Roxen WebServer 5.4.94-r3 (2015-11-17)

WebServer-specific changes

Core improvements:

  • I/O: Make sure to ignore SIGPIPE.
  • Locale: LC_ALL should override all other locale settings.
  • Tracing: Added missing TRACE_LEAVE().

Databases improvements:

  • DBs: Restore SIGPIPE signal handler after creating Mysql connections.
  • DBs: Implemented renaming of backup schedules.
  • DBs: Added button to delete backup schedules.
  • DBs: Added interface to add new backup schedules.
  • DBs: Added interface to change the backup schedule for a db.
  • DBs: List the backup schedules for the databases.
  • DBManager: Default to not backing up external databases.

Modules improvements:

  • Relay2: Fix for erroneously closing tags during rewrite.
  • Relay2: Fix for double zipped data.
  • Directories: Fixed broken redirect on empty lock file.

Protocols improvements:

  • SSL: Support TLS 1.1 and TLS 1.2.
  • SSL: Avoid setting the minimum version higher than supported.

RXML improvements:

  • <translate/>: Complain about missing required attributes.
  • <cache>: Fix bug where caching was effectively disabled with generation-variable.
  • Static Resource: Don't attempt to stat paths with a leading double slash.
  • cimg: Add defvar for default arguments.
  • RXML: Added cleaup() to TagCache.
  • <insert/>: Don't require the source attribute.
  • <insert/>: Complain about missing plugins in do_enter().



Pike-specific changes

Compiler improvements:

  • Build: Improved forward compatibility with Pike 8.0 precompiler.

Core improvements:

  • Cpp: Rename some of the hashtable functions.

Databases improvements:

  • Mysql: Restore the SIGPIPE signal handler.
  • Sql.odbc: Survive old Odbc module.

Modules improvements:

  • ADT.Heap: Improved robustness.
  • Parser.XML.Tree: Fixed handling of namespaced attributes.
  • Parser.XML.Tree: Increased strictness of namespace parser.
  • Parser.XML: Added some default required namespaces.
  • Calendar: Updated to tzdata2015g.
  • Protocols.DNS: Reduce race-condition window in do_query().
  • ADT.Heap: Fixed NULL-deref.
  • ADT.Heap: Added ADT.Heap.Element.

Runtime improvements:

  • Runtime: Added low-level API restore_signal_handler().
  • Threads: Added support for setting a thread time quanta.

SSL/TLS improvements:

