| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Changelog:
Tomcat 8.0.43 (violetagg)
Catalina
Add: 54618: Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter. (markt)
Fix: 60876: Ensure that Set-Cookie headers generated by the Rfc6265CookieProcessor are aligned with the specification. Patch provided by Jim Griswold. (markt)
Fix: 60911: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg)
Coyote
Fix: When using the NIO2 connector, ensure a WebSocket close frame is processed before the end of stream is processed to ensure that the end of stream is processed correctly. (markt)
Fix: 60852: Correctly spell compressible when used in configuration attributes and internal code. Based on a patch by Michael Osipov. (markt)
Fix: Improve sendfile handling when requests are pipelined. (markt)
Jasper
Fix: Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm, violetagg)
Fix: 60844: Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. (markt)
jdbc-pool
Fix: 60764: Implement equals() and hashCode() in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. (kfujino)
Other
Fix: Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
2017-03-14 Tomcat 8.0.42 (markt)
Catalina
Update: 60596: Improve performance of DefaultServlet when sendfile feature is disabled on connector. (kkolinko)
Fix: Reduce the contention in the default InstanceManager implementation when multiple threads are managing objects and need to reference the annotation cache. (markt)
Add: Extend the JreMemoryLeakPreventionListener to provide protection against ForkJoinPool.commonPool() related memory leaks. (markt)
Code: 60674: Remove final marker from CorsFilter to enable sub-classing. (markt)
Fix: 60683: Security manager failure causing NPEs when doing IO on some JVMs. (csutherl)
Fix: 60688: Update the internal fork of Apache Commons BCEL to r1782855 to add early access Java 9 support to the annotation scanning code. (markt)
Fix: When HTTP TRACE requests are disabled on the Connector, ensure that the HTTP OPTIONS response from the WebDAV servlet does not include TRACE in the returned Allow header. (markt)
Fix: 60718: Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed() event was not being fired and an entry wasn't being made in the access logs. (markt)
Fix: 60722: Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext.dispatch(). (markt)
Fix: 60728: Make the separator Tomcat uses in the Tomcat specific war:file:... URL protocol customizable via a system property. The separator is equivalent to the use of the ! character in jar:file:... URLs. The default separator of * remains unchanged. (markt)
Fix: 60798: Correct a bug in the handling of JARs in unpacked WARs that meant multiple attempts to read the same entry from a JAR in succession would fail for the second and subsequent attempts. (markt)
Fix: 60808: Ensure that the Map returned by ServletRequest.getParameterMap() is fully immutable. Based on a patch provided by woosan. (markt)
Fix: 60824: Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. (markt)
Fix: Ensure request and response facades are used when firing application listeners. (markt/remm)
Coyote
Fix: Ensure that executor thread pools used with connectors pre-start the configured minimum number of idle threads. (markt)
Add: 60594: Allow some invalid characters that were recently restricted to be processed in requests by using the system property tomcat.util.http.parser.HttpParser.requestTargetAllow. (csutherl)
Fix: Modify the cookie header generated by the Rfc6265CookieProcessor so it always sends an Expires attribute as well as a Max-Age attribute to avoid problems with Microsoft browsers that do not support the Max-Age attribute. (markt)
Jasper
Fix: Follow up to the fix for 58178. When creating the ELContext for a tag file, ensure that any registered ELContextListeners are fired. (markt)
Fix: Refactor code generated for JSPs to reduce the size of the code required for tags. (markt)
Update: Update to the Eclipse JDT Compiler 4.6.1. (markt)
Cluster
Add: Make the accessTimeout configurable in ClusterSingleSignOn. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Fix: 60806: To avoid ClassNotFoundException, make sure that the web application class loader is passed to ReplicatedContext. (kfujino)
WebSocket
Fix: 60617: Correctly create a CONNECT request when establishing a WebSocket connection via a proxy. Patch provided by Svetlin Zarev. (markt)
Tribes
Fix: Ensure that NoRpcChannelReply messages are not received on RpcCallback. (kfujino)
Other
Update: Update the packaged version of the Tomcat Native Library to 1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
Add: 60784: Update all unit tests that test the HTTP status line to check for the required space after the status code. Patch provided by Michael Osipov. (markt)
Update: Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
|
|
Changelog:
Tomcat 7.0.77 (violetagg)
Catalina
add 54618: Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter. (markt)
fix 60911: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg)
Coyote
fix When using the NIO2 connector, ensure a WebSocket close frame is processed before the end of stream is processed to ensure that the end of stream is processed correctly. (markt)
fix 60852: Correctly spell compressible when used in configuration attributes and internal code. Based on a patch by Michael Osipov. (markt)
fix Improve sendfile handling when requests are pipelined. (markt)
Jasper
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm, violetagg)
fix 60844: Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. (markt)
jdbc-pool
fix 60764: Implement equals() and hashCode() in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. (kfujino)
Tomcat 7.0.76 (markt) released 2017-03-16
Catalina
code Make it easier for sub-classes of Tomcat to modify the default web.xml settings by over-riding getDefaultWebXmlListener(). Patch provided by Aaron Anderson. (markt)
fix Reduce the contention in the default InstanceManager implementation when multiple threads are managing objects and need to reference the annotation cache. (markt)
code 60674: Remove final marker from CorsFilter to enable sub-classing. (markt)
fix 60683: Security manager failure causing NPEs when doing IO on some JVMs. (csutherl)
fix 60688: Update the internal fork of Apache Commons BCEL to r1782855 to add early access Java 9 support to the annotation scanning code. (markt)
