/contrib/cvs/NEWS
#! | 1905 lines | 1423 code | 482 blank | 0 comment | 0 complexity | 4757c658c84975a79a2bc2338854851d MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, BSD-3-Clause, LGPL-2.0, LGPL-2.1, BSD-2-Clause, 0BSD, JSON, AGPL-1.0, GPL-2.0
Large files files are truncated, but you can click here to view the full file
1Changes since 1.11.22: 2********************** 3 4NEW FEATURES 5 6* A new log option -n reverts the -N option which may be in a .cvsrc 7 file. 8 9* The `cvs blame' command is now a synonym for the `cvs annotate' command. 10 11* The :extssh: method will use $CVS_SSH if set, or fall back on "ssh" 12 by default (but may be explicitly set using the --with-ssh flag to 13 configure). 14 15* There is a new IgnoreUnknownConfigKeys option available for 16 CVSROOT/config to aid in the transition to newer versions of CVS. 17 18BUG FIXES 19 20* Merges of file removals using -j options are a little smarter. 21 22* `cvs add' checks more thoroughly for `CVS' directories in the argument list. 23 24* `cvs server' now accepts `--allow-root=PATH' options. 25 26* `cvs import' no longer attempts to send CVS metadata to the server. 27 28* `cvs import' makes more of an effort not to import paths containing files 29 and directories named `CVS'. 30 31* The CVS server will no longer allow clients to run `cvs init'. 32 33* Applying diffs when checking out very old revisions has been reduced from an 34 O(n^2) operation to an O(n) thanks to a patch from Michael J. Smith 35 <msmith@ideorlando.org> and additional touch-up work from the CVS team. 36 37* Thanks to report from Paul Eggert <eggert@CS.UCLA.EDU>, an assertion failure 38 that could occur when "." was in the path (e.g. `cvs co /cvsroot/./module') 39 has been removed. 40 41* Thanks to a report from Peter Toft <pto@linuxbog.dk>, CVS server now sends 42 correct patch files more often when the RCS `Name' keyword is present in 43 a working file (bug #17302). 44 45* Thanks to a report from Dan Peterson <dbpete@aol.com>, clients now send the 46 right set of commands to the server when asked to update directories with 47 trailing slashes on their name. 48 49* Thanks to a report and patch from <mbarabas@redhat.com>, potential stack 50 corruption during pserver login is avoided (bug #16961). 51 52* The :extssh: method is now properly recognized as an alias for :ext:. 53 54DEVELOPER ISSUES 55 56* We've standardized on Autoconf version 2.61 to get a bug fix that notes 57 that the AIX C compiler's default mode isn't quite C89 and sets the 58 correct mode instead. 59 60* We've standardized on Autoconf version 1.10 because it lets us simplify our 61 sources. 62 63Changes from 1.11.21 to 1.11.22: 64******************************** 65 66BUG FIXES 67 68* The CVS client again correctly reports files with conflicts when using 69 servers running CVS 1.11.20/1.12.12, or earlier (and maybe 3rd party 70 servers). 71 72* The GSSAPI server should now build under HP-UX. 73 74* `cvs rtag' now correctly tags files that have been removed from the trunk. 75 76* Code efficiency has been improved slightly. 77 78* A rare race condition that could leave a lock on the val-tags file has been 79 avoided. 80 81* A potential buffer overflow in the history command has been fixed. 82 83* Thanks to a report and patch from Garrett Rooney <grooney@collab.net>, paused 84 trigger processes no longer cause the CVS server to consume 100% CPU. 85 86* Thanks to a suggestion from Joseph P. Skudlarek <Jskud@Jskud.com>, an 87 :extssh: has been added as a synonym of the :ext: access method, as a 88 kindness to users of old version of Eclipse. 89 90* Misc documentation updates and minor bug fixes. 91 92Changes from 1.11.20 to 1.11.21: 93******************************** 94 95BUG FIXES 96 97* Thanks to Serguei E. Leontiev <lse@CryptoPro.ru>, CVS with Kerberos 5 GSSAPI 98 should automatically link on FreeBSD 5.x. (bug #14639). 99 100* Thanks to Rahul Bhargava <rahul@wandisco.com>, heavily loaded systems 101 suffering from a disk crash or power failure will not lose data they claimed 102 to have committed. 103 104* CVS server now handles conflict markers in Entry requests as documented. 105 106* CVS now remembers that binary file merge conflicts occurred until the 107 timestamp of the updated binary file changes. 108 109* CVS client now saves some bandwidth by not sending the contents of files 110 with conflicts to the server when it isn't needed. 111 112* CVS now does correct locking during import. 113 114* A problem where the server could block indefinitely waiting for an EOF from 115 the client when compression was enabled has been fixed. 116 117* `cvs diff' no longer splits its arguments on spaces. 118 119* Thanks to an old report and patch from Stewart Brodie <stewart@eh.org>, a 120 potential crash in response to a corrupt RCS file has been fixed. 121 122* CVS now locks the history and val-tags files before writing to them. 123 Especially with large repositories, users should no longer see new warnings 124 about corrupt history records when using the `cvs history' command. Existing 125 corrupt history records will still need to be removed manually. val-tags 126 corruption should have had less obvious effects, but removing the 127 CVSROOT/val-tags file and allowing a 1.11.21 or later version of CVS to 128 regenerate it may eliminate a few odd behaviors and possibly cause a slight 129 speed up of read transactions in large repositories over time. 130 131BUILD ISSUES 132 133* The RPM spec file works again with the most modern versions of `rpm'. 134 135DEVELOPER ISSUES 136 137* We've standardized on Automake 1.9.6 to get some at new features that make 138 our jobs easier. See the HACKING file for more on using the autotools with 139 CVS. 140 141Changes from 1.11.19 to 1.11.20: 142******************************** 143 144SERVER SECURITY FIXES 145 146* Thanks to a report from Alen Zukich <alen.zukich@klocwork.com>, several minor 147 security issues have been addressed. One was a buffer overflow that is 148 potentially serious but which may not be exploitable, assigned CAN-2005-0753 149 by the Common Vulnerabilities and Exposures Project 150 <http://www.cve.mitre.org>. Other fixes resulting from Alen's report include 151 repair of an arbitrary free with no known exploit and several plugged memory 152 leaks and potentially freed NULL pointers which may have been exploitable for 153 a denial of service attack. 154 155* Thanks to a report from Craig Monson <craig@malachiarts.com>, minor 156 potential vulnerabilities in the contributed Perl scripts have been fixed. 