  • SSL.Cipher: Use Crypto.DH for Diffie-Hellman KEX.
  • SSL.Cipher: Reduced DH overhead by a factor ~8.
  • SSL: Fix an exception for client hello packages close to 512 bytes.
  • SSL.Constants: Added some missing CCM constants from RFC 6655.
  • SSL.Constants: Applied errata to RFC 6367.
  • SSL.context: Added sort_suites().
  • SSL.connection: Implement 1/(n-1) measure against BEAST.
  • SSL: Fix priorities for anonymous cipher suites.
  • SSL.Cipher: Support KeyExchange using ECDHE.
  • SSL.handshake: Only use extensions the client has asked for.
  • SSL.handshake: Added the ECC extensions from RFC 4492.
  • SSL.Cipher: Improved TLS 1.2 compatibility.
  • SSL.Constants: Added some more AES-GCM cipher suites.
  • SSL.Constants: Added some AES-GCM cipher suites.
  • SSL: Add support for AEAD ciphers.
  • Nettle: Added Galois Counter Mode (GCM)
  • Stop sending timestamp in server_random.
  • SSL.context: Added get_suites().
  • SSL.Constants: Reduce the estimated strength of DES40.
  • SSL.Cipher: Added HMAC SHA384 and HMAC SHA512.
  • Handle weak DES/DES3 keys better.
  • SSL.Cipher: Filter suites obsoleted in TLS 1.1 and 1.2.
  • SSL.Constants: Added some SHA256 cipher suites.
  • SSL.Cipher: Support HMAC using SHA256.
  • SSL.handshake: Send EXTENSION_signature_algorithms.
  • Crypto: Added SHA 224, 384 and 512.
  • Crypto.RSA: Fixed API for pkcs_{sign,verify}().
  • SSL.handshake: Support EXTENSION_signature_algorithms.
  • SSL.Cipher: Enable support for TLS 1.2.
  • Crypto: Backported Crypto.[DR]SA()->pkcs_{sign,verify}() from Pike 8.0.
  • SSL.Cipher: Added KeyExchangeDH and KeyExchangeDHE.
  • SSL.Cipher: Added KeyExchangeRSA and KeyExchangeGeneric.
  • SSL: Made client_random more random.
  • SSL: Made the packet size configurable.
  • SSL: Survive servers returning an SNI extension.
  • SSL/Protocols.HTTP: Add client support for SNI (server name indication)
  • SSL: Added parsing of the server_name extension from RFC 4366 3.1.
  • SSL: Support exportable cipher suites in the client.
  • SSL: Add support for some CAMELLIA cipher suites.
  • SSL: Support DHE on the client side.
  • SSL: Define and enable the DHE_RSA cipher suites.
  • SSL: Adjusted the estimated effective keylengths.
  • SSL: Updated with constants from RFC 5932, 6209, 6367 and 6655.
  • Updated list of TLS extensions from IANA.
  • By default, require >=128 bit ciphers.
  • SSL: Added support for specifying the minimum and maximum versions of SSL.
  • SSL: Added symbolic constants for the SSL versions.
  • SSL: Fixed support for downgrading in client mode.
  • SSL: TLS 1.1 (aka SSL 3.2) is now supported!
  • SSL: Support TLS 1.1 IVs.
  • Nettle: Let the IV be set through Nettle.Proxy (aka Crypto.Buffer).

Roxen WebServer 5.4.88-r2 (2015-08-31)

WebServer-specific changes

Core improvements:

  • Loader: lopen() et al. now use roxen_path().
  • Loader: Reverse the packages search order.
  • Cache manager_size_overhead when entries aren't added.
  • Moved last_garb timestamp from module variable to external state file.
  • SNMP: Added SNMP name space for _disable_threads().
  • Loader: Support packages in $LOCALDIR.
  • Fix backtrace that occurred when quick_host_to_ip was called with "".
  • Protocols: Improved support for reverse proxies. Fixes [bug 7385].
  • Norwegian: december -> desember.
  • Fixed request trace nesting inconsistency.
  • Debug: Moved gc histograms to a separate debug flag.
  • Take special ports into consideration if X-Forwarded-Host is missing. Updates [bug 7221].
  • Care about potential paths in id->url_base() as well. Updates [bug 7221].
  • Dropped X-Forwarded-By for the more common X-Forwarded-Host. Updates [bug 7221].
  • Handle X-Forwarded-By and X-Forwarded-Proto in make_absolute_url(). Partially fixes [bug 7221].
  • Schedule image cache cleanup around next 4:30 mark rather than next day.
  • RAM cache: Fix cache manager balancing bug.
  • Add SloppyDOM.DocumentWrapper to avoid cyclic garbage.
  • LOG_GC_TIMESTAMPS: The histogram is no longer accumulative.
  • LOG_GC_TIMESTAMPS: Reduce default verbosity.

Databases improvements:

  • SQLKey: Censor SQL-URLs. Fixes [bug 7439].
  • DBManager: db_url_info->local needs to be casted to int.
  • DBManager: Backup system fixes.
  • DBManager: Updated mysqldump invocation to mysql 4.0 and later.

Modules improvements:

  • Redirect: Normalize paths and urls to http-encoded utf-8.
  • Scripting: Protect against bash(1) vulnerability (aka Shellshock).
  • Perform negative caching of (typically) htaccess files for 5 seconds.
  • UserFS: Check banish list before looking up userinfo.
  • Directories: Check index files against dir listing before stat.