fix 60718: Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed() event was not being fired and an entry wasn't being made in the access logs. (markt)
fix 60808: Ensure that the Map returned by ServletRequest.getParameterMap() is fully immutable. Based on a patch provided by woosan. (markt)
fix 60824: Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. (markt)
fix Ensure request and response facades are used when firing application listeners. (markt/remm)
fix When HTTP TRACE requests are disabled on the Connector, ensure that the HTTP OPTIONS response from the WebDAV servlet does not include TRACE in the returned Allow header. (markt)
Coyote
fix Ensure that executor thread pools used with connectors pre-start the configured minimum number of idle threads. (markt)
add 60594: Allow some invalid characters that were recently restricted to be processed in requests by using the system property tomcat.util.http.parser.HttpParser.requestTargetAllow. (csutherl)
Jasper
fix Refactor code generated for JSPs to reduce the size of the code required for tags. (markt)
Cluster
add Make the accessTimeout configurable in ClusterSingleSignOn. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
fix 60806: To avoid ClassNotFoundException, make sure that the web application class loader is passed to ReplicatedContext. (kfujino)
WebSocket
fix 60617: Correctly create a CONNECT request when establishing a WebSocket connection via a proxy. Patch provided by Svetlin Zarev. (markt)
Tribes
fix Ensure that NoRpcChannelReply messages are not received on RpcCallback. (kfujino)
fix 60722: Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext.dispatch(). (markt)
Other
fix 60620: Fix configuration of Eclipse projects, broken by introduction of SafeForkJoinWorkerThreadFactory helper class. This class cannot be built with Java 6. (kkolinko)
update Update the packaged version of the Tomcat Native Library to 1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
add 60784: Update all unit tests that test the HTTP status line to check for the required space after the status code. Patch provided by Michael Osipov. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
fix Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
Tomcat 7.0.75 (violetagg) released 2017-01-24
Cluster
add Make the accessTimeout configurable in BackupManager. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Web applications
fix Ensure the ASF logo image is correctly displayed in docs and host-manager applications. (violetagg)
Tomcat 7.0.74 (violetagg) not released
Catalina
add 53602: Add HTTP status code 451 (RFC 7725) to the list of HTTP status codes recognised by Tomcat. (markt)
fix Correctly handle the configClass attribute of a Host when embedding Tomcat. (markt)
fix 60379: Dispose of the GSS credential once it is no longer required. Patch provided by Michael Osipov. (markt)
fix 60380: Ensure that a call to HttpServletRequest#logout() triggers a call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
fix 60387: Correct the javadoc for o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is different for the different implementations. (violetagg)
code 60393: Use consistent parameter naming in implementations of Realm#authenticate(GSSContext, boolean). (markt)
fix 60395: Log when an Authenticator passes an incomplete GSSContext to a Realm since it indicates a bug in the Authenticator. Patch provided by Michael Osipov. (markt)
update Update the warnings that reference required options for running on Java 9 to use the latest syntax for those options. (markt)
fix 60513: Fix thread safety issue with RMI cleanup code. (remm)
add 60620: Extend thed memory leaks. (markt)
Coyote
fix Ensure that the endpoint is able to unlock the acceptor thread during shutdown if the endpoint is configured to listen to any local address of a specific type such as 0.0.0.0 or ::. (markt)
fix Ensue is enabled by default for APR. (markt)
fix Prevent read time out when the file is deleted while serving the response. The issue was observed only with APR Connector and sendfile enabled. (violetagg)
fix Improve the logic that selects an to unlock the Acceptor to take account of platforms what do not listen on all local addresses when configured with an address of 0.0.0.0 or ::. (markt)
fix 60409: When unable to complete sendfile request, ensure the Processor will be added to the(markt)
fix 60431: Improve handling of varargs in UEL expressions. Based on a patch by Ben Wolfe. (markt)
fix 60497: Restore previous tag reuse behavior following the use of try/finally. (remm)
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm)
fix 60497: Follow up fix using a better variable name for the tag reuse flag. (remm)
fix Revert use of try/finally for simple tags. (remm)
Web applications
fix Correct a typo in Host Configuration Reference. Issue reported via comments.apache.org. (violetagg)
add In the documentation web application, be explicit that clustering requires a secure network for all of the cluster network traffic. (markt)
update Update the ASF logos to the new versions.
Tribes
fix Reduce the warning logs for a message received from a different domain in order to avoid excessive log outputs. (kfujino)
add Add log message that PING message has received beyond the timeout period. (kfujino)
fix When a PING message that beyond the time-out period has been received, make sure that valid member is added to the map membership. (kfujino)
WebSocket
fix 60437: Avoid possible handshake overflows in the websocket client. (remm)
jdbc-pool
add 58816: Implement the statistics of jdbc-pool. The stats infos are borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, releasedIdleCount and removeAbandonedCount. (kfujino)
fix 60194: If validationQuery is not specified, connection validation is done by calling the isValid() method. (kfujino)
fix 60398: Fix testcase of TestSlowQueryReport. (kfujino)
add Enable reset the statistics without restarting the pool. (kfujino)
Other
fix 60366: Change catalina.bat to use directly LOGGING_MANAGER and LOGGING_CONFIG variables in order to configure logging, instead of modifying JAVA_OPTS. Patch provided by Petter Isberg. (violetagg)
add New property is added test.verbose in order to control whether the output of the tests is displayed on the console or not. Patch provided by Emmanuel Bourg. (violetagg)
update Update the ASF logos used in the Apache Tomcat installer for Windows to use the new versions.
