Supervisor

Latest version: v4.2.5


Page 6 of 10

3.0.1 (Not secure)
------------------

- Backported from Supervisor 3.3.3: Fixed CVE-2017-11610. A vulnerability
was found where an authenticated client can send a malicious XML-RPC request
to ``supervisord`` that will run arbitrary shell commands on the server.
The commands will be run as the same user as ``supervisord``. Depending on
how ``supervisord`` has been configured, this may be root. See
https://github.com/Supervisor/supervisor/issues/964 for details.

3.0 (Not secure)
----------------

- Parsing the config file will now fail with an error message if a process
or group name contains characters that are not compatible with the
eventlistener protocol.

- Fixed a bug where the ``tail -f`` command in ``supervisorctl`` would fail
if the combined length of the username and password was over 56 characters.

- Reading the config file now gives a separate error message when the config
file exists but can't be read. Previously, any error reading the file
would be reported as "could not find config file". Patch by Jens Rantil.

- Fixed an XML-RPC bug where array elements after the first would be ignored
when using the ElementTree-based XML parser. Patch by Zev Benjamin.

- Fixed the usage message output by ``supervisorctl`` to show the correct
default config file path. Patch by Alek Storm.

3.0b2 (Not secure)
------------------

- The behavior of the program option ``user`` has changed. In all previous
versions, if ``supervisord`` failed to switch to the user, a warning would
be sent to the stderr log but the child process would still be spawned.
This means that a mistake in the config file could result in a child
process being unintentionally spawned as root. Now, ``supervisord`` will
not spawn the child unless it was able to successfully switch to the user.
Thanks to Igor Partola for reporting this issue.

- If a user specified in the config file does not exist on the system,
``supervisord`` will now print an error and refuse to start.
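The two checks described in the bullets above (a ``user=`` that does not resolve to a real account, and a program with no ``user=`` at all that would inherit root from ``supervisord``) can be run ahead of deployment with a small audit of the config file. The following is an added example, not Supervisor's own code: the sample ``supervisord.conf`` text, the account table used for the demo, and the function names are constructed here.

```python
"""Audit a supervisord.conf for the two privilege mistakes the 3.0b2 notes describe.

Added example; this is not Supervisor's own code. It flags (1) ``user=`` values
that do not resolve to a real account, which supervisord >= 3.0b2 refuses to
start on, and (2) programs with no ``user=`` at all, which inherit root when
supervisord itself runs as root. The config text and the account lookup used
in the demo are constructed here.
"""
import configparser
import pwd
from typing import Callable, Dict, List

# Constructed sample config (not from the page): one program set up correctly,
# one with a misspelled user, one with no user= line at all.
SAMPLE_CONF = """\
[supervisord]
logfile=/tmp/supervisord.log

[program:web]
command=/usr/bin/python3 -m http.server
user=www-data
stopasgroup=true
killasgroup=true

[program:worker]
command=/usr/bin/python3 worker.py
user=wrokers

[program:cron-ish]
command=/bin/sh -c "while true; do sleep 60; done"
"""


def system_user_exists(name: str) -> bool:
    """Real lookup against the host account database (pwd.getpwnam)."""
    try:
        pwd.getpwnam(name)
    except KeyError:
        return False
    return True


def audit_conf(text: str,
               user_exists: Callable[[str], bool] = system_user_exists,
               running_as_root: bool = True) -> Dict[str, List[str]]:
    """Return {program_name: [findings]} for every [program:x] section.

    ``user_exists`` is injectable so the check can run against a fixed account
    table in tests; ``running_as_root`` says whether supervisord itself would be
    root, which is when a missing user= means a root child.
    """
    # RawConfigParser: supervisord values such as %(ENV_HOME)s must not be
    # interpolated by the stdlib parser.
    parser = configparser.RawConfigParser()
    parser.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section in parser.sections():
        if not section.startswith("program:"):
            continue
        name = section[len("program:"):]
        problems: List[str] = []
        user = parser.get(section, "user", fallback=None)
        if user is None:
            if running_as_root:
                problems.append("no user= line: child inherits root from supervisord")
        elif not user_exists(user.strip()):
            problems.append(f"user={user!r} does not exist on this system: "
                            "supervisord >= 3.0b2 will refuse to start")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    # Demo against a constructed account table rather than the real host.
    demo_accounts = {"root", "www-data"}
    for prog, problems in audit_conf(SAMPLE_CONF, lambda n: n in demo_accounts).items():
        print(prog, "->", problems or "ok")
```

Run it with the default ``user_exists`` to check a real file against the host's ``/etc/passwd``; the injectable lookup exists only so the demo and its tests do not depend on which accounts the machine has.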

- Reverted a change to logging introduced in 3.0b1 that was intended to allow
multiple processes to log to the same file with the rotating log handler.
The implementation caused supervisord to crash during reload and to leak
file handles. Also, since log rotation options are given on a per-program
basis, impossible configurations could be created (conflicting rotation
options for the same file). Given this and that supervisord now has syslog
support, it was decided to remove this feature. A warning was added to the
documentation that two processes may not log to the same file.

- Fixed a bug where parsing ``command=`` could cause supervisord to crash if
``shlex.split()`` fails, for example on bad quoting. Patch by Scott Wilson.

- It is now possible to use ``supervisorctl`` on a machine with no
``supervisord.conf`` file by supplying the connection information in
command line options. Patch by Jens Rantil.

- Fixed a bug where supervisord would crash if the syslog handler was used
and supervisord received SIGUSR2 (log reopen request).

- Fixed an XML-RPC bug where calling supervisor.getProcessInfo() with a bad
name would cause a 500 Internal Server Error rather than returning a
BAD_NAME fault.

- Added a favicon to the web interface. Patch by Caio Ariede.

- Fixed a test failure due to incorrect handling of daylight savings time
in the childutils tests. Patch by Ildar Hizbulin.

- Fixed a number of pyflakes warnings for unused variables, imports, and
dead code. Patch by Philippe Ombredanne.

3.0b1 (Not secure)
------------------

- Fixed a bug where parsing ``environment=`` did not verify that key/value
pairs were correctly separated. Patch by Martijn Pieters.

- Fixed a bug in the HTTP server code that could cause unnecessary delays
when sending large responses. Patch by Philip Zeyliger.

- When supervisord starts up as root, if the ``-c`` flag was not provided, a
warning is now emitted to the console. Rationale: supervisord looks in the
current working directory for a ``supervisord.conf`` file; someone might
trick the root user into starting supervisord while cd'ed into a directory
that has a rogue ``supervisord.conf``.

- A warning was added to the documentation about the security implications of
starting supervisord without the ``-c`` flag.

- Added a boolean program option ``stopasgroup``, defaulting to false.
When true, the flag causes supervisor to send the stop signal to the
whole process group. This is useful for programs, such as Flask in debug
mode, that do not propagate stop signals to their children, leaving them
orphaned.

- Python 2.3 is no longer supported. The last version that supported Python
2.3 is Supervisor 3.0a12.

- Removed the unused "supervisor_rpc" entry point from setup.py.

- Fixed a bug in the rotating log handler that would cause unexpected
results when two processes were set to log to the same file. Patch
by Whit Morriss.

- Fixed a bug in config file reloading where each reload could leak memory
because a list of warning messages would be appended but never cleared.
Patch by Philip Zeyliger.

- Added a new Syslog log handler. Thanks to Denis Bilenko, Nathan L. Smith,
and Jason R. Coombs, who each contributed to the patch.

- Put all change history into a single file (CHANGES.txt).

3.0a12 (Not secure)
-------------------

- Released to replace a broken 3.0a11 package where non-Python files were
not included in the package.

3.0a11 (Not secure)
-------------------

- Added a new file, ``PLUGINS.rst``, with a listing of third-party plugins
for Supervisor. Contributed by Jens Rantil.

- The ``pid`` command in supervisorctl can now be used to retrieve the PIDs
of child processes. See ``help pid``. Patch by Gregory Wisniewski.

- Added a new ``host_node_name`` expansion that will be expanded to the
value returned by Python's ``platform.node`` (see
http://docs.python.org/library/platform.html#platform.node).
Patch by Joseph Kondel.

- Fixed a bug in the web interface where pages over 64K would be truncated.
Thanks to Drew Perttula and Timothy Jones for reporting this.

- Renamed ``README.txt`` to ``README.rst`` so GitHub renders the file as
ReStructuredText.

- The XML-RPC server is now compatible with clients that do not send empty
<params> when there are no parameters for the method call. Thanks to
Johannes Becker for reporting this.

- Fixed ``supervisorctl --help`` output to show the correct program name.

- The behavior of the configuration options ``minfds`` and ``minprocs`` has
changed. Previously, if a hard limit was less than ``minfds`` or
``minprocs``, supervisord would unconditionally abort with an error. Now,
supervisord will attempt to raise the hard limit. This may succeed if
supervisord is run as root, otherwise the error is printed as before.
Patch by Benoit Sigoure.

- Added a boolean program option ``killasgroup``, defaulting to false. When
true, if supervisord has to resort to SIGKILL to stop or terminate the
process, it sends the signal to the whole process group instead of only
the process, so that any children are taken care of as well and not left
behind. Patch by Samuele Pedroni.
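The ``killasgroup`` option above and the ``stopasgroup`` option from 3.0b1 address the same failure mode: a signal delivered to one pid does nothing for that process's own children. The following added example (not Supervisor's code) reproduces it with a shell child that backgrounds a ``sleep`` and does not forward signals, then compares signalling the child alone with signalling its whole process group. The helper names are constructed here; it assumes a POSIX system with ``sh`` and ``sleep`` on PATH.

```python
"""Show why stopasgroup/killasgroup exist: a signal to one pid vs. its process group.

Added example, not Supervisor's code. A shell child that backgrounds ``sleep``
stands in for a program that does not forward signals to its own children.
Sending SIGTERM to the shell alone leaves the sleep running as an orphan;
sending it to the whole process group (what stopasgroup=true does, and what
killasgroup=true does with SIGKILL) takes the grandchild down as well.
POSIX only; needs ``sh`` and ``sleep`` on PATH.
"""
import os
import signal
import subprocess
import time


def is_alive(pid: int) -> bool:
    """True if pid exists and is not a zombie.

    /proc is read when present so an unreaped zombie is not mistaken for a
    live process; otherwise fall back to kill(pid, 0).
    """
    try:
        with open(f"/proc/{pid}/stat") as f:
            state = f.read().rsplit(")", 1)[1].split()[0]
        return state != "Z"
    except FileNotFoundError:
        return False
    except (OSError, IndexError):
        try:
            os.kill(pid, 0)
            return True
        except ProcessLookupError:
            return False


def spawn_program_with_child():
    """Start a shell in its own session (so it leads a fresh process group),
    have it background a sleep and report the sleep's pid on stdout."""
    proc = subprocess.Popen(
        ["sh", "-c", "sleep 60 & echo $!; wait"],
        stdout=subprocess.PIPE, text=True, start_new_session=True)
    grandchild = int(proc.stdout.readline().strip())
    return proc, grandchild


def stop_program(proc: subprocess.Popen, sig: int, as_group: bool) -> None:
    """Deliver sig to the direct child only, or to its whole process group."""
    if as_group:
        os.killpg(os.getpgid(proc.pid), sig)   # the stopasgroup/killasgroup behaviour
    else:
        proc.send_signal(sig)                  # the default: direct child only
    proc.wait(timeout=5)
    proc.stdout.close()


def grandchild_survives(sig: int = signal.SIGTERM, as_group: bool = False) -> bool:
    """Spawn, stop with the chosen strategy, report whether the grandchild lived on."""
    proc, grandchild = spawn_program_with_child()
    stop_program(proc, sig, as_group)
    # Give the signal a moment to land before deciding.
    deadline = time.monotonic() + 2.0
    while time.monotonic() < deadline and is_alive(grandchild):
        time.sleep(0.05)
    survived = is_alive(grandchild)
    if survived:
        os.kill(grandchild, signal.SIGKILL)  # clean up the orphan we created
    return survived


if __name__ == "__main__":
    print("SIGTERM to child only, grandchild survives:", grandchild_survives())
    print("SIGTERM to process group, grandchild survives:",
          grandchild_survives(as_group=True))
    print("SIGKILL to process group, grandchild survives:",
          grandchild_survives(signal.SIGKILL, as_group=True))
```

``start_new_session=True`` is what makes the group-wide delivery safe to demonstrate: the child becomes leader of a new process group, so ``killpg`` reaches only the processes it spawned and not the caller's own group.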

- Environment variables may now be used in the configuration file
for options that support string expansion. Patch by Aleksey Sivokon.

- Fixed a race condition where supervisord might not act on a signal sent
to it. Thanks to Adar Dembo for reporting the issue and supplying the
initial patch.

- Updated the output of ``echo_supervisord_conf`` to fix typos and
improve comments. Thanks to Jens Rantil for noticing these.

- Fixed a possible 500 Server Error from the web interface. This was
observed when using Supervisor on a domain socket behind Nginx, where
Supervisor would raise an exception because REMOTE_ADDR was not set.
Patch by David Bennett.
