1.8.9 release infos
Bug fixes
- Fixed XSS issue in rst parser (CVE-2011-1058).
- PackagePages: avoid strange exception in zipfile.py for pre-1980 timestamps.
- revert action: Catch and display all SaveErrors when revert failed
- ldap_login: assign server early, it is used in exception handler
Other changes
None - we did not update system/help pages since the previous release, so you do not need to update your underlay directory
Please note: this is the final 1.8.x version; there will be no more 1.8.x security / bug fixes coming from moin developers from now on. You are advised to upgrade to the latest moin 1.9.x release as soon as possible. If you need help with that, please see http://moinmo.in/Support
1.8.8 release infos
For details see the CHANGES file.
Bug fixes
- Fixed XSS issues (see MoinMoinBugs/1.9.2UnescapedInputForThemeAddMsg).
- Fixed XSS in Despam action (CVE-2010-0828).
- wikiutil.clean_input: avoid crash if it gets str type
- Add RenderAsDocbook to actions_excluded if we have no python-xml
- AttachFile._build_filelist: verifies readonly flag for unzip file link
- attachUrl: fix wrongly generated tickets (e.g. for AttachList macro)
- MoinMoin.util.filesys.dc* (dircache can't work reliably):
  - disable usage of dircache, deprecate dc* functions
  - remove all calls to filesys.dc* (dclistdir, dcdisable)
- Fixed crash, see MoinMoinPatch/IncludeMacroWithDocBookFormatter
- Avoid hardly recoverable crashes if #format specification is invalid
- Fixed info action: AttachFile sub-actions that needed a ticket did not work (e.g. do=del).
New features
- auth.ldap_login: add report_invalid_credentials param to control wrong credentials error message (typically used when using multiple ldap authenticators)
1.8.7 release infos
For details see the CHANGES file.
Bug fixes
- Fixed major security issues in miscellaneous parts of moin.
  HINT: if you have removed superuser configuration to work around the issue (following our security advisory), you may re-add it after installing this moin release. If you don't need superuser capabilities often, it might be wise to not have superusers configured all the time, though.
- Improved package security: cfg.packagepages_actions_excluded excludes unsafe or otherwise questionable package actions by default now.
- wiki parser: fixed transclusion of (e.g. video) attachments from other pages.
- Fixed edit locking for non-logged in editors and cfg.log_remote_addr=False.
- xmlrpc:
  - Process attachname in get/putAttachment similarly.
  - revertPage: convert pagename to internal representation.
- Fixed config.umask usage for page packages.
- Fixed usage of i18n.wikiLanguages() on class level (moved to method), failed when tools import the module (e.g. pydoc -k foo).
- SubProcess: fixed win32-specific parts, fixed imports (fixes calling of external xapian index filters)
1.8.6 release infos
For details see the CHANGES file.
Bug fixes
- Xapian indexing / indexing filters:
  - fix deadlocks with well- and misbehaving external filters
  - work around indexing run crashing when encountering encoding problems with non-ascii filenames
  - OpenOffice/OpenDocument filters: catch UnicodeDecodeErrors (happens with password protected files)
- i18n: check if languages is not initialized yet, don't crash
- http_redirect: use 301 redirect for some cases
- do not use httponly session cookies, makes trouble with twikidraw and ACLs
- GetText2 macro: fix for named placeholder
- Fix SHA -> SSHA password hash upgrade for old user profiles.
- abort RenamePage if renaming of main page fails (do not try to rename subpages)
New features
- search: improve search result ordering
- add MS Powerpoint indexing filter (needs catppt from catdoc package)
- migration scripts: make finding damaged edit-log entries easier
- SubscribeUser action: support username regexes and unsubscribing.
1.8.5 release infos
For details see the CHANGES file.
Bug fixes
- Attachment links: fix processing of attributes (e.g. 'target', 'title')
- Upgrade FCKeditor from 2.6.4 to 2.6.4.1.
- PDF embedding: fix html, works better with PDF browser plugins now.
- Fix typo in rightsidebar CSS.
- Action revert: avoids reverting to a deleted current revision.
- Action diff: enable prev/next button only in the range of given revisions.
- Add an "Auto-Submitted: auto-generated" header to generated mails.
- Include comment in email notifies.
- mailimport: fix endless looping while trying to import a forwarded mail.
- fuid: keep same fake_mtime for intervals of max_staleness duration.
- Fixes a bug with empty list items in the GUI editor.
- Improve filesys.rename compatibility code (win32).
- Fix locking for CacheEntry.
- Xapian indexing: catch exception when a bad zip file is encountered.
- openidrp / botbouncer: fix param count for CancelLogin().
New features
- Added CAS authentication.
- Added httponly cookie support and use it for session cookie.
Other changes
- HTTP auth: added debug logging.
- Minor LDAP auth improvements.
- Data browser widget:
  - Add (h)column<idx> css class to make it styleable.
  - Include only necessary autofilter options.
- moin maint cleancache now purges drafts, too.
- Add gopher and apt protocols to url_schemas.
- Add .csv, .flv, .swf to MIMETYPES_MORE.
1.8.4 release infos
For details see the CHANGES file.
Bug fixes
- ACL security: fix bug in hierarchical ACL processing, more restrictive sub page ACLs did not work if the current user name did not give a match within the sub page ACL (instead, the less restrictive parent page ACL was used). Non-hierarchical ACL processing (the default) is NOT affected.
- Creole parser: fix spaces in multiline elements.
- Use msie.css only for Internet Explorer older than version 8, fixes e.g. the double rendering of link icons.
- http auth: do auth_type comparisons case-insensitively (spec-compliant)
New features
- EmbedObject macro: changed default width value for PDF files to 100% (use a recent Adobe Reader to make this work).
- CopyPage action: added a TextCha for it
Other changes
- Creole parser: Add second license: BSD
1.8.3 release infos
For details see the CHANGES file.
New features
- added modernized_cms theme
- use url_prefix_fckeditor if you don't want to use the builtin FCKeditor of moin, but a separate one at some specific url
- ldap auth: new name_callback param to create a custom wiki username (not the ldap login username).
- (some other minor features)
Fixes
- AttachFile XSS fixes: move escaping to error_msg / upload_form
- email attachments import with xapian indexing enabled: fix AttributeError
- fix wrong links in attachment notifications
- AttachFile do=view: quote filename and pagename params for EmbedObject macro call
- AttachFile: fix exception when someone just clicks on upload, without giving a file
- ldap_login: use None as default value for ssl certs/keys (using '' for the paths lets it fail with Connect Error)
- release edit lock if someone saves an unchanged page
- (some more minor fixes)
1.8.2 release infos
For details see the CHANGES file.
New features
- More privacy: logging of IP addresses to edit-log and event-log can be disabled.
Fixes
- Some XSS security fixes.
- FCKeditor updated from 2.6.3 to 2.6.4.
- Theme fixes.
- Fixed anchor parsing / sanitizing - more usable, more consistent now.
- Xapian indexing and search fixes, esp. historysearch.
- Other fixes.
1.8.1 release infos
For details see the CHANGES file.
For everybody
- We fixed some minor bugs here and there.
- Some cosmetic improvements in the themes, esp. in modernized theme.
- It is possible to specify alternate stylesheets now.
For Windows users
- We worked around some strange Windows behaviour with caching / locking. This problem has been there for a long time, and thanks to the workaround it works much better now.
- Fixed xapian indexing filter problem on win32.
1.8.0 release infos
For details see the CHANGES file.
Major new features
- Major GUI editor upgrade and lots of GUI editor related fixes.
- New "modernized" theme.
Plus lots of other small features and bug fixes.