fix Spelling corrections provided by Josh Soref. (violetagg)
Tomcat 7.0.73 (violetagg) released 2016-11-14
Catalina
fix 60117: Ensure that the name of LogLevel is localized when using OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
add 60151: Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type. (markt)
fix 60167: Ignore empty lines in /etc/passwd files when using the PasswdUserDatabase. (markt)
fix Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. (markt)
fix 60199: Log a warning if deserialization issues prevent a session attribute from being loaded. (markt)
fix Correctly test for control characters when reading the provided shutdown password. (markt)
fix When configuring the JMX remote listener, specify the allowed types for the credentials. (markt)
Coyote
fix 60123: Avoid potential threading issues that could cause excessively large vales to be returned for the processing time of a current request. (markt)
fix 60174: Log instances of HeadersTooLargeException during request processing. (markt)
fix Correct the HTTP header parser so that DEL is not treated as a valid token character. (markt)
fix 60319: When using an Executor, disconnect it from the Connector attributes maxThreads, minSpareThreads and threadPriority to enable the configuration settings to be consistently reported. These Connector attributes will be reported as -1 when an Executor is in use. The values used by the executor may be set and obtained via the Executor. (markt)
fix If an I/O error occurs during async processing on a non-container thread, ensure that the onError() event is triggered. (markt)
fix Improve detection of I/O errors during async processing on non-container threads and trigger async error handling when they are detected. (markt)
add Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)
Web applications
add Add an example of using the classesToInitialize attribute of the JreMemoryLeakPreventionListener to the documentation web application. Based on a patch by Cris Berneburg. (markt)
fix 60192: Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani. (markt)
fix Correct a typo in HTTP Connector How-To. Issue reported via comments.apache.org. (violetagg)
fix Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
fix Correct a typo in CGI How-To. Issue reported via comments.apache.org. (violetagg)
fix 60344: Add a note to BUILDING.txt regarding using the source bundle with the correct line endings. (markt)
Tribes
fix When the proxy node sends a backup retrieve message, ensure that using the channelSendOptions that has been set rather than the default channelSendOptions. (kfujino)
jdbc-pool
fix 60099: Ensure that use all method arguments as a cache key when using StatementCache. (kfujino)
fix 60139: Correct Javadocs for PoolConfiguration.getValidationInterval and setValidationInterval. Reported by Phillip Webb. (kfujino)
Other
add Add documentation to the bin/catalina.bat script to remind users that environment variables don't affect the configuration of Tomcat when run as a Windows Service. Based upon a documentation patch by James H.H. Lampert. (schultz)
Tomcat 7.0.72 (violetagg) released 2016-09-19
Catalina
fix Ensure Digester.useContextClassLoader is considered in case the class loader is used. (violetagg)
Jasper
fix 60101: Remove preloading of the class that was deleted. (violetagg)
jdbc-pool
fix Notify jmx when returning the connection that has been marked suspect. (kfujino)
fix Ensure that the POOL_EMPTY notification has been added to the jmx notification types. (kfujino)
Other
update Update the packaged version of the Tomcat Native Library to 1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
Tomcat 7.0.71 (violetagg) not released
Catalina
fix 57705: Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch by Graham Leggett. (markt)
update Change the default of the sessionCookiePathUsesTrailingSlash attribute of the Context element to false since the problems caused when a Servlet is mapped to /* are more significant than the security risk of not enabling this option by default. (markt)
fix 59708: Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. (markt)
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix Ensure that reading the singleThreadModel attribute of a StandardWrapper via JMX does not trigger initialisation of the associated servlet. With some frameworks this can trigger an unexpected initialisation thread and if initilisation is not thread-safe the initialisation can then fail. (markt)
fix By default, treat paths used to obtain a request dispatcher as encoded. This behaviour can be changed per web application via the dispatchersUseEncodedPaths attribute of the Context. (markt)
fix 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. (fschumacher)
add Provide a mechanism that enables the container to check if a component (typically a web application) has been granted a given permission when running under a SecurityManager without the current execution stack having to have passed through the component. Use this new mechanism to extend SecurityManager protection to the system property replacement feature of the digester. (markt)
add When retrieving an object via a ResourceLink, ensure that the object obtained is of the expected type. (markt)
fix 59866: When scanning WEB-INF/classes for annotations, don't scan the contents of WEB-INF/classes/META-INF (if present) since classes will never be loaded from that location. (markt)
fix 59912: Fix an edge case in input stream handling where an IOException could be thrown when reading a POST body. (markt)
fix 59966: Do not start the web application if the error page configuration in web.xml is invalid. (markt)
fix Switch the CGI servlet to the standard logging mechanism and remove support for the debug attribute. (markt)
add Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future, similar issues. (markt)
add When adding and removing ResourceLinks dynamically, ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be. (markt)
fix 60008: When processing CORs requests, treat any origin with a URI scheme of file as a valid origin. (markt)
fix Improve handling of exceptions during a Lifecycle events triggered by a state transition. The exception is now caught and the component is now placed into the FAILED state. (markt)
fix Fix a file descriptor leak when reading the global web.xml. (markt)
fix 60041: Better error message if a JAR is deleted while a web application is running. Note: Deleting a JAR while the application is running is not supported and errors are expected. Based on a patch by gehui. (markt)
Coyote
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix 59904: Add a limit (default 200) for the number of cookies allowed per request. Based on a patch by gehui. (markt)
fix Make timing attacks against the Realm implementations harder. (schultz)
add Refactor the code that implements the requirement that a call to complete() or dispatch() made from a non-container thread before the container initiated thread that called startAsync() completes must be delayed until the container initiated thread has completed. Rather than implementing this by blocking the non-container thread, extend the internal state machine to track this. This removes the possibility that blocking the non-container thread could trigger a deadlock. (markt)
Jasper
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix Improve the error handling for custom tags to ensure that the tag is returned to the pool or released and destroyed once used. (markt)
fix Fixed StringIndexOutOfBoundsException. Based on a patch provided by wuwen via Github. (violetagg)
WebSocket
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix 59868: Clarify the documentation for the Manager web application to make clearer that the host name and IP address in the server section are the primary host name and IP address. (markt)
fix 59908: Ensure that a reason phrase is included in the close message if a session is closed due to a timeout. (markt)
Web Applications
fix Do not log an additional case of IOExceptions in the error handler for the Drawboard WebSocket example when the root cause is the client disconnecting since the logs add no value. (markt)
fix 59642: Mention the localDataSource in the DataSourceRealm section of the Realm How-To. (markt)
fix Follow-up to the fix for 59399. Ensure that the new attribute transportGuaranteeRedirectStatus is documented for all Realms. Also document the NullRealm and when it is automatically created for an Engine. (markt)
fix MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. Patch provided by Radoslav Husar. (violetagg)
fix 60034: Correct a typo in the Manager How-To page of the documentation web application. (markt)
Tribes
add Add log message when the ping has timed-out. (kfujino)
fix If the ping message has been received at the AbstractReplicatedMap#leftOver method, ensure that notify the member is alive than ignore it. (kfujino)
jdbc-pool
fix Fix the duplicated connection release when connection verification failed. (kfujino)
fix Ensure that do not remove the abandoned connection that has been already released. (kfujino)
fix In order to avoid the unintended skip of PoolCleaner, remove the check code of the execution interval in the task that has been scheduled. (kfujino)
fix 59849: Ensure that the connection verification is executed by initSQL (if required) if the borrowing PooledConnection has not been initialized. (kfujino)
