Log message:
Update to 4.20:

4.20 - Monday, December 4, 2006

    * INTERNAL: No Changes since 4.20_1. Declaring stable.

4.20_1 - Friday, November 24, 2006

    * FIX: -ip_match now works even when it's not the last import item. (RT#21779)
    * FIX: In the PostgreSQL driver, a race condition is when storing is now \ 
worked around. (Mark Stosberg)
    * FIX: Added important clarification and example to MySQL driver docs that \ 
the session column
           needs to be defined as a primary key to avoid duplicate sessions. \ 
(Justin Simoni, Mark Stosberg)
    * FIX: The default serializer now works correctly with certain data \ 
structures. (RT#?) (Matt LeBlanc)
    * FIX: A documentation bug in find() was fixed (Matt LeBlanc)
    * FIX: Documented how to declare a database handle to be used on demand, \ 
which was introduced
           in 4.04. (Mark Stosberg)
    * FIX: Connections made with SQLite now disconnect only when appropriate, \ 
instead of always.
           This addresses a symptom seen as "attempt to prepare on inactive \ 
database handle"
           (Jaldhar Vyas, Sherzod, Mark Stosberg)
    * FIX: Args to the constructor for CGI::Session and the drivers are now \ 
always shallow
           copied rather than used directly, to prevent modification.
           (RT#21952, Franck Porcher, Sherzod, Mark Stosberg)
    * FIX: The documentation for expire($param, $time) was made more explicit
           (pjf, Mark Stosberg)
    * NEW: Added recommended use of flush() to the Synopsis (Michael Renner, \ 
RT#22333)
    * NEW: Added links to Japanese translations of the documentation (Makio \ 
Tsukamoto)
           http://digit.que.ne.jp/work/index.cgi?Perldoc/ja
    * INTERNAL: Update test to workaround YAML versions less than 0.58. (Matt \ 
LeBlanc)
    * INTERNAL: param() code was refactored for clarity (Mark Stosberg, Ali \ 
ISIK, RT#21782)
    * INTERNAL: new() and load() were refactored (Ali Isik)
    * INTERNAL: renamed some environment variables used for testing (Ron Savage)
    * INTERNAL: Multi key-value syntax of param() now always returns number of keys
      successfully processed, 0 if no key/values were processed.

4.14 - Sunday, June 11, 2006

    * NEW: The find() command now has better documentation. (Ron Savage, Matt \ 
LeBlanc)
    * FIX: find() no longer changes the access or modified times (RT#18442) \ 
(Matt LeBlanc)
    * FIX: param() called with two parameters now returns the value set, if any \ 
(RT#18912) (Matt LeBlanc)
    * FIX: driver, serializer, and id generator names are now untainted \ 
(RT#18873) (Matt LeBlanc)
    * INTERNAL: automatic flushing has been documented to be unreliable, although
      it was recommended in the past. Automatic flushing can be affected adversely
      in persistent environments and in some cases by third party software. There are
      also some cases in which flushing happened automatically in 3.x, but quit \ 
working
      with 4.x. See these tickets for details.

       http://rt.cpan.org/Ticket/Display.html?id=17541
       http://rt.cpan.org/Ticket/Display.html?id=17299

4.13 - Wednesday, April 12, 2006

    * FIX: Applied patch to fix cookie method (RT#18493,Nobuaki ITO)
    * FIX: Berkeley DB 1.x exhibits a bug when used in conjunction with \ 
O_NOFOLLOW. Because of this,
      we've removed it from the db_file driver. It will still attempt to stop \ 
symlinks but the
      open itself has dropped the flag. (Matt LeBlanc)
    * FIX: json and yaml db_file tests now check for the presence of DB_File. \ 
(Matt LeBlanc)

4.12 - Friday, April 7, 2006

    * SECURITY: Fix possible SQL injection attack. (RT#18578, DMUEY)

4.11 - Friday, March 31, 2006

    * FIX: Since 4.10, using name() as a class method was broken. This has
      been fixed, and regression tests for both uses have been added. (Matt LeBlanc)

4.10 - Tuesday, March 28, 2006

    * SECURITY: Hopefully this settles all of the problems with symlinks. Both \ 
the file
      and db_file drivers now use O_NOFOLLOW with open when the file should exist and
      O_EXCL|O_CREAT when creating the file. Tests added for symlinks. (Matt LeBlanc)
    * SECURITY: sqlite driver no longer attempts to use /tmp/sessions.sqlt when no
      Handle or DataSource is specified. This was a mistake from a security \ 
standpoint
      as anyone on the machine would then be able to create and therefore insert data
      into your sessions. (Matt LeBlanc)
    * NEW: name is now an instance method (RT#17979) (Matt LeBlanc)

