Age | Commit message (Collapse) | Author | Files | Lines |
|
Ruby 2.6 reached EOL on 22nd April 2022.
|
|
Start removal of Ruby 2.6.
|
|
|
|
|
|
0.981
* Support for Python 3.6 and 2 Dropped
* Generate Error on Unbound TypeVar Return Type
* Methods with Empty Bodies in Protocols Are Abstract
* Implicit Optional Types Will Be Disabled by Default
* Precise Types for **kwds Using TypedDict
* Experimental Support for General Recursive Types
* Generic NamedTuples and TypedDicts
* Better Support for Callable Attributes
* Per-Module Error Code Configuration
* Experimental Support for Interactive Inspection of Expressions
|
|
This minor release includes 3 security fixes following the security policy:
- archive/tar: unbounded memory consumption when reading headers
Reader.Read did not set a limit on the maximum size of file headers.
A maliciously crafted archive could cause Read to allocate unbounded
amounts of memory, potentially causing resource exhaustion or panics.
Reader.Read now limits the maximum size of header blocks to 1 MiB.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
- net/http/httputil: ReverseProxy should not forward unparseable query parameters
Requests forwarded by ReverseProxy included the raw query parameters from the
inbound request, including unparseable parameters rejected by net/http. This
could permit query parameter smuggling when a Go proxy forwards a parameter
with an unparseable value.
ReverseProxy will now sanitize the query parameters in the forwarded query
when the outbound request's Form field is set after the ReverseProxy.Director
function returns, indicating that the proxy has parsed the query parameters.
Proxies which do not parse query parameters continue to forward the original
query parameters unchanged.
Thanks to Gal Goldstein (Security Researcher, Oxeye) and
Daniel Abeles (Head of Research, Oxeye) for reporting this issue.
This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
- regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size of the input,
but in some cases the constant factor can be as high as 40,000,
making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint.
Regular expressions whose representation would use more space than that
are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
|
|
This minor release includes 3 security fixes following the security policy:
- archive/tar: unbounded memory consumption when reading headers
Reader.Read did not set a limit on the maximum size of file headers.
A maliciously crafted archive could cause Read to allocate unbounded
amounts of memory, potentially causing resource exhaustion or panics.
Reader.Read now limits the maximum size of header blocks to 1 MiB.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-2879 and Go issue https://go.dev/issue/54853.
- net/http/httputil: ReverseProxy should not forward unparseable query parameters
Requests forwarded by ReverseProxy included the raw query parameters from the
inbound request, including unparseable parameters rejected by net/http. This
could permit query parameter smuggling when a Go proxy forwards a parameter
with an unparseable value.
ReverseProxy will now sanitize the query parameters in the forwarded query
when the outbound request's Form field is set after the ReverseProxy.Director
function returns, indicating that the proxy has parsed the query parameters.
Proxies which do not parse query parameters continue to forward the original
query parameters unchanged.
Thanks to Gal Goldstein (Security Researcher, Oxeye) and
Daniel Abeles (Head of Research, Oxeye) for reporting this issue.
This is CVE-2022-2880 and Go issue https://go.dev/issue/54663.
- regexp/syntax: limit memory used by parsing regexps
The parsed regexp representation is linear in the size of the input,
but in some cases the constant factor can be as high as 40,000,
making relatively small regexps consume much larger amounts of memory.
Each regexp being parsed is now limited to a 256 MB memory footprint.
Regular expressions whose representation would use more space than that
are now rejected. Normal use of regular expressions is unaffected.
Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.
This is CVE-2022-41715 and Go issue https://go.dev/issue/55949.
|
|
The specification for pyversion.mk says that it defines PYPKGPREFIX
and PYVERSSUFFIX. Various buildlink files rely on these being
defined, as they are tested without guarding them for being empty.
When there is no valid python version, _PYTHON_VERSION was set to
"none", and PKG_FAIL_REASON defined, so the user gets a reasonable
error. However, if a buildlink3 uses an unguarded PYPKGPREFIX, a
syntax error results, and the PKG_FAIL_REASON is not displayed.
This commit defines the two variables to "none" in the case of no
valid version, mirroring the treatment of _PYTHON_VERSION and
correcting a failure to follow the specification. In this case the
build is going to fail one way or another, but it's vastly better to
have a useful error message.
(Tested earlier, but deferred during freeze.)
|
|
|
|
Go 1.9 and 1.10 are no longer useful because they do not support
module-based builds, which is most other packages now.
