From: Kalle Olavi Niemitalo <kon <at> iki.fi>
Subject: [ANNOUNCE][SECURITY] ELinks 0.12pre6
Newsgroups: gmane.comp.web.elinks.user
Date: Tuesday 30th October 2012 17:44:16 UTC (over 4 years ago)
ELinks 0.12pre6
===============

This is the sixth prerelease for ELinks 0.12.

This release of ELinks is mostly licensed under version 2 of the GNU
General Public License.  More permissive licences apply to some parts
of it; please see COPYING for the list.

Changes since ELinks 0.12pre5
-----------------------------

Security fix:

* bug 1124, CVE-2012-4545: Do not delegate GSSAPI credentials in HTTP
  Negotiate or GSS-Negotiate authentication.  Reported by Marko Myllynen.
  (ELinks 0.12pre1 was the first release that supported GSSAPI; earlier
  releases are not vulnerable.)

Fixed crashes and hangs:

* critical bug 943: Don't let user JavaScripts call any methods of
  ``elinks.action'' in tabs that do not have the focus.  If a tab was
  closed with ``elinks.action.tab_close'' while it had pop-up windows,
  ELinks could crash; as a precaution, don't allow other actions
  either.  (ELinks 0.12pre1 was the first release that supported
  ``elinks.action''.)
* critical bug 1083: Avoid an infinite loop when trying to decompress
  malformed data.  Caused by the bug 1068 fix in ELinks 0.12pre3.
* Fix a possible crash or information disclosure on big-endian 64-bit
  systems using HTTP Negotiate or GSS-Negotiate authentication.

Incompatibilities:

* Dropped support for SEE.  (ELinks 0.12pre1 was the first release
  that supported SEE.)
* Guile 2.0.0 (released on 2011-02-16) changed its license to
  LGPLv3-or-later, which is not compatible with the GPLv2 that covers
  ELinks.  Also, Guile has deprecated many of the functions that
  ELinks calls.

Other changes:

* major bug 764: Correctly initialize options on big-endian 64-bit
  systems.
* bug 983: Give preference to the Content-Type specified in the HTTP
  header over that specified via the HTML meta tag.
* bug 1084: Allow option names containing '+' and '*' in the option
  manager.
* bug 1112: Map most numeric character references &#128; ... &#159;
  to graphical characters also when the output charset is UTF-8.
  (ELinks 0.12pre1 was the first release that supported UTF-8 as the
  terminal charset, and ELinks 0.12pre5 was the first release that
  supported UTF-8 as the dump charset.)
* minor bug 1113: Fix a small memory leak if a mailcap file is malformed.
* minor bug 1114: Decode SGML entities and NCRs only once in link/@title
  and other attributes.
* build: Fix several warnings reported by GCC 4.7.1.  Harmless at
  runtime but could break the build if configured --enable-debug.
  (This version does not fix all such warnings.)

Authors since ELinks 0.12pre5
-----------------------------

Kalle Olavi Niemitalo
Kamil Dudka
Laurent MONIN
Miciah Dashiel Butler Masters
Petr Baudis
Witold Filipczyk

Future work
-----------

There are no known regressions from ELinks 0.11.7.
However, there is one remaining bug scheduled for 0.12.0:

* Bug 771 - Infinite loop is not well handled

A whitelist option should be added so that the user can enable GSSAPI
credential delegation for specific servers.  The plan is to implement
this in the master branch first and backport to elinks-0.12 later.
_______________________________________________
elinks-users mailing list
[email protected]
http://linuxfromscratch.org/mailman/listinfo/elinks-users
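
The per-server whitelist proposed under "Future work" could be checked as sketched below. This is an added example, not ELinks code: the function names, the list format (exact host names, or suffixes starting with '.') and the sample hosts in the comments are assumptions. GSS_C_DELEG_FLAG is the RFC 2744 request flag that a client passes to gss_init_sec_context() to delegate credentials.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Value from RFC 2744; normally provided by the GSSAPI header. */
#ifndef GSS_C_DELEG_FLAG
#define GSS_C_DELEG_FLAG 1u
#endif

/* Length of a name without one trailing dot, so that
 * "host.example.org." and "host.example.org" compare equal. */
static size_t name_len(const char *name)
{
    size_t n = strlen(name);
    return (n > 0 && name[n - 1] == '.') ? n - 1 : n;
}

/* Hypothetical matcher: an entry is an exact host name or, when it starts
 * with '.', a domain suffix that must match on a label boundary. */
static int entry_matches(const char *entry, const char *host)
{
    size_t hl = name_len(host), el = name_len(entry);

    if (el == 0 || hl == 0)
        return 0;
    if (entry[0] != '.')
        return hl == el && strncasecmp(host, entry, el) == 0;
    /* ".corp.example.org" matches "wiki.corp.example.org" but neither
     * "corp.example.org" nor "evilcorp.example.org", because the
     * compared suffix includes the leading dot. */
    return el > 1 && hl > el && strncasecmp(host + hl - el, entry, el) == 0;
}

/* Returns GSS_C_DELEG_FLAG only for whitelisted hosts, 0 otherwise.
 * The caller ORs the result into the req_flags it passes to
 * gss_init_sec_context(); the default is no delegation. */
unsigned int delegation_flag_for_host(const char *host,
                                      const char *const *whitelist,
                                      size_t count)
{
    size_t i;

    if (host == NULL)
        return 0;
    for (i = 0; i < count; i++)
        if (whitelist[i] != NULL && entry_matches(whitelist[i], host))
            return GSS_C_DELEG_FLAG;
    return 0;
}
```

The host name given to the check should be the one the connection was actually made to, not a name taken from page content or a redirect target that has not been connected to yet.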
 