| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Compiler options/fixes pertaining to the host compiler should not depend on
the target selection.
|
|
|
|
https://github.com/rakudo/rakudo/releases/tag/2021.06
New in 2021.06:
* Additions:
+ Support generics with consumption and inheritance in roles [4b99656][
6e1cfe4]
+ Introduce done foo syntax as a shortcut for emit foo; done [452e92e]
+ Implement pick method on Any taking HyperWhatever as an argument (.pick
(**)),
which produce all values of Foo.pick(), and then produce all values
of Foo.pick() again, and again, ad infinitum [cd4a72b]
+ Add a repl sub to enter the REPL from within a program [4183cda]
+ Add Buf and Blob coercers to Blob and Buf roles [f83e551]
* Changes:
+ No longer use Unicode in REPL on Windows [5e1c97b]
* Efficiency:
+ Tweak worker addition for many small tasks [39e5834]
+ Make .grep(Regex) and .first(Regex) about 40% faster [0de28ae]
+ Speed up setup of NativeCall subs and reduce memory usage [3b7fef2]
+ Micro-optimize levenshtein sub used to suggest alternatives in error
messages [da0f561]
* Fixes:
+ Improve stability on Windows by trying to rename precomp files multiple
times [a9510b8][7dfed29]
+ Fix bogus "emit without supply or react" error when using hyper to
process arrays [4953a29]
+ Fix some edge cases with (+), (.), (&) and (|) set operators [89fd8a8]
+ Make signature destructuring with a Junction an error [15d372e][57070f0
]
+ Make Mu eqv Mu work [750c5d0]
+ Fix possible error when throwing an exception on JVM backend [9743035]
* Internals:
+ Provide support for CORE:: namespace for the core itself [ea92934][
3fcf6f7][b03afef]
+ Remove a special case for native arrays on JVM [28ff12a]
+ Simplify Iterable eqv Iterable implementation [168da39]
+ Abstract single elem path of [] into Rakudo::Internals [db074a8]
|
|
|
|
|
|
Causes -arch x86_64 to be added to CFLAGS and then fails to link.
|
|
|
|
Unfortunately stripping the signatures breaks running the binaries outside a
chroot according to schmonz, so we're left with no choice but to make this
user-configurable. It took a lot of effort for me not to name this variable
something far ruder.
This will still mean the go-bin package is ultimately useless when shipped as
part of a package set, but really we only need it for bootstrapping a real
version which should work fine.
|
|
|
|
This causes problems executing inside a chroot. Bump PKGREVISION.
|
|
Fixes the build of go116 when inside a chroot as the signatures cannot be
verified for some reason.
|
|
Fixes builds on OS where PKG_SUPPORTED_OPTIONS is not defined, so
bsd.options.mk is not pulled in, but OPSYS is still tested.
|
|
|
|
This minor release includes a security fix according to the new security policy.
crypto/tls clients can panic when provided a certificate of the wrong type for
the negotiated parameters. net/http clients performing HTTPS requests are also
affected. The panic can be triggered by an attacker in a privileged network
position without access to the server certificate's private key, as long as a
trusted ECDSA or Ed25519 certificate for the server exists (or can be issued),
or the client is configured with Config.InsecureSkipVerify. Clients that
disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this
issue.
|
|
This minor release includes a security fix according to the new security policy.
crypto/tls clients can panic when provided a certificate of the wrong type for
the negotiated parameters. net/http clients performing HTTPS requests are also
affected. The panic can be triggered by an attacker in a privileged network
position without access to the server certificate's private key, as long as a
trusted ECDSA or Ed25519 certificate for the server exists (or can be issued),
or the client is configured with Config.InsecureSkipVerify. Clients that
disable all TLS_RSA cipher suites (that is, TLS 1.0–1.2 cipher
suites without ECDHE), as well as TLS 1.3-only clients, are unaffected.
This is issue 47143 and CVE-2021-34558. Thanks to Imre Rad for reporting this
issue.
|
|
0.8.0:
Language Changes
No More Extern or Packed Enums
Require Block After Suspend
@extern
Nameless Tests
@TagType Removed
nosuspend
Add SysV Calling Convention
Wrapping Negation on Unsigned Ints at comptime
@import("builtin") no longer re-exports std.builtin
|
|
What’s New in Libc++ 12.0.0?
New Features
Random device support has been made optional. It’s enabled by default and can be disabled by building libc++ with -DLIBCXX_ENABLE_RANDOM_DEVICE=OFF. Disabling random device support can be useful when building the library for platforms that don’t have a source of randomness, such as some embedded platforms. When this is not supported, most of <random> will still be available, but std::random_device will not.
Localization support has been made optional. It’s enabled by default and can be disabled by building libc++ with -DLIBCXX_ENABLE_LOCALIZATION=OFF. Disabling localization can be useful when porting to platforms that don’t support the C locale API (e.g. embedded). When localization is not supported, several parts of the library will be disabled: <iostream>, <regex>, <locale> will be completely unusable, and other parts may be only partly available.
If libc++ is compiled with a C++20 capable compiler it will be compiled in C++20 mode. Else libc++ will be compiled in C++17 mode.
Several unqualified lookups in libc++ have been changed to qualified lookups. This makes libc++ more ADL-proof.
The libc++ implementation status pages have been overhauled. Like other parts documentation they now use restructured text instead of html. Starting with libc++12 the status pages are part of libc++’s documentation.