Go 1.16 and 1.17 are end of life.
ok to remove from gdt@ on tech-pkg@.
|
|
Removal agreed on tech-pkg@
|
|
29 Sep 2022, PHP 8.0.24
- Core:
. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
(Tim Starling)
. Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb,
Christian Schneider)
. Fixed bug GH-9407 (LSP error in eval'd code refers to wrong class for static
type). (ilutov)
. Fix #81727 (Don't mangle semantically meaningful HTTP var names). (derick)
- DOM:
. Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
(Nathan Freeman)
- FPM:
. Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to
error_log after daemon reload). (Dmitry Menshikov)
. Fixed bug #77780 ("Headers already sent..." when previous connection was
aborted). (Jakub Zelenka)
- GMP
. Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed
to gmp_init()). (Girgias)
- Intl
. Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
(Girgias)
- Phar:
. Fix #81726 (DOS when using quine gzip file). (cmb)
- PDO_PGSQL:
. Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
(Yurunsoft)
- Reflection:
. Fixed bug GH-8932 (ReflectionFunction provides no way to get the called
class of a Closure). (cmb, Nicolas Grekas)
. Fixed bug GH-9409 (Private method is incorrectly dumped as "overwrites").
(ilutov)
- Streams:
. Fixed bug GH-9316 ($http_response_header is wrong for long status line).
(cmb, timwolla)
|
|
29 Sep 2022, PHP 8.1.11
- Core:
. Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
(CVE-2022-31628). (cmb)
. Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
that have a specific semantic meaning. (CVE-2022-31629). (Derick)
. Fixed bug GH-9323 (Crash in ZEND_RETURN/GC/zend_call_function)
(Tim Starling)
. Fixed bug GH-9361 (Segmentation fault on script exit #9379). (cmb,
Christian Schneider)
. Fixed bug GH-9447 (Invalid class FQN emitted by AST dump for new and class
constants in constant expressions). (ilutov)
- DOM:
. Fixed bug #79451 (DOMDocument->replaceChild on doctype causes double free).
(Nathan Freeman)
- FPM:
. Fixed bug GH-8885 (FPM access.log with stderr begins to write logs to
error_log after daemon reload). (Dmitry Menshikov)
. Fixed bug #77780 ("Headers already sent..." when previous connection was
aborted). (Jakub Zelenka)
- GMP
. Fixed bug GH-9308 (GMP throws the wrong error when a GMP object is passed
to gmp_init()). (Girgias)
- Intl
. Fixed bug GH-9421 (Incorrect argument number for ValueError in NumberFormatter).
(Girgias)
- PCRE:
. Fixed pcre.jit on Apple Silicon. (Niklas Keller)
- PDO_PGSQL:
. Fixed bug GH-9411 (PgSQL large object resource is incorrectly closed).
(Yurunsoft)
- Reflection:
. Fixed bug GH-8932 (ReflectionFunction provides no way to get the called
class of a Closure). (cmb, Nicolas Grekas)
- Streams:
. Fixed bug GH-9316 ($http_response_header is wrong for long status line).
(cmb, timwolla)
|
|
- Core:
. Fixed bug #81726: phar wrapper: DOS when using quine gzip file.
(CVE-2022-31628). (cmb)
. Fixed bug #81727: Don't mangle HTTP variable names that clash with ones
that have a specific semantic meaning. (CVE-2022-31629). (Derick)
|
|
Noteworthy changes from 1.6.6:
- Fixed "Add --gc:arc (or --mm:arc) induce different behavior when using
converter" (#19862)
- Fixed "Converting unsigned integer to float fails in VM" (#19199)
- Fixed "regression(0.20.0 => devel): var params assignment gives silently
wrong results in VM" (#15974)
- Fixed "genDepend broken for duplicate module names in separate folders"
(#18735)
- Fixed "Orc booting compiler doesn't work with newSeq operations" (#19404)
- Fixed "hasCustomPragma and getCustomPragmaVal don't work on fields with
backticks" (#20067)
- Fixed "Cant use uint64 in case" (#20031)
- Fixed "nim jsondoc output is broken" (#20132)
- Fixed "Underscores are unnecessarily escaped in db_mysql" (#20153)
- Fixed "Invalid codegen when block ends with lent" (#20107)
- Fixed "locals doesn't work with ORC" (#20162)
- Fixed "reset does not work on set" (#19967)
- Fixed "selectRead and selectWrite are dangerous to use sockets with FD
numbers bigger than FD_SETSIZE (1024) on *nixes" (#19973)
- Fixed "use-after-free bugs in object variants" (#20305)
- Fixed "[ARC] C compiler error when using the result of a template in the
subscript operator" (#20303)
- Fixed "Calling nullary templates without () doesn't work inside calls
inside other templates" (#13515)
- Fixed "[Regression] Incorrect captures of pegs \ident macro in nim 1.6"
(#19104)
- Fixed "Windows gcc shipped with choosenim 1.6.4 with TLS emulation turned
off : The application was unable to start correctly (0xc000007b)."
