docs(changelog): record #5354/#5355, #5356, #5358, #5359; tighten 1.15.3 overview

matejk · matejk · commit 8cea52430145 · 2026-05-20T14:53:52.000+02:00
Four PRs merged on main after the release commit and cherry-picked into poco-1.15.3: - #5358 fix(AbstractEvent): operator-= holds the event mutex across Delegate destructor - #5359 enh(MongoDB): MongoDB 6.0/7.0/8.0 compat (carries its own API Changes for SCRAM-SHA-256 default, count() via $count, deprecated INDEX_BACKGROUND / CMD_MAP_REDUCE) - #5355 (GH #5354) feat(CppUnit): terminate handler - #5356 fix(Foundation): gate atomic_flag::test on C++20 atomic_wait Also tighten the 1.15.3 entries: trim the Summary paragraph, replace multi-paragraph API Changes prose with one-line bullets, drop redundant qualifiers from bug-fix / enhancement bullets, and use the verbatim GitHub issue/PR titles for each item. CHANGELOG and doc/99100-ReleaseNotes.page now carry the same content. CONTRIBUTORS unchanged -- all four PR authors (aleks-f, uilianries, matejk) are already listed.
diff --git a/CHANGELOG b/CHANGELOG
@@ -6,91 +6,53 @@ Release 1.15.3 (2026-05-13)
 
 Summary of Changes:
 
-A patch release focused on bug fixes, security updates in bundled
-third-party libraries (including two expat CVEs), and a small set of
-enhancements. Notable changes include PostgreSQL connection-string
-URI syntax support, a fix for the WAL-reset database corruption in
-SQLite, and a behaviour correction to the %c date/time format
-specifier so it actually emits centiseconds as documented (this is a
-breaking change for code that relied on the previous single-digit
-decisecond output).
+Bug fixes, expat CVE updates in bundled deps, MongoDB 6.0/7.0/8.0
+compatibility, PostgreSQL URI connection strings, and a corrected %c
+date/time format specifier (breaking).
 
 Breaking Changes:
 
-- GH #3949 Poco::DateTimeFormatter: %c now formats and parses a
-  zero-padded two-digit centisecond (00..99), matching the
-  documentation. Previously it emitted a single-digit decisecond
-  (millisecond/100). Callers using "%H:%M:%S.%c" will see one extra
-  character in the output. Closed by PR #5350.
+- GH #3949 Poco::DateTimeFormatter %c does not format to centisecond but decisecond (PR #5350)
 
 API Changes:
 