More C++20 features have been implemented. libc++ C++20 Status has the full overview of libc++’s C++20 implementation status.
Work has started to implement new C++2b features. libc++ C++2b Status has the full overview of libc++’s C++2b implementation status.
API Changes
By default, libc++ will _not_ include the definition for new and delete, since those are provided in libc++abi. Vendors wishing to provide new and delete in libc++ can build the library with -DLIBCXX_ENABLE_NEW_DELETE_DEFINITIONS=ON to get back the old behavior. This was done to avoid providing new and delete in both libc++ and libc++abi, which is technically an ODR violation. Also note that we couldn’t decide to put the operators in libc++ only, because they are needed from libc++abi (which would create a circular dependency).
During the C++20 standardization process some new low-level bit functions have been renamed. Libc++ has renamed these functions to match the C++20 Standard. - ispow2 has been renamed to has_single_bit - ceil2 has been renamed to bit_ceil - floor2 has been renamed to bit_floor - log2p1 has been renamed to bit_width
In C++20 mode, std::filesystem::path::u8string() and generic_u8string() now return std::u8string according to P0428, while they return std::string in C++17. This can cause source incompatibility, which is discussed and acknowledged in P1423, but that paper doesn’t suggest any remediation for this incompatibility.
|
|
Improvements to clangd
Performance
clangd’s memory usage is significantly reduced on most Linux systems. In particular, memory usage should not increase dramatically over time.
The standard allocator on most systems is glibc’s ptmalloc2, and it creates disproportionately large heaps when handling clangd’s allocation patterns. By default, clangd will now periodically call malloc_trim to release free pages on glibc systems.
Users of other allocators (such as jemalloc or tcmalloc) on glibc systems can disable this using --malloc_trim=0 or the CMake flag -DCLANGD_MALLOC_TRIM=0.
Added the $/memoryUsage request: an LSP extension. This provides a breakdown of the memory clangd thinks it is using (excluding malloc overhead etc). The clangd VSCode extension supports showing the memory usage tree.
Parsing and selection
Improved navigation of broken code in C using Recovery AST. (This has been enabled for C++ since clangd 11).
Types are understood more often in broken code. (This is the first release where Recovery AST preserves speculated types).
Heuristic resolution for dependent names in templates.
Code completion
Higher priority for symbols that were already used in this file, and symbols from namespaces mentioned in this file. (Estimated 3% accuracy improvement)
Introduced a ranking algorithm trained on snippets from a large C++ codebase. Use the flag --ranking-model=decision_forest to try this (Estimated 6% accuracy improvement). This mode is likely to become the default in future.
Note: this is a generic model, not specialized for your code. clangd does not collect any data from your code to train code completion.
Signature help works with functions with template-dependent parameter types.
Go to definition
Selecting an auto or decltype keyword will attempt to navigate to a definition of the deduced type.
Improved handling of aliases: navigate to the underlying entity more often.
Better understanding of declaration vs definition for Objective-C classes and protocols.
Selecting a pure-virtual method shows its overrides.
Find references
Indexes are smarter about not returning stale references when code is deleted.
References in implementation files are always indexed, so results should be more complete.
Find-references on a virtual method shows references to overridden methods.
New navigation features
Call hierarchy (textDocument/callHierarchy) is supported. Only incoming calls are available.
Go to implementation (textDocument/implementation) is supported on abstract classes, and on virtual methods.
Symbol search (workspace/symbol) queries may be partially qualified. That is, typing b::Foo will match the symbol a::b::c::Foo.
Refactoring
New refactoring: populate switch statement with cases. (This acts as a fix for the -Wswitch-enum warning).
Renaming templates is supported, and many other complex cases were fixed.
Attempting to rename to an invalid or conflicting name can produce an error message rather than broken code. (Not all cases are detected!)
The accuracy of many code actions has been improved.
Hover
Hovers for auto and decltype show the type in the same style as other hovers. this is also now supported.
Displayed type names are more consistent and idiomatic.
Semantic highlighting
Inactive preprocessor regions (#ifdef) are highlighted as comments.
clangd 12 is the last release with support for the non-standard textDocument/semanticHighlights notification. Clients sholud migrate to the textDocument/semanticTokens request added in LSP 3.16.
Remote index (alpha)
clangd can now connect to a remote index server instead of building a project index locally. This saves resources in large codebases that are slow to index.
The server program is clangd-index-server, and it consumes index files produced by clangd-indexer.
This feature requires clangd to be built with the CMake flag -DCLANGD_ENABLE_REMOTE=On, which requires GRPC libraries and is not enabled by default. Unofficial releases of the remote-index-enabled client and server tools are at https://github.com/clangd/clangd/releases
Large projects can deploy a shared server, and check in a .clangd file to enable it (in the Index.External section). We hope to provide such a server for llvm-project itself in the near future.
Configuration
Static and remote indexes can be configured in the Index.External section. Different static indexes can now be used for different files. (Obsoletes the flag --index-file).
Diagnostics can be filtered or suppressed in the Diagnostics section.
Clang-tidy checks can be enabled/disabled in the Diagnostics.ClangTidy section. (Obsoletes the flag --clang-tidy-checks).
The compilation database directory can be configured in the CompileFlags section. Different compilation databases can now be specified for different files. (Obsoletes the flag --compile-commands-dir).
Errors in loaded configuration files are published as LSP diagnostics, and so should be shown in your editor.