(#19713)
|
|
Version 18.10.0 (Current)
Notable changes
doc:
(SEMVER-MINOR) deprecate modp1, modp2, and modp5 groups (Tobias Nießen)
add legendecas to TSC list (Michael Dawson)
move policy docs to the permissions scope (Rafael Gonzaga)
gyp:
libnode for ios app embedding (chexiongsheng)
http:
(SEMVER-MINOR) throw error on content-length mismatch (sidwebworks)
stream:
(SEMVER-MINOR) add ReadableByteStream.tee() (Daeyeon Jeong)
|
|
Version 18.9.1 (Current)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
Insufficient fix for macOS devices on v18.5.0
CVE-2022-32222: Node 18 reads openssl.cnf from /home/iojs/build/ upon startup on MacOS (Medium)
CVE-2022-32213: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)
Insufficient fix on v18.5.0
CVE-2022-32215: HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
Insufficient fix on v18.5.0
CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
CVE-2022-35255: Weak randomness in WebCrypto keygen
|
|
Version 16.17.1 'Gallium' (LTS)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35255: Weak randomness in WebCrypto keygen
CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
|
|
Version 14.20.1 'Fermium' (LTS)
This is a security release.
Notable changes
The following CVEs are fixed in this release:
CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
CVE-2022-32213: bypass via obs-fold mechanic (Medium)
CVE-2022-35256: HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (Medium)
|
|
This switches ~all Go packages to be built with Go 1.19 instead of 1.18.
Discussed on tech-pkg@ "ok after the freeze"
|
|
|
|
|
|
|
|
gcc6-aux does not support some of the flags.
|
|
* Add a cast which is needed
* Simplify one other macro
Fixes build on NetBSD/macppc.
|
|
illumos has the header and functions but it shouldn't be used.
|
|
The previous default (...) means "build the whole world", which is never
what you want. Instead, use "./...", which means "everything below the
top-level directory". According to the documentation, this is what was
meant the whole time.
This is probably a no-op because any useful Go package overrides this
currently.
no objection from wiz@
|
|
Requested by nia@ during dev summit @EuroBSDCon
|
|
This now caused the build to fail, and the build and install
now succeeds on NetBSD/macppc.
|
|
This no longer had any effect, and therefore caused the build to fail.
The build and install now succeeds on NetBSD/macppc.
|
|
0.4.7 - 2022-07-12
Fixed
* Fix get_qualified_names_for matching on prefixes of the given name by @lpetre in https://github.com/Instagram/LibCST/pull/719
Added
* Implement lazy loading mechanism for expensive metadata providers by @Chenguang-Zhu in https://github.com/Instagram/LibCST/pull/720
0.4.6 - 2022-07-04
New Contributors
- @superbobry made their first contribution in https://github.com/Instagram/LibCST/pull/702
Fixed
- convert_type_comments now preserves comments following type comments by @superbobry in https://github.com/Instagram/LibCST/pull/702
- QualifiedNameProvider optimizations
- Cache the scope name prefix to prevent scope traversal in a tight loop by @lpetre in https://github.com/Instagram/LibCST/pull/708
- Faster qualified name formatting by @lpetre in https://github.com/Instagram/LibCST/pull/710
- Prevent unnecessary work in Scope.get_qualified_names_for_ by @lpetre in https://github.com/Instagram/LibCST/pull/709
- Fix parsing of parenthesized empty tuples by @zsol in https://github.com/Instagram/LibCST/pull/712
- Support whitespace after ParamSlash by @zsol in https://github.com/Instagram/LibCST/pull/713
- [parser] bail on deeply nested expressions by @zsol in https://github.com/Instagram/LibCST/pull/718
0.4.5 - 2022-06-17
New Contributors
- @zzl0 made their first contribution in https://github.com/Instagram/LibCST/pull/704
Fixed
- Only skip supported escaped characters in f-strings by @zsol in https://github.com/Instagram/LibCST/pull/700
- Escaping quote characters in raw string literals causes a tokenizer error by @zsol in https://github.com/Instagram/LibCST/issues/668
- Corrected a code example in the documentation by @zzl0 in https://github.com/Instagram/LibCST/pull/703
- Handle multiline strings that start with quotes by @zzl0 in https://github.com/Instagram/LibCST/pull/704
- Fixed a performance regression in libcst.metadata.ScopeProvider by @lpetre in https://github.com/Instagram/LibCST/pull/698
0.4.4 - 2022-06-13
New Contributors
