| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
### 4.4.1 (2017-07-12)
* Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
* Correctly handle subpalettes in "edit multiple" mode (see #946).
* Correctly show the DCA picker in the site structure (see #906).
* Correctly update the style sheets if a format definition is
enabled/disabled (see #893).
* Always show the "show from" and "show until" fields (see #908).
* Correctly set the "overwriteMeta" field during the database update (see
contao/core-bundle#888).
|
|
Version 3.5.28 (2017-07-12)
---------------------------
### Fixed
Prevent arbitrary PHP file inclusions in the back end (see CVE-2017-10993).
### Fixed
Improve the accessibility of the CAPTCHA widget (see #8709).
### Fixed
Fixed the iOS scrolling bug in the simple modal script (see #8708).
### Fixed
Correctly cache the unique keys in the SQL cache (see #8712).
|
|
|
|
|
|
Grafana is a web-based dashboard that allows you to query, visualize and
alert on metrics data stored in Graphite, InfluxFB, OpenTSDB or Prometheus.
|
|
*) COMPATIBILITY: mod_lua: Remove the undocumented exported 'apr_table'
global variable when using Lua 5.2 or later. This was exported as a
side effect from luaL_register, which is no longer supported as of
Lua 5.2 which deprecates pollution of the global namespace.
*) COMPATIBILITY: mod_http2: Disable and give warning when using Prefork.
The server will continue to run, but HTTP/2 will no longer be negotiated.
*) COMPATIBILITY: mod_proxy_fcgi: Revert to 2.4.20 FCGI behavior for the
default ProxyFCGIBackendType, fixing a regression with PHP-FPM.
*) mod_lua: Improve compatibility with Lua 5.1, 5.2 and 5.3.
*) mod_http2: Simplify ready queue, less memory and better performance. Update
mod_http2 version to 1.10.7.
*) Allow single-char field names inadvertently disallowed in 2.4.25.
*) htpasswd / htdigest: Do not apply the strict permissions of the temporary
passwd file to a possibly existing passwd file.
*) core: Avoid duplicate HEAD in Allow header.
This is a regression in 2.4.24 (unreleased), 2.4.25 and 2.4.26.
|
|
*) Allow single-char field names inadvertantly disallowed in 2.2.32.
Changes with Apache 2.2.33 (not released)
*) SECURITY: CVE-2017-7668 (cve.mitre.org)
The HTTP strict parsing changes added in 2.2.32 and 2.4.24 introduced a
bug in token list parsing, which allows ap_find_token() to search past
the end of its input string. By maliciously crafting a sequence of
request headers, an attacker may be able to cause a segmentation fault,
or to force ap_find_token() to return an incorrect value.
*) SECURITY: CVE-2017-3169 (cve.mitre.org)
mod_ssl may dereference a NULL pointer when third-party modules call
ap_hook_process_connection() during an HTTP request to an HTTPS port.
*) SECURITY: CVE-2017-3167 (cve.mitre.org)
Use of the ap_get_basic_auth_pw() by third-party modules outside of the
authentication phase may lead to authentication requirements being
bypassed.
*) SECURITY: CVE-2017-7679 (cve.mitre.org)
mod_mime can read one byte past the end of a buffer when sending a
malicious Content-Type response header.
*) Fix HttpProtocolOptions to inherit from global to VirtualHost scope.
|
|
|
|
Fix PR pkg/52392
|
|
Caddy is a HTTP/2 web server with automatic HTTPS.
Caddy was born out of the need for a "batteries-included" web server
that runs anywhere and doesn't have to take its configuration with it.
Caddy took inspiration from spark, nginx, lighttpd, Websocketd and
Vagrant, which provides a pleasant mixture of features from each of
them.
|
|
Reported by Thomas Mueller. Thank you.
|
|
|
|
* Release as a universal wheel.
* Convert readthedocs links for their .org -> .io migration for hosted projects.
|
|
that application, without starting up an HTTP server.
This provides convenient full-stack testing of applications written with any
WSGI-compatible framework.
|
|
|
|
Bugfix
- Request.host_url, Request.host_port and Request.domain now all understand and
know how to parse IPv6 Host headers sent by browsers.
|
|
|
|
|
|
Upstream changes:
Here is the full list of fixed issues in 3.3.1.
