w3m/NEWS

Debian's w3m 0.5.3+git20230121

* new features
  - location of ~/.w3m can be changed with the W3M_DIR environment variable
  - new option tmp_dir to set directory for temporary files
    e.g. W3M_DIR=~/.local/state/w3m w3m -o tmp_dir=~/.cache/w3m
  - new option -H to use high-intensity colors
  - recognize link targets in dfn elements
* bug fixes
  - fix m17n backspace handling causes out-of-bounds write in checkType
    [CVE-2022-38223]
  - fix LESSOPEN format string problem
  - fix potential overflow in checkType
  - fix potential null deref for newBuffer
  - fix potential null deref in main.c, file.c, etc.c, fb_imlib2.c, news.c
  - fix browsing local file fails when argv_is_url
  - skip soft hyphen when reading token
  - fix configure tests broken with Clang 16
  - do not override history file if it was changed
  - only read a first title to avoid titles in svg
  - use GROFF_NO_SGR=1 for w3mman with non-Debian groff
  - handle failed system calls
  - fix charset declaration parser fails with turkish locale
  - fix images are not displayed for OSC 5379
  - prevent unneeded image resizing for sixel

Debian's w3m 0.5.3+git20220429

* new features
  - support kitty's APC G graphics protocol with ImageMagick's convert
  - support iTerm2's OSC 1337 graphics protocol
  - new option inline_img_protocol to select the graphics protocol
    (0: w3m-img, 1: OSC 5379, 2: sixel, 3: OSC 1337, 4: APC G)
  - new option ssl_cipher to specify TLSv1.2 ciphers, e.g. DEFAULT:@SECLEVEL=2
  - new option ssl_min_version for OpenSSL 1.1
  - new option -insecure to use insecure SSL config options
  - new option ssl_ca_default, explicitly use OpenSSL default paths by default
  - new option cross_origin_referer, use origin only Referer when cross origin
  - new option localhost_only to restrict connections only to localhost
  - new option disable_center to disable center alignment
  - support brotli content encoding
  - ignore the "-" option to accept `w3m -` as "read from stdin"
  - new configure option --with-cafile to detect CA bundle file
  - support auto-detection for configure --with-migemo
  - add fuzzer for OSS-Fuzz
  - add Italian translation
  - add Swedish translation
* bug fixes
  - prevent index overflow and huge allocation due to Str, libwc, and table
  - prevent integer overflow due to fontstat
  - prevent StrStream memory leak
  - prevent GC warnings of repeated allocation
  - prevent buffer overflow in shiftAnchorPosition
  - prevent buffer overflow READ when parsing Gopher URLs
  - prevent buffer overflow in gotoLine and gotoRealLine
  - prevent warnings when -Wnull-dereference, enabled by default
  - prevent warnings when -Wall, enabled by default
  - prevent warnings from Cppcheck
  - avoid zero length arrays even when GCC
  - fix fail to render over 32767 lines in a table cell
  - disable `<section>` behaves as `<hr>`
  - disable TLSv1.0 and TLSv1.1 by default
  - mention a workaround for SSL error
  - fix manipulation of ASN1_STRING
  - don't include username in Referer
  - don't set Referer when data URI scheme
  - fix broken anchor with link number at EOL
  - fix incorrect query string for `w3mman 7z`
  - drop imlib2-config, use pkg-config
  - improve named character references
  - improve `<dl>` rendering
  - prefer Imlib2 over GTK2 by default
  - replace encodeB with base64_encode to encode null bytes
  - wording fixes for configure --help

