Age | Commit message | Author | Files | Lines |
|
WSDL parsing services package for Web Services for Python
|
|
Changes with nginx 1.13.12:
*) Bugfix: connections with gRPC backends might be closed unexpectedly
when returning a large response.
Changes with nginx 1.13.11:
*) Feature: the "proxy_protocol" parameter of the "listen" directive now
supports the PROXY protocol version 2.
*) Bugfix: nginx could not be built with OpenSSL 1.1.1 statically on
Linux.
*) Bugfix: in the "http_404", "http_500", etc. parameters of the
"proxy_next_upstream" directive.
|
|
push, rtmp
|
|
v6.2.1:
:pr:83: Fix regression, caused by inverted check for Windows OS.
Add more URLs to distribution metadata
v6.2.0:
:pr:37: Implement PEERCRED lookup over UNIX-socket HTTP connection.
Discover connected process' PID/UID/GID
Respect server switches: peercreds_enabled and peercreds_resolve_enabled
get_peer_creds and resolve_peer_creds methods on connection
peer_pid, peer_uid, peer_gid, peer_user and peer_group properties on connection
X_REMOTE_PID, X_REMOTE_UID, X_REMOTE_GID, X_REMOTE_USER (REMOTE_USER) and X_REMOTE_GROUP WSGI environment variables when enabled and supported
Per-connection caching to reduce lookup cost
|
|
3 months of bugfixes.
|
|
Version 2.1.3:
**Security fixes**
* Attributes that have URI values weren't properly sanitized if the
values contained character entities. Using character entities, it
was possible to construct a URI value with a scheme that was not
allowed that would slide through unsanitized.
This security issue was introduced in Bleach 2.1. Anyone using
Bleach 2.1 is highly encouraged to upgrade.
**Bug fixes**
* Fixed some other edge cases for attribute URI value sanitizing and
improved testing of this code.
|
|
v6.1.2
- :issue:81: Fix regression introduced by :pr:80.
* Restore :py:attr:storing bound socket
<cheroot.server.HTTPServer.bind_addr> in Windows broken by use of
:py:obj:socket.AF_UNIX
v6.1.1
- :pr:80: Fix regression introduced by :commit:68a5769.
* Get back support for :py:obj:socket.AF_UNIX in stored bound address in
:py:attr:cheroot.server.HTTPServer.bind_addr
|
|
v0.8.0:
Backwards incompatible changes:
h11 now performs stricter validation on outgoing header names and header values: illegal characters are now rejected (example: you can't put a newline into an HTTP header), and header values with leading/trailing whitespace are also rejected (previously h11 would silently discard the whitespace). All these checks were already performed on incoming headers; this just extends that to outgoing headers.
New features:
New method :meth:Connection.send_failed, to notify a :class:Connection object when data returned from :meth:Connection.send was not sent.
Bug fixes:
Make sure that when computing the framing headers for HEAD responses, we produce the same results as we would for the corresponding GET.
Error out if a request has multiple Host: headers.
Send the Host: header first, as recommended by RFC 7230.
The Expect: header is case-insensitive, so use case-insensitive matching when looking for 100-continue.
Other changes:
Better error messages in several cases.
Provide correct error_status_hint in exception raised when encountering an invalid Transfer-Encoding header.
For better compatibility with broken servers, h11 now tolerates responses where the reason phrase is missing (not just empty).
Various optimizations and documentation improvements.
|
|
Based on the wip package mostly worked on by leot@
with support by yhardy and a host of others.
pkgsrc changes:
- Add GCC_REQD to 5.0 as requested by webkit-gtk. Previously we had local
kludges/patches to disable IndexedDB support. Unfortunately, in the last
releases it is not so trivial to keep such patches, so bump GCC_REQD as requested
by upstream to avoid further problems.
- Avoid `-DUSE_SYSTEM_MALLOC=ON'. It is no longer supported, at least on
NetBSD/amd64 due to an unsupported part of sysinfo() in Source/WTF/wtf/RAMSize.cpp
(add an XXX comment to document that)
- Add an `introspection' option (enabled by default) to permit building
webkit-gtk without gobject-introspection.
- Add patches to fix support for ppc, add support for sparc64.
From FreeBSD and OpenBSD ports.
