Releases: omar-polo/gmid
2.0.5 “Lady Stardust” security release
signify(1) public key for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te
This release fixes a logic error that can result in a DoS; it is therefore a strongly recommended update for all users. It is safe to update from any version of the 2.0.x series since there were no breaking changes.
- allow again empty lines at the start of the configuration.
- change how strnvis(3) is handled: on systems with the broken interface gmid will just use its own built-in version.
- reject requests with `NUL` bytes in them.
- don't error on a `..` component at the start of the path.
2.0.4 “Lady Stardust” bugfix release
signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te
- add a nicer error message if the removed `cgi` option is still used. Reported by freezr.
- portability fix for systems with a wrong strnvis(3).
2.0.3 “Lady Stardust” bugfix release
signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te
- relax the SNI requirements
- gg: add -q to avoid printing the "Server Says:" line
- gg: unbreak -n
- fix parsing of IPv6 addresses
- fix `fastcgi off` handling
2.0.2 “Lady Stardust” bugfix release
signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te
- fix `log access path` with `chroot` enabled.
- fix config dumping (`-nn`).
- rework grammar to allow semicolons after top-level statements.
- don't make the log styles reserved keywords.
- contrib/vim: fixed indent, from Anna “CyberTailor”, thanks!
2.0.1 “Lady Stardust” bugfix release
signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te
Changelog
- convert gmid to the new imsg API
- update bundled imsg
- configure: fix `--mandir` handling; from Anna “CyberTailor”, thanks!
2.0 -- "Lady Stardust"
signify(1) pubkeys for this release: RWQ+Bm0F0FtPLtTnpRe09x/Z6Fiodk4toTZe2TJ4yCqDZ6l0c5wiU9te
New Features
- added `listen on` to specify per-server the list of addresses from where connections are to be accepted.
- added titan(1), a simple titan client.
- split the "configless" version of gmid out as a standalone executable, gemexp(1)
- added ability to log to files with `log access <path>`
- added ability to change the syslog(3) facility with `log syslog facility <facility>`
- added ability to change the logging style with `log style <style>`
- added `fastcgi strip`
- reworked the privsep implementation and added a privsep crypto engine
- implemented `SCRIPT_NAME` and `PATH_INFO` splitting for fastcgi
Bug fixes
- fixed handling of TLS handshake failures
Improvements
- contrib/gencert: added -e to generate EC keys
- use default prefork (3) in regress
- removed the sha256 dependency of the regress suite
- parse and log the fastcgi reply
- revamped the fastcgi configuration, now it's per-location
- attempt to load the TLS certificates, mimes and virtual hosts root as part of the configtest (-n) instead of verifying the syntax only.
- synced the parameters with RFC3875 (CGI)
- gg: exit with the gemini response code unless it's 2X
- gemexp: generate EC certificates too (it's also the new default)
- (contrib/vim) added an ALE linter and updated the Vim syntax file; thanks Anna “CyberTailor”
Breaking Changes
- removed CGI support
- gg now warns when the server doesn't use TLS' close_notify
- deprecated the global `ipv6` and `port` settings in favour of the per-server `listen on` directive
- removed the already deprecated config options `mime` and `map`
- dropped seccomp and capsicum support
- FastCGI: set REQUEST_METHOD to "GET" instead of the empty string
1.8.6 - “Lightbulb Sun” bugfix release
signify(1) pubkey for this release: RWTy3UJQzpxBUAymBwb2EGLLm0b3H/1n8hzhaC9HYFYzNuTavGt9QSwC
- add tests and compat for setresuid setresgid
- add GEMINI_SEARCH_STRING fastcgi parameter / cgi env variable
- manpage fix: QUERY_STRING is not urldecoded
- fixed use-after-free in the fastcgi code
- when switching user also set the groups
- always cast is*() arguments to unsigned char
Starting with this release tags are also signed with my ssh key like I'm doing with other projects as well:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0nD5I8BNVJknT87gnpLIJWK0fXTayDktQOlS38CGj4 [email protected]
“Lightbulb Sun” bugfix release
Released November 1, 2022.
signify(1) pubkeys for this release: RWTy3UJQzpxBUAymBwb2EGLLm0b3H/1n8hzhaC9HYFYzNuTavGt9QSwC
Bug Fixes
- removed OpenBSD's rc file; it's now maintained in the ports tree
- (hopefully) fix build on DragonflyBSD
- call tzset(3) to fix times in logs
- always send custom list of fcgi parameters (@nytpu)
“Lightbulb Sun” bugfix release
Released July 4, 2022.
signify(1) pubkeys for this release: RWTy3UJQzpxBUAymBwb2EGLLm0b3H/1n8hzhaC9HYFYzNuTavGt9QSwC
Starting from this release there will be no more pre-compiled binaries. gmid is already packaged by various repositories and the needed dependencies are almost universally available.
Edit 2022/07/07: the tarball ended up without `contrib/`. `gmid-1.8.4.-with-contrib.tar.gz` was uploaded to recover from this issue and not tag another release; SHA256 and SHA256.sum had to be re-generated.
Bug Fixes
- allow "@" and ":" in paths; spotted by freezr
- URL-encode the file names in the directory index; reported by cage
Improvements
- move the documentation about the config file in its own manual page: gmid.conf.5
- improvements to the mime handling: fixed a memory leak and improved lookup speed.
- log (with low priority) when gmid failed to open a file because of its permissions.
- include a trailing "/" for dirs in the auto-generated directory index.
Breaking Changes
- deprecated the `map` rule in favour of the new `types` block.
- the default list is not loaded anymore when `types` is used; except for the text/gemini to ".gmi"/".gemini" mappings.
“Lightbulb Sun” bugfix release
signify(1) pubkeys for this release: RWTy3UJQzpxBUAymBwb2EGLLm0b3H/1n8hzhaC9HYFYzNuTavGt9QSwC
(note: no aarch64 precompiled binaries this time)
Bug Fixes
- fix a possible out-of-bounds access in the CGI handling. It was introduced last October during a refactoring, but due to how many malloc(3) implementations work this hasn't been found until now. Otto's malloc is more strict fortunately.