly, as specified by rfc7686
Wed Jan 13 01:16:49 CET 2016 Jakub Bogusz <qboosh%pld-linux.org@localhost>: Updated Polish Translation
Wed Oct 21 19:25:09 CEST 2015 mikulas: Security enhancement: Warn if the SSL/TLS method was downgraded

To generate a diff of this commit:
cvs rdiff -u -r1.64 -r1.65 pkgsrc/www/links/Makefile \
    pkgsrc/www/links/Makefile.common pkgsrc/www/links/distinfo
cvs rdiff -u -r1.74 -r1.75 pkgsrc/www/links-gui/Makefile
cvs rdiff -u -r1.8 -r1.9 pkgsrc/www/links/patches/patch-ab
2016-06-30 | Fix build problem with PKG_DEVELOPER=YES. | taca | 1 | -2/+4
* Replace interpreter of tools/migrate-2.0.x-2.1.0.php, too.
* Change post-patch target to pre-configure for easier maintenance of patch files.
* Drop execute bit from lib/syncobjects/syncresolverecipient.php.
2016-06-29 | Update php-ja-wordpress to 4.5.3. | taca | 2 | -7/+7
As www/wordpress, this is a maintenance and security release. I could not find Japanese version specific changes.
2016-06-28 | squid3 uses C++11 if available. Insist on C++11 if linking to libecap. | prlw1 | 1 | -1/+2
2016-06-27 | Fix build on -current | tnn | 2 | -1/+17
2016-06-26 | Update libproxy to 0.4.13 | kamil | 3 | -26/+7
Upstream changes:
- Allow linking webkit pacrunner against javascriptcore-4.0 (webkit2).
- Allow to disable building of the KDE module (-DWITH_KDE=ON/OFF).
- Fix compilation errors with CLang on MacOSX.
- bindings: perl: Add an option to explicitly link against libperl.so. Some distributions want to do it, other prefer not to, the library is anyway in context of perl.
- config_kde: Add a basic cache and invalidation: performance improvement for the KDE module.

Upgrade during freeze to fix upstream regression with Qt4 and Qt5 clashes.
Requested by Ralf Nolden <nolden@kde.org>
Approved by <pkgsrc-pmc>.
2016-06-26 | Fix PKGNAME in distinfo. From kre@. | wiz | 1 | -361/+361
2016-06-25 | Add plugin-container to list of not-mprotect-safe files, bump pkgrevision. | pgoyette | 1 | -1/+3
2016-06-25 | Updated package to use ocaml.mk framework. No upstream changes. | jaapb | 6 | -61/+46
2016-06-23 | Fix non-default, probably unused so far, ecap option build, after libecap move to C++11. | prlw1 | 2 | -1/+17
2016-06-23 | Fix previous by going the whole hog and requiring C++11. | prlw1 | 3 | -22/+18
2016-06-22 | Update WordPress to 4.5.3. This is a maintenance and security release: | jklos | 2 | -7/+7
https://wordpress.org/news/2016/06/wordpress-4-5-3/
2016-06-21 | Don't use the obsolete TR1 interface for C++11 or libc++. Bump revision. | joerg | 3 | -2/+34
2016-06-21 | - Add patches/patch-Makefile.PL to give adhoc work around with clang build, | mef | 3 | -2/+22
./curlopt-constants.c:19:58: error: non-void function 'constant' should return a value [-Wreturn-type]
    if (strEQ(name, "DID_MEMORY_FUNC_TYPEDEFS")) return CURL_DID_MEMORY_FUNC_TYPEDEFS;
                                                             ^
2016-06-20 | Updated package to latest version, 2.7, and added patches and cleaned up the Makefile. | jaapb | 4 | -11/+86
Changes include:
* Fix content type selection for XML content
* Send gzip trailer in Deflatemod
* Log more details about SSL accept errors
* Support the Content-Disposition header
* Optimize buffering
2016-06-19 | Clean up .orig files after patch... makes things tidier. | jym | 1 | -1/+4
Reported by joerg@, thanks
2016-06-19 | Needs p5-URI-ws. | joerg | 1 | -3/+4
2016-06-19 | Add and enable contao42. | taca | 1 | -1/+2
2016-06-19 | Add contao42 4.2.0 to pkgsrc. | taca | 7 | -0/+8044
Contao is an Open Source Content Management Framework developed by Leo Feyer and distributed under the LGPL license (see GPL.txt and LGPL.txt for more information). It was formerly known as TYPOlight Open Source CMS. Its open architecture allows everybody to extend the system to fit his needs. Contao specializes in accessible websites and is accessible itself (front end and back end), rendering valid HTML5 or XHTML pages.