- Address `Error sending IPC message: Message too long' that appears at least
on NetBSD via
patches/patch-Source_WebKit_Platform_IPC_unix_ConnectionUnix.cpp.
Changes:
==================
WebKitGTK+ 2.18.6
==================
What's new in WebKitGTK+ 2.18.6?
- Fix deadlock in GStreamer video sink during shutdown when accelerated compositing is disabled.
- Several fixes and improvements in WebDriver.
- Security fixes: CVE-2018-4088, CVE-2017-13885, CVE-2017-7165, CVE-2017-13884, CVE-2017-7160,
CVE-2017-7153, CVE-2017-7153, CVE-2017-7161, CVE-2018-4096.
==================
WebKitGTK+ 2.18.5
==================
What's new in WebKitGTK+ 2.18.5?
- Disable SharedArrayBuffers from Web API.
- Reduce the precision of "high" resolution time to 1ms.
- Fix API documentation generation with newer gtk-doc.
- Security fixes: includes improvements to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).
==================
WebKitGTK+ 2.18.4
==================
What's new in WebKitGTK+ 2.18.4?
- Make WebDriver implementation more spec compliant.
- Fix a bug when trying to remove cookies before a web process is spawned.
- WebKitWebDriver process no longer links to libjavascriptcoregtk.
- Fix several memory leaks in GStreamer media backend.
- Security fixes: CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, CVE-2017-13856.
==================
WebKitGTK+ 2.18.3
==================
What's new in WebKitGTK+ 2.18.3?
- Improve calculation of font metrics to prevent scrollbars from being shown unnecessarily in some cases.
- Fix handling of null capabilities in WebDriver implementation.
- Security fixes: CVE-2017-13798, CVE-2017-13788, CVE-2017-13803.
==================
WebKitGTK+ 2.18.2
==================
What's new in WebKitGTK+ 2.18.2?
- Fix rendering of Arabic text.
- Fix a crash in the web process when decoding GIF images.
- Fix rendering of wind in Windy.com.
- Fix several crashes and rendering issues.
==================
WebKitGTK+ 2.18.1
==================
What's new in WebKitGTK+ 2.18.1?
- Improve performance of GIF animations.
- Fix garbled display in GMail.
- Fix rendering of several material design icons when using the web font.
- Fix flickering when resizing the window in Wayland.
- Prevent default kerberos authentication credentials from being used in ephemeral sessions.
- Fix a crash when webkit_web_resource_get_data() is cancelled.
- Correctly handle touchmove and touchend events in WebKitWebView.
- Fix the build with enchant 2.1.1.
- Fix the build in HPPA and Alpha.
- Fix several crashes and rendering issues.
==================
WebKitGTK+ 2.18.0
==================
What's new in WebKitGTK+ 2.18.0?
- Fix the API documentation generation.
- Fix the build in ARM with NEON.
- Fix the build for Clang with libc++.
==================
WebKitGTK+ 2.17.92
==================
What's new in WebKitGTK+ 2.17.92?
- Improve CPU usage when rendering under Wayland in accelerated compositing mode.
- Improve the memory consumption of the UI process under Wayland.
- Fix rendering issues in some web sites with accelerated compositing enabled.
- Fix a web process crash when closing the WebView.
- Initialize libgcrypt in the network process too.
- Show controls if a video element isn't allowed to play inline.
- Add support for cookies and screenshots commands in WebDriver.
- Fix several crashes and rendering issues.
- Translation updates: Brazilian Portuguese, Polish.
==================
WebKitGTK+ 2.17.91
==================
What's new in WebKitGTK+ 2.17.91?
- Fix proxy HTTP authentication for HTTPS requests.
- Stop kinetic scrolling when a zero movement is reached.
- Fix UI process crash when selecting text.
- Fix UI process crash when loading a favicon.
- Properly handle WebDriver click command on option elements.
- Fix web process crash when resizing the window with accelerated compositing enabled.
- Fix crashes in 32 bit systems due to incorrect use of GVariant.
- Fix several crashes and rendering issues.
==================
WebKitGTK+ 2.17.90
==================
What's new in WebKitGTK+ 2.17.90?
- WebCrypto API support is now enabled by default.
- Add API to provide browser information required by automation.
- Fix the expiration date of manually added cookies.
- Add support for alerts in WebDriver.