Debian's w3m 0.5.3+git20210102

* new features
  - support links containing divs for HTML5
  - rudimentary support for HTML5 tags: figure, figcaption, and section
  - enhance the behaviour of the q tag when m17n and Unicode are configured
  - support for file://hostname/... URLs
  - new commands CURSOR_TOP, CURSOR_MIDDLE, and CURSOR_BOTTOM
  - new option space_autocomplete, disabled by default
* bug fixes
  - fix and improve broken Gopher support, enabled by default
  - change the encoding of the Japanese document files to UTF-8
  - use the default ciphers without SSL_CTX_set_cipher_list for OpenSSL 1.1
  - fix compilation errors due to sys_errlist and longjmp
  - define X_DISPLAY_MISSING when configure --without-x for Imlib2
  - avoid the -l option of the man command for w3mman
  - fix some source formatting in the manual
  - show keyboard shortcuts in a consistent order in help
  - fix traditional Chinese translation
  - drop obsolete w3m-doc

Debian's w3m 0.5.3+git20200502

* bug fixes
  - support &apos; entity
  - prevent multiple User-Agent with -header
  - fix -Wchar-subscripts
* new features
  - support setting user_agent in siteconf
  - new command GOTO_HOME
  - extend ssl_forbid_method for TLSv1.2 and TLSv1.3

Debian's w3m 0.5.3+git20190105

* bug fixes
  - do not use deprecated features with OpenSSL 1.1
  - fix dependency for Imlib2
  - fix that the mark_all_pages option works
  - respect the simple_preserve_space option for table cells
  - fix error handling for ~/.w3m/request.log and localcgi_post()
* new feature
  - w3mman supports specifying a section number during a keyword search

Debian's w3m 0.5.3+git20180125

* bug fixes
  - fix stack overflow with malformed text [CVE-2018-6196]
  - fix null deref with malformed text [CVE-2018-6197]
  - fix /tmp file races only when ~/.w3m is unwritable [CVE-2018-6198]
  - do not remove w3mdict.cgi when "make distclean"
  - do not turn a form's GET into POST
  - correct <base ...> parsing
  - accept TERM=fbterm
* new feature
  - extend ssl_forbid_method to disable TLSv1.1

Debian's w3m 0.5.3+git20170102

* bug fixes
  - fix multiple flaws with malformed text
    (buffer overflow, use after free, infinite loop)
  - fix uninitialized variable when not USE_IMAGE

Debian's w3m 0.5.3+git20161120

* bug fixes
  - fix multiple flaws with malformed text
    (stack overflow, buffer overflow, null deref, out of memory)
    [CVE-2016-9622], [CVE-2016-9623], [CVE-2016-9624], [CVE-2016-9625],
    [CVE-2016-9626], [CVE-2016-9627], [CVE-2016-9628], [CVE-2016-9629],
    [CVE-2016-9630], [CVE-2016-9631], [CVE-2016-9632], [CVE-2016-9633]
  - fix stack overflow with nested table and textarea [CVE-2016-9439]
  - fix suspend (^Z) behavior

Debian's w3m 0.5.3+git20161031

* new features
  - support OSC 5379 remote imaging and sixel graphics
  - support SGR style mouse handler
  - support 32-bit color images
  - support FreeBSD framebuffer
  - support button element
  - support meta charset
  - include w3mdict.cgi to use a dictd dictionary query
  - add extbrowser4..9
  - add display_borders to display 0 pixel table borders
  - add siteconf feature
  - add German translation for options setting panel
  - add translations for de, zh_CN and zh_TW
* bug fixes
  - fix multiple flaws with malformed text
    [CVE-2016-9422], [CVE-2016-9423], [CVE-2016-9424], [CVE-2016-9425],
    [CVE-2016-9426], [CVE-2016-9428], [CVE-2016-9429], [CVE-2016-9430],
    [CVE-2016-9431], [CVE-2016-9432], [CVE-2016-9433], [CVE-2016-9434],
    [CVE-2016-9435], [CVE-2016-9436], [CVE-2016-9437], [CVE-2016-9438],
    [CVE-2016-9440], [CVE-2016-9441], [CVE-2016-9443], [CVE-2016-9621]
  - fix potential heap buffer corruption due to Strgrow [CVE-2016-9442]
  - disable SSLv2 and SSLv3 by default [CVE-2014-3566]
  - set ssl_verify_server to 1 by default
  - disable RC4, export ciphers, and keys < 128 bits
  - use SSL_OP_NO_COMPRESSION due to "CRIME attack" [CVE-2012-4929]
  - use SSL_MODE_RELEASE_BUFFERS
  - disable USE_EGD for LibreSSL
  - appease gcc -Werror=format-security
  - option -s is now "squeeze multiple blank lines" to work as pager, and
    -j and -e are obsolete, so use -O{s|j|e} to specify display charset
  - accept single quoted meta refresh URL
  - assume "text" if a form input type is unknown
  - accept cookies by default
  - set use_dictcommand to 1 by default
  - set default_url to 1 by default
  - set argv_is_url to 1 by default
  - set alt_entity to 0 by default
  - fix build problems with Boehm GC 7.2, imlib2 1.4.6 and glibc 2.14
  - fix parallel make failure
  - fix incorrect ucs_ambwidth_map
  - and many fixes