Contao 4.2 is the third minor release of Contao 4, which has an API incompatible with Contao 3.

* Now Contao is a Symfony bundle.
* Contao 4 does not use .htaccess files for protecting directories.
* DocumentRoot is the "web" subdirectory.
* XHTML support has gone, HTML5 only.
* Schema.org markup support.

Additionally, these new features:

* Tree view supports filter support.
* File manager supports file searching.
* Vimeo video is also supported, additionally to Youtube.
2016-06-19 | Remove whitespace | ryoon | 1 | -1/+1
2016-06-19 | Fix HOMEPAGE | ryoon | 1 | -2/+2
2016-06-19 | Update to 45.2.0 | ryoon | 2 | -364/+364
* Fix PKGNAME
* Sync with firefox45-45.2.0
2016-06-19 | Update to 45.2.0 | ryoon | 2 | -8/+8
Changelog:
Fixed
- Graphics-related crashes (Bugs 1261320, 1224199)
- Various security fixes
- Unicode support for AutoConfig API (Bug 1271032)
- Web compatibility fix for addEventListener API (Bug 1266194)

Fixed in Firefox ESR 45.2
- 2016-58 Entering fullscreen and persistent pointerlock without user permission
- 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
- 2016-55 File overwrite and privilege escalation through Mozilla Windows updater
- 2016-53 Out-of-bounds write with WebGL shader
- 2016-52 Addressbar spoofing through the SELECT element
- 2016-51 Use-after-free deleting tables from a contenteditable document
- 2016-50 Buffer overflow parsing HTML5 fragments
- 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
2016-06-18 | Add www/p5-URI-ws | kamil | 1 | -1/+2
2016-06-18 | Import URI-ws-0.03 as www/p5-URI-ws | kamil | 3 | -0/+25
URI::ws - WebSocket support for URI package.
2016-06-17 | Add ecap option to squid3, switched off by default. | prlw1 | 1 | -4/+14
2016-06-17 | Add libecap to www/Makefile | prlw1 | 1 | -1/+2
2016-06-17 | Add libecap 1.0.1 | prlw1 | 5 | -0/+82
eCAP is a software interface that allows a network application, such as an HTTP proxy or an ICAP server, to outsource content analysis and adaptation to a loadable module. For each applicable protocol message being processed, an eCAP-enabled host application supplies the message details to the adaptation module and gets back an adapted message, a "not interested" response, or a "block this message now!" instruction. These exchanges often include message bodies. The adaptation module can also exchange meta-information with the host application to supply additional details such as configuration options, a reason behind the decision to ignore a message, or a detected virus name.

If you are familiar with the ICAP protocol (RFC 3507), then you may think of eCAP as an "embedded ICAP", where network interactions with an ICAP server are replaced with function calls to an adaptation module.