Patch system improvements:

  • RoxenPatch: List installed patches at start.
  • RoxenPatch: Add platforms rhel7_x86_64 and win32_x86_64.
  • RoxenPatch: Run patch in binary mode on WIN32.
  • RoxenPatch: Fix pike version deps on WIN32.

Protocols improvements:

  • SSL: Disable support for SSL 3.0 by default.
  • FTP: Fixed bug in MLSD/MLST handling.
  • FTP: Generate the ls(1) output synchronously in handler mode.
  • FTP: Improved command serialization when FTP_USE_HANDLER_THREADS.
  • Enable execution of FTP requests in handler threads by -DFTP_USE_HANDLER_THREADS.
  • If-Range date comparison should use strict equivalence and not less than as

RXML improvements:

  • TagCache: Provide the "no preceding lookup" argument when the keymap has changed.
  • TagSQLQuery: Removed remaining leakage of SQLKey to backtraces.
  • RXML: Fixed typo in <debug showscope=""/>.
  • Improve cache size calculation of PCode objects in general.
  • Bugfix in CacheTagEntry.cache_count_memory.
  • Perform breadth-first traversal in collect_things_recur.
  • Only complain about cache entry calculations under -DDEBUG.
  • RXML: Fix parsing of <if expr> containing newlines.
  • Handle wide-string attachments by converting to UTF-8 and adjusting the
  • Don't crash on empty src attrs. Fixes [Bug 7243].
  • Increase maximum URL length in <insert#cached-href> from 256 to 768 bytes.
  • TagCache: More efficient RAM cache utilisation.
  • TagCache: Fix bug that prevented persistent saving of alternatives.
  • TagCache: Store individual entries in Roxen's cache.
  • Move the CacheTagEntry class out of the TagCache class.
  • UserTag: Store saved scopes in external mapping to avoid circular refs.
  • Implement <debug sleep="2.5"/> for delaying a request.
  • Reduce garbage produced by UserTag Frame objects.
  • Allow RXML expressions to call basename() and dirname() for faster path handling.
  • <default>: Yet another factor ~2 speed increase by using Parser.HTML.
  • Tags: Added <emit#csv/>.
  • <date#strftime>: Document the modifiers ! (eliminate field padding) and E (alternate form).



Pike-specific changes

Compiler improvements:

  • Compiler: Improved cycle detection in implements() and is_compatible().
  • Optimizer: Fixed bug in foreach with ranges.
  • Optimizer: Fixed reference underflow in treeopt.
  • Compiler: Fixed type derivation for attributed getters.

Core improvements:

  • Build: Survive precompilation with Pike 8.0.
  • Export: gzip enters interactive mode if the destination exists.
  • precompile: Make sure to clamp the integer range correctly.
  • Build: Support Bison 3.
  • Fix bug where the write callback could be dropped if 0 bytes were written.
  • install.pike: Update CXX smartlink path to installed path as well.
  • GC: Bugfix in visit_short_svalue to avoid fatal.
  • Backend: Fixed stale thread state in poll devices.
  • Backend: Fixed potential double free on exit.
  • Backend: Improve robustness of reentrancy check.

Databases improvements:

  • Mysql: free -> free_string in pike_mysql_set_options.
  • Oracle: Fixed bug in macro ORACLE_UNICODE_DECODE().
  • Oracle: Fixed truncated error messages.
  • Oracle: Improved support for recent versions of Oracle.
  • Oracle: Enable dynamic fetch for CLOBs and BLOBs when using static buffer to work around SEGV.
  • Oracle: Enable static buffers to avoid two task communication failure with oracle 11.
  • Oracle: Return LOBs as objects.
  • Oracle: Perform queries in unicode mode with OCI 9 and later.
  • Oracle: Disable POLLING_FETCH
  • Oracle: Increase BLOCKSIZE to 8KB.
  • Oracle: Added commit function to connection object.
  • Odbc: list_tables() now seems to work.
  • Postgres: Improved error message.
  • Postgres: Fixed some reference-counting issues.
  • Odbc: Added big_typed_query().
  • ODBC: Odbc.odbc_result is now Odbc.odbc.result.
  • SQL.tds: Fixed support for fetching negative NUMERIC and DECIMAL.
  • Sql.tds: Added support for SYBFLTN, SYBUNIQUE and SYBDECIMAL.
  • Mysql: Improved library detection.
  • Postgres: Improve glue with libpq.
  • Search.Database.MySQL: Don't use DELAYED queries.
  • pgsql: Database creation didn't work with bound parameters.

Modules improvements:

  • Parser.C: Improved diagnostics from group().
  • FreeType: Fix compilation with Freetype 2.6.
  • Image.PCX: Added missing break. Fixes [CID 742629].
  • Parser.XML: Fixed some parser bugs.
  • Image: Fixed typo in factor 1/2 scaling.
  • Calendar: Updated to tzdata2015c.
  • Protocols.DNS: Remove the retry call_out on done.
  • Image: Fixed one-byte buffer read overrun in phasehv().
  • Java [NT]: Improved dll-search for jvm.
  • Stdio.Sendfile: Don't attempt nonblocking I/O on plain files.
  • Graphics.Graph.create_graph: Fixed legend color box border.
  • Crypto.RSA: Pad signature to the same size as the key.
  • Crypto.RandomString: Reduce entropy waste.
  • Protocols.LDAP: Attempt to pin connections to the same server.
  • Calendar.YMD: Improved dwim_time().
  • ZXID: Fixed some memory leaks on Session destruct.
  • Regexp.PCRE: Fix formatcheck to accommodate the optional 2nd argument.
  • Standards.JSON: Allow \' in strings.
  • ZXID: Added Session()->get_auth_info().
  • ZXID: Added version().
  • ZXID: Added configuration option "IPPORT".
  • ZXID: Changed arguments to authenticate().
  • _Roxen: Fixed buffer overrun in http_decode_string().
  • Image.PNG: Fixed leak of arrays in __decode().
  • _Roxen: http_decode_string() now supports wide strings.
  • Stdio.File: Fixed race condition in nonblocking connect().
  • Calendar: Revert "dwim_time() should know how to parse ISO 8601 timestamps."
  • Stdio.sendfile: Fixed use before set.
  • Stdio.cp: Detect ouroboros.
  • Protocols.HTTP.Query: Support async keep-alive.
  • Parser.HTML: overlap in arguments to MEMCPY

Runtime improvements:

  • unicode_to_string: Support UTF8LE without BOM.
  • string_to_unicode: Support outputting UTF8LE.
  • Debug.memory_usage(): Added kludge for Linux libc.
  • enumerate(): fixed integer overflow handling
  • Added gethrdtime().
  • Threads: Keep track of the time spent with threads disabled.
  • destructedp, zero_type: detect trampolines referencing destructed objects
  • IS_DESTRUCTED(): only detect LFUN_CALL as destructed in trampolines
  • IS_DESTRUCTED(): detect trampolines in destructed objects
  • Fix negated test that broke native sendfile() for Stdio.File objects.
  • Stdio.exece(): Don't give away refs to members from the env mapping
  • Bignums: get_auto_bignum_program{,_or_zero}() now actually work...
  • Gmp.mpz: Support import/export from reversed network byte order.
  • Don't print errors for WSAEACCES when ports are reserved in Windows.
  • set_priority(): Use SCHED_IDLE for priority "lowest".
  • set_priority(): Raise an error on unsupported priorities.
  • set_priority(): Fix going from realtime to normal priorities.
  • set_priority(): add "normal" as a priority.
  • signal_handler: don't "randomly" change errno in receive_sigchild()

SSL/TLS improvements:

  • SSL.handshake: Support setting the minimum required version.
  • SSL: Added server-side support for TLS_fallback_scsv.
  • SSL.sslfile: Reducing linger time to zero wasn't a good idea...
  • SSL.sslfile: Make sure not to hang on destruct.