157 The confirmed vulnerability could allow the execution of arbitrary code on 158 the CVS server, but only if a user already had commit access and if one of 159 the contrib scripts was installed improperly, a condition which should have 160 been quickly visible to any administrator. The complete description of the 161 problem is here: <https://ccvs.cvshome.org/issues/show_bug.cgi?id=224>. If 162 you were making use of any of the contributed trigger scripts on a CVS 163 server, you should probably still replace them with the new versions, to be 164 on the safe side. 165 166 Unfortunately, our fix is incomplete. Taint-checking has been enabled in all 167 the contributed Perl scripts intended to be run as trigger scripts, but no 168 attempt has been made to ensure that they still run in taint mode. You will 169 most likely have to tweak the scripts in some way to make them run. Please 170 send any patches you find necessary back to <bug-cvs@nongnu.org> so that we 171 may again ship fully enabled scripts in the future. 172 173 You should also make sure that any home-grown Perl scripts that you might 174 have installed as CVS triggers also have taint-checking enabled. This can be 175 done by adding `-T' on the scripts' #! lines. Please try running 176 `perldoc perlsec' if you would like more information on general Perl security 177 and taint-checking. 178 179BUG FIXES 180 181* Thanks to a report and a patch from Georg Scwharz <georg.scwarz@freenet.de> 182 CVS now builds without error on IRIX 5.3 183 184DEVELOPER ISSUES 185 186* We've standardized on Automake 1.9.5 to get some at new features that make 187 our jobs easier. See the HACKING file for more on using the autotools with 188 CVS. 189 190Changes from 1.11.18 to 1.11.19: 191******************************** 192 193BUG FIXES 194 195* Thanks to a patch from Jim Hyslop <jhyslop@ieee.org>, issuing 196 'cvs watch on' or 'cvs watch off' in an empty directory no longer 197 clears any watchers in that directory. 198 199* An intermittant assertion failure in checkout has been fixed. 200 201* Thanks to a report from Chris Bohn <cbohn@rrinc.com>, all the source files 202 needed for the Windows "red file" fix are actually included in the 203 distribution. 204 205* Misc bug and documentation fixes. 206 207Changes from 1.11.17 to 1.11.18: 208******************************** 209 210BUG FIXES 211 212* Thanks to a report from Gottfried Ganssauge <gotti@cvshome.org>, CVS no 213 longer exits when it encounters links pointing to paths containing more 214 than 128 characters. 215 216* Thanks to a report from Dan Peterson <dbpete@aol.com>, error messages from 217 GSSAPI servers are no longer truncated. 218 219* Thanks to a report from Dan Peterson <dbpete@aol.com>, attempts to resurrect 220 a file on the trunk that was added on a branch no longer causes an assertion 221 failure. 222 223* Thanks to a report from Dan Peterson <dbpete@aol.com>, imports to branches 224 like "1.1." no longer create corrupt RCS archives. 225 226* Thanks to a report from Chris Bohn <cbohn@rrinc.com>, links from J.C. Hamlin 227 <jchamlin@ibsys.com>, and code posted by Jonathan Gilligan, we think we have 228 finally corrected the Windows "red-file" (daylight savings time) bug once and 229 for all. 230 231* Thanks to a patch from Jeroen Ruigrok/asmodai <asmodai@wxs.nl>, the 232 log_accum.pl script should no longer elicit warnings from Perl 5.8.5. 233 234* The r* commands (rlog, rls, etc.) can once again handle requests to run 235 against the entire repository (e.g. `cvs rlog .'). Thanks go to Dan Peterson 236 <dbpete@aol.com> for the report. 237 238* A problem where the attempted access of files via tags beginning with spaces 239 could cause the CVS server to hang has been fixed. This was a particular 240 problem with WinCVS clients because users would sometimes accidentally 241 include spaces in tags pasted into a dialog box. This fix also altered some 242 of the error messages generated by the use of invalid tags. Thanks go to Dan 243 Peterson <dbpete@aol.com> for the report. 244 245* Thanks to James E Wilson <wilson@specifixinc.com> for a bug fix to 246 modules processing "gcc-core -a !gcc/f gcc" will no longer exclude 247 gcc/fortran by mistake. 248 249* Thanks to Conrad Pino <conrad@pino.com>, the Windows build works once again. 250 251* Misc updates to the manual. 252 253DEVELOPER ISSUES 254 255* We've standardized on Automake 1.9.3 to get some at new features that make 256 our jobs easier. See the note below on the Autoconf upgrade for more 257 details. 258 259* We've standardized on Autoconf version 2.59 to get presumed bug fixes and 260 features, but nothing specific. Mostly, once we decide to upgrade one of the 261 autotools we just figure it'll save time later to grab the most current 262 versions of the others too. See the HACKING file for more on using the 263 autotools with CVS. 264 265Changes from 1.11.16 to 1.11.17: 266******************************** 267 268SERVER SECURITY FIXES 269 270* Thanks to Stefan Esser & Sebastian Krahmer, several potential security 271 problems have been fixed. The ones which were considered dangerous enough 272 to catalogue were assigned issue numbers CAN-2004-0416, CAN-2004-0417, & 273 CAN-2004-0418 by the Common Vulnerabilities and Exposures Project. Please 274 see <http://www.cve.mitre.org> for more information. 275 276* A potential buffer overflow vulnerability in the server has been fixed. 277 This addresses the Common Vulnerabilities and Exposures Project's issue 278 #CAN-2004-0414. Please see <http://www.cve.mitre.org> for more information. 279 280Changes from 1.11.15 to 1.11.16: 281******************************** 282 283SERVER SECURITY FIXES 284 285* A potential buffer overflow vulnerability in the server has been fixed. 286 Prior to this patch, a malicious client could potentially use carefully 287 crafted server requests to run arbitrary programs on the CVS server machine. 288 This addresses the Common Vulnerabilities and Exposures Project's issue 289 #CAN-2004-0396. Please see <http://www.cve.mitre.org> for more information. 290 291BUG FIXES 292 293* The Microsoft Visual C++ workspace and project files have been repaired and 294 regenerated with MSVC++ 6.0. 295 296* The cvs.1 man page is now generated automatically from a section of the CVS 297 Manual. 298 299* Thanks to a report from Mark Andrews at the Internet Systems Consortium, the 300 :ext: connection method no longer relies on a transparent transport that uses 301 an argument processor that can handle arbitrary ordering of options and other 302 arguments when using a username other than the caller's. 303 304* Thanks to Ken Raeburn at MIT, directory deletion, whether via `cvs release' 305 or empty directory pruning, now works on network shares under Windows XP. 306 307Changes from 1.11.14 to 1.11.15: 308******************************** 309 310SERVER SECURITY ISSUES 311 312* Piped checkouts of paths above $CVSROOT no longer work. Previously, clients 313 could have requested the contents of RCS archive files anywhere on a CVS 314 server. This addresses CVE issue CAN-2004-0405. Please see 315 <http://www.cve.mitre.org> for more information. 