The libecap library implements the eCAP API in C++.
2016-06-17 | No need to remove non-existent files. | taca | 2 | -6/+2
2016-06-17 | Update www/ganglia-webfrontend to 3.7.2. | fhajny | 3 | -26/+8
- Fix for a reflected XSS issue in the metrics API
- Other minor improvements and fixes
2016-06-16 | Update drupal7 to 7.44 (Drupal 7.44). | taca | 2 | -7/+7
Drupal 7.44, 2016-06-15
-----------------------
- Fixed security issues (privilege escalation). See SA-CORE-2016-002.
2016-06-16 | Relax the gcc version check to 4.7.0 (syncing it to IndexedDB related kludge). | leot | 3 | -3/+38
Should fix build on platforms with gcc<4.9.0. Bump PKGREVISION.
2016-06-16 | Remove unnecessary BUILDLINK_TRANSFORM | ryoon | 1 | -3/+1
2016-06-16 | Update contao35 to 3.5.14. | taca | 2 | -7/+7
Version 3.5.14 (2016-06-16)
---------------------------
### Fixed
Validate the settings when loading a recurring event (see #8286).
### Fixed
Also check for the back end cookie when loading from cache (see #8249).
### Fixed
Unset "mode" and "pid" upon save and edit (see #8292).
### Fixed
Always use the relative path in DC_Folder (see #8370).
2016-06-16 | Update contao35 to 3.5.13. | taca | 3 | -14/+11
Version 3.5.13 (2016-06-15)
---------------------------
### Fixed
Use the correct empty value when resetting copied fields (see #8365).
### Fixed
Remove the "required" attribute if a subpalette is closed (see #8192).
### Fixed
Correctly generate the feed links in a multi-domain setup (see #8329).
### Fixed
Correctly calculate the maximum file size for DropZone (see #8098).
### Fixed
Do not adjust the start date of a multi-day event (see #8194).
### Fixed
Versionize and show password changes (see #8301).
### Fixed
Make File::$dirname an absolute path again (see #8325).
### Fixed
Store the full URLs in the search index (see contao/core-bundle#491).
### Fixed
Standardize the group names in the checkbox widget (see #8002).
### Fixed
Prevent models from being registered twice (see #8224).
### Fixed
Prevent horizontal scrolling in the ACE editor (see #8328).
### Fixed
Correctly render the breadcrumb links in the template editor (see #8341).
### Fixed
Remove the role attributes from the navigation templates (see #8343).
### Fixed
Do not add `role="tablist"` to the accordion container (see #8344).
2016-06-16 | Remove distribution patch (downloaded by package anyway, no idea why it's here as well) | wiz | 1 | -112/+0
2016-06-16 | Update apache-tomcat8 to 8.0.36 | prlw1 | 2 | -7/+7
Huge number of fixes listed at http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

Highlights of fixes:
* Fix: RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
* Fix: Ensure NPE will not be thrown during deployment when scanning jar files without MANIFEST.MF file. (violetagg)
* Fix: 59604: Correct the assumption made in the URL decoding that the default platform encoding is always compatible with ISO-8859-1. This assumption is not always valid, e.g. on z/OS. (markt)
* Fix: 59608: Skip over any invalid Class-Path attribute from JAR manifests. Log errors at debug level due to many bad libraries. (remm)
* Fix: Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
* Fix: When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
* Fix: If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
* Fix: Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
* Fix: Correctly configure the base path for a resources directory provided by an expanded JAR file. Patch provided by hengyunabc. (markt)
* Fix: 59317: Ensure that HttpServletRequest.getRequestURI() returns an encoded URI rather than a decoded URI after a dispatch. (markt)

Highlights of non-fixes:
* Update: Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus additional fixes). (markt)
* Update: Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus additional fixes). (markt)
* Update: Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
* Update: Update the option code coverage tool Cobertura to 2.1.1 so it is easier to compare the change in lines of code between 8.0.x and 9.0.x. (markt)
* Add: Add a new environment variable JSSE_OPTS that is intended to be used to pass JVM wide configuration to the JSSE implementation. The default value is -Djdk.tls.ephemeralDHKeySize=2048 which protects against weak Diffie-Hellman keys with Java 8. (markt)
* Update: Exclude ciphers that use RSA keys from the default cipher list since they do not support forward secrecy. (markt)
* Update: Update the packaged version of the Tomcat Native Library to 1.2.7 to pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR 1.5.2. (markt)
2016-06-16 | Update to 47.0 | ryoon | 3 | -618/+716
* Sync with firefox-47.0
2016-06-16 | Update to 47.0 | ryoon | 106 | -1488/+517
* Remove macOS patches, because I cannot confirm them sadly

Changelog:
New
- Support for Google’s Widevine CDM on Windows and Mac OS X so streaming services like Amazon Video can switch from Silverlight to encrypted HTML5 video.
- Enable VP9 video codec for users with fast machines
- Embedded YouTube videos now play with HTML5 video if Flash is not installed.
- View and search open tabs from your smartphone or another computer in a sidebar
- Allow no-cache on back/forward navigations for https resources
- Latgalu [ltg] locale added. Wikipedia tells us there are 164,500 daily speakers.
Fixed
- Various security fixes
Changed
- FUEL (Firefox User Extension Library) has been removed. Add-ons relying on it will stop working.
- The browser.sessionstore.restore_on_demand preference has been reset to its default value (true) to avoid e10s performance problems. Because faster is better!
- The Firefox click-to-activate plugin whitelist has been removed.
- XRender is no longer used for rendering web content on Linux as this may cause a regression in remote X performance
Developer
- Web platform changes
- View, start, and debug registered Service Workers in the Service Workers developer tool
- Simulate Push messages in the Service Workers developer tool
- 'Start' button for service workers in about:debugging to start registered Service Workers
- Changes that can affect add-on compatibility
- Added support for ChaCha20/Poly1305 cipher suites
- Custom user agents supported in Responsive Design Mode
- Smart multi-line input in the Web Console
- Developer Information
- HTML5 cuechange events are now available on TextTrack objects
- WebCrypto: PBKDF2 supports SHA-2 hash algorithms
- WebCrypto: RSA-PSS signature support