Contents
1 Highlights
2 Security issues
3 Fixes and improvements
4 For developers
5 See also
Highlights
MDL-58136 - Show only "in progress" courses in the My courses list in Booost flat navigation
MDL-56046 - Fixed bug when downloading Quiz statistics report and other multiple-sheet reports
MDL-58646, MDL-59122 - Number of performance improvements in Boost cache rebuilding
MDL-58310, MDL-59312, MDL-58103 - Correctly display AJAX errors and ignore interrupted requests caused by page unload (occasional "undefined" popup)
MDL-44961 - When restoring course with rolling start date never change log dates
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-46322 - Assignment: Only enrolled users may be assigned as markers, if admins/managers can view course but are not enrolled they will not be assigned
MDL-58907 - Course overview: Remember last view mode (Timeline/Courses), add a setting for a default mode
MDL-58729 - Performance impovement in MySQL collation change script (follow up for Full UTF-8 Support in MySQL)
MDL-57957 - Assignment: Fixed bug with feedback files not being shown to students if assignment has no grading
MDL-57021 - Use normal password form field during sign up, adding new user and enrolling in a course
MDL-49988 - Wiki: line breaks in HTML source code should not affect page layout
MDL-58811 - Quiz: fixed bug preventing quiz duplication if questions have file links in their texts
For developers
MDL-58911 - Change of behavior when writing unittests for the dashboard events - now callback from module are executed in unittests same way they would be executed on the dashboard
|
|
Features
- Python 3.6 is now officially supported in Waitress
Bugfixes
- Add a work-around for libc issue on Linux not following the documented
standards. If getnameinfo() fails because of DNS not being available it
should return the IP address instead of the reverse DNS entry, however
instead getnameinfo() raises. We catch this, and ask getnameinfo()
for the same information again, explicitly asking for IP address instead of
reverse DNS hostname.
|
|
-----
* 26: Change six requirement to >=1.4.0
* 28: Py3k fixes
* 29: paste.wsgilib.add_close: Add __next__ method to support using `add_close` objects as iterators on Python 3.
* 30: tox.ini: Add py35 to envlist
* 31: Enable testing with pypy
* 33: tox.ini: Measure test coveraage
|
|
|
|
Approved by joerg@.
|
|
these packages pull in GCC_REQD+=4.9 via mozilla-common.mk, and
are very widely used (I suspect only www/firefox actually needs it)
this will take care of most of the fallout from major bumping
pkgsrc-gcc-libstdc++ to 7 on netbsd. these are the most widely
used packages setting GCC_REQD>4.8.
|
|
Bugs Fixed
Addition in mod_wsgi-express of --allow-override option in 4.5.16 caused --url-alias option to break.
|
|
|
|
based on the work done by the amazing folks at magicstack.
On top of being Flask-like, Sanic supports async request handlers. This means
you can use the new shiny async/await syntax from Python 3.5, making your code
non-blocking and speedy.
|
|
|
|
User-visible changes:
- Client-side bugfixes:
* cp/mv: improve error message when target is an unversioned dir
* merge: reduce memory usage with large amounts of mergeinfo
- Server-side bugfixes:
* 'svnadmin freeze': document the purpose more clearly
* dump: fix segfault when a revision has no revprops
* fsfs: improve error message upon failure to open rep-cache
* fsfs: never attempt to share directory representations
* fsfs: make consistency independent of hash algorithms
This change makes Subversion resilient to collision attacks, including
SHA-1 collision attacks such as <http://shattered.io/>. See also our
documentation at <https://subversion.apache.org/faq#shattered-sha1> and
<https://subversion.apache.org/docs/release-notes/1.9#shattered-sha1>.
- Client-side and server-side bugfixes:
* work around an APR bug related to file truncation
- Bindings bugfixes:
* javahl: follow redirects when opening a connection
Developer-visible changes:
- General:
* win_tests.py: make the --bin option work, rather than abort
(regression introduced in 1.9.2)
* windows: support building with 'zlibstat.lib' in install-layout
- API changes:
(none)
|
|
|
|
1.85 2017-06-28 22:06:00Z
========================================
[FIXED]
- use 127.0.0.1 instead of 'localhost' in a test to avoid the test hanging
due to ipv6 issues (GH#31)
- Remove private logic for taint checking (Dave Doyle)
- Fix Pod (simbabque)
- Bump Test::More prereq to get working subtest support (Karen Etheridge)
- Fix intermittent failures of taint.t (GH#108) (Kivanc Yazan)
- Fix kwalitee issues (GH#107) (Kivanc Yazan)
[ENHANCEMENTS]
- Print section titles if mech-dump --all is invoked (GH#81) (Сергей
Романов)
- Add cookbook docs on dumping a req without sending it (#115) (Grigor
Karavardanyan)
- Document that submit only submits current form (GH#114) (nawglan)
- Add Travis testing on Perl 5.26 (Karen Etheridge)
- Remove obsolete and unincremented $VERSIONs in test modules (Karen
Etheridge)
|
|
The runserver server_cls override no longer fails with more modern Django versions that pass an ipv6 parameter.
