CVS commit: pkgsrc/devel/roundup

[Tonnerre Lombard <tonnerre%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   tonnerre
Date:           Sun Sep 28 02:47:46 UTC 2008

Modified Files:
        pkgsrc/devel/roundup: Makefile PLIST distinfo

Log Message:
Upgrade roundup to version 1.4.6 in order to fix long-standing security
issues (CVE-2008-1474, CVE-2008-1475). Changes since 1.1.2:

 - Make URL matching code less matchy.
 - Try to clarify mail_domain config setting.
 - Add use of username/password stored in ~/.netrc in mailgw.
 - 'Make a Copy' failed with more than one person in nosy list.
 - xml-rpc security checks and tests across all backends.
 - Send a Precedence header in email so (well-written) autoresponders don't.
 - Fix mailgw total failure bounce message generation (thanks Bradley Dean).
 - Fix for postgres 8.3 compatibility (and bug).
 - Fix for translations.
 - Fire reactors after file storage is all done.
 - Allow negative ids other than -1 for item generation.
 - Better German translation for retiring users.
 - More improvements to German translation.
 - Add filter() to XML-RPC interface.
 - Fix IndexError when there are no messages to an issue.
 - Prevent broken pipe errors in csv export.
 - New session API and cleanup thanks anatoly t.
 - Make WSGI handler threadsafe.
 - Improved URL matching RE.
 - Allow binary file content submission via XML-RPC.
 - Don't run old code on newer database.
 - Fix HTML injection into page title
 - Fix indexer handling of indexed Link properties.
 - Security fixes (thanks Roland Meister).
 - New config option in mail section: ignore_alternatives allows to
   ignore alternatives besides the text/plain part used for the content
   of a message in multipart/alternative attachments.
 - Admin copy of error email from mailgw includes traceback (thanks Ulrik
   Mikaelsson).
 - Messages created through the web are now given an in-reply-to header
   when email out to nosy (thanks Martin v. L�wis).
 - Nosy messages now include more information about issues (all link
   properties with a "name" attribute) (thanks Martin v. L�wis).
 - Searching date range by supplying just a date as the filter spec.
 - Handle no time.tzset under Windows.
 - Fix race condition in file storage transaction commit.
 - Make user utils JS work with firstname/lastname again.
 - Fix ZRoundup to work with Zope 2.8.5.
 - Fix race condition for key properties in rdbms backends.
 - Handle Reject in mailgw final set/create.
 - Removed some metakit references.
 - Roundup has a new xmlrpc frontend that gives access to a tracker using
   XMLRPC.
 - Dates can now be in the year-range 1-9999.
 - The metakit backend has been removed.
 - Add simple anti-spam recipe to docs.
 - Allow customisation of regular expressions used in email parsing, thanks
   Bruno Damour.
 - Italian translation by Marco Ghidinelli.
 - Multilinks take any iterable.
 - config option: specify port and local hostname for SMTP connections.
 - Tracker index templating (i.e. when roundup_server is serving multiple
   trackers).
 - config option: Limit nosy attachments based on size (Philipp Gortan).
 - roundup_server supports SSL via pyopenssl.
 - templatable 404 not found messages.
 - Unauthorized email includes a link to the registration page for
   the tracker.
 - config options: control whether author info/email is included in email
   sent by roundup.
 - support for receiving OpenPGP MIME messages (signed or encrypted).
 - Handling of unset Link search in RDBMS backend.
 - Journal export of anydbm didn't correctly export previously empty values.
 - Fix handling of defaults for date fields.
 - Fix <form> name in user editing to allow multilink popups to work.
 - Fix form handling of editing existing hyperdb items from a new item page.
 - Added new rdbms-indexes for full-text index which will speed up
   reindexing.
 - Turning off indexing for content properties of FileClass instance
   (e.g., "file" and "msg") now works for SQL backends.
 - Enabled over-riding of content-type in web interface (thanks
   John Mitchell).
 - Validate user timezones to filter bad entries.
 - Classic template allows searching for issues with no topic set.
 - xapian_indexer uses current API for stemming (Rick Benavidez).
 - Ensure email addresses are unique.
 - roundup_admin tracks uncommitted changes in interactive mode
   for all backends.
 - add template search path for easy_install (Marek Kubica).
 - don't spam the roundup admin on client shutdowns (Ulrik Mikaelsson).
 - respect umask on filestorage backends (Ulrik Mikaelsson).
 - cope with spam robots posting multiple instances of the same form.
 - include the author of property-only changes in generated messages.
 - fuller email validation in templates.
 - cope with bad cookies from other apps on same domain.
 - updated Spanish translation from Ramiro Morales.
 - clean up query display of "Private to you items".
 - use local timezone for mail date header.
 - allow CSV export of queries on selected issues.
 - remove blobfiles on destroy.