Fixed in Firefox 47
- 2016-61 Network Security Services (NSS) vulnerabilities
- 2016-60 Java applets bypass CSP protections
- 2016-59 Information disclosure of disabled plugins through CSS pseudo-classes
- 2016-58 Entering fullscreen and persistent pointerlock without user permission
- 2016-57 Incorrect icon displayed on permissions notifications
- 2016-56 Use-after-free when textures are used in WebGL operations after recycle pool destruction
- 2016-55 File overwrite and privilege escalation through Mozilla Windows updater
- 2016-54 Partial same-origin-policy through setting location.host through data URI
- 2016-53 Out-of-bounds write with WebGL shader
- 2016-52 Addressbar spoofing through the SELECT element
- 2016-51 Use-after-free deleting tables from a contenteditable document
- 2016-50 Buffer overflow parsing HTML5 fragments
- 2016-49 Miscellaneous memory safety hazards (rv:47.0 / rv:45.2)
2016-06-15 | Update www/nginx-devel to 1.11.1. | fhajny | 4 | -66/+46
Changes with nginx 1.11.1
- Security: a segmentation fault might occur in a worker process while writing a specially crafted request body to a temporary file (CVE-2016-4450); the bug had appeared in 1.3.9.

Changes with nginx 1.11.0
- Feature: the "transparent" parameter of the "proxy_bind", "fastcgi_bind", "memcached_bind", "scgi_bind", and "uwsgi_bind" directives.
- Feature: the $request_id variable.
- Feature: the "map" directive supports combinations of multiple variables as resulting values.
- Feature: now nginx checks if EPOLLRDHUP events are supported by kernel, and optimizes connection handling accordingly if the "epoll" method is used.
- Feature: the "ssl_certificate" and "ssl_certificate_key" directives can be specified multiple times to load certificates of different types (for example, RSA and ECDSA).
- Feature: the "ssl_ecdh_curve" directive now allows specifying a list of curves when using OpenSSL 1.0.2 or newer; by default a list built into OpenSSL is used.
- Change: to use DHE ciphers it is now required to specify parameters using the "ssl_dhparam" directive.
- Feature: the $proxy_protocol_port variable.
- Feature: the $realip_remote_port variable in the ngx_http_realip_module.
- Feature: the ngx_http_realip_module is now able to set the client port in addition to the address.
- Change: the "421 Misdirected Request" response now used when rejecting requests to a virtual server different from one negotiated during an SSL handshake; this improves interoperability with some HTTP/2 clients when using client certificates.
- Change: HTTP/2 clients can now start sending request body immediately; the "http2_body_preread_size" directive controls size of the buffer used before nginx will start reading client request body.
- Bugfix: cached error responses were not updated when using the "proxy_cache_bypass" directive.

Changes with nginx 1.9.15
- Bugfix: "recv() failed" errors might occur when using HHVM as a FastCGI server.
- Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives a timeout or a "client violated flow control" error might occur while reading client request body; the bug had appeared in 1.9.14.
- Workaround: a response might not be shown by some browsers if HTTP/2 was used and client request body was not fully read; the bug had appeared in 1.9.14.
- Bugfix: connections might hang when using the "aio threads" directive. Thanks to Mindaugas Rasiukevicius.

Changes with nginx 1.9.14
- Feature: OpenSSL 1.1.0 compatibility.
- Feature: the "proxy_request_buffering", "fastcgi_request_buffering", "scgi_request_buffering", and "uwsgi_request_buffering" directives now work with HTTP/2.
- Bugfix: "zero size buf in output" alerts might appear in logs when using HTTP/2.
- Bugfix: the "client_max_body_size" directive might work incorrectly when using HTTP/2.
- Bugfix: of minor bugs in logging.