Full reference of configuration options
System integration
Changes to compile_commands.json and compile_flags.txt will take effect the next time a file is parsed, without restarting clangd.
clangd --check=<filename> can be run on the command-line to simulate opening a file without actually using an editor. This can be useful to reproduce crashes or aother problems.
Various fixes to handle filenames correctly (and case-insensitively) on windows.
If incoming LSP messages are malformed, the logs now contain details.
Miscellaneous
“Show AST” request (textDocument/ast) added as an LSP extension. This displays a simplified view of the clang AST for selected code. The clangd VSCode extension supports this.
clangd should no longer crash while loading old or corrupt index files.
The flags --index, --recovery-ast and -suggest-missing-includes have been retired. These features are now always enabled.
Too many stability and correctness fixes to mention.
|
|
12.0.1:
Non-comprehensive list of changes in this release
The builtin intrinsics __builtin_bitreverse8, __builtin_bitreverse16, __builtin_bitreverse32 and __builtin_bitreverse64 may now be used within constant expressions.
The builtin intrinsics __builtin_rotateleft8, __builtin_rotateleft16, __builtin_rotateleft32 and __builtin_rotateleft64 may now be used within constant expressions.
The builtin intrinsics __builtin_rotateright8, __builtin_rotateright16, __builtin_rotateright32 and __builtin_rotateright64 may now be used within constant expressions.
New Compiler Flags
…
AArch64 options -moutline-atomics, -mno-outline-atomics to enable and disable calls to helper functions implementing atomic operations. These out-of-line helpers like ‘__aarch64_cas8_relax’ will detect at runtime AArch64 Large System Extensions (LSE) availability and either use their atomic instructions, or falls back to LL/SC loop. These options do not apply if the compilation target supports LSE. Atomic instructions are used directly in that case. The option’s behaviour mirrors GCC, the helpers are implemented both in compiler-rt and libgcc.
New option -fbinutils-version= specifies the targeted binutils version. For example, -fbinutils-version=2.35 means compatibility with GNU as/ld before 2.35 is not needed: new features can be used and there is no need to work around old GNU as/ld bugs.
Deprecated Compiler Flags
The following options are deprecated and ignored. They will be removed in future versions of Clang.
The clang-cl /fallback flag, which made clang-cl invoke Microsoft Visual C++ on files it couldn’t compile itself, has been deprecated. It will be removed in Clang 13.
…
Modified Compiler Flags
On ELF, -gz now defaults to -gz=zlib with the integrated assembler. It produces SHF_COMPRESSED style compression of debug information. GNU binutils 2.26 or newer, or lld is required to link produced object files. Use -gz=zlib-gnu to get the old behavior.
Now that this pointers are tagged with nonnull and dereferenceable(N), -fno-delete-null-pointer-checks has gained the power to remove the nonnull attribute on this for configurations that need it to be nullable.
-gsplit-dwarf no longer implies -g2.
-fasynchronous-unwind-tables is now the default on Linux AArch64/PowerPC. This behavior matches newer GCC. (D91760) (D92054)
Support has been added for the following processors (command-line identifiers in parentheses):
Arm Cortex-A78C (cortex-a78c).
Arm Cortex-R82 (cortex-r82).
Arm Neoverse V1 (neoverse-v1).
Arm Neoverse N2 (neoverse-n2).
Fujitsu A64FX (a64fx).
For example, to select architecture support and tuning for Neoverse-V1 based systems, use -mcpu=neoverse-v1.
Removed Compiler Flags
The following options no longer exist.
clang-cl’s /Zd flag no longer exist. But -gline-tables-only still exists and does the same thing.
New Pragmas in Clang
…
Modified Pragmas in Clang
The “#pragma clang loop vectorize_width” has been extended to support an optional ‘fixed|scalable’ argument, which can be used to indicate that the compiler should use fixed-width or scalable vectorization. Fixed-width is assumed by default.
Scalable or vector length agnostic vectorization is an experimental feature for targets that support scalable vectors. For more information please refer to the Clang Language Extensions documentation.
Attribute Changes in Clang
Added support for the C++20 likelihood attributes [[likely]] and [[unlikely]]. As an extension they can be used in C++11 and newer. This extension is enabled by default.
|
|
12.0.1:
Non-comprehensive list of changes in this release
The ConstantPropagation pass was removed. Users should use the InstSimplify pass instead.
Changes to the LLVM IR
Added the byref attribute to better represent argument passing for the amdgpu_kernel calling convention.
Added type parameter to the sret attribute to continue work on removing pointer element types.
The llvm.experimental.vector.reduce family of intrinsics have been renamed to drop the “experimental” from the name, reflecting their now fully supported status in the IR.
Changes to building LLVM
The internal llvm-build Python script and the associated LLVMBuild.txt files used to describe the LLVM component structure have been removed and replaced by a pure CMake approach, where each component stores extra properties in the created targets. These properties are processed once all components are defined to resolve library dependencies and produce the header expected by llvm-config.
Changes to TableGen
The new “TableGen Programmer’s Reference” replaces the “TableGen Language Introduction” and “TableGen Language Reference” documents.
The syntax for specifying an integer range in a range list has changed. The old syntax used a hyphen in the range (e.g., {0-9}). The new syntax uses the “…” range punctuation (e.g., {0...9}). The hyphen syntax is deprecated.
Changes to the AArch64 Backend
Lots of improvements to generation of Windows unwind data; the unwind data is optimized and written in packed form where possible, reducing the size of unwind data (pdata and xdata sections) by around 60% compared with LLVM 11. The generation of prologs/epilogs is tweaked when targeting Windows, to increase the chances of being able to use the packed unwind info format.