fix 59850: Ensure that the ResultSet is closed when enabling the StatementCache interceptor. (kfujino)
fix 59923: Reduce the default value of validationInterval in order to avoid the potential issue that continues to return an invalid connection after database restart. (kfujino)
fix Ensure that the ResultSet is returned as Proxy object when enabling the StatementDecoratorInterceptor. (kfujino)
fix 60043: Ensure that the suspectTimeout works without removing connection when the removeAbandoned is disabled. (kfujino)
fix Add log message of when returning the connection that has been marked suspect. (kfujino)
fix Correct Javadoc for ConnectionPool.suspect(). Based on a patch by Yahya Cahyadi. (markt)
Other
add Use the mirror network rather than the ASF master site to download the current ASF dependencies. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.8 to pick up the latest fixes and make 1.2.8 the minimum recommended version. (markt)
fix Fixed typos in mbeans-descriptors.xml files. (violetagg)
update Update the internal fork of Commons BCEL to r1757132 to align with the BCEL 6 release. (markt)
update Update the internal fork of Commons Codec to r1757174. Code formatting changes only. (markt)
update Update the internal fork of Commons FileUpload to afdedc9. This pulls in a fix to improve the performance with large multipart boundaries. (markt)
fix Update the download location for Objenesis. (violetagg)
Tomcat 7.0.70 (violetagg) released 2016-06-20
Catalina
fix 59219: Ensure AsyncListener.onError() is called if an Exception is thrown during async processing. (markt)
fix 59220: Ensure that AsyncListener.onComplete() is called if the async request times out and the response is already committed. (markt)
fix 59261: ServletRequest.getAsyncContext() now throws an IllegalStateException as required by the Servlet specification if the request is not in asynchronous mode when called. (markt)
fix 59310: Do not add a Content-Length: 0 header for custom responses to HEAD requests that do not set a Content-Length value. (markt)
fix When normalizing paths, improve the handling when paths end with /. or /.. and ensure that input and output are consistent with respect to whether or not they end with /. (markt)
fix 59317: Ensure that HttpServletRequest.getRequestURI() returns an encoded URI rather than a decoded URI after a dispatch. (markt)
fix Ensure that the value for the header X-Frame-Options is constructed correctly according to the specification when ALLOW-FROM option is used. (violetagg)
add 59399: Add a new option to the Realm implementations that ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to be controlled per Realm. (markt)
fix 59449: In ContainerBase, ensure that the process to remove a child container is the reverse of the process to add one. Patch provided by Huxing Zhang. (markt)
fix RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
fix Fix a potential concurrency issue with the web application class loader and concurrent reads and writes of the resource cache. (markt)
fix 59619: Within the web application class loader, always use path as the key for the resource cache to improve the hit ratio. This also fixes a problem exposed by the fix for 56777 that enabled file based configuration resources to be loaded from the class path. (markt)
fix Fix error message when failed to register MBean. (kfujino)
Coyote
fix 58970: Fix a connection counting bug in the NIO connector that meant some dropped connections were not removed from the current connection count. (markt)
fix 59289: Do not recycle upgrade processors in unexpected close situations. (remm)
fix Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
fix When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
fix If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
Jasper
fix Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
fix 59654: Enforce the requirements of section 7.3.1 of the JSP specification regarding the permitted locations for TLD files. Patch provided by Huxing Zhang. (markt)
WebSocket
fix Ensure that a client disconnection triggers the error handling for the associated WebSocket end point. (markt)
Web Applications
fix Correct a typo in SSL/TLS Configuration How-To. Issue reported via comments.apache.org. (violetagg)
fix 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjäll. (markt)
Tribes
fix Fix potential NPE that depends on the setting order of attributes of static member when using the static cluster. (kfujino)
add Add get/set method for the channel that is related to ChannelInterceptorBase. (kfujino)
fix As with the multicast cluster environment, in the static cluster environment, the local member inherits properties from the cluster receiver. (kfujino)
add Add get/set method for the channel that is related to each Channel services. (kfujino)
add Add name to channel in order to identify channels. In tomcat cluster environment, it is set the cluster name + "-Channel" as default value. (kfujino)
add Add the channel name to the thread which is invoked by channel services in order to identify the associated channel. (kfujino)
fix Ensure that clear the channel instance from channel services when stopping channel. (kfujino)
add Implement map state in the replication map. (kfujino)
fix Ensure that the ping is not executed during the start/stop of the replication map. (kfujino)
fix In ping processing in the replication map, send not the INIT message but the newly introduced PING message. (kfujino)
jdbc-pool
fix Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
Other
update Update the packaged version of the Tomcat Native Library to 1.2.7 to pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR 1.5.2. (violetagg/markt)
update Remove native code (Windows Service Wrapper, APR/native connector) support for Windows Itanium. (markt)
update Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
fix 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)
|
|
|
|
Features
* Update Visual Studio build facade
* Update read me
* Performance improvements for @extend
* Performance improvements
Fixes
Disable FMA3 when compiling with Visual Studio 2013
Fix for loop variable to be referenced
Fix number compare issues when used as map keys with old gcc
Fix results of map-get not being evaluated
Fix null pointer access
Fix bug with media queries and @extend
Misc
Cleanup initial shared ptr interface
Refactor selector list and schema handling
Cleanup context usage and extend code
Cleanup misc
Cleanup issues detected by clangs static analyser
Remove Textual intermediate AST node
Add libsass-python to README
|
|
[core] add crash-handler.wait-pipe-close parameter 1092 (Frederik Deweerdt)
[core] introduce an option to bypass the server header sent from upstream 1226 (Frederik Deweerdt)
[core] apply global- and host-level configuration to requests not applicable to any of the path-level configurations 1231 (Kazuho Oku)
[access-log] add %{remote}p for logging the remote port 1166 (Kazuho Oku)
[access-log] add support for JSON-style escapes and null 1208 (Kazuho Oku)
[access-log] add specifier for logging per-request environment variables 1221 (Yannick Koechlin)
[access-log] add support for <, > modifiers for logging either the original or the final response 1238 (Kazuho Oku)
[access-log] do not emit request-total-time twice 1017 (Kazuho Oku)
[fastcgi] fix a bug that closes the FastCGI listener socket during startup 1203 (Frederik Deweerdt)
[file] add directive for serving gzipped files, decompressing them on-the-fly 1140 (Ichito Nagata)
[headers] fix buffer overrun during startup 1180 (Frederik Deweerdt)
[http1][proxy] preserve the cases of characters used in header names 1194 (Frederik Deweerdt)
[http1][proxy] fix undefined behavior in HTTP/1 parser 1189 (Frederik Deweerdt)
[http1] stop reading from socket after sending 400 to avoid the risk of assertion failure 1223 (Frederik Deweerdt)
[http2] recognize x-http2-push-only attribute on link header 1169 (Frederik Deweerdt)
[http2] add optional timeout for closing connections upon graceful shutdown 1108 (Frederik Deweerdt)
[http2] do not ack an acked PING frame 1175 (Moto Ishisawa)
[http2] reject requests exceeding the maximum allowed size more efficiently 1183 (Frederik Deweerdt)
[mruby] remove dependenty to mkmf 1197 (Yuki Kurihara)
[mruby] correct the line number reported on an exception 1239 (Ichito Nagata)
[proxy] add directives for tweaking headers sent to upstream 1126 (Justin Zhu)
[proxy] retain case-sensitivity of unix socket paths 1131 (Frederik Deweerdt)
[proxy] add directive for controlling the via request header 1225 (Frederik Deweerdt)
[ssl] add directive for logging session ID 1164 (Yannick Koechlin)
[ssl] add support for TLS 1.3 draft-18 1204 (Kazuho Oku)
[ssl] stop evicting session entries in memcached when they are removed from internal cache 1185 (Ichito Nagata)
[ssl] fix crash when a secp384r1, secp521r1 certificate is used with TLS 1.3 1214 (Kazuho Oku)
[ssl] fix build failure with OpenSSL 1.1.0 1216 (Kazuho Oku)
[ssl] add doc for handshake-timeout 1233 (Kazuho Oku)
[status] fix race condition during start-up 1242 (Frederik Deweerdt)
[libh2o] implement h2o_evloop_destroy 1200 (kazan417)
[misc] add test code for fuzzing 1174 1182 1191 1192 (Frederik Deweerdt, Jonathan Foote)
[misc] fix issues reported by Coverity 1168 1172 1179 (Harrison Bowden, Frederik Deweerdt)
|
|
The bug which causes libnghttp2_asio client to crash has been fixed.