Changes with nginx 1.9.13
- Change: non-idempotent requests (POST, LOCK, PATCH) are no longer passed to the next server by default if a request has been sent to a backend; the "non_idempotent" parameter of the "proxy_next_upstream" directive explicitly allows retrying such requests.
- Feature: the ngx_http_perl_module can be built dynamically.
- Feature: UDP support in the stream module.
- Feature: the "aio_write" directive.
- Feature: now cache manager monitors number of elements in caches and tries to avoid cache keys zone overflows.
- Bugfix: "task already active" and "second aio post" alerts might appear in logs when using the "sendfile" and "aio" directives with subrequests.
- Bugfix: "zero size buf in output" alerts might appear in logs if caching was used and a client closed a connection prematurely.
- Bugfix: connections with clients might be closed needlessly if caching was used. Thanks to Justin Li.
- Bugfix: nginx might hog CPU if the "sendfile" directive was used on Linux or Solaris and a file being sent was changed during sending.
- Bugfix: connections might hang when using the "sendfile" and "aio threads" directives.
- Bugfix: in the "proxy_pass", "fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives when using variables. Thanks to Piotr Sikora.
- Bugfix: in the ngx_http_sub_filter_module.
- Bugfix: if an error occurred in a cached backend connection, the request was passed to the next server regardless of the proxy_next_upstream directive.
- Bugfix: "CreateFile() failed" errors when creating temporary files on Windows.

Changes with nginx 1.9.12
- Feature: Huffman encoding of response headers in HTTP/2. Thanks to Vlad Krasnov.
- Feature: the "worker_cpu_affinity" directive now supports more than 64 CPUs.
- Bugfix: compatibility with 3rd party C++ modules; the bug had appeared in 1.9.11. Thanks to Piotr Sikora.
- Bugfix: nginx could not be built statically with OpenSSL on Linux; the bug had appeared in 1.9.11.
- Bugfix: the "add_header ... always" directive with an empty value did not delete "Last-Modified" and "ETag" header lines from error responses.
- Workaround: "called a function you should not call" and "shutdown while in init" messages might appear in logs when using OpenSSL 1.0.2f.
- Bugfix: invalid headers might be logged incorrectly.
- Bugfix: socket leak when using HTTP/2.
- Bugfix: in the ngx_http_v2_module.

Changes with nginx 1.9.11
- Feature: TCP support in resolver.
- Feature: dynamic modules.
- Bugfix: the $request_length variable did not include size of request headers when using HTTP/2.
- Bugfix: in the ngx_http_v2_module.
2016-06-15 | Update www/nginx to 1.10.1. | fhajny | 5 | -89/+61
Update 3rd party modules in options.mk.

Changes with nginx 1.10.1
- Security: a segmentation fault might occur in a worker process while writing a specially crafted request body to a temporary file (CVE-2016-4450); the bug had appeared in 1.3.9.

Changes with nginx 1.10.0
- 1.10.x stable branch.

Changes with nginx 1.9.15
- Bugfix: "recv() failed" errors might occur when using HHVM as a FastCGI server.
- Bugfix: when using HTTP/2 and the "limit_req" or "auth_request" directives a timeout or a "client violated flow control" error might occur while reading client request body; the bug had appeared in 1.9.14.
- Workaround: a response might not be shown by some browsers if HTTP/2 was used and client request body was not fully read; the bug had appeared in 1.9.14.
- Bugfix: connections might hang when using the "aio threads" directive. Thanks to Mindaugas Rasiukevicius.

Changes with nginx 1.9.14
- Feature: OpenSSL 1.1.0 compatibility.
- Feature: the "proxy_request_buffering", "fastcgi_request_buffering", "scgi_request_buffering", and "uwsgi_request_buffering" directives now work with HTTP/2.
- Bugfix: "zero size buf in output" alerts might appear in logs when using HTTP/2.
- Bugfix: the "client_max_body_size" directive might work incorrectly when using HTTP/2.
- Bugfix: of minor bugs in logging.