 - handle postgres exceptions during session cleanup.
 - update Xapian indexer to use current API.
 - handle export and import of old trackers that have data attached to
   journal "create" events.
 - fix a couple more old instances of "type" instead of "ENGINE" for mysql
   backend.
 - make LinkHTMLProperty handle non-existing keys.
 - If-Modified-Since handling was broken.
 - Updated documentation for customising hard-coded searches in page.html.
 - Updated Windows installation docs (thanks Bo Berglund).
 - Handle rounding of seconds generating invalid date values.
 - Handle 8-bit untranslateable messages from database properties.
 - Fix scripts/roundup-reminder date calculation.
 - Improved due_date and timelog customisation docs.
 - relax rules for required fields in form_parser.py.
 - documentation cleanup from Luke Ross.
 - updated Spanish translation from Ramiro Morales.
 - handle 8-bit untranslateable messages in tracker templates.
 - handling of required for boolean False and numeric 0.
 - removed bogus args attr of ConfigurationError.
 - implemented start_response in roundup.cgi.
 - clarified windows service documentation.
 - HTMLClass fixed to work with new item permissions check.
 - support POP over SSL.
 - clean up input field generation and quoting of values.
 - allow use of roundup-server pidfile without forking.
 - allow translation of status/priority menu options.
 - setup.py had broken reference to roundup.cgi.
 - full-text search wasn't coping with multiple multilinks to the same class.
 - unicode / sqlite 3 problem.
 - WSGI support via roundup.cgi.wsgi_handler.
 - sqlite module detection was broken for python 2.5 compiled without sqlite
   support.
 - fixed support for pysqlite2 (version 2.1.0 is the minimum version
   supported).
 - roundup-server called setuid when run by non-root user.
 - fix sort/group direction checkbox in issue.index.html.
 - fix error detection for non-EN locales of postgres.
 - fix email change note rendering of multiline properties.
 - fix sidebar search links.
 - nicer "permission required" messages.
 - fix unstable ordering of detectors.
 - E-mail subject line prefix delimiter configuration was being ignored.
 - Password confirm field in user editing.
 - supports Python 2.5, including the sqlite3 module.
 - full timezone support.
 - handle connection loss when responding to web requests.
 - match incoming mail In-Reply-To against existing messages when no issue
   id is specified in the Subject.
 - added StringHTMLProperty wrapped() method to wrap long lines in issue
   display.
 - include the popcal in Date field editing and search fields by default.
 - @required in forms may now specify properties of linked items.
 - update for latest version of pysqlite.
 - update for latest version of psycopg2.
 - new "exporttables" command in roundup-admin.
 - roundup-admin "export" may specify classes to exclude.
 - sorting and grouping by multiple properties is now supported by the
   backends *and* the classic template.
 - sorting, grouping, and searching by transitive properties (e.g.,
   messages.author.supervisor) is now supported in all backends.
 - added filter_sql to SQL backends which takes an arbitrary SQL statement
   and returns a list of item ids.
 - Verbose option for import and export.
 - -c option for roundup-mailgw won't accept parameter.
 - '?' in rfc2822-encoded header isn't quoted.
 - fix error message in form parser.
 - updated ZRoundup for Zope 2.9.
 - fix timelog example in customisation doc to mention permissions.
 - nicer listing of Superseder links.
 - include roundup-server.ini.example.
 - dumb bug in cgi templating utils.
 - handle unicode in query names.
 - fix error during mailgw bouncing message.
 - hyperdb handling of empty raw values for Multilink and Password.
 - don't int() ids.
 - fix importing into anydbm backend.
 - fix help message for roundup-admin install.
 - removed traceback with OTK is used multiple times.
 - metakit backend was indexing FileClass content even when asked not to.
 - anydbm backend will finally sort numerically by ID.
 - problem with string sorting in anydbm backend fixed: If a string was
   fully numeric it was sorted as a number.
 - Multilink-sorting now sorts by orderprop not by ID and works for all
   backends.
 - Bug with name-collisions in sorted classes when sorting by Link
   properties in metakit backend fixed.
 - Postgres backend allows transaction collisions to be ignored when
   committing cleanup in the sessions database.
 - translate titles of "show all" and "unassigned" issue lists
   in classic template.
 - "as" is a keyword in Python 2.6.
 - "from __future__" statments need to be first line of file in Python 2.6.
 - better conflict retry in postgresql backend.
 - fix time log example.


To generate a diff of this commit:
cvs rdiff -r1.32 -r1.33 pkgsrc/devel/roundup/Makefile
cvs rdiff -r1.13 -r1.14 pkgsrc/devel/roundup/PLIST
cvs rdiff -r1.23 -r1.24 pkgsrc/devel/roundup/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.