-- Poco::MongoDB::Database::authenticate() default mechanism changed from
-  "SCRAM-SHA-1" to "SCRAM-SHA-256", matching the MongoDB server default
-  for new users since 4.0 and the convention used by every official
-  MongoDB driver. Existing callers that rely on SCRAM-SHA-1 should pass
-  Database::AUTH_SCRAM_SHA1 explicitly. SCRAM-SHA-256 currently requires
-  ASCII passwords; non-ASCII passwords throw NotImplementedException
-  pending full SASLprep (RFC 4013) support.
-- Poco::MongoDB::Database::count() now uses aggregation [{$count: "n"}]
-  instead of the legacy "count" command. The signature is unchanged.
-  Aggregation $count is in the Stable API v1, returns accurate results
-  on sharded clusters (the legacy command over-reports due to orphans),
-  and is permitted in multi-document transactions. Operators watching
-  server-side query metrics will see "aggregate" commands where they
-  previously saw "count".
-- Poco::MongoDB::Database::INDEX_BACKGROUND is now marked POCO_DEPRECATED
-  (deprecated by MongoDB in 4.2; server-side no-op). The flag is kept
-  for source compatibility but its value is no longer forwarded to the
-  server.
-- Poco::MongoDB::OpMsgMessage::CMD_MAP_REDUCE is now marked
-  POCO_DEPRECATED (mapReduce deprecated by MongoDB in 5.0); use the
-  aggregation pipeline.
-
-- GH #5322 PropertyFileConfiguration: the optional parent-configuration
-  parameter (added in 1.15.1 via #5253) is now an AbstractConfiguration*
-  raw non-owning pointer instead of AbstractConfiguration::Ptr. Callers
-  must keep the parent alive for the child's lifetime. This fixes a
-  circular reference between LayeredConfiguration and child
-  PropertyFileConfiguration instances in Application::loadConfiguration().
-  The Ptr-taking overloads are retained as deprecated forwarders to
-  surface the lifetime contract at compile time; they will be removed
-  in a future release. Passing a temporary Ptr would leave _pParentConfig
-  dangling and should be replaced with a named variable whose lifetime
-  outlives the child. All three PropertyFileConfiguration constructors
-  are now explicit to prevent accidental implicit conversions.
+- MongoDB::Database::authenticate() default is now SCRAM-SHA-256; pass AUTH_SCRAM_SHA1 for the previous default. ASCII passwords only. (PR #5359)
+- MongoDB::Database::count() now uses {$count: "n"} aggregation; signature unchanged, accurate on sharded clusters, transaction-safe. (PR #5359)
+- MongoDB::Database::INDEX_BACKGROUND and MongoDB::OpMsgMessage::CMD_MAP_REDUCE are POCO_DEPRECATED (deprecated server-side in 4.2 and 5.0). (PR #5359)
+- GH #5322 Circular reference in `Application::loadConfiguration()` -- PropertyFileConfiguration parent parameter is now AbstractConfiguration* (was Ptr); caller owns lifetime. Ptr overloads retained as deprecated. Constructors are now explicit.
 
 Security Fixes:
 
-- PR #5351 chore(deps): bundled third-party library updates -- includes
-  expat 2.8.1 with CVE-2026-41080 (hash flooding salt entropy) and
-  CVE-2026-45186 (quadratic runtime on attribute name collisions, DoS).
-- GH #5050 CodeQL: Net: IPv6 isLoopback IPv4-mapped check was always
-  false. Closed by PR #5349.
+- PR #5351 chore(deps): bundled third-party library updates for 1.15.3
+- GH #5050 CodeQL: Net: Comparison result is always the same (PR #5349)
 
 Bundled Third-Party Library Upgrades:
 
-- expat 2.7.5 -> 2.8.1 - security (CVE-2026-41080, CVE-2026-45186), new entropy sources
-- SQLite 3.53.0 -> 3.53.1 - WAL-reset database corruption fix
-- libpng 1.6.57 -> 1.6.58 - fix png_get_PLTE returning stale palette data (1.6.56 regression)
-- 7zip (LZMA SDK) 26.00 -> 26.01 - bug fixes, Linux huge pages
+- expat 2.7.5 -> 2.8.1 (CVE-2026-41080, CVE-2026-45186)
+- SQLite 3.53.0 -> 3.53.1 (WAL-reset corruption fix)
+- libpng 1.6.57 -> 1.6.58 (png_get_PLTE regression fix)
+- 7zip (LZMA SDK) 26.00 -> 26.01
 
 Features, Enhancements and Third Party Updates:
 
-- PR #5346 enh(PostgreSQL): let libpq parse the connection string itself, support URI syntax
-- GH #5344 POCO::JWT issue with OPENSSL_NO_DEPRECATED -- addressed by silencing OpenSSL 3.x deprecation warnings on legacy key accessors (PR #5332)
+- PR #5359 enh(MongoDB): MongoDB 6.0/7.0/8.0 compat -- partial indexes, Decimal128, SCRAM-SHA-256
+- GH #5354 CppUnit terminate handler (PR #5355)
+- PR #5346 Support quoted parameters and URI syntax in PostgreSQL connection strings
+- GH #5344 POCO::JWT issue with OPENSSL_NO_DEPRECATED (PR #5332)
 - PR #5334 enh(MongoDB): add wire version constants for MongoDB 6.1-8.0
-- GH #5337 ProcessRunner error message format
+- GH #5337 `ProcessRunner` error message format (PR #5338)
 