Support for creating Windows unwind data using .seh_* assembler directives.
Produce proper assembly output for the Windows target, including :lo12: relocation specifiers, to allow the assembly output to actually be assembled.
Changed the assembly comment string for MSVC targets to // (consistent with the MinGW and ELF targets), freeing up ; to be used as statement separator.
Changes to the ARM Backend
Changes to the MIPS Target
Changes to the PowerPC Target
Optimization:
Made improvements to loop unroll-and-jam including fix to respect user provided #pragma unroll-and-jam for loops on targets other than ARM.
Improved PartialInliner allowing it to handle code regions in a switch statements.
Improved PGO support on AIX by building and linking with compiler-rt profile library.
Add support for Epilogue Vectorization and enabled it by default.
CodeGen:
POWER10 support * Implementation of PC Relative addressing in LLD including the associated
linker optimizations.
Add support for the new matrix multiplication (MMA) instructions to Clang and LLVM.
Implementation of Power10 builtins.
Scheduling enhancements * Add a new algorithm to cluster more loads/stores if the DAG is not too
complicated.
Enable the PowerPC scheduling heuristic for Power10.
Target dependent passes tuning * Enhance LoopStrengthReduce/PPCLoopInstrFormPrep pass for PowerPC,
especially for P10 intrinsics.
Enhance machine combiner pass to reduce register pressure for PowerPC.
Improve MachineSink to do more sinking based on register pressure and alias analysis.
General improvements * Complete the constrained floating point operations support. * Improve the llvm-exegesis support. * Improve the stack clash protection to probe the gap between stackptr and
realigned stackptr.
Improve the IEEE long double support for Power8.
Enable MemorySSA for LoopSink.
Enhance LLVM debugging functionality via options such as -print-changed and -print-before-changed.
Add builtins for Power9 (i.e. darn, xvtdiv, xvtsqrt etc).
Add options to disable all or part of LoopIdiomRecognizePass.
Add support for printing the DDG in DOT form allowing for visual inspection of the Data Dependence Graph.
Remove the QPX support.
Significant number of bug fixes including all the fixes necessary to achieve a clean test run for Julia.
AIX Support:
Compiler-rt support * Add support for building compiler-rt for AIX and 32-bit Power targets. * Made compiler-rt the default rtlib for AIX.
General Improvements * Enable the AIX extended AltiVec ABI under option -mabi=vec-extabi. * Add partial C99 complex type support. * Implemente traceback table for functions (encodes vector information, emits exception handling).
Implemente code generation for C++ dynamic initialization and finalization. of non-local variables for use with the -bcdtors option of the AIX linker.
Add new option -mignore-xcoff-visibility.
Enable explicit sections on AIX.
Enable -f[no-]data-sections on AIX and set -fdata-sections to be the default on AIX.
Enable -f[no-]function-sections.
Add support for relocation generation using the large code model.
Add pragma align natural and sorted out pragma pack stack effect.
Changes to the X86 Target
The ‘mpx’ feature was removed from the backend. It had been removed from clang frontend in 10.0. Mention of the ‘mpx’ feature in an IR file will print a message to stderr, but IR should still compile.
Support for -march=alderlake, -march=sapphirerapids, -march=znver3 and -march=x86-64-v[234] has been added.
The assembler now has support for {disp32} and {disp8} pseudo prefixes for controlling displacement size for memory operands and jump displacements. The assembler also supports the .d32 and .d8 mnemonic suffixes to do the same.
A new function attribute “tune-cpu” has been added to support -mtune like gcc. This allows microarchitectural optimizations to be applied independent from the “target-cpu” attribute or TargetMachine CPU which will be used to select Instruction Set. If the attribute is not present, the tune CPU will follow the target CPU.
Support for HRESET instructions has been added.
Support for UINTR instructions has been added.
Support for AVXVNNI instructions has been added.
Changes to the AMDGPU Target
The new byref attribute is now the preferred method for representing aggregate kernel arguments.
|
|
* Update HOMEPAGE and COMMENT.
* Use tarball from GitHub.
* Use wxWidgets unconditionally (cannot disable wxWidgets anymore).
* Set LICENSE.
Changelog:
6.2.1
Corrects manual page name from logo to ucblogo to match executable.
(Note: Windows executable and Mac dmg installs do not need this so only
the .tar.gz is provided.)
6.2
This is a maintenance release of the UCB Logo programming language interpreter.
Fixes and Updates:
multiple bug fixes
a new autoconf based build system
optional object oriented logo ( --enable-objects )
Renamed executable from logo to ucblogo for unix.
This includes work from dmalec, Barak A. Pearlmutter, janekr, hosiet, reinerh,
atehwa, kilobyte, brianharvey, pahihu, and jrincayc.
6.1
This is a maintenance release of the UCB Logo programming language interpreter.
Fixes and Updates:
64 bit support (fixes bug that prevented drawing large numbers of lines in 64 bit mode)
wxWidgets 3.0 support
License changed to GNU General Public License 3 or newer
Support for compiling for 64 bit MacOS
|
|
ChangeLog:
Version 2.90.1 (July 11, 2021)
- Repaired the docu (especially yabasic.htm)
- Removed references to the old documentation (still available on github)
Version 2.90.0 (July 10, 2021)
- Fixed an error with local variables
- Moved to a new building-environment (see github and there README.org
for details)
|
|
This uses the faster "install.sh" script, and also omits the
"rust-doc" subset, for a much faster installation.
