Update NEWS

2014-07-11 22:51:09 +09:00 · 2014-07-11 22:51:09 +09:00 · 93a5a00f95
parent 84bd18b9a1
commit 93a5a00f95
1 changed files with 175 additions and 0 deletions
--- a/175
+++ b/175
@ -1,3 +1,178 @@
+aria2 1.18.6
+============
+
+Release Note
+------------
+
+This release fixes several bugs reported in github issues and adds a
+feature to make RPC authentication more resilient to certain attacks.
+New option --pause-metadata is added.  The explanation is a bit log,
+so check the changelog and manual.  The session is now only saved if
+there are changes from the last saved state.
+
+From this release, MinGW32 build uses Windows native TLS
+implementation and no longer use OpenSSL library.
+
+Changes
+-------
+
+* Disard cache when checking checksum
+
+  This will slow down checksum checking but does not thrash cache.
+
+* Compat with libuv 0.11 (Unstable)
+
+  Fixes #241
+
+* Drop WinMessageDigestImpl.
+
+  The algorithms the `CryptProv` on Windows supports does not
+  currently include SHA-224, so there is a "dark spot" in this
+  implementation. Also on Win XP < SP3, most of the SHA-2 family is
+  not actually supported.  All other implementation provide support
+  for MD5, SHA-1 and all of the SHA-2 family, hence drop the
+  incomplete WinMessageDigest implementation in favor of any other
+  supported implementation (at least the internal implementation is
+  always available at compile-time).
+
+* Add --pause-metadata option
+
+  This option pauses downloads created as a result of metadata
+  download. There are 3 types of metadata downloads in aria2: (1)
+  downloading .torrent file. (2) downloading torrent metadata using
+  magnet link. (3) downloading metalink file.  These metadata
+  downloads will generate downloads using their metadata. This option
+  pauses these subsequent downloads.
+
+* Improve compiler/platform/libs information in logs
+
+  Add and use usedCompilerAndPlatform().  This adds compiler
+  information to INFO logs and the --version output, and may be
+  helpful when trying to diagnose/reproduce user-reported problems.
+
+  Also make INFO logs include usedLibs() output.
+
+  Closes #235
+
+* Fix use-after-free on exit with multi-file torrent download + DHT
+
+  DefaultPieceStorage may be referenced by one of DHT task (e.g.,
+  DHTPeerLookupTask), after RequestGroup was deleted, and even after
+  RequestGroupMan was deleted.  DefaultPieceStorage has a reference to
+  MultiDiskAdaptor which calls RequestGroupMan object on destruction.
+  So when DHT task is destroyed, DefaultPieceStorage is destroyed,
+  which in turn destroys MultiDiskAdaptor.  DHT task is destroyed
+  after RequestGroupMan was destroyed, MultiDiskAdaptor will use now
+  freed RequestGroupMan object, this is use-after-free.
+
+* Fix bug that zero length file is not opened when flushing cache
+
+  This bug was only seen when MultiDiskAdaptor was used.
+
+* Support PREF_DIR change for Metalink files
+
+  Reworked previous commit adeead6f0396e2f8551d1182972e277728fd6c8b,
+  and now support changing PREF_DIR for Metalink downloads.
+
+* Fix assertion failure when dir option of paused HTTP/FTP download is
+  changed
+
+  When the directory is changed via aria2.changeOption RPC method, we
+  directly change first FileEntry's path using FileEntry::setPath().
+  If there is no PREF_OUT option is given, basically file name is
+  unknown, so we just set empty string and let the next run determine
+  the correct file name and new directory is applied there.  But
+  previous code does not reset length property of FileEntry, so the
+  unexpected code path is taken when unpaused and its path expects
+  path is not empty string.  This commit fixes this issue by setting
+  length to 0 using FileEntry::setLength().
+
+* Save session only when there is change since the last serialization
+
+  This is a slight optimization not to cause useless disk access.
+  This only applies to saving session automatically (see
+  --save-session-interval).  aria2.saveSession and serialization at
+  the end of the session are always performed as before.
+
+  When serialization, we first check that whether there is any change
+  since the last serialization.  To do this, we first calculate hash
+  value of serialized content without writing into file.  Then compare
+  this value to the value of last serialization.  If they do not
+  match, perform serialization.
+
+* Fix (unknown length) downloads larger than 2GiB
+
+  Closes #215
+
+* Fix F_PREALLOC based allocation on some OSX versions
+
+* Use index.html as filename for conditional-get when file is missing
+  in URI
+
+  Previously we disabled conditional-get if file part is missing in
+  URI.  But we use constant string "index.html" in this case, so we
+  can do the same to determine the modification time.  In this patch,
+  if we have file part in URI, we are not going to set absolute file
+  path in FileEntry, since it prevents content-disposition from
+  working.
+
+* Always add README.html to dist_doc_DATA
+
+  rst2html is required to produce README.html from README.rst.  We
+  include generated README.html to distribution.  And rst2html is not
+  required when compiling sources in distribution and always
+  README.html is available.
+
+* Validate token using PBKDF2-HMAC-SHA1.
+
+  This change should make token validation more resilient to:
+  - timing attacks (constant time array compare)
+  - brute-force/dictionary attacks (PBKDF2)
+
+  Closes #220
+
+* Add --disable-websocket configure option
+
+* mingw32: Enable wintls and compile with GMP
+
+  By enabling wintls, we can use Windows certificate store to validate
+  server's certificate.  Previously, we built windows build using
+  openssl and since we don't bundle CA certificates, aria2 fails to
+  validate server's certificate unless user setups their CA
+  certificates.  GMP provides fast big integer calculations, whic is
+  used in BitTorrent encryption.
+
+* AppleTLS: Enable BEAST mitigations in ST
+
+  Only available in 10.9+, but since we might be building on a
+  previous version but running on 10.9+, always try to set the option.
+
+* WinTLS: Accept chains with no revocation information.
+
+  This is kind what browser do anyway (IE, Firefox, Chrome tested),
+  what AppleTLS does, what GnuTLS does and what OpenSSL
+  does. Actually, most browsers will also be OK with the CRL/OCSP
+  provider being offline.  WinTLS will still fail in that case.
+
+  Should revocation information be available in the trust chain (CRL
+  or OCSP) the certificate still will be checked!
+
+  "Real" CAs, aka. those provided by the OS or system CA bundle,
+  usually provide revocation information and are thus still checked.
+  It should be mostly (only?) custom (organization) CAs that lack
+  revocation information, but those users might want to use aria2 in
+  their intranets and VPNs anyway ;)
+
+  See #217
+
+* Fix GnuTLS 2.x compatiblity
+
+  Closes GH-216
+
+* AppleTLS: Use newer, non-deprecated API in 10.8+
+
+
+
 aria2 1.18.5
 ============