 Bug Fixes and Improvements:
 
-- GH #5352 C++20 does not guarantee atomic_flag::test (PR #5353)
+- PR #5358 fix(AbstractEvent): operator-= holds the event mutex across Delegate destructor
+- PR #5356 [fix] Only allow use atomic when C++20 is properly configured
+- GH #5352 C++ 20 does not guarantee atomic_flag.test (PR #5353)
 - GH #5347 PDF does not build with make
-- GH #5342 Oracle ODBC CI fail
-- GH #5340 PropertyFileConfiguration does not persist deletion of last key from included property files
+- GH #5342 Oracle ODBC CI fail (PR #5343)
+- GH #5340 PropertyFileConfiguration does not persist deletion of last key from included property files (PR #5341)
 - GH #5330 POCO_UNBUNDLED=ON build fails when ZLIB is a transitive dependency of another found package
 - GH #5327 UnbufferedStreamBuf::xsgetn silently swallows decoder errors after partial read (regression from #5290)
-- GH #5324 Logger::shutdown() use-after-free
+- GH #5324 `Logger::shutdown()` use-after-free
 - GH #5316 ThreadTest::testTrySleep flaky on macOS, causes segfault
 - PR #5345 fix(cmake): replace obsolete -s with -Wl,-x on Apple linker
 - PR #5336 Fix C1021 fatal error when building DataSQLite with POCO_SQLITE_UNBUNDLED on MSVC
diff --git a/doc/99100-ReleaseNotes.page b/doc/99100-ReleaseNotes.page
@@ -5,50 +5,52 @@ AAAIntroduction
 
 !!Summary of Changes
 
-A patch release focused on bug fixes, security updates in bundled
-third-party libraries (including two expat CVEs), and a small set of
-enhancements. Notable changes include PostgreSQL connection-string
-URI syntax support, a fix for the WAL-reset database corruption in
-SQLite, and a behaviour correction to the %c date/time format
-specifier so it actually emits centiseconds as documented (this is a
-breaking change for code that relied on the previous single-digit
-decisecond output).
+Bug fixes, expat CVE updates in bundled deps, MongoDB 6.0/7.0/8.0
+compatibility, PostgreSQL URI connection strings, and a corrected %c
+date/time format specifier (breaking).
 
 !!Breaking Changes
 
-  - GH #3949 Poco::DateTimeFormatter: %c now emits zero-padded two-digit centisecond (00..99), matching documentation. Previously it emitted a single-digit decisecond. Closed by PR #5350.
+  - GH #3949 Poco::DateTimeFormatter %c does not format to centisecond but decisecond (PR #5350)
 
 !!API Changes
 
-  - GH #5322 PropertyFileConfiguration optional parent-configuration parameter is now an AbstractConfiguration* raw non-owning pointer instead of AbstractConfiguration::Ptr. Callers must keep the parent alive for the child's lifetime. Ptr-taking overloads retained as deprecated forwarders. Constructors are now explicit. See CHANGELOG for details.
+  - MongoDB::Database::authenticate() default is now SCRAM-SHA-256; pass AUTH_SCRAM_SHA1 for the previous default. ASCII passwords only. (PR #5359)
+  - MongoDB::Database::count() now uses {$count: "n"} aggregation; signature unchanged, accurate on sharded clusters, transaction-safe. (PR #5359)
+  - MongoDB::Database::INDEX_BACKGROUND and MongoDB::OpMsgMessage::CMD_MAP_REDUCE are POCO_DEPRECATED (deprecated server-side in 4.2 and 5.0). (PR #5359)
+  - GH #5322 Circular reference in `Application::loadConfiguration()` -- PropertyFileConfiguration parent parameter is now AbstractConfiguration* (was Ptr); caller owns lifetime. Ptr overloads retained as deprecated. Constructors are now explicit.
 