- WebKitDatabaseProcess binary has been renamed to WebKitStorageProcess.
- Fix several crashes and rendering issues.
=================
WebKitGTK+ 2.17.5
=================
What's new in WebKitGTK+ 2.17.5?
- Add initial implementation of WebDriver.
- Enable GStreamerGL by default when building with GStreamer >= 1.10.
- Fix position of context menu in Wayland.
- Properly close cookies database at network process exit.
- Fix several crashes and rendering issues.
- Translation updates: Ukrainian.
=================
WebKitGTK+ 2.17.4
=================
What's new in WebKitGTK+ 2.17.4?
- Add API to allow overriding popup menus.
- Add kinetic scrolling support.
- Improve theme rendering performance when using GTK+ >= 3.20.
- Improve error message when webkit_web_view_run_javascript() fails due to a JavaScript exception.
- Fix artifacts when rendering large images.
- Fix blob downloads.
- Fix web process deadlock when seeking YouTube videos.
- Fix alpha premultiplying when using cairo to draw the video frames.
- Fix web process deadlock when closing the remote inspector frontend.
- Update several web inspector icons.
- Fix several crashes and rendering issues.
- Translation updates: Spanish.
=================
WebKitGTK+ 2.17.3
=================
What's new in WebKitGTK+ 2.17.3?
- Add new API to create a WebKitContextMenuItem from a GAction.
- Fix graphics repaint hangs in accelerated compositing mode after a resize.
- Fix rendering glitches in HiDPI in long GitHub Gist pages when focusing the comments textarea.
- Remove Firefox user agent quirk for Google domains.
- Remove LATEST_RECORD_VERSION from GnuTLS priority string.
- Improve colors of inspector SVG icons.
- Fix several crashes and rendering issues.
- Translation updates: French.
=================
WebKitGTK+ 2.17.2
=================
What's new in WebKitGTK+ 2.17.2?
- Update user agent quirks to make YouTube and new Google login page work.
- Fix URL shown in the title of beforeunload dialogs.
- Focus first input field of HTTP authentication dialog.
- Fix rendering of PNG images when decoded in more than one chunk.
- Update several web inspector icons.
- Fix the build with OpenGL disabled.
- Fix several crashes and rendering issues.
=================
WebKitGTK+ 2.17.1
=================
What's new in WebKitGTK+ 2.17.1?
- Switch to use new remote inspector infrastructure instead of legacy Web Sockets based one.
- Add API to enable and handle Web Automation.
- Load large images asynchronously off the main thread.
- Use GtkFileChooserNative for open/save dialogs when available.
- Make file chooser run as modal by default if possible.
- Fix position of dropdown menus in Wayland.
- Keep URI fragments after a server redirection.
- Implement support for aria-haspopup and aria-autocomplete.
- Implement aria-value support for focusable separators.
- Fix playing of some live streams.
=================
WebKitGTK+ 2.15.4
=================
What's new in WebKitGTK+ 2.15.4?
- Make accelerating compositing mode on-demand again. By default it will only be used for websites
that require it, saving a lot of memory on websites that don't need it.
- Add API to manage hardware acceleration policy.
- Enable CSS Grid Layout by default.
- Add API to create ephemeral WebViews to replace the legacy private browsing setting that is now
deprecated.
- Handle HTTP authentication for downloads having a WebView associated.
- Add API to WebKitWebsiteDataManager to handle websites data.
- Fix BadDamage X errors happening when resizing the WebView.
- Fix several crashes and rendering issues.
=================
WebKitGTK+ 2.15.3
=================
What's new in WebKitGTK+ 2.15.3?
- Add API to set network proxy settings.
- Add API to set initial notification permissions.
- Add WebKitSecurityOrigin to the API.
- Add tag property to WebKitNotification.
- Create GLX OpenGL contexts using version 3.2 (core profile) when available to reduce the memory
consumption on Mesa based drivers.
- Improve memory pressure handler to reduce the CPU usage on memory pressure situations.
- Add support for key and code properties on keyboard events.
- More user agent string improvements to improve compatibility with several websites.
- Fix network process crashes when loading custom URI schemes.
- Fix web process crash when closing the web view in X11.
- Fix several crashes and rendering issues.
- Translation updates: German.
=================
WebKitGTK+ 2.15.2
=================
What's new in WebKitGTK+ 2.15.2?