The bug which causes nghttpx to respond to a client with 502 status code if it receives 204 status code from HTTP/1 backend has been fixed.
|
|
Upstream changes:
unicorn 5.3.0 / 2017-04-01 08:03 UTC
A couple of portability fixes from Dylan Thacker-Smith and
Jeremy Evans since 5.3.0.pre1 over a week ago, but this looks
ready for a stable release, today.
When I started this over 8 years ago, I wondered if this would
just end up being an April Fools' joke. Guess not. I guess I
somehow tricked people into using a terribly marketed web server
that cannot talk directly to untrusted clients :x Anyways,
unicorn won't be able to handle slow clients 8 years from now,
either, or 80 years from now. And I vow never to learn to use
new-fangled things like epoll, kqueue, or threads :P
Anyways, this is a largish release with several new features,
and no backwards incompatibilities.
Simon Eskildsen contributed heavily using TCP_INFO under Linux
to implement the (now 5 year old) check_client_connection feature:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-check_client_connection
https://bogomips.org/unicorn-public/?q=s:check_client_connection&d:..20170401&x=t
This also led to FreeBSD and OpenBSD portability improvements in
one of our dependencies, raindrops:
https://bogomips.org/raindrops-public/20170323024829.GA5190@dcvr/T/#u
Jeremy Evans contributed several new features. First he
implemented after_worker_exit to aid debugging:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-after_worker_exit
https://bogomips.org/unicorn-public/?q=s:after_worker_exit&d:..20170401&x=t#t
And then security-related features to isolate workers. Workers
may now chroot to drop access to the master filesystem, and the
new after_worker_ready configuration hook now exists to aid with
chroot support in workers:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-after_worker_ready
https://bogomips.org/unicorn/Unicorn/Worker.html#method-i-user
https://bogomips.org/unicorn-public/?q=s:after_worker_ready&d:..20170401&x=t#t
https://bogomips.org/unicorn-public/?q=s:chroot&d:..20170401&x=t#t
Additionally, workers may run in a completely different VM space
(nullifying preload_app and any CoW savings) with the new
worker_exec option:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-worker_exec
https://bogomips.org/unicorn-public/?q=s:worker_exec&d:..20170401&x=t#t
There are also several improvements to FreeBSD and OpenBSD
support with the addition of these features.
shortlog of changes since v5.2.0 (2016-10-31):
Dylan Thacker-Smith (1):
Check for Socket::TCP_INFO constant before trying to get TCP_INFO
Eric Wong (30):
drop rb_str_set_len compatibility replacement
TUNING: document THP caveat for Linux users
tee_input: simplify condition for IO#write
remove response_start_sent
http_request: freeze constant strings passed IO#write
Revert "remove response_start_sent"
t/t0012-reload-empty-config.sh: access ivars directly if needed
t0011-active-unix-socket.sh: fix race condition in test
new test for check_client_connection
revert signature change to HttpServer#process_client
support "struct tcp_info" on non-Linux and Ruby 2.2+
unicorn_http: reduce rb_global_variable calls
oob_gc: rely on opt_aref_with optimization on Ruby 2.2+
http_request: reduce insn size for check_client_connection
freebsd: avoid EINVAL when setting accept filter
test-lib: expr(1) portability fix
tests: keep disabled tests defined
test_exec: SO_KEEPALIVE value only needs to be true
doc: fix links to raindrops project
http_request: support proposed Raindrops::TCP states on non-Linux
ISSUES: expand on mail archive info + subscription disclaimer
test_ccc: use a pipe to synchronize test
doc: remove private email support address
input: update documentation and hide internals.
http_server: initialize @pid ivar
gemspec: remove olddoc from build dependency
doc: add version annotations for new features
unicorn 5.3.0.pre1
doc: note after_worker_exit is also 5.3.0+
test_exec: SO_KEEPALIVE value only needs to be true (take #2)
Jeremy Evans (7):
Add after_worker_exit configuration option
Fix code example in after_worker_exit documentation
Add support for chroot to Worker#user
Add after_worker_ready configuration option
Add worker_exec configuration option
Don't pass a block for fork when forking workers
Check for SocketError on first ccc attempt
Simon Eskildsen (1):
check_client_connection: use tcp state on linux
unicorn 5.3.0.pre1 / 2017-03-24 00:25 UTC
A largish release with several new features.