316 317CLIENT SECURITY ISSUES 318 319* Clients now check paths from the server to verify that they are within one of 320 the sandboxes the user requested be updated. Previously, a trojan server 321 could have written or overwritten files anywhere the user had access, 322 presenting a serious security risk. This addresses CVE issue CAN-2004-1080. 323 Please see <http://www.cve.mitre.org> for more information. 324 325GENERAL USER ISSUES 326 327* Method options (used by WinCVS & CVS 1.12.7+) in CVSROOTs are ignored. 328 329* Configure no longer checks the $TMPDIR, $TMP, & $TEMP variables to set the 330 default temporary directory. 331 332* CVS on Cygwin correctly handles X:\ style paths. 333 334* Import now uses backslash rather than slash on Windows when checking for 335 "CVS" directories to ignore in import commands. 336 337* Relative paths containing up-references (`..') should now work in 338 client/server mode (client fix). 339 340* A race condition between the ordering of messages from CVS and messages from 341 called scripts in client/server mode has been removed (server fix). 342 343* Resurrected files now get their modes and timestamps set correctly and a 344 longstanding bug involving resurrection of an uncommitted removal has been 345 fixed (server fix). 346 347* Some resurrection (cvs add) status messages have changed slightly. 348 349* `cvs release' now works with Kerberos or GSSAPI encryption enabled (server 350 fix). 351 352* File resurrection from a previously existing revision no longer just reports 353 that it works (server fix). 354 355* Misc error & status message corrections. 356 357* Diffing of locally added files against arbitrary revisions in an RCS archive 358 is now allowed when a file of the same name exists or used to exist on some 359 branch (server fix). 360 361* Misc documentation fixes. 362 363Changes from 1.11.13 to 1.11.14: 364******************************** 365 366GENERAL USER ISSUES 367 368* Imports will now always ignore directories and files named `CVS' to avoid 369 violating assumptions made by other parts of CVS. 370 371* A problem with `cvs release' of subdirs that could corrupt CVS/Entries files 372 has been fixed (client/server). 373 374* The CVS server's protocol check for unused data from the client is no longer 375 called automatically at program exit in order to avoid potential recursive 376 calls to error when the first close is due to memory allocation or similar 377 problems that cause calls to error() to fail. The check is still made when 378 the server program exits normally. 379 380* The spec file has been updated to work with more recent versions of RPM. 381 382* Several memory leaks have been plugged (client/server). 383 384DEVELOPER ISSUES 385 386* Misc cosmetic, readability, and commenting fixes. 387 388Changes from 1.11.12 to 1.11.13: 389******************************** 390 391GENERAL USER ISSUES 392 393* Several memory leaks have been plugged. 394 395* Thanks to Ville Skyttä the man page has a few less spelling errors and is 396 slightly more accurate. 397 398* An unlikely potential segfault when using the :fork: connection method has 399 been fixed. 400 401* The CVS server has had the protocol check for unused data from the client 402 partially restored. 403 404* A fix has been included that should avoid a very rare race condition that 405 could cause a CVS server to exit with a "broken pipe" message. 406 407* A minor problem with the nmake build file that was preventing the source from 408 compiling under Windows has been fixed. 409 410* Tests have been added to the test suite. 411 412DEVELOPER ISSUES 413 414* Misc cosmetic, readability, and commenting fixes. 415 416Changes from 1.11.11 to 1.11.12: 417******************************** 418 419GENERAL USER ISSUES 420 421* Infinite alias loops in the modules file are now checked for and avoided. 422 423* Clients on case insensitive systems now preserve the case of directories in 424 CVS/Entries, in addition to files, for use in communications with the CVS 425 server. 426 427* Some previously untested behavior is now being tested. 428 429* Server support for case insensitive clients has been removed in favor of the 430 server relying on the client to preserve the case of checked out files, as 431 per the CVS client/server protocol spec. This is not as drastic as it may 432 sound, as all of the current tests still pass without modification when run 433 from a case insensitive client to a case sensitive server. This change 434 disables little previous functionality, enables access to more of the 435 possible namespace to users on systems with case insensitive file systems, 436 fixes a few bugs, and in the end this should provide a major stability 437 improvement. 438 439* Thanks to Ville Skyttä the man page is a bit more accurate. 440 441* Thanks to Ville Skyttä some unused variables were removed from the log_accum 442 Perl script in contrib. 443 444* Thanks to Alexey Mahotkin, a bug that prevented CVS from being compiled with 445 Kerberos 4 authentication enabled has been fixed. 446 447* A minor bug that caused CVS to fail to report an inifinte alias loop in the 448 modules file when portions of the alias definition contained trailing slashes 449 has been fixed. 450 451* A bug in the gzip code that could cause heap corruption and segfaults in CVS 452 servers talking to clients less than 1.8 and some modern third-party CVS 453 clients has been fixed. 454 455* mktemp.sh is now included with the source distribution so that the rcs2log 456 and cvsbug executables may be run on systems which do not contain an 457 implementation of mktemp. 458 459* Misc documentation fixes. 460 461Changes from 1.11.10 to 1.11.11: 462******************************** 463 464SERVER SECURITY ISSUES 465 466* pserver can no longer be configured to run as root via the 467 $CVSROOT/CVSROOT/passwd file, so if your passwd file is compromised, it no 468 longer leads directly to a root hack. Attempts to root will also be logged 469 via the syslog. 470 471Changes from 1.11.9 to 1.11.10: 472******************************* 473 474SERVER SECURITY ISSUES 475 476* Malformed module requests could cause the CVS server to attempt to create 477 directories and possibly files at the root of the filesystem holding the CVS 478 repository. Filesystem permissions usually prevent the creation of these 479 misplaced directories, but nevertheless, the CVS server now rejects the 480 malformed requests. 