- Add new API to notify about dynamically added forms to Web Extensions.
- Implement selection interface and states for elements supporting aria-selected and for menu roles.
- Expose STATE_SINGLE_LINE and STATE_MULTI_LINE for ARIA searchbox role.
- Enable WebMemorySampler.
- Downloads started by context menu actions now have a web view associated.
- Fix a network process crash when main resource load is converted into a download.
- Fix several crashes and rendering issues.
=================
WebKitGTK+ 2.15.1
=================
What's new in WebKitGTK+ 2.15.1?
- GObject DOM bindings API marked as unstable has been removed.
- Expose WebKitDOMHTMLInputElement APIs for form autofill.
- Properly update WebKitWebView and WebKitWebPage URI properties when request is modified by
WebKitWebPage:send-request signal.
- Switch to use GMenu internally in the context menu implementation.
- Do not leak the default WebKitWebsiteDataManager in WebKitWebContext.
- The network backend now always sniffs contents for Downloads.
- Use eglGetPlatformDisplay when available instead of eglGetDisplay.
- Avoid strstr() when checking (E)GL extensions.
- Fix the build with ENABLE_OPENGL=OFF and allow to build on Wayland without OpenGL again.
- Fix several crashes and rendering issues.
=================
WebKitGTK+ 2.13.4
=================
What's new in WebKitGTK+ 2.13.4?
- Switched to use the threaded compositor. Accelerated compositing mode is now always enabled by default
and happens in a separate thread in the web process.
- Make web view background colors work in accelerated compositing mode.
- Fix several crashes and rendering issues.
=================
WebKitGTK+ 2.13.3
=================
What's new in WebKitGTK+ 2.13.3?
- Fix Web Process deadlocks when loading HLS videos.
- Make videos work when painted into a canvas when accelerated compositing is enabled.
- Fix flickering with animated GIFs.
- Fix a Web Process crash when video repaint is requested with GStreamer GL enabled.
- Reduce the amount of file descriptors that the Web Process keeps open.
- Make memory pressure handler work when cgroups are not available.
- Fix several crashes and rendering issues.
=================
WebKitGTK+ 2.13.2
=================
What's new in WebKitGTK+ 2.13.2?
- Properly redraw the web view when reparented in force compositing mode.
- Flip the volume control layout in media controls on RTL.
- Add support for video orientation to the GStreamer media backend.
- Fix several crashes and rendering issues.
=================
WebKitGTK+ 2.13.1
=================
What's new in WebKitGTK+ 2.13.1?
- CSS Grid Layout has been unprefixed and can be enabled as an experimental feature at runtime.
- The HTTP disk cache implements speculative resources revalidation.
- Add a new WebKitSetting to allow universal access from file URLs.
- Fix several crashes and rendering issues.
|
|
1.0.1:
Bug fixes.
|
|
This package provides routers and fields to create nested resources in the
Django Rest Framework. Nested resources are needed for full REST URL structure,
if one resource lives inside another.
|
|
Version 3.8.2:
Fix read_only + default unique_together validation.
authtoken.views import coreapi from rest_framework.compat, not directly.
Docs: Add missing argument 'detail' to Route
|
|
5.4.1
A security release to fix CVE-2018-8768.
5.4.0
Fix creating files and folders after navigating directories in the dashboard
Enable printing notebooks in colour, removing the CSS that made everything black and white
Limit the completion options displayed in the notebook to 1000, to avoid performance issues with very long lists
Accessibility improvements in tree.html
Added alt-text to the kernel logo image in the notebook UI
Added a test on Travis CI to flag if symlinks are accidentally introduced in the future. This should prevent the issue that necessitated :ref:release-5.3.1
Use lowercase letters for random IDs generated in our Javascript
Removed duplicate code setting TextCell.notebook
|
|
3.1.2:
Make LineTooLong exception more detailed about actual data size
Call on_chunk_sent when write_eof takes as a param the last chunk
|
|
1.9.5 - Parse updated IUAM Javascript challenge
|
|
Version 3.8.1:
Use old url_name behavior in route decorators
For list_route and detail_route maintain the old behavior of url_name,
basing it on the url_path instead of the function name.
Version 3.8:
Breaking Change: Alter read_only plus default behaviour.
