diff --git a/NEWS b/NEWS index c940ed46..76129b68 100644 --- a/NEWS +++ b/NEWS @@ -16,6 +16,11 @@ Incompatibilities: * bug 1024: Verify the host name or IP address in the server certificate if connection.ssl.cert_verify is not 0. +Regressions: + +* ELinks 0.13.GIT does not yet include the fix for bug 1083, listed + below for ELinks 0.12pre6. + Miscellaneous: * major bug 181: Slave ELinks processes can now run an external editor. @@ -28,8 +33,6 @@ Miscellaneous: * bug 963: New option document.css.ignore_display_none. * bug 977: Fixed crash when opening in new tab a non link with onclick attribute. -* bug 983: Give preference to the Content-Type specified in the HTTP - header over that specified via the HTML meta tag. * bug 1008: File upload fields in HTML forms now stream the files to the server, instead of reading them to memory in advance. This lets you upload larger files. The downsides are that ELinks may use a @@ -42,15 +45,7 @@ Miscellaneous: ``Background and Notify'' via the download manager in some terminal, reassociate the download with that terminal. These changes do not apply to downloads to external handlers. -* bug 1112: Map most numeric character references € ... Ÿ - to graphical characters also when the output charset is UTF-8. - (ELinks 0.12pre1 was the first release that supported UTF-8 as the - terminal charset, and ELinks 0.12pre5 was the first release that - supported UTF-8 as the dump charset.) * Really retry forever when connection.retries = 0. -* minor bug 1113: Fix a small memory leak if a mailcap file is malformed. -* minor bug 1114: Decode SGML entities and NCRs only once in link/@title - and other attributes. * enhancement: Session-specific options. Any options changed with toggle-* actions no longer affect other tabs or other terminals. * Do not crash when document.browse.minimum_refresh_time = 0 and 
@@ -91,7 +86,6 @@ Miscellaneous: * SpiderMonkey must be 1.8.5 or later. Find it with pkg-config. * using iconv for some multibyte charsets. It works if the terminal codepage is UTF-8. More charsets will be added on demand. -* Dropped support for SEE ////////////////////////////////////////////////////////////////////// The following changes should be removed from NEWS before ELinks 0.13.0 
@@ -105,24 +99,59 @@ have already been considered. (mostly reverted) ////////////////////////////////////////////////////////////////////// -ELinks 0.12pre5.GIT now: ------------------------- +ELinks 0.12pre6 +--------------- -To be released as 0.12pre6 or 0.12rc1. +Released on 2012-10-30. -* major bug 764: Correctly initialize options on big-endian 64-bit - systems. -* bug 1084: Allow option names containing '+' and '*' in the option - manager. +Security fix: -Bugs that should be removed from NEWS before the 0.12.0 release: +* bug 1124, CVE-2012-4545: Do not delegate GSSAPI credentials in HTTP + Negotiate or GSS-Negotiate authentication. Reported by Marko Myllynen. + (ELinks 0.12pre1 was the first release that supported GSSAPI; earlier + releases are not vulnerable.) + +Fixed crashes and hangs: * critical bug 943: Don't let user JavaScripts call any methods of ``elinks.action'' in tabs that do not have the focus. If a tab was closed with ``elinks.action.tab_close'' while it had pop-up windows, ELinks could crash; as a precaution, don't allow other actions - either. ELinks 0.12pre1 was the first release that supported - ``elinks.action''. + either. (ELinks 0.12pre1 was the first release that supported + ``elinks.action''.) +* critical bug 1083: Avoid an infinite loop when trying to decompress + malformed data. Caused by the bug 1068 fix in ELinks 0.12pre3. +* Fix a possible crash or information disclosure on big-endian 64-bit + systems using HTTP Negotiate or GSS-Negotiate authentication. + +Incompatibilities: + +* Dropped support for SEE. (ELinks 0.12pre1 was the first release + that supported SEE.) +* Guile 2.0.0 (released on 2011-02-16) changed its license to + LGPLv3-or-later, which is not compatible with the GPLv2 that covers + ELinks. Also, Guile has deprecated many of the functions that + ELinks calls. + +Other changes: + +* major bug 764: Correctly initialize options on big-endian 64-bit + systems. 
+* bug 983: Give preference to the Content-Type specified in the HTTP + header over that specified via the HTML meta tag. +* bug 1084: Allow option names containing '+' and '*' in the option + manager. +* bug 1112: Map most numeric character references € ... Ÿ + to graphical characters also when the output charset is UTF-8. + (ELinks 0.12pre1 was the first release that supported UTF-8 as the + terminal charset, and ELinks 0.12pre5 was the first release that + supported UTF-8 as the dump charset.) +* minor bug 1113: Fix a small memory leak if a mailcap file is malformed. +* minor bug 1114: Decode SGML entities and NCRs only once in link/@title + and other attributes. +* build: Fix several warnings reported by GCC 4.7.1. Harmless at + runtime but could break the build if configured --enable-debug. + (This version does not fix all such warnings.) ELinks 0.12pre5: ---------------- @@ -150,8 +179,7 @@ Bugs that should be removed from NEWS before the 0.12.0 release: ELinks 0.12pre4: ---------------- -Released on 2009-05-31. This release also included the changes listed -under ``ELinks 0.11.6'' below. +Released on 2009-05-31. Incompatibilities: @@ -215,7 +243,6 @@ Other changes: * minor bug 761: When reading bookmarks from an XBEL file, distinguish attribute names from attribute values. * enhancement: Updated ISO 8859-7, ISO 8859-16, KOI8-R, and MacRoman. -* lzma disabled by default. It's rarely used and doesn't build with new xz. Bugs that should be removed from NEWS before the 0.12.0 release: @@ -441,13 +468,15 @@ Changes in the experimental SGML/DOM implementation: * enhancement: incremental parsing * and more. -ELinks 0.11.6.GIT now: ----------------------- +ELinks 0.11.7: +-------------- -To be released as 0.11.7. +Released on 2009-08-22. * critical bug 1077: fix crash opening a ``javascript:'' link in a new tab +* major bug 764: remove int/long/pointer type punning in union + option_value, especially harmful on sparc64 ELinks 0.11.6: -------------- 
@@ -499,8 +528,8 @@ Released on 2008-06-20. that may have been collected as garbage. This fix causes bug 954. * CVE-2007-2027: check if the program path contains "src/" before using ../po files -* important Debian bug 380347: prevent a buffer overflow in entity_cache - and a possible subsequent crash +* important Debian bug 380347, CVE-2008-7224: prevent a buffer + overflow in entity_cache and a possible subsequent crash * major bug 788: don't read STRLEN n_a, which isn't initialized by POPpx of Perl v5.8.8 and later * fix query parsing in file: URIs for local CGI (was broken in 0.11.3)
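
Review bot: In the @@ -16,6 +16,11 @@ hunk, the new "Regressions:" entry identifies bug 1083 only by number, so someone reading the 0.13 section cannot tell that the missing fix is for the critical infinite loop on malformed compressed data without scrolling down to the 0.12pre6 section. Suggest carrying the severity and a short description into the entry, for example "critical bug 1083 (infinite loop when trying to decompress malformed data)", so the unfixed hang is visible where users of 0.13.GIT will look.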
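
Review bot: In the @@ -105,24 +99,59 @@ hunk, the entry "Fix a possible crash or information disclosure on big-endian 64-bit systems using HTTP Negotiate or GSS-Negotiate authentication" is filed under "Fixed crashes and hangs:" and carries no bug number, although information disclosure is a security impact and the entry concerns the same authentication mechanisms as the CVE-2012-4545 item. Suggest moving it under the security heading (made plural) or at least adding a bug reference so packagers can track it. Two smaller points in the same hunk: the Guile item under "Incompatibilities:" explains the license change and the deprecations but never states what changed in ELinks as a result, and the new heading "ELinks 0.12pre6" drops the trailing colon that "ELinks 0.12pre5:" and "ELinks 0.12pre4:" have.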
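
Review bot: In the @@ -150,8 +179,7 @@ hunk, the sentence "This release also included the changes listed under ``ELinks 0.11.6'' below." is deleted from the 0.12pre4 entry and nothing replaces it, so NEWS no longer says whether 0.12pre4 carries the 0.11.6 fixes. If the statement was accurate, keep it; if it was wrong, the commit message should say so, since readers use these cross-references to work out which branch has which fix.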
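
Review bot: In the @@ -441,13 +468,15 @@ hunk, major bug 764 is described as "remove int/long/pointer type punning in union option_value, especially harmful on sparc64", while the 0.12pre6 section added by this same patch describes bug 764 as "Correctly initialize options on big-endian 64-bit systems". Suggest using one wording in both places, or having one entry refer to the other, so readers do not take them for two different fixes.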