From 93a5a00f955b91ba317e0581e626ddeb5e3d6ee8 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 11 Jul 2014 22:51:09 +0900 Subject: [PATCH] Update NEWS --- NEWS | 175 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 175 insertions(+) diff --git a/NEWS b/NEWS index f92ac812..8e989aec 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,178 @@ +aria2 1.18.6 +============ + +Release Note +------------ + +This release fixes several bugs reported in github issues and adds a +feature to make RPC authentication more resilient to certain attacks. +New option --pause-metadata is added. The explanation is a bit log, +so check the changelog and manual. The session is now only saved if +there are changes from the last saved state. + +From this release, MinGW32 build uses Windows native TLS +implementation and no longer use OpenSSL library. + +Changes +------- + +* Disard cache when checking checksum + + This will slow down checksum checking but does not thrash cache. + +* Compat with libuv 0.11 (Unstable) + + Fixes #241 + +* Drop WinMessageDigestImpl. + + The algorithms the `CryptProv` on Windows supports does not + currently include SHA-224, so there is a "dark spot" in this + implementation. Also on Win XP < SP3, most of the SHA-2 family is + not actually supported. All other implementation provide support + for MD5, SHA-1 and all of the SHA-2 family, hence drop the + incomplete WinMessageDigest implementation in favor of any other + supported implementation (at least the internal implementation is + always available at compile-time). + +* Add --pause-metadata option + + This option pauses downloads created as a result of metadata + download. There are 3 types of metadata downloads in aria2: (1) + downloading .torrent file. (2) downloading torrent metadata using + magnet link. (3) downloading metalink file. These metadata + downloads will generate downloads using their metadata. This option + pauses these subsequent downloads. + +* Improve compiler/platform/libs information in logs + + Add and use usedCompilerAndPlatform(). This adds compiler + information to INFO logs and the --version output, and may be + helpful when trying to diagnose/reproduce user-reported problems. + + Also make INFO logs include usedLibs() output. + + Closes #235 + +* Fix use-after-free on exit with multi-file torrent download + DHT + + DefaultPieceStorage may be referenced by one of DHT task (e.g., + DHTPeerLookupTask), after RequestGroup was deleted, and even after + RequestGroupMan was deleted. DefaultPieceStorage has a reference to + MultiDiskAdaptor which calls RequestGroupMan object on destruction. + So when DHT task is destroyed, DefaultPieceStorage is destroyed, + which in turn destroys MultiDiskAdaptor. DHT task is destroyed + after RequestGroupMan was destroyed, MultiDiskAdaptor will use now + freed RequestGroupMan object, this is use-after-free. + +* Fix bug that zero length file is not opened when flushing cache + + This bug was only seen when MultiDiskAdaptor was used. + +* Support PREF_DIR change for Metalink files + + Reworked previous commit adeead6f0396e2f8551d1182972e277728fd6c8b, + and now support changing PREF_DIR for Metalink downloads. + +* Fix assertion failure when dir option of paused HTTP/FTP download is + changed + + When the directory is changed via aria2.changeOption RPC method, we + directly change first FileEntry's path using FileEntry::setPath(). + If there is no PREF_OUT option is given, basically file name is + unknown, so we just set empty string and let the next run determine + the correct file name and new directory is applied there. But + previous code does not reset length property of FileEntry, so the + unexpected code path is taken when unpaused and its path expects + path is not empty string. This commit fixes this issue by setting + length to 0 using FileEntry::setLength(). + +* Save session only when there is change since the last serialization + + This is a slight optimization not to cause useless disk access. + This only applies to saving session automatically (see + --save-session-interval). aria2.saveSession and serialization at + the end of the session are always performed as before. + + When serialization, we first check that whether there is any change + since the last serialization. To do this, we first calculate hash + value of serialized content without writing into file. Then compare + this value to the value of last serialization. If they do not + match, perform serialization. + +* Fix (unknown length) downloads larger than 2GiB + + Closes #215 + +* Fix F_PREALLOC based allocation on some OSX versions + +* Use index.html as filename for conditional-get when file is missing + in URI + + Previously we disabled conditional-get if file part is missing in + URI. But we use constant string "index.html" in this case, so we + can do the same to determine the modification time. In this patch, + if we have file part in URI, we are not going to set absolute file + path in FileEntry, since it prevents content-disposition from + working. + +* Always add README.html to dist_doc_DATA + + rst2html is required to produce README.html from README.rst. We + include generated README.html to distribution. And rst2html is not + required when compiling sources in distribution and always + README.html is available. + +* Validate token using PBKDF2-HMAC-SHA1. + + This change should make token validation more resilient to: + - timing attacks (constant time array compare) + - brute-force/dictionary attacks (PBKDF2) + + Closes #220 + +* Add --disable-websocket configure option + +* mingw32: Enable wintls and compile with GMP + + By enabling wintls, we can use Windows certificate store to validate + server's certificate. Previously, we built windows build using + openssl and since we don't bundle CA certificates, aria2 fails to + validate server's certificate unless user setups their CA + certificates. GMP provides fast big integer calculations, whic is + used in BitTorrent encryption. + +* AppleTLS: Enable BEAST mitigations in ST + + Only available in 10.9+, but since we might be building on a + previous version but running on 10.9+, always try to set the option. + +* WinTLS: Accept chains with no revocation information. + + This is kind what browser do anyway (IE, Firefox, Chrome tested), + what AppleTLS does, what GnuTLS does and what OpenSSL + does. Actually, most browsers will also be OK with the CRL/OCSP + provider being offline. WinTLS will still fail in that case. + + Should revocation information be available in the trust chain (CRL + or OCSP) the certificate still will be checked! + + "Real" CAs, aka. those provided by the OS or system CA bundle, + usually provide revocation information and are thus still checked. + It should be mostly (only?) custom (organization) CAs that lack + revocation information, but those users might want to use aria2 in + their intranets and VPNs anyway ;) + + See #217 + +* Fix GnuTLS 2.x compatiblity + + Closes GH-216 + +* AppleTLS: Use newer, non-deprecated API in 10.8+ + + + aria2 1.18.5 ============