Correct allow_null behaviour when required=False
Refactor dynamic route generation and improve viewset action introspectibility.
Fix formatting of the 3.7.4 release note
Docs: Update DRF Writable Nested Serializers references
Docs: Fixed typo in auth URLs example.
Improve composite field child errors
Disable HTML inputs for dict/list fields
Fix typo in HostNameVersioning doc
Use rsplit to get module and classname for imports
Formalize URLPatternsTestCase
Add exception translation test
Test staticfiles
Add drf-yasg to documentation and schema 3rd party packages
Remove unused compat._resolve_model()
Drop compat workaround for unsupported Python 3.2
Prefer iter(dict) over iter(dict.keys())
Pass python_requires argument to setuptools
Remove unused links from docs
Prefer https protocol for links in docs when available
Add HStoreField, postgres fields tests
Always fully qualify ValidationError in docs
Remove unreachable code from ManualSchema
Allowed customising API documentation code samples
Updated docs to use pip show
Load 'static' instead of 'staticfiles' in templates
Fixed a typo in fields docs
Refer to "NamespaceVersioning" instead of "NamespacedVersioning" in the documentation
ErrorDetail: add __eq__/__ne__ and __repr__
Replace background-attachment: fixed in docs
Make 404 & 403 responses consistent with exceptions.APIException output
Small fix to API documentation: schemas
Fix schema generation for PrimaryKeyRelatedField
Represent serializer DictField as an Object in schema
Added docs example reimplementing ObtainAuthToken
Add schema to the ObtainAuthToken view
Fix request formdata handling
Fix authtoken views imports
Update pytest, isort
Fixed active timezone handling for non ISO8601 datetimes.
Made TemplateHTMLRenderer render IntegerField inputs when value is 0.
Corrected endpoint in tutorial instructions
Add Django Rest Framework Role Filters to Third party packages
Use single copy of static assets. Update jQuery
Changes ternary conditionals to be PEP308 compliant
Added links to 'A Todo List API with React' and 'Blog API' tutorials
Fix comment typo in ModelSerializer
Add admin to installed apps to avoid test failures.
Fixed schema for UUIDField in SimpleMetadata.
Corrected docs on router include with namespaces.
Test using model objects for dotted source default
Allow traversing nullable related fields
Added: Tutorial: Django REST with React (Django 2.0)
Add LimitOffsetPagination.get_count to allow method override
Don't show hidden fields in metadata
Enable OrderingFilter to handle an empty tuple (or list) for the 'ordering' field.
Added generic 500 and 400 JSON error handlers.
|
|
- Fuse Panel support: fixes a few bugs with handling small log files
and with apps that don't output any messages.
- Python app support: fixes a Python 3 compatibility issue w.r.t.
writing data over the socket.
- macOS support: fixes a crash in the `passenger-config
compile-nginx-engine` command which only occurs on macOS >= 10.13.
- Fixes a small memory corruption issue (dangling pointer) in the
ApplicationPool subsystem.
- Improves support for the $TMPDIR environment variable by removing
leftover hardcoded references to /tmp. Closes GH-2052.
- Updated PCRE version to 8.42 (was: 8.41) across the board.
|
|
- Adds an option for dumping the web server config manifest to a given
file: `PassengerDumpConfigManifest` (Apache) /
`passenger_dump_config_manifest` (Nginx). This option is mostly useful
for Passenger developers.
- [Nginx] Fixes support for configurations that have two
`passenger_base_uri` options in a single virtual host, without
corresponding `passenger_app_group_name` and `passenger_app_root`
directives. Closes GH-2043.
- [Enterprise] Improved support for RAM-based pricing on Heroku (now
using officially recommended memory limit reporting via CGROUP).
- (added in CHANGELOG after release) Four new options to connect to
the new Fuse Panel: admin_panel_url, admin_panel_auth_type,
admin_panel_username, admin_panel_password
|
|
v0.0.11:
* Add should_upgrade() method
|
|
18.3.1
fix: endpoint configuration error messages
fix: various improvements to the new components API (including retries)
fix: pass unregisterProducer through to twisted to complement WebSocketAdapterProtocol.registerProducer
|
|
Django 1.11.12:
Bugfixes:
Fixed a regression in Django 1.11.8 where combining two annotated values_list() querysets with union(), difference(), or intersection() crashed due to mismatching columns.
