Subject: CVS commit: [pkgsrc-2006Q4] pkgsrc/www/p5-CGI-Session
To: None <pkgsrc-changes@NetBSD.org>
From: Geert Hendrickx <ghen@netbsd.org>
List: pkgsrc-changes
Date: 03/16/2007 23:10:40
Module Name:	pkgsrc
Committed By:	ghen
Date:		Fri Mar 16 23:10:40 UTC 2007

Modified Files:
	pkgsrc/www/p5-CGI-Session [pkgsrc-2006Q4]: Makefile distinfo

Log Message:
Pullup ticket 2050 - requested by wiz
security update for p5-CGI-Session

- pkgsrc/www/p5-CGI-Session/Makefile			1.8
- pkgsrc/www/p5-CGI-Session/distinfo			1.4

   Module Name:	pkgsrc
   Committed By:	wiz
   Date:		Fri Mar 16 20:41:22 UTC 2007

   Modified Files:
	   pkgsrc/www/p5-CGI-Session: Makefile distinfo

   Log Message:
   Update to 4.20:

   4.20 - Monday, December 4, 2006

       * INTERNAL: No Changes since 4.20_1. Declaring stable.

   4.20_1 - Friday, November 24, 2006

       * FIX: -ip_match now works even when it's not the last import item. (RT#21779)
       * FIX: In the PostgreSQL driver, a race condition is when storing is now worked around. (Mark Stosberg)
       * FIX: Added important clarification and example to MySQL driver docs that the session column
              needs to be defined as a primary key to avoid duplicate sessions. (Justin Simoni, Mark Stosberg)
       * FIX: The default serializer now works correctly with certain data structures. (RT#?) (Matt LeBlanc)
       * FIX: A documentation bug in find() was fixed (Matt LeBlanc)
       * FIX: Documented how to declare a database handle to be used on demand, which was introduced
              in 4.04. (Mark Stosberg)
       * FIX: Connections made with SQLite now disconnect only when appropriate, instead of always.
              This addresses a symptom seen as "attempt to prepare on inactive database handle"
              (Jaldhar Vyas, Sherzod, Mark Stosberg)
       * FIX: Args to the constructor for CGI::Session and the drivers are now always shallow
              copied rather than used directly, to prevent modification.
              (RT#21952, Franck Porcher, Sherzod, Mark Stosberg)
       * FIX: The documentation for expire($param, $time) was made more explicit
              (pjf, Mark Stosberg)
       * NEW: Added recommended use of flush() to the Synopsis (Michael Renner, RT#22333)
       * NEW: Added links to Japanese translations of the documentation (Makio Tsukamoto)
              http://digit.que.ne.jp/work/index.cgi?Perldoc/ja
       * INTERNAL: Update test to workaround YAML versions less than 0.58. (Matt LeBlanc)
       * INTERNAL: param() code was refactored for clarity (Mark Stosberg, Ali ISIK, RT#21782)
       * INTERNAL: new() and load() were refactored (Ali Isik)
       * INTERNAL: renamed some environment variables used for testing (Ron Savage)
       * INTERNAL: Multi key-value syntax of param() now always returns number of keys
         successfully processed, 0 if no key/values were processed.

   4.14 - Sunday, June 11, 2006

       * NEW: The find() command now has better documentation. (Ron Savage, Matt LeBlanc)
       * FIX: find() no longer changes the access or modified times (RT#18442) (Matt LeBlanc)
       * FIX: param() called with two parameters now returns the value set, if any (RT#18912) (Matt LeBlanc)
       * FIX: driver, serializer, and id generator names are now untainted (RT#18873) (Matt LeBlanc)
       * INTERNAL: automatic flushing has been documented to be unreliable, although
         it was recommended in the past. Automatic flushing can be affected adversely
         in persistent environments and in some cases by third party software. There are
         also some cases in which flushing happened automatically in 3.x, but quit working
         with 4.x. See these tickets for details.

          http://rt.cpan.org/Ticket/Display.html?id=17541
          http://rt.cpan.org/Ticket/Display.html?id=17299

   4.13 - Wednesday, April 12, 2006

       * FIX: Applied patch to fix cookie method (RT#18493,Nobuaki ITO)
       * FIX: Berkeley DB 1.x exhibits a bug when used in conjunction with O_NOFOLLOW. Because of this,
         we've removed it from the db_file driver. It will still attempt to stop symlinks but the
         open itself has dropped the flag. (Matt LeBlanc)
       * FIX: json and yaml db_file tests now check for the presence of DB_File. (Matt LeBlanc)

   4.12 - Friday, April 7, 2006

       * SECURITY: Fix possible SQL injection attack. (RT#18578, DMUEY)

   4.11 - Friday, March 31, 2006

       * FIX: Since 4.10, using name() as a class method was broken. This has
         been fixed, and regression tests for both uses have been added. (Matt LeBlanc)

   4.10 - Tuesday, March 28, 2006

       * SECURITY: Hopefully this settles all of the problems with symlinks. Both the file
         and db_file drivers now use O_NOFOLLOW with open when the file should exist and
         O_EXCL|O_CREAT when creating the file. Tests added for symlinks. (Matt LeBlanc)
       * SECURITY: sqlite driver no longer attempts to use /tmp/sessions.sqlt when no
         Handle or DataSource is specified. This was a mistake from a security standpoint
         as anyone on the machine would then be able to create and therefore insert data
         into your sessions. (Matt LeBlanc)
       * NEW: name is now an instance method (RT#17979) (Matt LeBlanc)

   4.09 - Friday, March 16th, 2006

       * SECURITY: Applying security patch from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555 (Julien Danjou)

   4.08 - Thursday, March 15th, 2006

       * FIX: DESTROY was sometimes wiping out exception handling. RT#18183, Matt LeBlanc.
       * SECURITY: Resolve some issues in: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555
         - db_file and file now check for symlinks either explicitly or by using O_EXCL on sysopen
         - file creation umask defaults to 660
       * NEW: db_file and file drivers now accepts a UMask option. (Matt LeBlanc)
       * INTERNAL: test suite clean up (Tyler MacDonald)


To generate a diff of this commit:
cvs rdiff -r1.7 -r1.7.6.1 pkgsrc/www/p5-CGI-Session/Makefile
cvs rdiff -r1.3 -r1.3.6.1 pkgsrc/www/p5-CGI-Session/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.