- @adamchainz made their first contribution in https://github.com/Instagram/LibCST/pull/688
Added
- Add package links to PyPI by @adamchainz in https://github.com/Instagram/LibCST/pull/688
- native: add overall benchmark by @zsol in https://github.com/Instagram/LibCST/pull/692
- Add support for PEP-646 by @zsol in https://github.com/Instagram/LibCST/pull/696
Updated
- parser: use references instead of smart pointers for Tokens by @zsol in https://github.com/Instagram/LibCST/pull/691
|
|
Changelog:
1.11.1.1155 (Aug 5, 2022)
* TDEPS-228 Add support for auto inferred Sourcehut git urls
* Update aws-api, Maven, etc dep versions
* Use tools.deps.alpha 0.14.1222
1.11.1.1149 (Jun 21, 2022)
* clj -Ttools install-latest - refine how versions are filtered, sorted, and
newest selected
* Update to tools.tools v0.2.8
* Use tools.deps.alpha 0.14.1212
1.11.1.1139 (Jun 16, 2022)
* Add clj -Ttools install-latest api function, examples:
* Install tool: clj -Ttools install-latest :lib
io.github.clojure/tools.deps.graph :as graph
* Update tool: clj -Ttools install-latest :tool graph
* Fix regression with clj -X:deps find-versions from 1.11.1.1119
* Output from clj -X:deps find-versions now provides :git/tag and :git/sha
* Update to tools.tools v0.2.6
* Use tools.deps.alpha 0.14.1205
1.11.1.1129 (Jun 14, 2022)
* Fix directory context of -X:deps prep with transitive local deps
* Use tools.deps.alpha 0.14.1194
1.11.1.1124 (Jun 11, 2022)
* Fix bug in TDEPS-213 change
* Use tools.deps.alpha 0.14.1189
1.11.1.1119 (Jun 9, 2022)
* TDEPS-213 - Add -X:deps aliases to list available aliases
* TDEPS-226 - More nuanced error handling for s3 downloads
* Better error message when git url can't be inferred
* Use tools.deps.alpha 0.14.1185
1.11.1.1113 (Apr 25, 2022)
* TDEPS-153 - yet more fixes for errors during concurrent Maven downloads
* Use tools.deps.alpha 0.14.1178
1.11.1.1105 (Apr 5, 2022)
* Default to Clojure 1.11.1 if no Clojure version specified
1.11.0.1100 (Mar 28, 2022)
* Default to Clojure 1.11.0 if no Clojure version specified
* TDEPS-153 Fix concurrency issues in Maven artifact downloads
1.10.3.1087 (Feb 28, 2022)
* Fix error message when git url missing or not inferred
* Pass :exec-fn and :exec-args to -X/-T even when using -Scp
* TDEPS-222 Make Clojure dependency in pom a compile dependency, not provided
* TDEPS-203 In -X:deps prep - now takes basis settings, including aliases
* TDEPS-197 -X:deps git-resolve-tags - now resolves to :git/tag and :git/sha
* -X:deps tree - now takes basis settings
* -X:deps mvn-pom - now takes basis settings
* -X:deps list - put license abbreviation list in a resource and load on
demand
* Use tools.deps.alpha 0.12.1158
1.10.3.1075 (Feb 2, 2022)
* TDEPS-216 - Built-in :deps alias should remove project paths from classpath
* Improve error if git sha is not found in git repo
* Improve prep error if transitive dep's prep function is unresolvable
* Bump AWS deps to latest versions
* Use tools.deps.alpha 0.12.1135
1.10.3.1069 (Jan 26, 2022)
* Update some Maven transitive deps to address some CVEs
* Update to tools.tools v0.2.5
* Add check to error on invocation of multiple exec functions
* Use tools.deps.alpha 0.12.1120
1.10.3.1058 (Jan 5, 2022)
* TDEPS-207 Fix deadlock in version range resolution
* TDEPS-215 Fix race condition during parallel loading of s3 transporter
* Don't track local deps.edn manifest for caching if deps project doesn't
have one
* Update maven-core to 3.8.4, aws libs, tools.build, tools.tools to latest
* Use tools.deps.alpha 0.12.1109
1.10.3.1040 (Dec 1, 2021)
* Add clj -X:deps list for listing the full transitive set of deps and their
license info - see docs
* Improved error handling for unknown tool with -T or -X:deps find-versions
* Use tools.deps.alpha 0.12.1084
1.10.3.1029 (Nov 8, 2021)
* TDEPS-212 Cover a much wider range of valid git dep urls, including git
file urls
* Use tools.deps.alpha 0.12.1071
1.10.3.1020 (Nov 5, 2021)
* TDEPS-83 Invalidate classpath cache when local dep manifests change
* Add new clj -X:deps list program to list the full lib set on the classpath,
see API docs for more info
* Bump deps to more recent versions - aws-api, jetty-client, etc
* Clean up exception handling for -X/-T
* Use tools.deps.alpha 0.12.1067
1.10.3.998 (Oct 26, 2021)
* Remove bottle :unneeded from brew formulas (no longer needed)
* TDEPS-209 Include only jar files in classpath from Maven artifacts
* Update to tools.tools v0.2.1 (minor improvements in clj -Ttools list)