Fixed a regression in Django 1.11 where an empty choice could be initially selected for the SelectMultiple and CheckboxSelectMultiple widgets
|
|
Django 2.0.4:
Bugfixes:
Fixed a crash when filtering with an Exists() annotation of a queryset containing a single field.
Fixed admin autocomplete widget’s translations for zh-hans and zh-hant languages.
Corrected admin’s autocomplete widget to add a space after custom classes.
Fixed PasswordResetConfirmView crash when using a user model with a UUIDField primary key and the reset URL contains an encoded primary key value that decodes to an invalid UUID.
Fixed a regression in Django 1.11.8 where combining two annotated values_list() querysets with union(), difference(), or intersection() crashed due to mismatching columns.
Fixed a regression in Django 1.11 where an empty choice could be initially selected for the SelectMultiple and CheckboxSelectMultiple widgets.
Fixed a regression in Django 2.0 where OpenLayersWidget deserialization ignored the widget map’s SRID and assumed 4326
|
|
I cannot provide an effective CDM module.
|
|
0.11.3
No changes, just reupload of 0.11.2 after fixing automatic release conditions in Travis.
0.11.2
proxy: py3 NameError basestring
0.11.1
Fix HTTP(S)ConnectionWithTimeout AttributeError proxy_info
0.11.0
Add DigiCert Global Root G2 serial 033af1e6a711a9a0bb2864b11d09fae5
python3 proxy support
If no_proxy environment value ends with comma then proxy is not used
fix UnicodeDecodeError using socks5 proxy
Respect NO_PROXY env var in proxy_info_from_url
NO_PROXY=bar was matching foobar (suffix without dot delimiter)
New behavior matches curl/wget:
- no_proxy=foo.bar will only skip proxy for exact hostname match
- no_proxy=.wild.card will skip proxy for any.subdomains.wild.card
Bugfix for Content-Encoding: deflate
|
|
3.1.1:
Support asynchronous iterators (and asynchronous generators as well) in both client and server API as request / response BODY payloads.
|
|
ok wiz@ for committing during freeze
|
|
sorry for breakage, I had the plist check disabled.
|
|
Fixes remote code execution vulnerability (CVE-2018-7600)
No other fixes are included.
|
|
Fixes remote code execution vulnerability (CVE-2018-7600)
No other changes are included in this release.
|
|
What's new in Drupal 8.5.0?
This new version makes Media module available for all, improves
migrations significantly, stabilizes the Content Moderation and
Settings Tray modules, serves dynamic pages faster with BigPipe enabled
by default, and introduces a new experimental entity layout user
interface. The release includes several very important fixes for
workflows of content translations and supports running on PHP 7.2.
|
|
CVE-2018-5148: Use-after-free in compositor
A use-after-free vulnerability can occur in the compositor during certain
graphics operations when a raw pointer is used instead of a reference
counted one. This results in a potentially exploitable crash.
|
|
A use-after-free vulnerability can occur in the compositor during
certain graphics operations when a raw pointer is used instead of a
reference counted one. This results in a potentially exploitable crash
Bug 1440717 - Use RefPtr for CompositingRenderTargetOGL::mGL. r=Bas, a=ritu
PKGREVISION++
|
|
CVE-2018-5148: Use-after-free in compositor
Invalid page rendering with hardware acceleration enabled (Bug 1435472)
Windows 7 users with touch screens or certain 3rd party desktop applications which interact with Firefox through accessibility services may experience random browser crashes. Known 3rd party applications with issues: StickyPassword, Windows 7 touch screen. (Bug 1424505)
Browser keyboard shortcuts (eg copy Ctrl+C) don't work on sites that use those keys with resistFingerprinting enabled (Bug 1433592)
High CPU / memory churn caused by third-party software on some computers (Bug 1446280)
Users who have configured an "automatic proxy configuration URL" and want to reload their proxy settings from the URL will find the Reload button disabled in the Connection Settings dialog when they select Preferences/Options > Network Proxy > Settings... (Bug 1445991)
URL Fragment Identifiers Break Service Worker Responses (Bug 1443850)
Users trying to cancel a print around the time it completes will continue to get intermittent crashes (Bug 1441598)
Broken getUserMedia (audio) on DragonFly, FreeBSD, NetBSD, OpenBSD. Video chat apps either wouldn't work or be always muted (Bug 1444074)
|
|
Changes with Apache 2.4.33
*) core: Fix request timeout logging and possible crash for error_log hooks.