Changes with nginx 1.9.13
- Change: non-idempotent requests (POST, LOCK, PATCH) are no longer passed to the next server by default if a request has been sent to a backend; the "non_idempotent" parameter of the "proxy_next_upstream" directive explicitly allows retrying such requests.
- Feature: the ngx_http_perl_module can be built dynamically.
- Feature: UDP support in the stream module.
- Feature: the "aio_write" directive.
- Feature: now cache manager monitors number of elements in caches and tries to avoid cache keys zone overflows.
- Bugfix: "task already active" and "second aio post" alerts might appear in logs when using the "sendfile" and "aio" directives with subrequests.
- Bugfix: "zero size buf in output" alerts might appear in logs if caching was used and a client closed a connection prematurely.
- Bugfix: connections with clients might be closed needlessly if caching was used. Thanks to Justin Li.
- Bugfix: nginx might hog CPU if the "sendfile" directive was used on Linux or Solaris and a file being sent was changed during sending.
- Bugfix: connections might hang when using the "sendfile" and "aio threads" directives.
- Bugfix: in the "proxy_pass", "fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives when using variables. Thanks to Piotr Sikora.
- Bugfix: in the ngx_http_sub_filter_module.
- Bugfix: if an error occurred in a cached backend connection, the request was passed to the next server regardless of the proxy_next_upstream directive.
- Bugfix: "CreateFile() failed" errors when creating temporary files on Windows.

Changes with nginx 1.9.12
- Feature: Huffman encoding of response headers in HTTP/2. Thanks to Vlad Krasnov.
- Feature: the "worker_cpu_affinity" directive now supports more than 64 CPUs.
- Bugfix: compatibility with 3rd party C++ modules; the bug had appeared in 1.9.11. Thanks to Piotr Sikora.
- Bugfix: nginx could not be built statically with OpenSSL on Linux; the bug had appeared in 1.9.11.
- Bugfix: the "add_header ... always" directive with an empty value did not delete "Last-Modified" and "ETag" header lines from error responses.
- Workaround: "called a function you should not call" and "shutdown while in init" messages might appear in logs when using OpenSSL 1.0.2f.
- Bugfix: invalid headers might be logged incorrectly.
- Bugfix: socket leak when using HTTP/2.
- Bugfix: in the ngx_http_v2_module.

Changes with nginx 1.9.11
- Feature: TCP support in resolver.
- Feature: dynamic modules.
- Bugfix: the $request_length variable did not include size of request headers when using HTTP/2.
- Bugfix: in the ngx_http_v2_module.

Changes with nginx 1.9.10
- Security: invalid pointer dereference might occur during DNS server response processing if the "resolver" directive was used, allowing an attacker who is able to forge UDP packets from the DNS server to cause segmentation fault in a worker process (CVE-2016-0742).
- Security: use-after-free condition might occur during CNAME response processing if the "resolver" directive was used, allowing an attacker who is able to trigger name resolution to cause segmentation fault in a worker process, or might have potential other impact (CVE-2016-0746).
- Security: CNAME resolution was insufficiently limited if the "resolver" directive was used, allowing an attacker who is able to trigger arbitrary name resolution to cause excessive resource consumption in worker processes (CVE-2016-0747).
- Feature: the "auto" parameter of the "worker_cpu_affinity" directive.
- Bugfix: the "proxy_protocol" parameter of the "listen" directive did not work with IPv6 listen sockets.
- Bugfix: connections to upstream servers might be cached incorrectly when using the "keepalive" directive.
- Bugfix: proxying used the HTTP method of the original request after an "X-Accel-Redirect" redirection.

Changes with nginx 1.9.9
- Bugfix: proxying to unix domain sockets did not work when using variables; the bug had appeared in 1.9.8.

Changes with nginx 1.9.8
- Feature: pwritev() support.
- Feature: the "include" directive inside the "upstream" block.
- Feature: the ngx_http_slice_module.
- Bugfix: a segmentation fault might occur in a worker process when using LibreSSL; the bug had appeared in 1.9.6.
- Bugfix: nginx could not be built on OS X in some cases.