This is a temporary hack for this version, will be removed on
the next go-around.
Apologies for this going un-committed, only myself to blame.
Should fix part of PR#56304.
|
|
Move cmake dependency out of condition on PKG_OPTIONS.rust-llvm.
|
|
|
|
|
|
Ruby 3.0.2 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
See the commit logs for details:
<https://github.com/ruby/ruby/compare/v3_0_1...v3_0_2>.
|
|
Ruby 2.7.4 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
See the commit logs for details:
<https://github.com/ruby/ruby/compare/v2_7_3...v2_7_4>.
|
|
Ruby 2.6.8 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
* CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
* CVE-2021-31799: A command injection vulnerability in RDoc
We ordinally do not fix Ruby 2.6 except security fixes, but this
release also includes some regressed bugs and build problem fixes.
See the commit logs for details.
Ruby 2.6 is now under the state of the security maintenance phase,
until the end of March of 2022. After that date, maintenance of Ruby
2.6 will be ended. We recommend you start planning the migration to
newer versions of Ruby, such as 3.0 or 2.7.
|
|
Version 14.17.3 'Fermium' (LTS)
Notable Changes
Node.js 14.17.2 introduced a regression in the Windows installer on non-English locales that is being fixed in this release. There is no need to download this release if you are not using the Windows installer.
Version 14.17.2 'Fermium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
|
|
Version 12.22.3 'Erbium' (LTS)
Notable Changes
Node.js 12.22.2 introduced a regression in the Windows installer on non-English locales that is being fixed in this release. There is no need to download this release if you are not using the Windows installer.
Version 12.22.2 'Erbium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-22918: libuv upgrade - Out of bounds read (Medium)
Node.js is vulnerable to out-of-bounds read in libuv's uv__idna_toascii() function which is used to convert strings to ASCII. This is called by Node's dns module's lookup() function and can lead to information disclosures or crashes. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918
CVE-2021-22921: Windows installer - Node Installer Local Privilege Escalation (Medium)
Node.js is vulnerable to local privilege escalation attacks under certain conditions on Windows platforms. More specifically, improper configuration of permissions in the installation directory allows an attacker to perform two different escalation attacks: PATH and DLL hijacking. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22921
CVE-2021-27290: npm upgrade - ssri Regular Expression Denial of Service (ReDoS) (High)
This is a vulnerability in the ssri npm mudule which may be vulnerable to denial of service attacks. You can read more about it in https://github.com/advisories/GHSA-vx3p-948g-6vhq
CVE-2021-23362: npm upgrade - hosted-git-info Regular Expression Denial of Service (ReDoS) (Medium)
This is a vulnerability in the hosted-git-info npm mudule which may be vulnerable to denial of service attacks. You can read more about it in https://nvd.nist.gov/vuln/detail/CVE-2021-23362
|
|
|
|
Ruby on Rails 6.0.4 (2021-06-15), including security fixes.
Active Support
* Fixed issue in ActiveSupport::Cache::RedisCacheStore not passing
options to read_multi causing fetch_multi to not work properly.
(Rajesh Sharma)
* with_options copies its options hash again to avoid leaking mutations.
Fixes #39343. (Eugene Kenny)
Active Record
* Only warn about negative enums if a positive form that would cause
conflicts exists. Fixes #39065. (Alex Ghiculescu)
* Allow the inverse of a has_one association that was previously
autosaved to be loaded. Fixes #34255. (Steven Weber)
* Reset statement cache for association if table_name is changed.
Fixes #36453. (Ryuta Kamizono)
* Type cast extra select for eager loading. (Ryuta Kamizono)
* Prevent collection associations from being autosaved multiple times.
Fixes #39173. (Eugene Kenny)
* Resolve issue with insert_all unique_by option when used with
expression index.
When the :unique_by option of ActiveRecord::Persistence.insert_all
and ActiveRecord::Persistence.upsert_all was used with the name of
an expression index, an error was raised. Adding a guard around the
formatting behavior for the :unique_by corrects this.
Usage:
create_table :books, id: :integer, force: true do |t|
t.column :name, :string
t.index "lower(name)", unique: true
end
Book.insert_all [{ name: "MyTest" }], unique_by: :index_books_on_lower_name
Fixes #39516. (Austen Madden)
* Fix preloading for polymorphic association with custom scope.
(Ryuta Kamizono)
* Allow relations with different SQL comments in the or method.
(Takumi Shotoku)
* Resolve conflict between counter cache and optimistic locking.
Bump an Active Record instance's lock version after updating its
counter cache. This avoids raising an unnecessary
ActiveRecord::StaleObjectError upon subsequent transactions by
maintaining parity with the corresponding database record's
lock_version column. Fixes #16449. (Aaron Lipman)
* Fix through association with source/through scope which has joins.
(Ryuta Kamizono)
* Fix through association to respect source scope for includes/preload.
(Ryuta Kamizono)
* Fix eager load with Arel joins to maintain the original joins order.
(Ryuta Kamizono)
* Fix group by count with eager loading + order + limit/offset.