481 482GENERAL USER ISSUES 483 484* Case insensitive clients using a case sensitive server can now use a 485 `cvs rm -f file; cvs add FILE' command sequence to add a file with the same 486 name in a new case. 487 488* CVSROOTs which contain a symlink to a real repository should work. 489 490* The configure script now tests whether it is building CVS on a case 491 insensitive file system. If it is, CVS assumes that all file systems on this 492 platform will be case insensitive. This is useful for getting the case 493 insensitivity flag set correctly when compiling on Mac OS X and under Cygwin 494 on Windows. Autodetection can be overridden using the 495 --disable-case-sensitivity and --enable-case-sensitivity arguments to 496 configure. 497 498* A behavior change in `cvs up -jrev1 -jrev2' for modified files with a base 499 revision of rev2 (ie, checked-out version matches rev2 and file has been 500 modified). The operation is no longer ignored and instead is passed to 501 diff3. This will potentially re-apply the diffs between the two revisions to 502 a modified local file. Status messages like from a standard merge have also 503 been added when the file would not or does not change due to this merge 504 request ("[file] already contains the changes between [revisions]..."). 505 506* A bug which could stop `cvs admin -mTAG:message' from recursing has been 507 fixed. 508 509* Misc documentation cleanup and fixes. 510 511* Some of the contrib scripts, some of the documentation, and sanity.sh were 512 modified to use and recommend more portable commands rather than using and 513 recommending commands which were not compatible with the POSIX 1003.1-2001 514 specification. 515 516DEVELOPER ISSUES 517 518* A new set of tests to test issues specific to case insensitive clients and 519 servers has also been added. 520 521* Support has been added to the test suite to support testing over a :ext: link 522 to another machine, subject to some stringent requirements. This support can 523 be used, for instance, to test the operation of a case insensitive client 524 against a case sensitive server. Please see the comments in TEST and the 525 src/sanity.sh test script itself for more. 526 527* We've standardized on Automake 1.7.9 to get a bug fix. See the note below 528 on the Autoconf upgrade for more details. 529 530* We've standardized on Autoconf version 2.58 to avoid a bug and get at a few 531 new macros. Again, this should only really affect developers, though it is 532 possible that CVS will now compile on a few new platforms. Please see the 533 section of the INSTALL file about using the autotools if you are compiling 534 CVS yourself. 535 536Changes from 1.11.8 to 1.11.9: 537 538* CVS now knows how to report, as well as record, `P' record types. 539 540* When running the `cvs history' command, clients will now send the 541 long-accepted `-e' option, for all records, rather than explicitly requesting 542 `P' record types, a request which servers prior to 1.11.7 will reject with a 543 fatal error message. 544 545* A problem with locating files requested by case insensitive clients which was 546 accidentally introduced in 1.11.6 as part of a fix for a data loss problem 547 involving `cvs add's from case insensitive clients has been fixed. The 548 relevant error message was `cvs [<command> aborted]: filE,v is ambiguous; 549 could mean FILE,v or file,v'. 550 551* Attempts to use the global `-l' option, removed from both client and server 552 as of version 1.11.6, will now elicit a warning rather than a fatal error 553 from the server. 554 555Changes from 1.11.7 to 1.11.8: 556 557* A problem in the CVS getpass library that could cause passwords to echo on 558 some systems has been fixed. 559 560Changes from 1.11.6 to 1.11.7: 561 562* A segfault that could occur in very rare cases where the stat of a file 563 failed during a diff has been fixed. 564 565* Any user with write privleges to the CVSROOT/checkoutlist file could pass 566arbitrary format strings directly through to a printf function. This was 567probably bad and has been fixed. White space at the beginning of error strings 568in checkoutlist is now ignored properly. 569 570* In client/server mode, most messages from CVS now contain the actual 571command name rather than the generic "server". 572 573* A long-standing bug that prevented most client/server updates from being 574logged in the history file has been fixed. 575 576* Updates done via a patch ("P" status) are now logged in the history file 577by default and the corresponding "P" history record type is now documented. 578If you're setting the LogHistory option in your CVSROOT/config file, you may 579want to add "P" to the list of record types. 580 581* CVS now will always compile and its own getpass() function (originally from 582GNULIB) in favor of any system one that may exist. This avoids some problems 583with long passwords on some systems and updates us to POSIX.2 compliance, since 584getpass() was removed from the POSIX.2 specification. 585 586* A bug that allowed a write lock to be created in a directory despite 587there being existing read locks when using LockDir in CVSROOT/config has 588been fixed. 589 590* A bug with short patches (`rdiff -s') which caused rdiff to sometimes report 591differences that did not exist has been fixed. 592 593* Some minor corrections were made to the diff code to keep diff & rdiff from 594printing diff headers with empty change texts when two files have different 595revision numbers but the same content. 596 597* The global '-l' option, which suppressed history logging, has been removed 598from both client and server. 599 600Changes from 1.11.5 to 1.11.6: 601 602* A warning message is now issued if an administrative file contains 603more than one DEFAULT entry. 604 605* An error running a verifymsg script (such as referencing an unset user 606variable or the script not existing) now causes the verification to 607fail. 608 609* Errors in administrative files commands (like unset user variables) 610are no longer reported unless the command is actually executed. 611 612* When a file is initially checked out, its last access time is now set 613to the current time rather than being set to the time the file was last 614checked in like the modification time is. 615 616* The Checkin.prog and Update.prog functionality has been removed. This 617fuctionality previously allowed executables to be specified in the modules file 618to be run at update and checkin time, but users could edit these files on a per 619workspace basis, creating a security hole. 620 621* contrib/rcs2log and src/cvsbug now use the BSD mktemp program to create 622their temp files and directories on systems which provide it. 623 624* Corrected the path in a failed write error message. 