Simon Eskildsen contributed heavily using TCP_INFO under Linux
to implement the (now 5 year old) check_client_connection feature:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-check_client_connection
https://bogomips.org/unicorn-public/?q=s:check_client_connection&d:..20170324&x=t
This also led to FreeBSD and OpenBSD portability improvements in
one of our dependencies, raindrops:
https://bogomips.org/raindrops-public/20170323024829.GA5190@dcvr/T/#u
Jeremy Evans contributed several new features. First he
implemented after_worker_exit to aid debugging:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-after_worker_exit
https://bogomips.org/unicorn-public/?q=s:after_worker_exit&d:..20170324&x=t#t
And then security-related features to isolate workers. Workers
may now chroot to drop access to the master filesystem, and the
new after_worker_ready configuration hook now exists to aid with
chroot support in workers:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-after_worker_ready
https://bogomips.org/unicorn/Unicorn/Worker.html#method-i-user
https://bogomips.org/unicorn-public/?q=s:after_worker_ready&d:..20170324&x=t#t
https://bogomips.org/unicorn-public/?q=s:chroot&d:..20170324&x=t#t
Additionally, workers may run in a completely different VM space
(nullifying preload_app and any CoW savings) with the new
worker_exec option:
https://bogomips.org/unicorn/Unicorn/Configurator.html#method-i-worker_exec
https://bogomips.org/unicorn-public/?q=s:worker_exec&d:..20170324&x=t#t
There are also several improvements to FreeBSD and OpenBSD
support with the addition of these features.
34 changes since 5.2.0 (2016-10-31):
Eric Wong (27):
drop rb_str_set_len compatibility replacement
TUNING: document THP caveat for Linux users
tee_input: simplify condition for IO#write
remove response_start_sent
http_request: freeze constant strings passed IO#write
Revert "remove response_start_sent"
t/t0012-reload-empty-config.sh: access ivars directly if needed
t0011-active-unix-socket.sh: fix race condition in test
new test for check_client_connection
revert signature change to HttpServer#process_client
support "struct tcp_info" on non-Linux and Ruby 2.2+
unicorn_http: reduce rb_global_variable calls
oob_gc: rely on opt_aref_with optimization on Ruby 2.2+
http_request: reduce insn size for check_client_connection
freebsd: avoid EINVAL when setting accept filter
test-lib: expr(1) portability fix
tests: keep disabled tests defined
test_exec: SO_KEEPALIVE value only needs to be true
doc: fix links to raindrops project
http_request: support proposed Raindrops::TCP states on non-Linux
ISSUES: expand on mail archive info + subscription disclaimer
test_ccc: use a pipe to synchronize test
doc: remove private email support address
input: update documentation and hide internals.
http_server: initialize @pid ivar
gemspec: remove olddoc from build dependency
doc: add version annotations for new features
Jeremy Evans (6):
Add after_worker_exit configuration option
Fix code example in after_worker_exit documentation
Add support for chroot to Worker#user
Add after_worker_ready configuration option
Add worker_exec configuration option
Don't pass a block for fork when forking workers
Simon Eskildsen (1):
check_client_connection: use tcp state on linux
|
|
Upstream changes:
MediaWiki 1.28.1
Changes since 1.28.0
$wgRunJobsAsync is now false by default (T142751). This change only affects wikis with $wgJobRunRate > 0.
Fix fatal from "WaitConditionLoop" not being found, experienced when a wiki has more than one database server setup.
(T152717) Better escaping for PHP mail() command
(T154670) A missing method causing the MySQL installer to fatal in rare circumstances was restored.
(T154672) Un-deprecate ArticleAfterFetchContentObject hook.
(T158766) Avoid SQL error on MSSQL when using selectRowCount()
(T145635) Fix too long index error when installing with MSSQL
(T156184) $wgRawHtml will no longer apply to internationalization messages.
(T160519) CACHE_ANYTHING will not be CACHE_ACCEL if no accelerator is installed.
(T154872) Fix incorrect ar_usertext_timestamp index names in new 1.28 installs.
(T109140) (T122209) SECURITY: Special:UserLogin and Special:Search allow redirect to interwiki links.
(T144845) SECURITY: XSS in SearchHighlighter::highlightText() when $wgAdvancedSearchHighlighting is true.
(T125177) SECURITY: API parameters may now be marked as "sensitive" to keep their values out of the logs.
(T150044) SECURITY: "Mark all pages visited" on the watchlist now requires a CSRF token.
(T156184) SECURITY: Escape content model/format url parameter in message.
(T151735) SECURITY: SVG filter evasion using default attribute values in DTD declaration.
(T161453) SECURITY: LocalisationCache will no longer use the temporary directory in it's fallback chain when trying to work out where to write the cache.
(T48143) SECURITY: Spam blacklist ineffective on encoded URLs inside file inclusion syntax's link parameter.
|
|
Bug fixes.
|
|
Added support for waiting for I/O using selectors other than select, improving urllib3’s behaviour with large numbers of concurrent connections. (Pull 1001)
Updated the date for the system clock check. (Issue 1005)
ConnectionPools now correctly consider hostnames to be case-insensitive. (Issue 1032)
Outdated versions of PyOpenSSL now cause the PyOpenSSL contrib module to fail when it is injected, rather than at first use. (Pull 1063)
Outdated versions of cryptography now cause the PyOpenSSL contrib module to fail when it is injected, rather than at first use. (Issue 1044)
Automatically attempt to rewind a file-like body object when a request is retried or redirected. (Pull 1039)
Fix some bugs that occur when modules incautiously patch the queue module. (Pull 1061)
Prevent retries from occuring on read timeouts for which the request method was not in the method whitelist. (Issue 1059)
Changed the PyOpenSSL contrib module to lazily load idna to avoid unnecessarily bloating the memory of programs that don’t need it. (Pull 1076)
Add support for IPv6 literals with zone identifiers. (Pull 1013)
Added support for socks5h:// and socks4a:// schemes when working with SOCKS proxies, and controlled remote DNS appropriately. (Issue 1035)
|
|
Maintenance release
Issues
Unfortunately there are still 2 unfixed long standing bugs in this release:
* suwsgi protocol behind nginx does not work reliably when a request body is sent by the client (https://github.com/unbit/uwsgi/issues/1490). As we cannot reproduce it in uWSGI itself, we will start checking in the nginx module too
* There are reports of the “holy” wsgi env allocator crashing on specific conditions, this release includes a bunch of workarounds but they could not be enough
Changes
* workaround for the holy allocator for avoiding crashes with newrelic (see Issues notes)
* avoid time overflow in request logs during (even minimal) clock skew
* fixed python logger with python3
* fixed catch-exceptions with python3
* backported “don’t clone $env->{‘psgix.io’} on ‘PSGI cancel’”
* added support for authentication in the redis logger
* added the spinningfifo action hook to the core
* fixed compilation with php 7.1
* correctly returns error code 22 in lazy_apps + master_mode
* fixed compilation for OpenSSL 1.1
* Add a –skip-atexit-teardown option to skip perl/python teardown
* fixed static file serving over https-socket
|
|
|
|
Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API. Loofah excels at HTML sanitization (XSS
prevention). It includes some nice HTML sanitizers, which are based on
HTML5lib's whitelist, so it most likely won't make your codes less
secure.