(Ryuta Kamizono)
* Fix left joins order when merging multiple left joins from different
associations. (Ryuta Kamizono)
* Fix index creation to preserve index comment in bulk change table on
MySQL. (Ryuta Kamizono)
* Change remove_foreign_key to not check :validate option if database
doesn't support the feature. (Ryuta Kamizono)
* Fix the result of aggregations to maintain duplicated "group by"
fields. (Ryuta Kamizono)
* Do not return duplicated records when using preload. (Bogdan Gusiev)
Action View
* SanitizeHelper.sanitized_allowed_attributes and
SanitizeHelper.sanitized_allowed_tags call safe_list_sanitizer's
class method. Fixes #39586. (Taufiq Muhammadi)
Action Pack
* Accept base64_urlsafe CSRF tokens to make forward compatible.
* Base64 strict-encoded CSRF tokens are not inherently websafe, which
makes them difficult to deal with. For example, the common practice
of sending the CSRF token to a browser in a client-readable cookie
does not work properly out of the box: the value has to be
url-encoded and decoded to survive transport.
In Rails 6.1, we generate Base64 urlsafe-encoded CSRF tokens, which
are inherently safe to transport. Validation accepts both urlsafe
tokens, and strict-encoded tokens for backwards compatibility.
In Rails 5.2.5, the CSRF token format is accidentally changed to
urlsafe-encoded. If you upgrade apps from 5.2.5, set the config
urlsafe_csrf_tokens = true.
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
(Scott Blum, Étienne Barrié)
* Signed and encrypted cookies can now store false as their value when
action_dispatch.use_cookies_with_metadata is enabled. (Rolandas
Barysas)
Active Storage
* The Poppler PDF previewer renders a preview image using the original
document's crop box rather than its media box, hiding print
margins. This matches the behavior of the MuPDF previewer. (Vincent
Robert)
Railties
* Allow relative paths with trailing slashes to be passed to rails
test. (Eugene Kenny)
* Return a 405 Method Not Allowed response when a request uses an
unknown HTTP method. Fixes #38998. (Loren Norman)
|
|
Ruby on Rails 5.2.6 (2021-05-05)
There are changes in www/ruby-actionpack52 only, including security fix.
Action Pack
* Accept base64_urlsafe CSRF tokens to make forward compatible.
Base64 strict-encoded CSRF tokens are not inherently websafe, which
makes them difficult to deal with. For example, the common practice
of sending the CSRF token to a browser in a client-readable cookie
does not work properly out of the box: the value has to be
url-encoded and decoded to survive transport.
In this version, we generate Base64 urlsafe-encoded CSRF tokens,
which are inherently safe to transport. Validation accepts both
urlsafe tokens, and strict-encoded tokens for backwards
compatibility.
How the tokes are encoded is controllr by the
action_controller.urlsafe_csrf_tokens config.
In Rails 5.2.5, the CSRF token format was accidentally changed to
urlsafe-encoded.
Atention: If you already upgraded your application to 5.2.5, set the
config urlsafe_csrf_tokens to true, otherwise your form submission
will start to fail during the deploy of this new version.
Rails.application.config.action_controller.urlsafe_csrf_tokens = true
If you are upgrading from 5.2.4.x, you don't need to change this
configuration.
Scott Blum, Étienne Barrié
|
|
|
|
01 Jul 2021, PHP 7.3.29
- Core:
. Fixed bug #81122: SSRF bypass in FILTER_VALIDATE_URL. (CVE-2021-21705) (cmb)
- PDO_Firebird:
. Fixed bug #76448: Stack buffer overflow in firebird_info_cb.
(CVE-2021-21704) (cmb)
. Fixed bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704) (cmb)
. Fixed bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704) (cmb)
. Fixed bug #76452: Crash while parsing blob data in firebird_fetch_blob.
(CVE-2021-21704) (cmb)
|
|
01 Jul 2021, PHP 8.0.8
- Core:
. Fixed bug #81076 (incorrect debug info on Closures with implicit binds).
(krakjoe)
. Fixed bug #81068 (Double free in realpath_cache_clean()). (Dimitry Andric)
. Fixed bug #76359 (open_basedir bypass through adding ".."). (cmb)
. Fixed bug #81090 (Typed property performance degradation with .= operator).
(Nikita)
. Fixed bug #81070 (Integer underflow in memory limit comparison).
(Peter van Dommelen)
. Fixed bug #81122 (SSRF bypass in FILTER_VALIDATE_URL).
(CVE-2021-21705) (cmb)
- Bzip2:
. Fixed bug #81092 (fflush before stream_filter_remove corrupts stream).
(cmb)
- Fileinfo:
. Fixed bug #80197 (implicit declaration of function 'magic_stream' is
invalid). (Nikita)
- GMP:
. Fixed bug #81119 (GMP operators throw errors with wrong parameter names).
(Nikita)
- OCI8:
. Fixed bug #81088 (error in regression test for oci_fetch_object() and
oci_fetch_array()). (Máté)
- Opcache:
. Fixed bug #81051 (Broken property type handling after incrementing
reference). (Dmitry)
. Fixed bug #80968 (JIT segfault with return from required file). (Dmitry)
- OpenSSL:
. Fixed bug #76694 (native Windows cert verification uses CN as sever name).
(cmb)
- MySQLnd:
. Fixed bug #80761 (PDO uses too much memory). (Nikita)
- PDO_Firebird:
. Fixed bug #76448 (Stack buffer overflow in firebird_info_cb).
(CVE-2021-21704) (cmb)
. Fixed bug #76449 (SIGSEGV in firebird_handle_doer).
(CVE-2021-21704) (cmb)
. Fixed bug #76450 (SIGSEGV in firebird_stmt_execute).