625 626* Autoconf and Automake are no longer run automatically unless you run 627configure with --enable-maintainer-mode. Accordingly, noautomake.sh is 628no longer needed and has been removed. 629 630* We've standardized on Automake version 1.7.5 and Autoconf version 2.57 to get 631at a few new macros. Again, this should only really affect developers. See 632the section of the INSTALL file about using the autotools if you are compiling 633CVS yourself. 634 635Changes from 1.11.4 to 1.11.5: 636 637* Fixed a security hole in the CVS server by which users with read only access 638could gain write access. This issue does not affect client builds. The 639Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the 640name CAN-2003-0015 to this issue. See 641<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0015> for more 642information. 643 644* Fixed some bugs where revision numbers starting with 0 (like 0.3) 645weren't correctly handled. (CVS doesn't normally use such revision 646numbers, but users may be able to force it to do so and old RCS files 647might.) 648 649Changes from 1.11.3 to 1.11.4: 650 651* Some minor changes to allow the code to compile on Windows platforms. 652 653Changes from 1.11.2 to 1.11.3: 654 655* The tag/rtag code has been fixed to once again lock just a single 656directory at a time. 657 658* There was a bug where certain error conditions could cause the server 659to go into an infinite loop. There was also a bug that caused a 660compressed connection from an older client to hang on shutdown. These 661bugs have been fixed. 662 663* Fixed a bug that caused the server to reject most watch commands. 664 665* When waiting for another user's lock, the message timestamps are now 666in UTC rather than the server's local time. 667 668* The options.h file is no longer used. This fixes a bug that occurred when 6691.11.2 was compiled on Windows platforms. 670 671* We've standardized on Automake version 1.6.3 and Autoconf version 2.53. 672They are cleaner, less bug prone, and will hopfully allow me to start updating 673sanity.sh to use Autotest and Autoshell. Again, this should only really affect 674developers. See the section of the INSTALL file about using the autotools if 675you are compiling CVS yourself. 676 677* Fixed a bug in the log/rlog code when a revision range crosses a 678branch point. 679 680* Fixed a bug where filenames starting with - would be misinterpreted as 681options when using client/server mode. 682 683Changes from 1.11.1p1 to 1.11.2: 684 685* There is a new feature, enabled by RereadLogAfterVerify in CVSROOT/config, 686which tells CVS to reread the log message after running the verifymsg 687script. This allows the verifymsg script to reformat or otherwise 688modify the log message. 689 690* The interpretation of revision ranges using :: in "log" and "rlog" 691has changed: a::b now excludes the log message from revision a but 692includes the log message from revision b. Also, revision ranges that 693cross branch points should now work. 694 695* zlib has been updated to version 1.4. There is a security advisory 696out in regards to 1.3. This should fix that problem. 697 698* The "log" and "rlog" commands now have a -S option to suppress the 699header information when no revisions are selected. 700 701* A serious error that allowed read-only users to tag files has been 702corrected. 703 704* The "annotate" command will no longer annotate binary files unless 705you specify the new -F option. 706 707* The "tag" and "rtag" commands will no longer move or delete branch 708tags unless you use the new -B option. (This prevents accidental 709changes to branch tags that are hard to undo.) 710 711* We've standardized on the 1.5 Automake release for the moment. Again, this 712should only really affect developers. See the section of the INSTALL file 713about using the autotools if you are compiling CVS yourself. 714 715Changes from 1.11.1 to 1.11.1p1: 716 717* Read only access was broken - now fixed. 718 719Changes from 1.11 to 1.11.1: 720 721* There was a locking bug in the tag/rtag code that could lose changes 722made to a file while the tag operation was in progress. This has been 723fixed, but all of the directories being tagged are now locked for the 724entire duration of the tag operation rather than only one directory at a 725time. 726 727* The "cvs diff" command now accepts the -y/--side=by-side and -T/ 728--initial-tab options. (To use these options with a remote repository, 729both the client and the server must support them.) 730 731* The expansion of the loginfo format string has changed slightly. 732Previously, the expansion was surrounded by single quotes ('); if a file 733name contained a single quote character, the string would not be parsed 734as a single entity by the Unix shell (and it would not be possible to 735parse it unambiguously). Now the expansion is surrounded by double 736quotes (") and any embedded dollar signs ($), backticks (`), backslashes 737(\), and double quotes are preceded by a backslash. This is parsed as a 738single entity by the shell reguardless of content. This change should 739not be noticable unless you're not using a Unix shell or you have 740embedded the format string inside a double quoted string. 741 742* There was a bug in the diff code which sometimes caused conflicts to 743be flagged which shouldn't have been. This has been fixed. 744 745* New "cvs rlog" and "cvs rannotate" commands have been added to get log 746messages and annotations without having to have a checked-out copy. 747 748* Exclusive revision ranges have been added to "cvs log" using :: 749(similar to "cvs admin -o"). 750 751* The VMS client now accepts wildcards if you're running VMS 7.x. 752 753* ZLIB has been updated to version 1.1.3, the most current version. This 754includes mostly some optimizations and minor bug fixes. 755 756* The ~/.cvspass file has a slightly modified format. CVSROOTs are now 757stored in a new canonical form - hostnames are now case insensitive and 758port numbers are always stored in the new format. Until a new login for 759a particular CVSROOT is performed with the new version of CVS, new and 760old versions of CVS should interoperate invisibly. After that point, an 761extra login using the old version of CVS may be necessary to continue to 762allow the new and old versions of CVS to interoperate using the same 763~/.cvspass file and CVSROOT. The exception to this rule occurs when the 764CVSROOTs used with the different versions use case insensitively 765different hostnames, for example, "empress", and "empress.2-wit.com". 