Changes with nginx 1.9.7
- Feature: the "nohostname" parameter of logging to syslog.
- Feature: the "proxy_cache_convert_head" directive.
- Feature: the $realip_remote_addr variable in the ngx_http_realip_module.
- Bugfix: the "expires" directive might not work when using variables.
- Bugfix: a segmentation fault might occur in a worker process when using HTTP/2; the bug had appeared in 1.9.6. - Bugfix: if nginx was built with the ngx_http_v2_module it was possible to use the HTTP/2 protocol even if the "http2" parameter of the "listen" directive was not specified. - Bugfix: in the ngx_http_v2_module. Changes with nginx 1.9.6 - Bugfix: a segmentation fault might occur in a worker process when using HTTP/2. Thanks to Piotr Sikora and Denis Andzakovic. - Bugfix: the $server_protocol variable was empty when using HTTP/2. - Bugfix: backend SSL connections in the stream module might be timed out unexpectedly. - Bugfix: a segmentation fault might occur in a worker process if different ssl_session_cache settings were used in different virtual servers. - Bugfix: nginx/Windows could not be built with MinGW gcc; the bug had appeared in 1.9.4. Thanks to Kouhei Sutou. - Bugfix: time was not updated when the timer_resolution directive was used on Windows. - Miscellaneous minor fixes and improvements. Thanks to Markus Linnala, Kurtis Nusbaum and Piotr Sikora. Changes with nginx 1.9.5 - Feature: the ngx_http_v2_module (replaces ngx_http_spdy_module). Thanks to Dropbox and Automattic for sponsoring this work. - Change: now the "output_buffers" directive uses two buffers by default. - Change: now nginx limits subrequests recursion, not simultaneous subrequests. - Change: now nginx checks the whole cache key when returning a response from cache. Thanks to Gena Makhomed and Sergey Brester. - Bugfix: "header already sent" alerts might appear in logs when using cache; the bug had appeared in 1.7.5. - Bugfix: "writev() failed (4: Interrupted system call)" errors might appear in logs when using CephFS and the "timer_resolution" directive on Linux. - Bugfix: in invalid configurations handling. Thanks to Markus Linnala. - Bugfix: a segmentation fault occurred in a worker process if the "sub_filter" directive was used at http level; the bug had appeared in 1.9.4. 
Changes with nginx 1.9.4 - Change: the "proxy_downstream_buffer" and "proxy_upstream_buffer" directives of the stream module are replaced with the "proxy_buffer_size" directive. - Feature: the "tcp_nodelay" directive in the stream module. - Feature: multiple "sub_filter" directives can be used simultaneously. - Feature: variables support in the search string of the "sub_filter" directive. - Workaround: configuration testing might fail under Linux OpenVZ. Thanks to Gena Makhomed. - Bugfix: old worker processes might hog CPU after reconfiguration with a large number of worker_connections. - Bugfix: a segmentation fault might occur in a worker process if the "try_files" and "alias" directives were used inside a location given by a regular expression; the bug had appeared in 1.7.1. - Bugfix: the "try_files" directive inside a nested location given by a regular expression worked incorrectly if the "alias" directive was used in the outer location. - Bugfix: in hash table initialization error handling. - Bugfix: nginx could not be built with Visual Studio 2015. Changes with nginx 1.9.3 - Change: duplicate "http", "mail", and "stream" blocks are now disallowed. - Feature: connection limiting in the stream module. - Feature: data rate limiting in the stream module. - Bugfix: the "zone" directive inside the "upstream" block did not work on Windows. - Bugfix: compatibility with LibreSSL in the stream module. Thanks to Piotr Sikora. - Bugfix: in the "--builddir" configure parameter. Thanks to Piotr Sikora. - Bugfix: the "ssl_stapling_file" directive did not work; the bug had appeared in 1.9.2. Thanks to Faidon Liambotis and Brandon Black. - Bugfix: a segmentation fault might occur in a worker process if the "ssl_stapling" directive was used; the bug had appeared in 1.9.2. Thanks to Matthew Baldwin. Changes with nginx 1.9.2 - Feature: the "backlog" parameter of the "listen" directives of the mail proxy and stream modules. 
- Feature: the "allow" and "deny" directives in the stream module. - Feature: the "proxy_bind" directive in the stream module. - Feature: the "proxy_protocol" directive in the stream module. - Feature: the -T switch. - Feature: the REQUEST_SCHEME parameter added to the fastcgi.conf, fastcgi_params, scgi_params, and uwsgi_params standard configuration files. - Bugfix: the "reuseport" parameter of the "listen" directive of the stream module did not work. - Bugfix: OCSP stapling might return an expired OCSP response in some cases. Changes with nginx 1.9.1 - Change: now SSLv3 protocol is disabled by default. - Change: some long deprecated directives are not supported anymore. - Feature: the "reuseport" parameter of the "listen" directive. Thanks to Yingqi Lu at Intel and Sepherosa Ziehau. - Feature: the $upstream_connect_time variable. - Bugfix: in the "hash" directive on big-endian platforms. - Bugfix: nginx might fail to start on some old Linux variants; the bug had appeared in 1.7.11. - Bugfix: in IP address parsing. Thanks to Sergey Polovko. Changes with nginx 1.9.0 - Change: obsolete aio and rtsig event methods have been removed. - Feature: the "zone" directive inside the "upstream" block. - Feature: the stream module. - Feature: byte ranges support in the ngx_http_memcached_module. Thanks to Martin Mlynar. - Feature: shared memory can now be used on Windows versions with address space layout randomization. Thanks to Sergey Brester. - Feature: the "error_log" directive can now be used on mail and server levels in mail proxy. - Bugfix: the "proxy_protocol" parameter of the "listen" directive did not work if not specified in the first "listen" directive for a listen socket.
2016-06-15  Update SOGo to 2.3.12, including security fix.  taca  3  -33/+83
2.3.12 (2016-06-10)
-------------------