(CVE-2021-21704) (cmb)
. Fixed bug #76452 (Crash while parsing blob data in firebird_fetch_blob).
(CVE-2021-21704) (cmb)
- readline:
. Fixed bug #72998 (invalid read in readline completion). (krakjoe)
- Standard:
. Fixed bug #81048 (phpinfo(INFO_VARIABLES) "Array to string conversion").
(cmb)
. Fixed bug #77627 (method_exists on Closure::__invoke inconsistency).
(krakjoe)
- Windows:
. Fixed bug #81120 (PGO data for main PHP DLL are not used). (cmb)
|
|
01 Jul 2021, PHP 7.4.21
- Core:
. Fixed bug #81068 (Double free in realpath_cache_clean()). (Dimitry Andric)
. Fixed bug #76359 (open_basedir bypass through adding ".."). (cmb)
. Fixed bug #81090 (Typed property performance degradation with .= operator).
(Nikita)
. Fixed bug #81070 (Integer underflow in memory limit comparison).
(Peter van Dommelen)
. Fixed bug #81122 (SSRF bypass in FILTER_VALIDATE_URL).
(CVE-2021-21705) (cmb)
- Bzip2:
. Fixed bug #81092 (fflush before stream_filter_remove corrupts stream).
(cmb)
- OpenSSL:
. Fixed bug #76694 (native Windows cert verification uses CN as sever name).
(cmb)
- PDO_Firebird:
. Fixed bug #76448 (Stack buffer overflow in firebird_info_cb).
(CVE-2021-21704) (cmb)
. Fixed bug #76449 (SIGSEGV in firebird_handle_doer).
(CVE-2021-21704) (cmb)
. Fixed bug #76450 (SIGSEGV in firebird_stmt_execute).
(CVE-2021-21704) (cmb)
. Fixed bug #76452 (Crash while parsing blob data in firebird_fetch_blob).
(CVE-2021-21704) (cmb)
- Standard:
. Fixed bug #81048 (phpinfo(INFO_VARIABLES) "Array to string conversion").
(cmb)
|
|
Although 8 doesn't seem to use kqueue by default the class is
still compiled so it's a good idea to have the correct values.
Bump PKGREVISION for this and recent changes.
|
|
Python 3.9.6 final
Security
bpo-44022: mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
Core and Builtins
bpo-44409: Fix error location information for tokenizer errors raised on initialization of the tokenizer. Patch by Pablo Galindo.
bpo-43667: Improve Unicode support in non-UTF locales on Oracle Solaris. This issue does not affect other Solaris systems.
bpo-44168: Fix error message in the parser involving keyword arguments with invalid expressions. Patch by Pablo Galindo
bpo-44114: Fix incorrect dictkeys_reversed and dictitems_reversed function signatures in C code, which broke webassembly builds.
bpo-44070: No longer eagerly makes import filenames absolute, except for extension modules, which was introduced in 3.9.5.
bpo-28146: Fix a confusing error message in str.format().
bpo-11105: When compiling ast.AST objects with recursive references through compile(), the interpreter doesn’t crash anymore instead it raises a RecursionError.
Library
bpo-44516: Update vendored pip to 21.1.3
bpo-44482: Fix very unlikely resource leak in glob in alternate Python implementations.
bpo-44439: Fix in bz2.BZ2File.write() / lzma.LZMAFile.write() methods, when the input data is an object that supports the buffer protocol, the file length may be wrong.
bpo-44434: _thread.start_new_thread() no longer calls PyThread_exit_thread() explicitly at the thread exit, the call was redundant. On Linux with the glibc, pthread_exit() aborts the whole process if dlopen() fails to open libgcc_s.so file (ex: EMFILE error). Patch by Victor Stinner.
bpo-44422: The threading.enumerate() function now uses a reentrant lock to prevent a hang on reentrant call. Patch by Victor Stinner.
bpo-44395: Fix as_string() to pass unixfrom properly. Patch by Dong-hee Na.
bpo-44342: [Enum] Be more robust in searching for pickle support before making an enum class unpicklable.
bpo-44356: [Enum] Allow multiple data-type mixins if they are all the same.
bpo-44254: On Mac, give turtledemo button text a color that works on both light or dark background. Programmers cannot control the latter.
bpo-44145: hmac computations were not releasing the GIL while calling the OpenSSL HMAC_Update C API (a new feature in 3.9). This unintentionally prevented parallel computation as other hashlib algorithms support.
bpo-37788: Fix a reference leak when a Thread object is never joined.
bpo-44061: Fix regression in previous release when calling pkgutil.iter_modules() with a list of pathlib.Path objects
bpo-36515: The hashlib module no longer does unaligned memory accesses when compiled for ARM platforms.
bpo-44018: random.seed() no longer mutates bytearray inputs.
bpo-38352: Add IO, BinaryIO, TextIO, Match, and Pattern to typing.__all__. Patch by Jelle Zijlstra.
bpo-43972: When http.server.SimpleHTTPRequestHandler sends a 301 (Moved Permanently) for a directory path not ending with /, add a Content-Length: 0 header. This improves the behavior for certain clients.
bpo-28528: Fix a bug in pdb where checkline() raises AttributeError if it is called after reset().
bpo-43776: When subprocess.Popen args are provided as a string or as pathlib.Path, the Popen instance repr now shows the right thing.
bpo-43666: AIX: Lib/_aix_support.get_platform() may fail in an AIX WPAR. The fileset bos.rte appears to have a builddate in both LPAR and WPAR so this fileset is queried rather than bos.mp64. To prevent a similiar situation (no builddate in ODM) a value (9988) sufficient for completing a build is provided. Patch by M Felt.
bpo-43650: Fix MemoryError in shutil.unpack_archive() which fails inside shutil._unpack_zipfile() on large files. Patch by Igor Bolshakov.
bpo-43318: Fix a bug where pdb does not always echo cleared breakpoints.
bpo-43295: datetime.datetime.strptime() now raises ValueError instead of IndexError when matching 'z' with the %z format specifier.
bpo-37022: pdb now displays exceptions from repr() with its p and pp commands.