766 767* A password and a port number may now be specified in CVSROOT for 768pserver connections. The new format is: 769 770 :pserver:[[user][:password]@]host[:[port]]/path 771 772Note that passwords specified in a checkout command will be saved in the 773clear in the CVS/Root file in each created directory, so this is not 774recommended, except perhaps when accessing anonymous repositories or the 775like. 776 777* The distribution has been converted to use Automake. This shouldn't 778affect most users except to ease some portability concerns, but if you 779are building from the repository and encounter problems with the 780makefiles, you might try running ./noautomake.sh after a fresh update 781-AC. 782 783Changes from 1.10 to 1.11: 784 785* The "cvs update" command has a new -C option to get clean copies from 786the repository, abandoning any local changes. 787 788* The new "cvs version" command gives a short version message. If 789the repository is remote, both the client and server versions are 790reported. 791 792* "cvs admin -t" now works correctly in client/server mode. 793 794* The "cvs history" command output format has changed -- the date 795now includes the year and is given is ISO 8601 format (yyyy-mm-dd). 796Also, the new LogHistory option in CVSROOT/config can be used to 797control what information gets recorded in the log file and code has 798been added to record file removals. 799 800* The buggy PreservePermissions code has been disabled. 801 802* Anonymous read-only access can now be done without requiring a 803password. On the server side, simply give that user (presumably 804`anonymous') an empty password in the CVSROOT/passwd file, and then 805any received password will authenticate successfully. 806 807* There is a new access method :fork: which is similar to :local: 808except that it is implemented via the CVS remote protocol, and thus 809has a somewhat different set of quirks and bugs. 810 811* The -d command line option no longer updates the CVS/Root file. For 812one thing, the CVS 1.9/1.10 behavior never had updated CVS/Root in 813subdirectories, and for another, it didn't seem that popular in 814general. So this change restores the CVS 1.8 behavior (which is also 815the CVS 1.9/1.10 behavior if the environment variable 816CVS_IGNORE_REMOTE_ROOT is set; with this change, 817CVS_IGNORE_REMOTE_ROOT no longer has any effect). 818 819* It is now possible for a single CVS command to recurse into several 820CVS roots. This includes roots which are located on several servers, 821or which are both remote and local. CVS will make connections to as 822many servers as necessary. 823 824* It is now possible to put the CVS lock files in a directory 825set by the new LockDir option in CVSROOT/config. The default 826continues to be to put the lock files in the repository itself. 827 828Changes from 1.9 to 1.10: 829 830* A bug was discovered in the -t/-f wrapper support that can cause 831serious data loss. Because of this (and also the fact that it doesn't 832work at all in client/server mode), the -t/-f wrapper code has been 833disabled until it can be fixed. 834 835* There is a new feature, enabled by TopLevelAdmin in CVSROOT/config, 836which tells CVS to modify the behavior of the "checkout" command. The 837command now creates a CVS directory at the top level of the new 838working directory, in addition to CVS directories created within 839checked-out directories. See the Cederqvist for details. 840 841* There is an optional set of features, enabled by PreservePermissions 842in CVSROOT/config, which allow CVS to store unix-specific file 843information such as permissions, file ownership, and links. See the 844Cederqvist for details. 845 846* One can now authenticate and encrypt using the GSSAPI network 847security interface. For details see the Cederqvist's description of 848specifying :gserver: in CVSROOT, and the -a global option. 849 850* All access to RCS files is now implemented internally rather than by 851calling RCS programs. The main user-visible consequence of this is 852that there is no need to worry about making sure that CVS finds the 853correct version of RCS. The -b global option and the RCSBIN setting 854in CVSROOT/config are still accepted but don't do anything. The 855$RCSBIN internal variable in administrative files is no longer 856accepted. 857 858* There is a new syntax, "cvs admin -orev1::rev2", which collapses the 859revisions between rev1 and rev2 without deleting rev1 or rev2 860themselves. 861 862* There is a new administrative file CVSROOT/config which allows one 863to specify miscellaneous aspects of CVS configuration. Currently 864supported here: 865 866 - SystemAuth, allows you to prevent pserver from checking for system 867 usernames/passwords. 868 869For more information see the "config" section of cvs.texinfo. 870 871* When setting up the pserver server, one now must specify the 872allowable CVSROOT directories in inetd.conf. See the Password 873authentication server section of cvs.texinfo for details. Note that 874this implies that everyone who is running a pserver server must edit 875inetd.conf when upgrading their CVS. 876 877* The client no longer needs an external patch program (assuming both 878the client and the server have been updated to the new version). 879 880* "cvs admin [options]" will now recurse. In previous versions of 881CVS, it was an error and one needed to specify "cvs admin [options] ." 882to recurse. This change brings admin in line with the other CVS 883commands. 884 885* New "logout" command to remove the password for a remote cvs 886repository from the cvspass file. 887 888* Read-only repository access is implemented for the 889password-authenticated server (other access methods are just governed 890by Unix file permissions, since they require login access to the 891repository machine anyway). See the "Repository" section of 892cvs.texinfo for details, including a discussion of security issues. 893Note that the requirement that read-only users be able to create locks 894and write the history file still applies. 895 896* There is a new administrative file verifymsg which is like editinfo 897but merely validates the message, rather than also getting it from the 898user. It therefore works with client/server CVS or if one uses the -m 899or -F options to commit. See the verifymsg section of cvs.texinfo for 900details. 901 902* The %s format formerly accepted in loginfo has been extended to 903formats such as %{sVv}, so that loginfo scripts have access to the 904version numbers being changed. See the Loginfo section of cvs.texinfo 905for details. 