Summary of changes from September 13, 2015 to September 19, 2015.
| Codebase | Repository | {icon lock} | HEAD | Activity |
|----------|------------|--|------|----------|
| Phabricator | rP | | rP9c43853 | 12 commits |
| Arcanist | rARC | | rARC083127c | 3 commits |
| libphutil | rPHU | | rPHU880c0fb | 1 commit |
| Instances (SAAS) | rSAAS | {icon lock} | rSAAS6de6761 | 3 commits |
| Services (SAAS) | rSERVICES | {icon lock} | rSERVICES4828dcd | 0 commits |
| Core (SAAS) | rCORE | {icon lock} | rCOREbee5f5d | 9 commits |
These changes were promoted to `stable`.
General
=======
- No major changes in this period.
Security
========
- The `dot` (Graphviz) remarkup rule has been removed from the upstream because the design of the feature is not secure, and a researcher uncovered a material vulnerability that potentially allowed an attacker to disclose some information about the host system. The `cowsay` and `figlet` rules have been rewritten natively. See T9408 for in-depth discussion. This issue was reported to us via HackerOne, and we awarded a $300 bounty for it.
Upgrading / Compatibility
=========================
- There is an upcoming mandatory migration from old Differential hunk storage to new Differential hunk storage. Installs with a large amount of data and a long history can avoid maintenance downtime by running this migration manually before it becomes mandatory. Follow T8623 for discussion.
Phacility SAAS
==============
- Tweaked design of Phacility admin console.
Minor
=====
- Added `bin/auth unlimit` for manually clearing user rate limits.
- Fixed an issue where notifications about macros didn't clear correctly.
- Fixed an issue where `arc patch` would try to set credentials twice.