|
|
* Sync with www/firefox52-52.2.1
|
|
Changelog:
52.2.1
Printing text does not work on Windows when Direct2D is disabled (Bug 1318845)
52.2.0
#CVE-2017-5472: Use-after-free using destroyed node when regenerating trees
#CVE-2017-7749: Use-after-free during docshell reloading
#CVE-2017-7750: Use-after-free with track elements
#CVE-2017-7751: Use-after-free with content viewer listeners
#CVE-2017-7752: Use-after-free with IME input
#CVE-2017-7754: Out-of-bounds read in WebGL with ImageInfo object
#CVE-2017-7755: Privilege escalation through Firefox Installer with same directory DLL files
#CVE-2017-7756: Use-after-free and use-after-scope logging XHR header errors
#CVE-2017-7757: Use-after-free in IndexedDB
#CVE-2017-7778: Vulnerabilities in the Graphite 2 library
#CVE-2017-7758: Out-of-bounds read in Opus encoder
#CVE-2017-7760: File manipulation and privilege escalation via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-7761: File deletion and privilege escalation through Mozilla Maintenance Service helper.exe application
#CVE-2017-7763: Mac fonts render some unicode characters as spaces
#CVE-2017-7764: Domain spoofing with combination of Canadian Syllabics and other unicode blocks
#CVE-2017-7765: Mark of the Web bypass when saving executable files
#CVE-2017-7766: File execution and privilege escalation through updater.ini, Mozilla Windows Updater, and Mozilla Maintenance Service
#CVE-2017-7767: Privilege escalation and arbitrary file overwrites through Mozilla Windows Updater and Mozilla Maintenance Service
#CVE-2017-7768: 32 byte arbitrary file read through Mozilla Maintenance Service
#CVE-2017-5470: Memory safety bugs fixed in Firefox 54 and Firefox ESR 52.252.2.0
52.1.2
FIx hangs when using a proxy with NTLM authentication (bug 1360574)
|
|
|
|
* Sync with www/firefox-54.0.1
|
|
Changelog:
Fixed
Fix a display issue of tab title (bug 1357656)
Fix a display issue of opening new tab (bug 1371995)
Fix a display issue when opening multiple tabs (bug 1371962)
Fix a tab display issue when downloading files (bug 1373109)
Fix a PDF printing issue (bug 1366744)
Fix a Netflix issue on Linux (bug 1375708)
|
|
Documentation
We have received several patches to fix grammer and typos.
The broken out-of-tree build has been also fixed.
nghttp
We fixed the bug that HTTP Upgrade fails if HTTP response does not have reason-phrase.
nghttpx
The default minimum TLS version is now TLSv1.2. This is because the default cipher list only contains cipher suites which are compatible with it.
|
|
Bugfixes
Removed an incorrect deprecation warning about a missing renderer argument if a Widget.render() method accepts **kwargs.
Fixed a regression causing Model.__init__() to crash if a field has an instance only descriptor.
Fixed an incorrect DisallowedModelAdminLookup exception when using a nested reverse relation in list_filter.
Fixed admin’s FieldListFilter.get_queryset() crash on invalid input.
Fixed invalid HTML for a required AdminFileWidget.
Fixed model initialization to set the name of class-based model indexes for models that only inherit models.Model.
Fixed crash in admin’s inlines when a model has an inherited non-editable primary key.
Fixed QuerySet.union(), intersection(), and difference() when combining with an EmptyQuerySet.
Prevented Paginator’s unordered object list warning from evaluating a QuerySet.
Fixed the value of redirect_field_name in LoginView’s template context. It’s now an empty string (as it is for the original function-based login() view) if the corresponding parameter isn’t sent in a request (in particular, when the login page is accessed directly).
Prevented attribute values in the django/forms/widgets/attrs.html template from being localized so that numeric attributes (e.g. max and min) of NumberInput work correctly.
Removed casting of the option value to a string in the template context of the CheckboxSelectMultiple, NullBooleanSelect, RadioSelect, SelectMultiple, and Select widgets. In Django 1.11.1, casting was added in Python to avoid localization of numeric values in Django templates, but this made some use cases more difficult. Casting is now done in the template using the |stringformat:'s' filter.
Prevented a primary key alteration from adding a foreign key constraint if db_constraint=False.
Fixed UnboundLocalError crash in RenameField with nonexistent field.
Fixed a regression preventing a model field’s limit_choices_to from being evaluated when a ModelForm is instantiated.
|
|
Fix standard visibility macro use.
|
|
|
|
|
|
|
|
Fixes joyent/pkgsrc/issues/515
|
|
|
|
|
|
|
|
|
|
|