* Use tools.deps.alpha 0.12.1058
1.10.3.986 (Sep 22, 2021)
* Fix nested session cache computation for local pom model building
* Use tools.deps.alpha 0.12.1048
1.10.3.981 (Sep 21, 2021)
* Update to latest AWS API libs
* Downgrade Maven resolver libs to better match Maven core libs
* Use tools.deps.alpha 0.12.1041
1.10.3.967 (Sep 1, 2021)
* Refine exec exceptions for missing namespace vs missing function in
namespace
* Replace Maven-based build process with tools.build
* Compile entry points in tools.deps used for building classpaths for
performance
* Use tools.deps.alpha 0.12.1036
1.10.3.943 (Aug 13, 2021)
* TDEPS-199 Use default http-client in S3 transporter
* Cache S3 transporter for a repo
* Fixed session cache to work properly across threads / binding stacks for
better perf
* Replace specific maven version range requests with non-range request to
reduce repo metadata lookups
* Load and cache Maven settings once for perf
* Cache version range resolution results for perf
* Use tools.deps.alpha 0.12.1019
1.10.3.933 (July 28, 2021)
* deps.edn
+ git deps
o If a git library name follows the repo convention names, the
:git/url can now be inferred (:git/url can also be specified explicitly
and takes precedence)
o :git/tag and prefix :git/sha can now be specified instead of the
full sha. Both must point to the same commit.
o :sha has been renamed to :git/sha but the original is still
supported for backwards compatibility
+ :deps/prep-lib - a new top-level key can be used to say how a source
lib should be prepared before being added to the classpath. This key's
value is a map with :alias, :fn, and :ensures. See prep docs for more
info.
+ :tools/usage - a new top-level key can be used to provide the
:ns-default and :ns-aliases context for a tool
* Tools - git-based programs that can be installed with a local name. Tools
can provide their own usage context in deps.edn.
+ Added new auto-installed tool named tools with functions install, list,
remove. See reference.
+ Install a tool with clojure -Ttools install <lib> <coord> :as
<toolname>
+ Run a tool with clojure -T<toolname> fn (also takes -X style args)
* Clojure CLI
+ New -T option is like -X (executes a function) but does not use the
project classpath, instead uses tool classpath (and adds :paths ["."]
by default). -T:aliases is otherwise same as -X. -Ttoolname resolves
named tool by name and uses that tool lib.
+ TDEPS-198 - -X and -T will not wait to exit if futures/agents have been
used
+ TDEPS-182 - Improve deprecation messages to be more accurate
+ TDEPS-183 - Fix -Sdescribe output to be valid EDN on Windows
+ TDEPS-179 - Fix incorrect classpath when :classpath-overrides removes
path
+ Delay computation of local-repo path (don't compute at load time)
+ Use tools.deps.alpha 0.12.1003
* New -X:deps programs:
+ find-versions - to find versions of Maven or git libs or tools
+ prep - use to prep source libs
+ help/dir - to list available functions in a tool namespace
+ help/doc - to list docs for a tool namespace or function
Read more at Source Libs and Builds.
1.10.3.855 (May 25, 2021)
* Fix in applying :jvm-opts with -X execution on Windows
1.10.3.849 (May 21, 2021)
* Adds support for a trailing map of kvs in -X calls (similar to Clojure 1.11
trailing map to vararg calls)
* Updates all Maven deps to latest (maven-resolver 1.7.0, maven core 1.8.3)
to address these security concerns
+ CVE-2020-13956 - bumps deps on Apache HttpClient used by Maven
+ CVE-2021-26291 - potential security problems regarding Maven
repositories:
o Due to the possibility of MITM (man in the middle) attacks, http
repo access is now blocked by default. tools.deps/Clojure CLI has
always used https repos in the default repository list (central and
clojars), so this mostly impacts any explicit http repositories
defined in deps.edn
o Concerns over the "hijacking" of repository urls by transitive pom
deps (or their super poms) to download artifacts from malicious
repos. Maven made no changes here, but did clarify how repos are
resolved on this page. From a deps perspective, we only use
repositories declared in the top-level deps.edn (if transitive deps
need a custom repo, you will need to add it at top-level too). For
tools.deps use of pom dependencies, we are providing the repos of
the top deps.edn file (which should always put Maven Central and
Clojars first), then deferring to Maven for the rest.