w3m 0.5.3 - 2011-01-15

* security fix
 - fix vulnerabilities indicated by bugs.debian.org.
 - suppress sending Referer, if https:// -> http://
* new features
 - adapt w3mimg to native windows on MS Windows.
 - support xterm-incompatible terminals without gpm.
 - add "xhtml" to default guess.
 - introduce option pseudo_inlines.
 - add option to avoid "wrong number of dots" error in cookies.
* other bug fixes
 - fix "important" bugs from bugs.debian.org
 - preserve spaces in multibyte context.
 - fix proxy authentication.

w3m 0.5.2 - 2007-05-31

* security fix
 - fix format string vulnerability.
* new features
 - support gtk2 with w3m-img.
 - new option for LiveHTTPHeaders-like logs.
 - new option to fontify <del>, <s>, <ins>, and so on.
* other bug fixes
 - avoid errors in "configure" and "make".
 - '\n' handling in attributes' values of HTML tags.

w3m 0.5.1 - 2004-04-29

* fix minor bugs
 - build problem on some platform/some configuration
 - authentication bug
 - ipv6 FQDN resolv
 - SSL verify
 - search problem on different charset page/display
 - cleanup LANG==JA
 - DisplayCharset default
 - w3mhelp.cgi charset

w3m 0.5	- 2004-03-22

* gettextize
* m17n patch merged

w3m 0.4.2 - 2003-09-23

* options: -4, -6
* configuration file in $(sysconfdir)/$(package)/
* func: NEXT_VISITED, PREV_VISITED
* autoconfiscate (partially)
* rc: use_history

w3m 0.4.1 - 2003-03-07

* fix bugs
  - completion segfault in lineinput
  - incremental search
  - URL pattern fix
  - UFhalfclose bug
  - allow pipe in shell command
  - enhance ftp directory support
  - linenumber in edit
  - fix Bug#181897
  - W3M_TTY problem fixed

w3m 0.4 - 2003-02-24

* rc: decode_url
* func: RESHAPE
* rc: fold_line
* local cookie: passed via file named $LOCAL_COOKIE or posted not in url query
* func: SEARCH can take arg
* URL data: support
* URL news:, nntp: newsgroup support
* rc: nntpserver, nntpmode, max_news
* rc: graphic_char
* rc: use_proxy
* rc: preserve_timestamp
* func: REDO, UNDO
* func: LIST, LIST_MENU, MOVE_LIST_MENU
* func: ACCESSKEY, LINK_MENU
* rc: display_ins_del
* 2 stroke keybinding
* func: MULTIMAP
* func: CLOSE_TAB_MOUSE, MENU_MOUSE, MOVE_MOUSE, TAB_MOUSE
* options: -N
* func: NEXT, PREV
* rc: image_map_list
* rc: open_tab_dl_list
* func: DOWNLOAD_LIST
* env: https_proxy
* rc: https_proxy
* options: -show-option
* rc: relative_wheel_scroll
* rc: relative_wheel_scroll_ratio
* rc: fixed_wheel_scroll_count
* separate auxbindir and libdir (local-CGI, file:///$LIB/)
* configure: -auxbindir
* rc: disable_secret_security_check (for windows?)
* tab browsing
* rc: open_tab_blank, close_tab_back
* func: CLOSE_TAB, NEW_TAB, NEXT_TAB, PREV_TAB, 
* func:	TAB_GOTO, TAB_GOTO_RELATIVE
* func: TAB_LEFT, TAB_LINK, TAB_MENU, TAB_RIGHT
* pre_form: ~/.w3m/pre_form
* rc: pre_form_file: pre_form configuration file