4.09 - Friday, March 16th, 2006

    * SECURITY: Applying security patch from: \ 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555 (Julien Danjou)

4.08 - Thursday, March 15th, 2006

    * FIX: DESTROY was sometimes wiping out exception handling. RT#18183, Matt \ 
LeBlanc.
    * SECURITY: Resolve some issues in: \ 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555
      - db_file and file now check for symlinks either explicitly or by using \ 
O_EXCL on sysopen
      - file creation umask defaults to 660
    * NEW: db_file and file drivers now accepts a UMask option. (Matt LeBlanc)
    * INTERNAL: test suite clean up (Tyler MacDonald)

Log message:
Update to version 4.09

Includes security fixes for:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-1279
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-1280

Changes:

4.09:
=====
- SECURITY: Applying security patch from:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555 (Julien
Danjou)

4.08:
=====
- FIX: DESTROY was sometimes wiping out exception handling. RT#18183,
  Matt LeBlanc.
- SECURITY: Resolve some issues in:
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=356555
      - db_file and file now check for symlinks either explicitly or by
        using O_EXCL on sysopen
      - file creation umask defaults to 660
- NEW: db_file and file drivers now accepts a UMask option. (Matt
  LeBlanc)
- INTERNAL: test suite clean up (Tyler MacDonald)

4.07:
=====
- INTERNAL: MANIFEST update to fix release.

4.06:
=====
- INTERNAL: MANIFEST update to fix release.

4.06:
=====
- FIX: some stray warnings when flushing:  "Use of uninitialized value
  in numeric eq (==)" (RT#14603)
- NEW: JSON and YAML serializers (Tyler MacDonald)
- INTERNAL: CGI::Session::Test::Default accepts a "skip" argument,
  listing tests that should be skipped. (Tyler)

4.05:
=====
- FIX: Race condition fixed when writing to session files (RT#17949)

4.04:
=====
- NEW: File driver now has option to disable flock (for those running
  Win 9x, VMS, MacPerl, VOS and RISC OS). (Matt LeBlanc)
- FIX: If DBI driver wass initialized using 'Handle',
  Driver::DBI::init() returned false, and Driver::new() thought init
  faild and kept returning undef. The problem was fixed by making sure
  Driver::DBI::init() returned true. (Sherzod)
- Added .*cgisess.* to disclude cgisess.db, cgisess.id, and any session
  files created in the t directory. (Matt LeBlanc)
- FIX: File driver now respects $CGI::Session::File::FileName for 3.9x
  compatibility. (Matt LeBlanc)
- FIX: Default serializer now properly handles data structures that
  appear more than once in the serialized data structure (before it'd
  result in data structures that were equivalent but did not have the same
  address). (Matt LeBlanc)
- FIX: File driver now localizes the filehandle to avoid any possibility
  of extended locking in persistent environments (Matt LeBlanc)
- FIX: File driver now locks the file when retrieving the session data
  (Matt LeBlanc)
- NEW: DBI Drivers now support a lazy loaded database handle. This is
  useful with the CGI::Application plugin system. If the session is
  never used, the database handle may not not need to be created. The
  syntax is to use a code ref: Handle => sub {DBI->connect} (Mark
  Stosberg)

 Finally, be aware that since 4.0 some people have reported problems
 with the auto-flushing code. There may be an unresolved. You always
 call flush() to be safe. Input or code contributions for the issue
 are appreciated. Some related tickets include:

    http://rt.cpan.org/Public/Bug/Display.html?id=14604
    http://rt.cpan.org/Public/Bug/Display.html?id=16861
    http://rt.cpan.org/Public/Bug/Display.html?id=17541
    http://rt.cpan.org/Public/Bug/Display.html?id=17299

4.03:
=====
- FIX: automatic flushing did not work if session object was global
- FIX: Default serializer can now serialize objects (Matt LeBlanc)
- INTERNAL: SQLite driver no longer needs MIME::Base64 for encoding
  (Matt LeBlanc)

4.02:
=====
- FIX: remote_addr() was missing (RT #14414])

4.01:
=====
- FIX: Minor POD fix

4.00:
=====
 *** NOTE ***

 The 4.0 release represents a major overhaul of the CGI::Session code
 base.  Care has been taken to be 100% compatible with applications
 developed with 3.x.  However, you are encouraged to run regression
 tests with your own applications before using this in production.