906 907* The postscript documentation (doc/cvs.ps) shipped with CVS is now 908formatted for US letter size instead of A4. This is not because we 909consider this size "better" than A4, but because we believe that the 910US letter version will print better on A4 paper than the other way 911around. 912 913* The "cvs export" command is now logged in the history file and there 914is a "cvs history -x E" command to select history file entries 915produced by export. 916 917* CVS no longer uses the CVS_PASSWORD environment variable. Storing 918passwords in cleartext in an environment variable is a security risk, 919especially since (on BSD variants) any user on the system can display 920any process's environment using 'ps'. Users should use the 'cvs 921login' command instead. 922 923 924Changes from 1.8 to 1.9: 925 926* Windows NT client should now work on Windows 95 as well. 927 928* New option "--help-synonyms" prints a list of all recognized command 929synonyms. 930 931* The "log" command is now implemented internally rather than via the 932RCS "rlog" program. The main user-visible consequence is that 933symbolic branch names now work (for example "cvs log -rbranch1"). 934Also, the date formats accepted by -d have changed. They previously 935had been a bewildering variety of poorly-documented date formats. Now 936they are the same as the date formats accepted by the -D options to 937the other CVS commands, which is also a (different) bewildering 938variety of poorly-documented date formats, but at least we are 939consistently bewildering :-). 940 941* Encryption is now supported over a Kerberos client/server 942connection. The new "-x" global option requests it. You must 943configure with the --enable-encryption option in order to enable 944encryption. 945 946* The format of the CVS commit message has changed slightly when 947committing changes on a branch. The tag on which the commit is 948ocurring is now reported correctly in all cases. 949 950* New flag -k in wrappers allows you to specify the keyword expansion 951mode for added files based on their name. For example, you can 952specify that files whose name matches *.exe are binary by default. 953See the Wrappers section of cvs.texinfo for more details. 954 955* Remote CVS with the "-z" option now uses the zlib library (included 956with CVS) to compress all communication between the client and the 957server, rather than invoking gzip on each file separately. This means 958that compression is better and there is no need for an external gzip 959program (except to interoperate with older version of CVS). 960 961* The "cvs rlog" command is deprecated and running it will print a 962warning; use the synonymous "cvs log" command instead. It is 963confusing for rlog to mean the same as log because some other CVS 964commands are in pairs consisting of a plain command which operates on 965a working directory and an "r" command which does not (diff/rdiff; 966tag/rtag). 967 968* "cvs diff" has a bunch of new options, mostly long options. Most of 969these work only if rcsdiff and diff support them, and are named the 970same as the corresponding options to diff. 971 972* The -q and -Q command options to "cvs diff" were removed (use the 973global options instead). This brings "cvs diff" into line with the 974rest of the CVS commands. 975 976* The "annotate" command can now be used to annotate a revision other 977than the head revision on the trunk (see the -r, -D, and -f options in 978the annotate node of cvs.texinfo for details). 979 980* The "tag" command has a new option "-c" which checks that all files 981 are not locally modified before tagging. 982 983* The -d command line option now overrides the cvsroot setting stored 984in the CVS/Root file in each working directory, and specifying -d will 985cause CVS/Root to be updated. 986 987* Local (non-client/server) CVS now runs on Windows NT. See 988windows-NT/README for details. 989 990* The CVSROOT variable specification has changed to support more 991access methods. In addition to "pserver," "server" (internal rsh 992client), "ext" (external rsh client), "kserver" (kerberos), and 993"local" (local filesystem access) can now be specified. For more 994details on each method, see cvs.texinfo (there is an index entry for 995:local: and each of the other access methods). 996 997* The "login" command no longer prompts the user for username and 998hostname, since one will have to provide that information via the `-d' 999flag or by setting CVSROOT. 1000 1001Changes from 1.7 to 1.8: 1002 1003* New "cvs annotate" command to display the last modification for each 1004line of a file, with the revision number, user checking in the 1005modification, and date of the modification. For more information see 1006the `annotate' node in cvs.texinfo. 1007 1008* The cvsinit shell script has been replaced by a cvs init command. 1009The cvs init command creates some example administrative files which 1010are similar to the files found in the examples directory (and copied 1011by cvsinit) in previous releases. 1012 1013* Added the patterns *.olb *.exe _$* *$ to default ignore list. 1014 1015* There is now a $USER internal variable for *info files. 1016 1017* There is no longer a separate `mkmodules' program; the functionality 1018is now built into `cvs'. If upgrading an old repository, it is OK to 1019leave in the lines in the modules file which run mkmodules (the 1020mkmodules actions will get done twice, but that is harmless); you will 1021probably want to remove them once you are no longer using the old CVS. 1022 1023* One can now specify user variables in *info files via the 1024${=varname} syntax; there is a -s global option to set them. See the 1025Variables node in cvs.texinfo for details. 1026 1027Changes from 1.6 to 1.7: 1028 1029* The default ignore list has changed slightly: *.obj has been added 1030and CVS* has been changed to CVS CVS.adm. 1031 1032* CVS now supports password authentication when accessing remote 1033repositories; this is useful for sites that can't use rsh (because of 1034a firewall, for example), and also don't have kerberos. See node 1035"Password authenticated" (in "Remote repositories", in 1036doc/cvs.texinfo) for more details. Note: This feature requires both 1037the client and server to be upgraded. 1038 1039* Using the -kb option to specify binary files now works--most cases 1040did not work before. See the "Binary files" section of 1041doc/cvs.texinfo for details. 1042 1043* New developer communication features. See the "Watches" section of 1044doc/cvs.texinfo for details. 