Roxen WebServer 5.4.66-r1 (2014-03-20)

WebServer-specific changes

Please see important upgrade notes for earlier releases if you are upgrading from a version prior to 5.2.

Administration Interface improvements:

  • Fix bug when restoring DB backups. [Bug 6963]
  • Improve module info display now that package system and git hashes are used. [Bug 6267]
  • Fix error when scheduling backups on tables with views. [Bug 7002]
  • Fix a backtrace seen when dropping a site. [Bug 6237]
  • Patch system now correctly handles mode bits on updated files.
  • Added documentation link for SMF manifest.
  • Implemented new RoxenPatch format.
  • Support stronger passwords for administration interface accounts.
  • Added centralized garbage collection of directories on server disk.
  • Deprecate the use of site templates due to various design issues. [Bug 5600]
  • Include version number and non-empty administration interface name in window header.
  • Fixed issues with Memory Logger functionality.
  • Fixed error in DB backup scheduler where changed settings didn't take effect.
  • Improve memory calculation correctness in Pike Memory Usage wizard.
  • Support removal of imported patch packages.
  • Patch system can now import archives of multiple patches.
  • Repeated import of same patch will now overwrite older copy.
  • Added XHTML extension.
  • Added $scheme for logging URL scheme.
  • Updated support for Cacti monitoring.
  • Added support for optional host header to Periodic Fetcher module.
  • Fix missing privilege elevation in patch system when writing to disk. [Bug 6036]
  • Added support for running MySQL upgrade binary.
  • Implement support for newer patch format with fat binaries and platform-specific patches.
  • Check for required binaries before attempting to patch. [Bug 6587]
  • Support stronger password hashing algorithms. [Bug 6358]

RXML improvements:

  • Allow min and max for HTML5 ranges in <vform>.
  • Fixed regression from Roxen 4.5 concerning old PS font names in graphics rendering tags.
  • Improved HTML5 support in <vform>.
  • Added mutex and generation variables to <cache>.
  • Add optional disabling for run-together words in Aspell.
  • Improved <format-number/>. [Bug 6903]
  • Fix quoting issue in <replace/>.
  • Make <accessed/> more tolerant to database connection issues.
  • Extend <wash-html> with remove-unwanted-tags attribute.
  • Support Russian locale in <date>.
  • Improve database performance for <insert#cached-href>.
  • Added a compatibility NULL object for <emit#sql>. [Bug 5900]
  • Support custom spell checker dictionaries. [Bug 5737]
  • The <session/> tag can now use prestates to verify its cookie.
  • Clarified documentation for <header/> vs HTML5 compatibility.
  • Improved documentation for <diagram/>. [Bug 6343]
  • Allow overriding return code in 401 and 404 pages. [Bug 6287]
  • Fix a problem with unwanted data sharing in mappings. [Bug 6342]
  • Fix expansion of RXML variables in <sscanf/> inside <nooutput/>. [Bug 6359]
  • Added the showscope attribute in <debug>.
  • Avoid internal server error in <recode> when passing wide string data.
  • Extended <set expr> syntax with new functions floor(), ceil(), round() and log(), and fixed infinite loop bug in search().
  • Fixed <maketag> error that could manifest in e.g. <if#variable>. [Bug 6425]
  • Added <sscanf variable=""> as a new data source.
  • Compiled RXML will now be split in 64K segments to improve threading. [Bug 6467]
  • <insert#cached-href> will now exclude port numbers from Host header for HTTPS (443) requests.
  • Improve HTML markup compatibility in <serve-static-resources>. [Bug 6051]
  • Added soap-method attribute to <insert#href> to post tag data as SOAP request. [Bug 6523]
  • Don't send linebreaks in auth headers. [Bug 6592]
  • Added a set of decoding methods to entity syntax: -utf8, -hex, -base64 and -html. Example:
  • Improved Russian language support.
  • Less noise in HTML output when using some <debug> attributes.
  • Fix conflict between <button> inside <awizard> and HTML5.
  • Avoid table scan when clearing old entries in <insert#cached-href>. [Bug 6680]
  • Fixed some weekday/-number calculation bugs in <date strftime>, and added some new ISO 8601 formatters.
  • Extend <emit#captcha> with some new styling attributes: background-color, background-image, color and font.