*) mod_slotmem_shm: Fix failure to create balancers' slotmems in Windows MPM,
where children processes need to attach them instead since they are owned
by the parent process already.
*) ab: try all destination socket addresses returned by
apr_sockaddr_info_get instead of failing on first one when not available.
Needed for instance if localhost resolves to both ::1 and 127.0.0.1
e.g. if both are in /etc/hosts.
*) ab: Use only one connection to determine working destination socket
address.
*) ab: LibreSSL doesn't have or require Windows applink.c.
*) htpasswd/htdigest: Disable support for bcrypt on EBCDIC platforms.
apr-util's bcrypt implementation doesn't tolerate EBCDIC.
*) htpasswd/htdbm: report the right limit when get_password() overflows.
*) htpasswd: Don't fail in -v mode if password file is unwritable.
*) htpasswd: don't point to (unused) stack memory on output
to make static analysers happy.
Changes with Apache 2.4.32
*) mod_access_compat: Fail if a comment is found in an Allow or Deny
directive.
*) mod_authz_host: Ignore comments after "Require host", logging a
warning, or logging an error if the line is otherwise empty.
*) rotatelogs: Fix expansion of %Z in localtime (-l) mode, and fix
Y2K38 bug.
*) mod_ssl: Support SSL DN raw variable extraction without conversion
to UTF-8, using _RAW suffix on variable names.
*) ab: Fix https:// connection failures (regression in 2.4.30); fix
crash generating CSV output for large -n.
Changes with Apache 2.4.31
*) mod_proxy_fcgi: Add the support for mod_proxy's flushpackets and flushwait
parameters.
*) mod_ldap: Avoid possible crashes, hangs, and busy loops due to
improper merging of the cache lock in vhost config.
*) mpm_event: Do lingering close in worker(s).
*) mpm_queue: Put fdqueue code in common for MPMs event and worker.
Changes with Apache 2.4.30
*) SECURITY: CVE-2017-15710 (cve.mitre.org)
Out of bound write in mod_authnz_ldap with AuthLDAPCharsetConfig enabled
*) CVE-2018-1283 (cve.mitre.org)
mod_session: CGI-like applications that intend to read from mod_session's
'SessionEnv ON' could be fooled into reading user-supplied data instead.
*) SECURITY: CVE-2018-1303 (cve.mitre.org)
mod_cache_socache: Fix request headers parsing to avoid a possible crash
with specially crafted input data.
*) CVE-2018-1301 (cve.mitre.org)
core: Possible crash with excessively long HTTP request headers.
Impractical to exploit with a production build and production LogLevel.
*) mod_authnz_ldap: Fix language long names detection as short name.
*) mod_proxy: Worker schemes and hostnames which are too large are no
longer fatal errors; it is logged and the truncated values are stored.
*) CVE-2017-15715 (cve.mitre.org)
core: Configure the regular expression engine to match '$' to the end of
the input string only, excluding matching the end of any embedded
newline characters. Behavior can be changed with new directive
'RegexDefaultOptions'.
*) SECURITY: CVE-2018-1312 (cve.mitre.org)
mod_auth_digest: Fix generation of nonce values to prevent replay
attacks across servers using a common Digest domain. This change
may cause problems if used with round robin load balancers.
*) mod_proxy: Allow setting options to globally defined balancer from
ProxyPass used in VirtualHost. Balancers are now merged using the new
merge_balancers method which merges the balancers options.
*) logresolve: Fix incorrect behavior or segfault if -c flag is used
Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823259
*) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla).
Add ability for PROXY protocol processing to be optional to donated code.
See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt
*) mod_proxy, mod_ssl: Handle SSLProxy* directives in <Proxy> sections,
allowing per backend TLS configuration.
*) mod_proxy_uwsgi: Add in UWSGI proxy (sub)module.
*) mod_proxy_balancer,mod_slotmem_shm: Rework SHM reuse/deletion to not
depend on the number of restarts (non-Unix systems) and preserve shared
names as much as possible on configuration changes for SHMs and persisted
files.