* Use tools.deps.alpha 0.11.922
1.10.3.839 (May 12, 2021)
* Fix Linux installer breakage in 1.10.3.833
1.10.3.833 (May 11, 2021)
* TDEPS-177 - Fix Maven mirrors to look up by id, not name
* Remove flag when fetching git deps so that older git versions work
* Tweak some warning messages
* Clean up scripts to simplify variable replacement
* Use tools.deps.alpha 0.11.918
1.10.3.822 (Apr 3, 2021)
* Fix issue with git deps where new commits on branches were not fetched
1.10.3.814 (Mar 16, 2021)
* git deps: switch from using jgit to shelling out to git (must be git >=
2.5)
+ New env vars for control:
o GITLIBS_COMMAND - command to invoke when shelling out to git,
default = git
o GITLIBS_DEBUG - set to true to print git commands and output to
stderr, default = false
* Made git fetch only when shas can't be resolved to improve performance
* Bump dep versions for tools.cli and aws api to latest
* Use tools.deps.alpha 0.11.905
1.10.2.796 (Feb 23, 2021)
* Fix clj -X:deps git-resolve-tags to update the sha to match the tag
* Perf improvements for git or local deps using pom.xml
* Use tools.deps.alpha 0.9.884
1.10.2.790 (Feb 19, 2021)
* Add -version and --version options
* TDEPS-56 - Fix main-opts and jvm-opts word splitting on spaces
* TDEPS-125 - Use JAVA_CMD if set (thanks Gregor Middell!)
* Add warning if :paths or :extra-paths refers to a directory outside the
project root (in the future will become an error)
* Use tools.deps.alpha 0.9.871
1.10.2.774 (Jan 26, 2021)
* Improve error when git dep version relationship can't be determined
* Switch to 1.10.2 for default Clojure version
* Use tools.deps.alpha 0.9.863
1.10.1.763 (Dec 10, 2020)
* Set exit code for -X ex-info error
* Sync up cli syntax for aliases in help
* Use tools.deps.alpha 0.9.857
1.10.1.754 (Dec 7, 2020)
* New, more informative tree format for clj -Stree / clj -X:deps tree
* Added options for use with clj -X:deps tree
* Use tools.deps.alpha 0.9.857
1.10.1.739 (Nov 23, 2020)
* Fix use of jdk profile activation in local deps with pom files
* Fix error handling for -X to avoid double throw
* Add error handling for -A used without an alias
* Use tools.deps.alpha 0.9.840
1.10.1.727 (Oct 21, 2020)
* Fix clj -X:deps tree adding tools.deps.alpha to tree
* Fix clj -X:deps mvn-pom adding tools.deps.alpha to pom deps
* Fix clj -X:deps git-resolve-tags not working
* TDEPS-169 - Fix clj -X:deps mvn-install on jar to also install embedded pom
* Fix clj -Spom not respecting dep modifications from -A (regression)
* Use tools.deps.alpha 0.9.833
1.10.1.716 (Oct 10, 2020)
* Make edn reading tolerant of unknown tagged literals
* Update to latest dependencies for maven-resolver and aws-api
* Use tools.deps.alpha 0.9.821
1.10.1.708 (Oct 7, 2020)
* Fixes to handling transitive deps when newer versions of a dep are found in
the dep expansion
* TDEPS-168 - Improvements to -X error message handling
* Use tools.deps.alpha 0.9.816
1.10.1.697 (Sept 25, 2020)
* Added execution mode (-X)
* Added prepare mode (-P)
* Expanded main execution (-M) to support all argmap arguments
* Added new argmap attributes for namespace resolution:
+ :ns-aliases and :ns-default
* Added new clojure.tools.cli.api available via -X:deps alias:
+ clj -X:deps git-resolve-tags
+ clj -X:deps mvn-install
+ clj -X:deps mvn-pom
+ clj -X:deps tree
* Deprecated -R, -C (use -X, -M, or -A instead)
* Deprecated unqualified lib names in deps.edn (use fully qualified lib
names)
* Deprecated alias tool args :deps and :paths (use :replace-deps and
:replace-paths)
* Removed -O (use -X, -M, or -A)
* Removed -Sresolve-tags (use -X:deps git-resolve-tags)
* TDEPS-152 - Fixes to -Spom generation with srcDirectory
* TDEPS-155 - Better error handling for bad coordinates
* TDEPS-167 - Handle absolute resource paths in pom deps
* Use tools.deps.alpha 0.9.810
1.10.1.561 (July 17, 2020)
* Rework exclusion handling when exclusion sets differ for same lib/version
* Use tools.deps.alpha 0.8.709
1.10.1.547 (June 11, 2020)
* (Windows) Write -Spath to output, not to host
* TDEPS-152 - Fix bad addition of srcDirectory in pom gen
* TDEPS-155 - Add error checking for missing :mvn/version
* Use tools.deps.alpha 0.8.695
1.10.1.536 (Feb 28, 2020)
* Release automation work, no tool changes
1.10.1.510 (Feb 14, 2020)
* TDEPS-150 - Fix regression in supporting -Scp flag (avoid resolving deps)
* TDEPS-148 - Fix incorrect path resolution for git/local dep without
deps.edn
* Use tools.deps.alpha 0.8.677
|
|
Fixes builds of go118 and newer in x86_64 chroots on an arm64 host. The go
build system parses "uname -v" and incorrectly assumes that if you're running
on an arm64 host you always want arm64 binaries.