Enhancements
- [web] updated CKEditor to version 4.5.9
- [web] CKEditor: switched to the minimalist skin
- [web] CKEditor: added the base64image plugin
- [web] CKEditor: added the pastefromword plugin (#2295, #3313)
- [web] added Turkish (Turkey) (tr_TR) translation - thanks to Sinan Kurşunoğlu

Bug fixes
- [core] sanity checks for events with bogus timezone offsets
- [core] strip X- tags when securing content (#3695)
- [core] properly handle flattened timezone definitions (#2690)
- [eas] when using EAS/ItemOperations, use IMAP PEEK operation
- [web] fixed recipients when replying from a message in the Sent mailbox (#2625)
- [web] fixed localizable strings in Card viewer
- [web] properly encode HTML attributes in Contacts module to avoid XSS issues
- [web] handle c_mail field format of quick record of contacts of v3 (#3443)
- [web] fixed all-day events covering a timezone change (#3457)
- [web] fixed display of invitation with a category (#3590)

2.3.11 (2016-04-XX)
-------------------

Bug fixes
- properly escape organizer name when using EAS (#3615)
- properly escape wide characters (#3616)
- calendars list when creating a new component in a calendar in which the user can't delete components
- avoid double-appending domains in cache for multi-domain configurations (#3614)
- encode CR in EAS payload (#3626)
- password change during login process when using ppolicy
- correctly set answered/forwarded flags during EAS smart operations
- don't mark calendar invitations as read when fetching messages using EAS
- fixed messages archiving as zip file
- fixed multidomain issue with non-unique ID across domains (#3625)
- fixed bogus headers generation when stripping folded bcc header (#3664)
- fixed issue with multi-value org units (#3630)
- fixed sensitive range of checkboxes in appointment editor (#3665)

2.3.10 (2016-04-05)
-------------------

New features
- new user-based rate-limiting support for all SOGo requests (#3188)

Bug fixes
- respect the LDAP attributes mapping in the list view
- handle empty body data when forwarding mails (#3581)
- correctly set EAS message class for S/MIME messages (#3576)
- we now handle the default classifications for tasks (#3541)
- handle FilterType changes using EAS (#3543)
- handle Dovecot's mail_shared_explicit_inbox parameter when using EAS
- prevent concurrent Sync ops from same EAS device (#3603)
- handle EAS loop termination when SOGo is being shutdown (#3604)
- avoid marking mails as read when archiving a folder (#2792)
- now cache heartbeat interval and folders list during EAS Ping ops (#3606)
- sanitize non-us-ascii 7bit emails when using EAS (#3592)

2.3.9 (2016-03-16)
------------------

New features
- you can now limit the file upload size using the WOMaxUploadSize configuration parameter (integer value in kilobytes) (#3510, #3135)

Enhancements
- allow resources to prevent invitations (#3410)
- now support EAS MIME truncation
- added Lithuanian (lt) translation - thanks to Mantas Liobė

Bug fixes
- allow EAS attachments get on 2nd-level mailboxes (#3505)
- fixed EAS bday shift (#3518)
- prefer SOGoRefreshViewCheck to SOGoMailMessageCheck (#3465)
- properly unfold long mail headers (#3152)