----------------------------------------------------------------

w3m 0.3.2.2 - 2002-12-06

* security fix: html_quote for img alt attributes

----------------------------------------------------------------

w3m 0.3.2.1 - 2002-11-27

* security fix: html_quote for frame contents
* backport from w3m 0.3.2+cvs
 - fix segmentation fault by large complex table.
	[w3m-dev 03371][w3m-dev 03438]

----------------------------------------------------------------
w3m 0.3.2 - 2002-11-05

* ~/.netrc: password for ftp
* rc: display_lineinfo: display current line number
* rc: passwd_file: passwd file for HTTP auth
* func: MARK_WORD
* rc: imgsize: obsoleted
* w3m-img for framebuffer merged

----------------------------------------------------------------
w3m 0.3.1 - 2002-07-16

* func: REINIT
	INIT_MAILCAP deleted, use REINIT MAILCAP instead
* func: DEFINE_KEY
* rc: keymap_file
* rc: use_dictcommand, dictcommand
* rc: mark_all_pages
* configure: -mandir
* func: COMMAND
* -title option: set buffer name to terminal title
* X-Face support: USE_XFACE, require uncompface

----------------------------------------------------------------
w3m 0.3 - 2002-03-06

* rc: mailer
	if mailer is set, it will be used for simple mailto: URLs
	otherwise, w3mmail.cgi will be used (when USE_W3MMAILER defined)
* rc: max_load_image
* rc: display_image, auto_image, image_scale, imgdisplay, imgsize
* func: DISPLAY_IMAGE, STOP_IMAGE
* w3m-img merged: w3m now can display images! see doc/README.img

----------------------------------------------------------------
w3m 0.2.5.1 - 2002-02-05

* backport from w3m/0.2.5+cvs-1.299
 - fix inputAnswer() and no "ssl_forbid_method" [w3m-dev 02985]
 - fix SunOS 4.1.4 build problem [w3m-dev 02972]
 - fix problem with Netscape-Enterprise WWW-authenticate [w3m-dev 02968]

----------------------------------------------------------------
w3m 0.2.5 - 2002-01-31

* RFC2617: HTTP Digest authentication
* rc: default_url=0(empty) 1(current URL) 2(link URL)
* GOTO_RELATIVE (M-u)
* highlight for incremental search
* support migemo (romaji search)
* use w3mmail.cgi for mailto: URL
* support external URI loader
* support -dump_extra ftp://
* new regex implementation

----------------------------------------------------------------
w3m 0.2.4 - 2002-01-07

* RFC2818 server identity check
* incremental search (C-s, C-r)

----------------------------------------------------------------
w3m 0.2.3.2 - 2001-12-22

* fix security hole in w3m/scripts

----------------------------------------------------------------
w3m 0.2.3.1 - 2001-12-20

* sync with cvs repository
* fix bug in configure

----------------------------------------------------------------
w3m 0.2.3 - 2001-12-20

* command line option: -help, -version
* new libgc included
* new runtime option use_mark, nextpage_topline, label_topline, vi_prec_num
   emacs_like_lineedit, ftppass_hostnamegen
* RFC2732 support (IPv6)
* new w3mhelp system
* several configure changes
* code cleanups, now gcc -Wall -Werror safe

----------------------------------------------------------------
w3m 0.2.2 - 2001-11-15

* sync with w3m 0.2.1-inu-1.5
* w3m maintained in sourceforge.net/projects/w3m