*) CVE-2018-1302 (cve.mitre.org)
mod_http2: Potential crash w/ mod_http2.
*) mod_http2: obsolete code removed, no more events on beam pool destruction,
discourage content encoders on http2-status response (where they do not work).
*) mpm_event: Let the listener thread do its maintenance job on resources
shortage.
*) mpm_event: Wakeup the listener to re-enable listening sockets.
*) mod_ssl: The SSLCompression directive will now give an error if used
with an OpenSSL build which does not support any compression methods.
*) mpm_event,worker: Mask signals for threads created by modules in child
init, so that they don't receive (implicitly) the ones meant for the MPM.
*) mod_md: new experimental module for managing domains across virtual hosts,
implementing the Let's Encrypt ACMEv1 protocol to signup and renew
certificates. Please read the module's documentation for further instructions
on how to use it.
*) mod_proxy_html: skip documents shorter than 4 bytes
*) core, mpm_event: Avoid a small memory leak of the scoreboard handle, for
the lifetime of the connection, each time it is processed by MPM event.
*) mpm_event: Update scoreboard status for KeepAlive state.
*) mod_ldap: Fix a case where a full LDAP cache would continually fail to
purge old entries and log AH01323.
*) mpm_event: close connections not reported as handled by any module to
avoid losing track of them and leaking scoreboard entries.
*) core: A signal received while stopping could have crashed the main
process.
*) mod_ssl: support for mod_md added.
*) mod_proxy_html: process parsed comments immediately.
Fixes bug (seen in the wild when used with IBM's HTTPD bundle)
where parsed comments may be lost.
*) mod_proxy_html: introduce doctype for HTML 5
*) mod_proxy_html: fix typo-bug processing "strict" vs "transitional"
HTML/XHTML.
*) mpm_event: avoid a very unlikely race condition between the listener and
the workers when the latter fails to add a connection to the pollset.
*) core: silently ignore a nonexistent file path when IncludeOptional
is used.
*) mod_macro: fix usability of globally defined macros in .htaccess files.
*) mod_rewrite, core: add the Vary header when a condition evaluates to true
and the related RewriteRule is used in a Directory context
(triggering an internal redirect).
*) ab: Make the TLS layer aware that the underlying socket is nonblocking,
and use/handle POLLOUT where needed to avoid busy IOs and recover write
errors when appropriate.
*) ab: Keep reading nonblocking to exhaust TCP or SSL buffers when previous
read was incomplete (the SSL case can cause the next poll() to timeout
since data are buffered already).
*) mod_http2: avoid unnecessary data retrieval for a trace log. Allow certain
information retrievals on null bucket beams where it makes sense.
|
|
1.88 2018-03-23 15:37:25Z
========================================
[FIXED]
- tick() now dies if checkbox is not found (GH#248) (Olaf Alders)
[DOCUMENTATION]
- Clarify behaviour of submit_form when with_fields is supplied as an arg (GH#247) (Olaf Alders)
- Document some "Best Practices" (GH#246) (Olaf Alders)
- Update links in Pod. Suggest LWP::ConsoleLogger rather than LWP::Debug (GH#244) (Olaf Alders)
|
|
0.3.2:
- Compatibility Django 2.0
|
|
|
1.15:
Improve comments.
Close unwanted file descriptors.
In scgi_server.py, spawn_child() is called at startup to start the
first child and also from delegate_request() when more children are
needed. In the latter case, the parameter 'conn' is passed to
spawn_child() so that the newly-created child knows to close the
file descriptor it has inherited but doesn't need.
The bug is that in the latter case the new child also inherits
various other file descriptors which are not similarly closed,
namely the Unix sockets to its elder siblings, and the TCP listener
socket.
Improve Apache 2 mod_scgi error messages.
If the connection is aborted while sending the response, log an
error but don't generate an internal server error. This can happen
if the client closes the connection before the entire response has
been read. There's nothing the server can do about it.
When an error occurs while reading the response headers, don't
log an error since ap_scan_script_header_err_brigade() has already
done so.
|
|
## 2.2.2 / 2018-03-22
Make public `Loofah::HTML5::Scrub.force_correct_attribute_escaping!`,
which was previously a private method. This is so that downstream gems
(like rails-html-sanitizer) can use this logic directly for their own
attribute scrubbers should they need to address CVE-2018-8048.
|