Documentation
bpo-40620: Convert examples in tutorial controlflow.rst section 4.3 to be interpreter-demo style.
bpo-13814: In the Design FAQ, answer “Why don’t generators support the with statement?”
bpo-44392: Added a new section in the C API documentation for types used in type hinting. Documented Py_GenericAlias and Py_GenericAliasType.
bpo-38291: Mark typing.io and typing.re as deprecated since Python 3.8 in the documentation. They were never properly supported by type checkers.
bpo-44322: Document that SyntaxError args have a details tuple and that details are adjusted for errors in f-string field replacement expressions.
bpo-44195: Corrected references to TraversableResources in docs. There is no TraversableReader.
bpo-41963: Document that ConfigParser strips off comments when reading configuration files.
bpo-44072: Correct where in the numeric ABC hierarchy ** support is added, i.e., in numbers.Complex, not numbers.Integral.
bpo-43558: Add the remark to dataclasses documentation that the __init__() of any base class has to be called in __post_init__(), along with a code example.
bpo-41621: Document that collections.defaultdict parameter default_factory defaults to None and is positional-only.
Tests
bpo-44287: Fix asyncio test_popen() of test_windows_utils by using a longer timeout. Use military grade battle-tested test.support.SHORT_TIMEOUT timeout rather than a hardcoded timeout of 10 seconds: it’s 30 seconds by default, but it is made longer on slow buildbots. Patch by Victor Stinner.
bpo-44363: Account for address sanitizer in test_capi. test_capi now passes when run GCC address sanitizer.
Build
bpo-44381: The Windows build now accepts EnableControlFlowGuard set to guard to enable CFG.
Windows
bpo-41299: Fix 16ms jitter when using timeouts in threading, such as with threading.Lock.acquire() or threading.Condition.wait().
macOS
bpo-43568: Relax unnecessarily restrictive MACOSX_DEPLOYMENT_TARGET check when building extension modules for macOS. Patch by Joshua Root.
bpo-43109: Allow –with-lto configure option to work with Apple-supplied Xcode or Command Line Tools.
IDLE
bpo-40128: Mostly fix completions on macOS when not using tcl/tk 8.6.11 (as with 3.9). The added update_idletask call should be harmless and possibly helpful otherwise.
bpo-33962: Move the indent space setting from the Font tab to the new Windows tab. Patch by Mark Roseman and Terry Jan Reedy.
bpo-40468: Split the settings dialog General tab into Windows and Shell/ED tabs. Move help sources, which extend the Help menu, to the Extensions tab. Make space for new options and shorten the dialog. The latter makes the dialog better fit small screens.
bpo-41611: Avoid uncaught exceptions in AutoCompleteWindow.winconfig_event().
bpo-41611: Fix IDLE sometimes freezing upon tab-completion on macOS.
Tools/Demos
bpo-44074: Make patchcheck automatically detect the correct base branch name (previously it was hardcoded to ‘master’)
C API
bpo-44441: Py_RunMain() now resets PyImport_Inittab to its initial value at exit. It must be possible to call PyImport_AppendInittab() or PyImport_ExtendInittab() at each Python initialization. Patch by Victor Stinner.
bpo-42083: Fix crash in PyStructSequence_NewType() when passed NULL in the documentation string slot.
|
|
Python 3.8.11 final
Security
bpo-44022: mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame, and generator code/frame attribute access.
Core and Builtins
bpo-44070: No longer eagerly makes import filenames absolute, except for extension modules, which was introduced in 3.8.10.
Library
bpo-44061: Fix regression in previous release when calling pkgutil.iter_modules() with a list of pathlib.Path objects
|
|
Python 3.7.11 final
Security
bpo-44022: mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.
Tests
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
|
|
Python 3.6.14 final
Security
bpo-44022: mod:http.client now avoids infinitely reading potential HTTP headers after a 100 Continue status response from the server.
bpo-43882: The presence of newline or tab characters in parts of a URL could allow some forms of attacks.
Following the controlling specification for URLs defined by WHATWG urllib.parse() now removes ASCII newlines and tabs from URLs, preventing such attacks.
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43075: Fix Regular Expression Denial of Service (ReDoS) vulnerability in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has quadratic worst-case complexity and it allows cause a denial of service when identifying crafted invalid RFCs. This ReDoS issue is on the client side and needs remote attackers to control the HTTP server.
|
|
|
|
|
|
Clean up some pkglint.
Bump PKGREVISION.
|
|
... but don't enable by default yet. Works for me, but needs more testing.
|
|
|
|
It seems that os_bsd.cpp:Semaphore::~Semaphore() is sometimes called
twice, causing a crash in the call path
vm_direct_exit() -> exit() -> __cxa_finalize () -> sem_destroy().
This patch works around the crash but may obscure some deeper problem.
|
|
Needed to build polkit with duktape.
Bump PKGREVISION.
|