|
|
Bug fixes
The tornado.auth module has been updated for compatibility with a change to Facebook’s access_token endpoint.
|
|
Highlights of this release:
1. Binary wheels are now built for Windows systems.
2. setopt_string method added to Curl objects to permit setting string libcurl
options that PycURL does not know about.
3. curl module can now be imported on Windows again.
4. OPENSOCKETFUNCTION callback is now invoked with the address as bytes on
Python 3 as was documented.
5. Support for many libcurl options and constants was added.
|
|
As always, the release notes cover the medley of new features in detail, but a few highlights are:
* Class-based model indexes for creating database indexes.
* Template-based widget rendering to ease customizing form widgets.
* Subquery expressions to create explicit subqueries using the ORM.
|
|
6.25 2017-04-03
- Fix LWP::UserAgent docs for request and request_simple that pointed to
functions in LWP::Simple rather than LWP::UserAgent
- Moved the official bug tracker to GitHub rather than RT.
|
|
7.29 2017-03-12
- Added support for overriding configuration files in applications tested with
Test::Mojo.
- Added html_attr_unescape function to Mojo::Util.
- Fixed unescaping of HTML5 attribute values in Mojo::DOM::HTML.
7.28 2017-03-07
- Added copy_to, realpath and sibling methods to Mojo::File.
- Added dir option to list_tree method in Mojo::File.
- Improved app generator command to generate a config file.
(tudorconstantin)
7.27 2017-02-27
- Added support for UNIX domain sockets. (sri, salva)
- Improved Mojo::UserAgent to complain about unsupported protocols.
- Fixed a bug in Mojo::URL where invalid host strings could be generated.
- Fixed blib handling in Mojo::Home.
|
|
6.03 2017-04-03 11:35:35-04:00 America/Toronto
- No changes since TRIAL release 6.02
6.02 2017-01-12 18:02:49-05:00 America/Toronto (TRIAL RELEASE)
- Document the lack of Public Suffix https://publicsuffix.org/ support
- Add TODO tests for lack of Public Suffix support
- Improve "maxage" documentation
- Update the GitHub repository location
- Use GitHub Issues instead of RT
- Stop using bareword filehandles
- Various internal distribution management and testing changes
|
|
is built into PHP. Bump resp. PKGREVISION.
|
|
Add upstream patch fixing CVE-2017-7407.
|
|
The upstream distfile incorrectly has world-writable files.
|
|
* Bug 4688: various typo error(s) in man page(s)
* libtrie: Fix 'make check' when run before 'make all'
* Docs: update refresh_pattern description regarding 'max' option
* Fix variable shadowing after rev.14149
* Bug 4508: Host forgery stalls intercepted being-spliced connections.
* Native FTP relay: NAT and TPROXY interception fixes
* ext_kerberos_ldap_group_acl: fix unused value warnings
* Check that -k argument is provided before trying to use it.
* Fix missing CRLF on FTP timeout ABORT commands
* Fix crash when configuring with invalid delay_parameters restore value.
* Fix regression in CONNECT authentication after rev.14142
* Bump SSL client on [more] errors encountered before ssl_bump evaluation
|
|
Upstream changes:
0.33 2017/01/14
* Perl Critic fixes from Nitish Bezzala
0.32 2017/01/11
* Perl Critic fixes from Nitish Bezzala
|
|
Upstream changes:
0.26 2016-10-19T15:03:00Z
- Improve `HTML::TreeBuilder::LibXML::Node->new` compatibility
with `HTML::Element->new`
https://github.com/tokuhirom/HTML-TreeBuilder-LibXML/issues/12
(reported by nanto++)
|
|
Upstream changes:
0.23 20170323 (Thu Mar 23 19:35:00 GMT+1 2017)
- seems as if "provides" in META.json makes new versions not get indexed
properly
. No code changes, no need to upgrade
. We also allow static installation now, without running Makefile.PL
0.22 20160923 (Fri Sep 23 21:35:00 GMT+2 2016)
- seems as if "provides" in META.json must be a full path to the file...
. No code changes, no need to upgrade
0.21 Fri Sep 23 17:38:00 GMT+2 2016
- add META.json, added by Lisa Hare
. No code changes, no need to upgrade
|
|
* Remove unintended dependency on ``graphviz`` in Python 2.6.
|
|
* Add "ciphers" parameter to SSLAdapter.
|
|
|
|
* Sync with firefox-52.0.2
|
|
Changelog:
Fixed:
Use Nirmala UI as fallback font for additional Indic languages (Bug 1342787)
Fix loading tab icons on session restore (Bug 1338009)
Fix a crash on startup on Linux (Bug 1345413)
Fix new installs erroneously not prompting to change the default browser setting (Bug 1343938)
|
|
libnghttp2
----------
The bug that nghttp2_session_want_write may return 0 if there is pending frames after GOAWAY frame is submitted has been fixed.
build
-----
_U_ macro has been eliminated in favor of old school (void)VAR for better compiler compatibility.
libnghttp2_asio
---------------
The asio client now sends PING frame when it gets idle for 30 seconds.
src
---
Mozilla’s “Modern compatibility” ciphers are used by default.
nghttpx
-------
The bug that -v option does not print out version number has been fixed.