|
|
Fixes build in an x86_64 chroot on an arm64 host.
|
|
Changes from 5.1.x to 5.2.0
---------------------------
*****************************************************************************
* MPFR mode (the -M option) is now ON PAROLE. This feature is now being *
* supported by a volunteer in the development team and not by the primary *
* maintainer. If this situation changes, then the feature will be removed. *
* For more information see this section in the manual: *
* https://www.gnu.org/software/gawk/manual/html_node/MPFR-On-Parole.html *
*****************************************************************************
1. Infrastructure upgrades: Libtool 2.4.7, Bison 3.8.2.
2. Numeric scalars now compare in the same way as C for the relational
operators. Comparison order for sorting has not changed. This only
makes a difference when comparing Infinity and NaN values with
regular numbers; it should not be noticeable most of the time.
3. If the AWK_HASH environment variable is set to "fnv1a" gawk will
use the FNV1-A hash function for associative arrays.
4. The CMake infrastructure has been removed. In the five years it was in
the tree, nobody used it, and it was not updated.
5. There is now a new function, mkbool(), that creates Boolean-typed
values. These values *are* numbers, but they are also tagged as
Boolean. This is mainly for use with data exchange to/from languages
or environments that support real Boolean values. See the manual
for details.
6. As BWK awk has supported interval expressions since 2019, they are
now enabled even if --traditional is supplied. The -r/--re-interval option
remains, but it does nothing.
7. The rwarray extension has two new functions, writeall() and readall(),
for saving / restoring all of gawk's variables and arrays.
8. The new `gawkbug' script should be used for reporting bugs.
9. The manual page (doc/gawk.1) has been considerably reduced in size.
Wherever possible, details were replaced with references to the online
copy of the manual.
10. Gawk now supports Terence Kelly's "persistent malloc" (pma),
allowing gawk to preserve its variables, arrays and user-defined
functions between runs. THIS IS AN EXPERIMENTAL FEATURE!
For more information, see the manual. A new pm-gawk.1 man page
is included, as is a separate user manual that focuses on the feature.
11. Support for OS/2 has been removed. It was not being actively
maintained.
12. Similarly, support for DJGPP has been removed. It also was not
being actively maintained.
13. VAX/VMS is no longer supported, as it can no longer be tested.
The files for it remain in the distribution but will be removed
eventually.
14. Some subtle issues with untyped array elements being passed to
functions have been fixed.
15. Syntax errors are now immediately fatal. This prevents problems
with errors from fuzzers and other such things.
16. There have been numerous minor code cleanups and bug fixes. See the
ChangeLog for details.
|
|
...so that we don't insist on -mno-pltseq on older NetBSD.
|
|
Python 3.7.14
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.
Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.
Library
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.
Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.3.1.
Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
bpo-41306: Fixed a failure in test_tk.test_widgets.ScaleTest happening when executing the test with Tk 8.6.10.
Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
|
|
Add support for Ruby 3.1, which was lacking. The real change for it was
accidentally committed in the previous update for Ruby on Rails 7.1
Bump PKGREVISION.
|
|
Start update of Ruby on Rails to 7.0.4.
|
|
Ruby on Rails 6.1.7 was released on 9th September 2022.
Active Record and Active Storage are updated:
Active Record
* Symbol is allowed by default for YAML columns
Étienne Barrié
* Fix ActiveRecord::Store to serialize as a regular Hash
Previously it would serialize as an
ActiveSupport::HashWithIndifferentAccess, which is wasteful and causes
problems with YAML safe_load.