 !!Security Fixes
 
-  - PR #5351 chore(deps): bundled third-party library updates (expat CVE-2026-41080, CVE-2026-45186)
-  - GH #5050 CodeQL: Net: IPv6 isLoopback IPv4-mapped check was always false
+  - PR #5351 chore(deps): bundled third-party library updates for 1.15.3
+  - GH #5050 CodeQL: Net: Comparison result is always the same (PR #5349)
 
 Bundled Third-Party Library Upgrades:
-  - expat 2.7.5 -> 2.8.1 - security (CVE-2026-41080, CVE-2026-45186), new entropy sources
-  - SQLite 3.53.0 -> 3.53.1 - WAL-reset database corruption fix
-  - libpng 1.6.57 -> 1.6.58 - fix png_get_PLTE returning stale palette data (1.6.56 regression)
-  - 7zip (LZMA SDK) 26.00 -> 26.01 - bug fixes, Linux huge pages
+  - expat 2.7.5 -> 2.8.1 (CVE-2026-41080, CVE-2026-45186)
+  - SQLite 3.53.0 -> 3.53.1 (WAL-reset corruption fix)
+  - libpng 1.6.57 -> 1.6.58 (png_get_PLTE regression fix)
+  - 7zip (LZMA SDK) 26.00 -> 26.01
 
 !!Features, Enhancements and Third Party Updates
 
-  - PR #5346 enh(PostgreSQL): let libpq parse the connection string itself, support URI syntax
-  - GH #5344 POCO::JWT issue with OPENSSL_NO_DEPRECATED -- addressed via PR #5332 (silence OpenSSL 3.x deprecation warnings on legacy key accessors)
+  - PR #5359 enh(MongoDB): MongoDB 6.0/7.0/8.0 compat -- partial indexes, Decimal128, SCRAM-SHA-256
+  - GH #5354 CppUnit terminate handler (PR #5355)
+  - PR #5346 Support quoted parameters and URI syntax in PostgreSQL connection strings
+  - GH #5344 POCO::JWT issue with OPENSSL_NO_DEPRECATED (PR #5332)
   - PR #5334 enh(MongoDB): add wire version constants for MongoDB 6.1-8.0
-  - GH #5337 ProcessRunner error message format
+  - GH #5337 `ProcessRunner` error message format (PR #5338)
 
 !!Bug Fixes and Improvements
 
-  - GH #5352 C++20 does not guarantee atomic_flag::test (PR #5353)
+  - PR #5358 fix(AbstractEvent): operator-= holds the event mutex across Delegate destructor
+  - PR #5356 [fix] Only allow use atomic when C++20 is properly configured
+  - GH #5352 C++ 20 does not guarantee atomic_flag.test (PR #5353)
   - GH #5347 PDF does not build with make
-  - GH #5342 Oracle ODBC CI fail
-  - GH #5340 PropertyFileConfiguration does not persist deletion of last key from included property files
+  - GH #5342 Oracle ODBC CI fail (PR #5343)
+  - GH #5340 PropertyFileConfiguration does not persist deletion of last key from included property files (PR #5341)
   - GH #5330 POCO_UNBUNDLED=ON build fails when ZLIB is a transitive dependency of another found package
   - GH #5327 UnbufferedStreamBuf::xsgetn silently swallows decoder errors after partial read (regression from #5290)
-  - GH #5324 Logger::shutdown() use-after-free
+  - GH #5324 `Logger::shutdown()` use-after-free
   - GH #5316 ThreadTest::testTrySleep flaky on macOS, causes segfault
   - PR #5345 fix(cmake): replace obsolete -s with -Wl,-x on Apple linker
   - PR #5336 Fix C1021 fatal error when building DataSQLite with POCO_SQLITE_UNBUNDLED on MSVC