1045 1046* RCS keyword "Name" supported for "cvs update -r <tag>" and "cvs 1047checkout -r <tag>". 1048 1049* If there is a group whose name matches a compiled in value which 1050defaults to "cvsadmin", only members of that group can use "cvs 1051admin". This replaces the CVS_NOADMIN option. 1052 1053* CVS now sets the modes of files in the repository based on the 1054CVSUMASK environment variable or a compiled in value defaulting to 1055002. This way other developers will be able to access the files in 1056the repository regardless of the umask of the developer creating them. 1057 1058* The command names in .cvsrc now match the official name of the 1059command, not the one (possibly an alias) by which it was invoked. If 1060you had previously relied on "cvs di" and "cvs diff" using different 1061options, instead use a shell function or alias (for example "alias 1062cvsdi='cvs diff -u'"). You also can specify global CVS options (like 1063"-z") using the command name "cvs". 1064 1065Changes from 1.5 to 1.6: 1066 1067* Del updated the man page to include all of the new features 1068of CVS 1.6. 1069 1070* "cvs tag" now supports a "-r | -D" option for tagging an already 1071tagged revision / specific revision of a file. 1072 1073* There is a "taginfo" file in CVSROOT that supports filtering and 1074recording of tag operations. 1075 1076* Long options support added, including --help and --version options. 1077 1078* "cvs release" no longer cares whether or not the directory being 1079released has an entry in the `modules' file. 1080 1081* The modules file now takes a -e option which is used instead of -o 1082for "cvs export". If your modules file has a -o option which you want 1083to be used for "cvs export", change it to specify -e as well as -o. 1084 1085* "cvs export" now takes a -k option to set RCS keyword expansion. 1086This way you can export binary files. If you want the old behavior, 1087you need to specify -kv. 1088 1089* "cvs update", "cvs rdiff", "cvs checkout", "cvs import", "cvs 1090release", "cvs rtag", and "cvs tag" used to take -q and -Q options 1091after the command name (e.g. "cvs update -q"). This was confusing 1092because other commands, such as "cvs ci", did not. So the options 1093after the command name have been removed and you must now specify, for 1094example, "cvs -q update", which has been supported since CVS 1.3. 1095 1096* New "wrappers" feature. This allows you to set a hook which 1097transforms files on their way in and out of cvs (apparently on the 1098NeXT there is some particular usefulness in tarring things up in the 1099repository). It also allows you to declare files as merge-by-copy 1100which means that instead of trying to merge the file, CVS will merely 1101copy the new version. There is a CVSROOT/cvswrappers file and an 1102optionsl ~/.cvswrappers file to support this feature. 1103 1104* You can set CVSROOT to user@host:dir, not just host:dir, if your 1105username on the server host is different than on the client host. 1106 1107* VISUAL is accepted as well as EDITOR. 1108 1109* $CVSROOT is expanded in *info files. 1110 1111Changes from 1.4A2 to 1.5: 1112 1113* Remote implementation. This is very helpful when collaborating on a 1114project with someone across a wide-area network. This release can 1115also be used locally, like other CVS versions, if you have no need for 1116remote access. 1117 1118Here are some of the features of the remote implementation: 1119- It uses reliable transport protocols (TCP/IP) for remote repository 1120 access, not NFS. NFS is unusable over long distances (and sometimes 1121 over short distances) 1122- It transfers only those files that have changed in the repository or 1123 the working directory. To save transmission time, it will transfer 1124 patches when appropriate, and can compress data for transmission. 1125- The server never holds CVS locks while waiting for a reply from the client; 1126 this makes the system robust when used over flaky networks. 1127 1128The remote features are documented in doc/cvsclient.texi in the CVS 1129distribution, but the main doc file, cvs.texinfo, has not yet been 1130updated to include the remote features. 1131 1132* Death support. See src/README-rm-add for more information on this. 1133 1134* Many speedups, especially from jtc@cygnus.com. 1135 1136* CVS 1.2 compatibility code has been removed as a speedup. If you 1137have working directories checked out by CVS 1.2, CVS 1.3 or 1.4A2 will 1138try to convert them, but CVS 1.5 and later will not (if the working 1139directory is up to date and contains no extraneous files, you can just 1140remove it, and then check out a new working directory). Likewise if 1141your repository contains a CVSROOT.adm directory instead of a CVSROOT 1142directory, you need to rename it. 1143 1144Fri Oct 21 20:58:54 1994 Brian Berliner <berliner@sun.com> 1145 1146 * Changes between CVS 1.3 and CVS 1.4 Alpha-2 1147 1148 * A new program, "cvsbug", is provided to let you send bug reports 1149 directly to the CVS maintainers. Please use it instead of sending 1150 mail to the info-cvs mailing list. If your build fails, you may 1151 have to invoke "cvsbug" directly from the "src" directory as 1152 "src/cvsbug.sh". 1153 1154 * A new User's Guide and Tutorial, written by Per Cederqvist 1155 <ceder@signum.se> of Signum Support. See the "doc" directory. A 1156 PostScript version is included as "doc/cvs.ps". 1157 1158 * The Frequesntly Asked Questions file, FAQ, has been added to the 1159 release. Unfortunately, its contents are likely out-of-date. 1160 1161 * The "cvsinit" shell script is now installed in the $prefix/bin 1162 directory like the other programs. You can now create new 1163 CVS repositories with great ease. 1164 1165 * Index: lines are now printed on output from 'diff' and 'rdiff', 1166 in order to facilitate application of patches to multiple subdirs. 1167 1168 * Support for a ~/.cvsrc file, which allows you to specify options 1169 that are always supposed to be given to a specific command. This 1170 feature shows the non-orthogonality of the option set, since while 1171 there may be an option to turn something on, the option to turn 1172 that same thing off may not exist. 1173 1174 * You can now list subdirectories that you wish to ignore in a 1175 modules listing, such as: 1176 1177 gcc -a gnu/gcc, !gnu/gcc/testsuites 1178 1179 which will check out everything underneath gnu/gcc, except 1180 everything underneath gnu/gcc/testsuites. 1181 1182 * It is now much harder to accidentally overwrite an existing tag 1183 name, since attempting to move a tag name will result in a error, 1184 unless the -F (forc…
Large files files are truncated, but you can click here to view the full file