Jean Boussier
* Fix PG.connect keyword arguments deprecation warning on ruby 2.7
Fixes .
Nikita Vasilevsky
Active Storage
* Respect Active Record's primary_key_type in Active Storage
migrations. Backported from 7.0.
fatkodima
|
|
Ruby on Rails 6.0.6 was released on 9th September 2022, and
only Active Record is updated.
databases/ruby-activerecord60
* Symbol is allowed by default for YAML columns
Étienne Barrié
|
|
Vala 0.56.3
===========
* Various improvements and bug fixes:
- vala: Don't unconditionally expect ObjectType of Class [#1341]
- vala: Make try-statement parsing more resilient [#1304]
- vala: Avoid problems with '\' in #line directives on Windows [#1353]
- gidlparser: Set source reference of parameters
* Bindings:
- atspi-2: Fix a few binding errors
- glib-2.0: Use g_abort for GLib.Process.abort() beginning with 2.50 [#1350]
- gtk+-3.0: Correctly unhide BindingSet.by_class to avoid Version attribute
|
|
Python 3.9.14
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.
Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.
Library
gh-94821: Fix binding of unix socket to empty address on Linux to use an available address from the abstract namespace, instead of “0”.
gh-91810: Suppress writing an XML declaration in open files in ElementTree.write() with encoding='unicode' and xml_declaration=None.
bpo-45393: Fix the formatting for await x and not x in the operator precedence table when using the help() system.
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.
Tests
gh-95280: Fix problem with test_ssl test_get_ciphers on systems that require perfect forward secrecy (PFS) ciphers.
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
|
|
Python 3.8.14
Security
gh-95778: Converting between int and str in bases other than 2 (binary), 4, 8 (octal), 16 (hexadecimal), or 32 such as base 10 (decimal) now raises a ValueError if the number of digits in string form is above a limit to avoid potential denial of service attacks due to the algorithmic complexity. This is a mitigation for CVE-2020-10735.
This new limit can be configured or disabled by environment variable, command line flag, or sys APIs. See the integer string conversion length limitation documentation. The default limit is 4300 digits in string form.
Patch by Gregory P. Smith [Google] and Christian Heimes [Red Hat] with feedback from Victor Stinner, Thomas Wouters, Steve Dower, Ned Deily, and Mark Dickinson.
gh-87389: http.server: Fix an open redirection vulnerability in the HTTP server when an URI path starts with //. Vulnerability discovered, and initial fix proposed, by Hamza Avvan.
Core and Builtins
gh-93065: Fix contextvars HAMT implementation to handle iteration over deep trees.
The bug was discovered and fixed by Eli Libman. See MagicStack/immutables#84 for more details.
Library
bpo-46197: Fix ensurepip environment isolation for subprocess running pip.
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.
Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.
Tests
gh-94208: test_ssl is now checking for supported TLS version and protocols in more tests.
bpo-47016: Create a GitHub Actions workflow for verifying bundled pip and setuptools. Patch by Illia Volochii and Adam Turner.
bpo-46114: Fix test case for OpenSSL 3.0.1 version. OpenSSL 3.0 uses 0xMNN00PP0L.
Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
|
|
This minor release includes 2 security fixes following the security policy:
net/http: handle server errors after sending GOAWAY
A closing HTTP/2 server connection could hang forever waiting for a clean
shutdown that was preempted by a subsequent fatal error. This failure mode
could be exploited to cause a denial of service.
Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher,
and Kaan Onarlioglu for reporting this.
This is CVE-2022-27664 and Go issue https://go.dev/issue/54658.
net/url: JoinPath does not strip relative path components in all circumstances
JoinPath and URL.JoinPath would not remove ../ path components appended to a
relative path. For example, JoinPath("https://go.dev", "../go") returned the
URL https://go.dev/../go, despite the JoinPath documentation stating that ../
path elements are cleaned from the result.
Thanks to q0jt for reporting this issue.
This is CVE-2022-32190 and Go issue https://go.dev/issue/54385.
|
|
Release notes are too long to paste here:
* 0.15.4: https://github.com/purescript/purescript/releases/tag/v0.15.4
* 0.15.3: https://github.com/purescript/purescript/releases/tag/v0.15.3
* 0.15.2: https://github.com/purescript/purescript/releases/tag/v0.15.2
* 0.15.0: https://github.com/purescript/purescript/releases/tag/v0.15.0
* 0.14.9: https://github.com/purescript/purescript/releases/tag/v0.14.9
* 0.14.8: https://github.com/purescript/purescript/releases/tag/v0.14.8
* 0.14.7: https://github.com/purescript/purescript/releases/tag/v0.14.7
|