The workaround of getaddrinfo failure with AI_ADDRCONFIG has been applied.
nghttpx now escapes certain characters in access log.
nghttpx now enables backend pattern matching with --http2-proxy option as well.
|
|
* Sync with firefox-45.8.0
|
|
|
|
Changelog:
#CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
#CVE-2017-5401: Memory Corruption when handling ErrorResult
#CVE-2017-5402: Use-after-free working with events in FontFace objects
#CVE-2017-5404: Use-after-free working with ranges in selections
#CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
#CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
#CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
#CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
#CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
#CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8
|
|
Changelog:
Version 9.1.4 Feb 2 2017
[major] Make error message for password reset form more generic - core/#27011
[major] When sharing autocomplete is disabled, also disable for the email field - core/#26504
[major] Add command to clean up invalid/expired remote storages - core/#26379
[major] Fix encryption key storage when using LDAP home folder rules - core/#26820
[major] Properly react on memcache errors - core/#25692
[major] Fix random normalizedPathCache log messages / garbage collection issues from PHP 7 - core/#22370
[major] Properly deal with inconsistent LDAP/memcache or user/group manager responses - core/#26871
[major] Added configreport app which will help with better bug reports - configreport/#6
[minor] Fix syncing of file names with colon followed by a number - core/#25479
[minor] Prevent empty user uid from LDAP - user_ldap/#6
[minor] Prevent repeated log messages when dealing with broken picture files - core/#26758
[minor] Fix group-enable option in apps page when memcache is enabled - core/#26638
[minor] Add AVMaxFileSize config option - files_antivirus/#133
[minor] Reduce number of federated share requests when dealing with non-existing entries - core/#26324
[minor] Remove obsolete legacy storage repair routine - core/#26774
[minor] Fix broken remote avatar image in activities tab - activity/#529
[minor] When grouping duplicate shares, sort by stime then id - core/#25830
[minor] Make file upload post hooks consistent between chunking and non-chunking mode - core/#26387
[minor] Fix wrong German translation in upload progress bar by using momentjs library - core/#26804
[minor] Skip unavailable storages in background file scan instead of failing - core/#26055
[minor] Update PHP 7.1 incompatibility warning - core/#26982
[minor] Warning notification when uploading 4+ GB file in IE11 - core/#27004
|
|
Quote from release announce:
The bugfix release fixes a problem with installing the managed edition.
|
|
mirror.
|
|
Quote from release announce:
The bugfix release fixes several issues, including a problem
with the initialization of custom entry points. Also, the
changes from Contao 3.5 have been adopted.
|
|
|
|
|
|
|
|
* pkgsrc change: accept php71 with security/php-pecl-mcrypt.
Contao 4.3.5 is available 15.02.2017 11:24 by Leo Feyer
Contao version 4.3.5 is available. Beginning with version 4.3.5, we are
synchronizing the version numbers of the editions and the included bundles.
Contao 4.3.4 is available 26.01.2017 11:25 by Leo Feyer
Contao version 4.3.4 is available. In addition to the standard edition, Contao
4.3.4 is now also available as managed edition. The managed edition is the
second technical foundation of the Contao Manager.
Contao managed edition
Contao 4.3.4 is the first version that is available as managed edition. The
managed edition simplifies managing a Contao installation for users by
automatizing several processes such as bundle registration or config file
updating.
Existing Contao 3 extensions
All existing Contao 3 extensions are fully compatible with the managed edition
and can simply be copied into the system/modules folder. The managed edition
will load the extensions as usual on the basis of the autoload.ini
information.
Contao Manager
Besides the Composer plugin, the managed edition is the second technical
foundation for the Contao Manager. Now only the graphical user interface (GUI)
is still missing, which will be released as beta version soon.
|
|
No bump PKGREVISION since it dose not affect existing binary package.
|
|
Version 3.5.25 (2017-03-20)
---------------------------
### Fixed
Only show error messages to authenticated users in the install tool (see #8666).
### Fixed
Always show the modal windows in full height (see #8631).
### Fixed
Support cross domain requests when rebuilding the search index (see #8597).
### Fixed
Correctly store numbers with leading zero in the Config class (see #4035).
### Fixed
Delete an old search entry if the new URL is more canonical (see #8647).
### Fixed
Also make Folder::$dirname an absolute path again (see #8325).
### Fixed
Support using namespaces and use statements in DCA/config files (see #8635).
|
|
* Allow load_paths in safe mode with sanitization (#50)
* SCSS converter: expand @config["source"] to be "safer". (#55)
* Match Ruby versions with jekyll/jekyll (#46)
* Don't test Jekyll 2.5 against Ruby 2.3. (#52)
|
|
* Lock coffee-script-source (#16)
* Load converter only when used. (#11)
* Test against Jekyll 2 & Jekyll 3 (#13)
|
|
Changes are too many to write here, please refer:
<https://github.com/jekyll/jekyll/releases>.
|
|
0.14.0 (2017-03-15)
* NEW #2120 enable cascading with Rack application (@namusyaka)
* FIX lock rake < 11.0 to avoid last_comment error (@namusyaka)
* FIX handle nil database passwords for create_db and drop_db (@phallstrom)
* FIX #2119 add rake gem tasks to gem project Rakefile
* NEW support Erubi ERB engine (@adam12)
* FIX #2125 do not load in cycle files excluded from reloading
0.14.0.rc2 (2017-01-19)
* FIX #2109 change the format of session_id for Padrino Admin AccessControl
* WARN #2109 Existing sessions will be dropped
* FIX #2097 Use exe folder for application executables (@adam12)
* FIX #2105 Run bundle with –binstubs on -b switch (@adam12)
* FIX #2111 disallow conflicting project names
* NEW remove deprecations planned for 0.14.0
* NEW stop managing Ruby default encodings Default Encoding.default_internal
is now nil (Ruby default) instead of UTF-8 (Padrino < 0.14 default)
* FIX #2113 properly override default values in route definitions if parameter
is present (@fidalgo)
* FIX #2116 fix plugin list `padrino g plugin -l` (@fnordfish)
0.14.0.rc1 (2016-11-02)
* NEW remove the requirement of ActiveSupport (export AS_VERSION=X.0 to put it
back)
0.13.3.3 (2016-11-02)
* FIX #2075 cache actual content_type mime type
* FIX #2081 remove -i option from pg_dump command (@dfens)
* FIX #2083 be able to create sqlite's file to deep tree of subdirectories
(@kkarakawa)
* NEW dynamically list supported renderers (@jfredrickson)
|
|
## 1.2.4
- add subprotocol handling for both server and client
|