Core improvements:

  • Switched to modern MariaDB library for MySQL connections.
  • Fix Windows problem with mysql_upgrade binary. [Bug 7007] [Bug 7018]
  • Updated default 404 page to work better on small screens.
  • Show thread name in slow thread dump header.
  • Avoid DNS timeout for resolving IPv6 link-local addresses (fe80::1).
  • HTTP output of wide strings with narrow charset will now force UTF-8 conversion instead of error.
  • Improve robustness in start script in directory permission checks. [Bug 6980]
  • Fix issue with internal request object observed on Windows.
  • Fix module initialization problem seen on Windows. [Bug 7059]
  • Fixed internal locking issues in protocol layer.
  • Fix issue with domain resolving from /etc/resolv.conf. [Bug 6357]
  • Support quoted strings in cookie header parser.
  • Cleaned up error reporting in image caches.
  • Fixed handling of charset errors in case-insensitive path lookup code.
  • Support Java modules located in local/modules/.
  • Don't load old Java class files if current process doesn't support Java.
  • Shorten very large argument lists in thread dump output.
  • Name more internal threads for easier thread dump analysis.
  • Refactored PID file handling to protect against multiple launches. [Bug 6516]
  • Improved calculation of RAM cache entry sizes, thereby also improving eviction decisions.
  • Fix memory leak in WebDAV module.
  • Improved accounting of protocol-level cache callbacks. [Bug 6520]
  • Speed up FTP directory listings when certain authentication modules are loaded. [Bug 6410]
  • Solve SNMP port binding error on OS X 10.8 and newer. [Bug 6613]
  • Optimize image cache storing by removing redundant SQL inserts via extra read first.
  • Improved image cache support for large images.
  • Don't linger on HTTP connections after timeout.



Pike-specific changes

Modules improvements:

  • ADT.Struct: Working int32/SWord.
  • Calendar.Timezone: Make compile() reentrant.
  • Freetype: Support name mapping that is backwards compatible with older Freetype.
  • Graphics.Graph: Fixed some infinite loops.
  • Image.Image: Fix crash in skewy().
  • Image.GIF: Fix robustness against decoding broken files and infinite loops.
  • Image.PNG: Fixed crash problem in decoding certain PNG files.
  • MySQL: Switched to MariaDB client library.
  • MySQL: Fixed overflow in fetch_fields().
  • Sql.rsql: Various improvements and fixes.
  • Stdio: Reduce number of system calls in mkdirhier().
  • Stdio.File: Implement support for changing linger time on sockets via linger().
  • SNMP: Fix error in GetRequest variable bindings.
  • SSL.sslfile: Implement support for changing linger time on sockets via linger().
  • SSL.sslfile: Improve robustness in destroy to avoid error message.
  • Unicode: Fix hash table issue in normalize() for 32-bit strings.

Core improvements:

  • Enable full address space (3 GB) on Windows.
  • Fix internal compiler problem with running out of stack.
  • Low-level fixes to setting up socket pair.
  • Fix internal error class to avoid an issue while printing backtraces.
  • Added callbacks during garbage collection.
  • Various fixes to wide-string handling in compiler.
  • Improve thread safety in backend call-out handling.
  • Switch to binary mode when opening text files.
  • Various fixes to integer math overflow detection.
  • Increase thread stack to 1 MB to help 64-bit architectures.