- NEW: PostgreSQL driver enhanced to work better with binary serializers
  (Matt LeBlanc)
- FIX: update to un tainting in default serializer to make "-T" happy
  (Matt LeBlanc)
- FIX: CGI::Session (qw/-ip_match/), a 3.x feature, works again (Shawn
  Sorichetti)
- INTERNAL: Improved documentation shown during "make", which explains
  how to run database-driven tests. (Mark Stosberg)
- FIX: to support binary serializers SQLite driver uses MIME::Base64
  (Sherzod Ruzmetov)

4.00_09:
========
- CHANGE: Starting with 4.0, it will no longer work to use the syntax of
  CGI::Session::DriverName(). This hasn't been a documented API since
  CGI::Session 2.94, released in August, 2002.
- FIX: documented etime(), which was present in 3.x (Mark Stosberg)
- FIX: Added code, test and docs to make $CGI::Session::File::FileName
  work, for 3.x compatibility. (Mark Stosberg)
- FIX: Providing an expire time like "-10" now works (Mark Stosberg)
- FIX: Restored close() method, for 3.x compatibility. (Mark Stosberg)
- FIX: Make ->clear('email') work, for 3.95 compatibility (Mark
  Stosberg)
- FIX: Added back is_new() for compatibility with 3.95. (Mark Stosberg)
- FIX: Support for CGI::Simple is confirmed, resolving RT#6141 (Mark
  Stosberg)
- FIX: Add code and tests for $CGI::Session::MySQL::TABLE_NAME, which
  worked in 3.x (Mark Stosberg)
- DOCS: CGI::Session now has a public Subversion repository, thanks to
  Jason Crome.  See the bottom of the CGI::Session docs for details.

4.00_08:
========
- FIX: Changes made in 4.00_07 rolled back

4.00_07:
========
- FIX: overloaded objects are now stored properly

4.00_06:
========
- FIX (?): a test script was failing on Win32
- FIX: inaccurate error reporting in load()

4.00_05:
========
- FIX: case insensitivity was not enforced properly in
  CGI::Session::parse_dsn()

4.00_04:
========
- FIX: Minor fix in tests suits and error-checking routines
  of serializers and id-generators

4.00_03:
========
- NEW: CGI::Session::find() introduced
- NEW: traverse() introduced into drivers to support
  CGI::Session::find()
- DOCS: More complete driver specs documented

4.00_02:
========
- FIX: race conditions in Driver/file.pm pointed out by Martin Bartosch

4.00_01:
========
- NEW: load() - constructor method to prevent unnecessary session
  creations
- NEW: is_expired() - method to intercept expired sessions
- NEW: is_empty() - to intercept requests for un existing sessions
- NEW: more optimized source code
- NEW: updated and improved driver specs
- NEW: standard testing framework
- NEW: 'sqlite' driver

Log message:
Point MAINTAINER to pkgsrc-users@NetBSD.org in the case where no
developer is officially maintaining the package.

The rationale for changing this from "tech-pkg" to \ 
"pkgsrc-users" is
that it implies that any user can try to maintain the package (by
submitting patches to the mailing list).  Since the folks most likely
to care about the package are the folks that want to use it or are
already using it, this would leverage the energy of users who aren't
developers.

Log message:
Bump the PKGREVISIONs of all (638) packages that hardcode the locations
of Perl files to deal with the perl-5.8.7 update that moved all
pkgsrc-installed Perl files into the "vendor" directories.

Log message:
Turn PERL5_PACKLIST into a relative path instead of an absolute path.
These paths are now relative to PERL5_PACKLIST_DIR, which currently
defaults to ${PERL5_SITEARCH}.  There is no change to the binary
packages.

Log message:
Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.

Log message:
Add RMD160 checksums.

Log message:
since perl is now built with threads on most platforms, the perl archlib
module directory has changed (eg. "darwin-2level" vs.
"darwin-thread-multi-2level").

binary packages of perl modules need to be distinguishable between
being built against threaded perl and unthreaded perl, so bump the
PKGREVISION of all perl module packages and introduce
BUILDLINK_RECOMMENDED for perl as perl>=5.8.5nb5 so the correct
dependencies are registered and the binary packages are distinct.

addresses PR pkg/28619 from H. Todd Fujinaka.

Log message:
Initial import of p5-CGI-Session, a Perl5 module providing session
management across HTTP requests.