Vala 0.54.1
===========
* Regression and bug fixes:
- codegen:
+ Add type declaration for implicit temporary local variable
+ Sealed class in external package is not special [#1229]
* Bindings:
- gstreamer: Update from 1.19.0+ git master
- gtk4: Update to 4.5.0~3e20ecd6
|
|
This minor release includes a security fix according to the new security policy.
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be overwritten
with data from the arguments.
If using wasm_exec.js to execute WASM modules, users will need to replace their
copy (as described in https://golang.org/wiki/WebAssembly#getting-started)
after rebuilding any modules.
This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this
issue.
|
|
This minor release includes a security fix according to the new security policy.
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be overwritten
with data from the arguments.
If using wasm_exec.js to execute WASM modules, users will need to replace their
copy (as described in https://golang.org/wiki/WebAssembly#getting-started)
after rebuilding any modules.
This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this
issue.
|
|
This is a list of extra directories in which to look for go.mod files
when generating the output of show-go-modules.
|
|
This defaults to WRKSRC and allows packages that aren't primarily
written in rust, but have a rust component that needs to be built, to
support the correct operation of cargo within their source tree.
|
|
It's already added to bootstrap tools by mk, and adding it here actually
has the opposite effect of what's intended. It seems to confuse the
tools infrastructure and defer its dependency, i.e. until it's too late,
causing "digest: not found" errors if it's not already installed.
|
|
Python 3.10
Summary – Release highlights
New syntax features:
PEP 634, Structural Pattern Matching: Specification
PEP 635, Structural Pattern Matching: Motivation and Rationale
PEP 636, Structural Pattern Matching: Tutorial
bpo-12782, Parenthesized context managers are now officially allowed.
New features in the standard library:
PEP 618, Add Optional Length-Checking To zip.
Interpreter improvements:
PEP 626, Precise line numbers for debugging and other tools.
New typing features:
PEP 604, Allow writing union types as X | Y
PEP 613, Explicit Type Aliases
PEP 612, Parameter Specification Variables
Important deprecations, removals or restrictions:
PEP 644, Require OpenSSL 1.1.1 or newer
PEP 632, Deprecate distutils module.
PEP 623, Deprecate and prepare for the removal of the wstr member in PyUnicodeObject.
PEP 624, Remove Py_UNICODE encoder APIs
PEP 597, Add optional EncodingWarning
|
|
Bulk builds have been running for some time, and this is expected to be
fine.
|
|
Also apply the "cp -p" fix from other versions, removing the need for ln
workarounds on OmniOS.
|
|
Announce: Rakudo compiler, Release #150 (2021.09)
On behalf of the Rakudo development team, I'm very happy to announce the
September 2021 release of Rakudo #150. Rakudo is an implementation of the Raku
language.
The source tarball for this release is available from https://rakudo.org/files/rakudo.
Pre-compiled archives will be available shortly.
New in 2021.09:
* Additions:
+ Introduce the safe-snapper module. It is a shorthand for loading
Telemetry and starting a snapper with control-c safety, allowing one to
stop the script with control-c and still get a report [87152eba]
+ Add ability to subtract an Instant value from a DateTime object and
vice versa [9a4af4b6]
+ Add Numeric coercer to DateTime [67138ec0]
* Changes:
+ Make the sprintf method show its format string on error [ea8a95e5]
[57841911]
+ The test named parameter of the dir routine now handles Junctions
[21a7117d]
+ Improve error message for the X::Pragma::CannotPrecomp exception
[a52f1f62][fe461d17]
* Efficiency:
+ Numerous small speed-ups and memory-related improvements [94462dfa]
[3aba9707][3c1c709c]
* Fixes:
+ Properly handle List of Lists in the List.fmt method [a86ec91e]
+ Don't lose concurrent modifications to %!conc_table [72bc5623]
+ Fix potential race in Metamodel::Concretization [d666dfe8]
+ Make the default scheduler properly see RAKUDO_MAX_THREADS env variable
[b14d404a]
* Internal:
+ Support ROAST_TIMING_SCALE in telemetry tests [9681a093]
+ Fix false positive in basic telemetry test [c0a6823b]
+ Pass along whether the Rakudo runner was called with --full-cleanup
[5492452b]
+ Update the concretization table more sparingly [b236dcfd]
|
|
Switch to new 8.8.4 bootstrap that has been rebuilt after recent changes,
fix hardlink usage, and pull in upstream patch for thread CPU time.
|
|
Fixes behaviour of "ln -f" when creating bootstrap kit on SunOS.
|
|
Version 14.18.0 'Fermium' (LTS)
Notable Changes
assert: change status of legacy asserts (James M Snell)
(SEMVER-MINOR) buffer: introduce Blob (James M Snell)
(SEMVER-MINOR) buffer: add base64url encoding option (Filip Skokan)
(SEMVER-MINOR) child_process: allow options.cwd receive a URL (Khaidi Chu)
(SEMVER-MINOR) child_process: add timeout to spawn and fork (Nitzan Uziely)
(SEMVER-MINOR) child_process: allow promisified exec to be cancel (Carlos Fuentes)
(SEMVER-MINOR) child_process: add 'overlapped' stdio flag (Thiago Padilha)
(SEMVER-MINOR) cli: add -C alias for --conditions flag (Guy Bedford)
(SEMVER-MINOR) cli: add --node-memory-debug option (Anna Henningsen)
(SEMVER-MINOR) dns: add "tries" option to Resolve options (Luan Devecchi)
(SEMVER-MINOR) dns: allow --dns-result-order to change default dns verbatim (Ouyang Yadong)
doc: refactor fs docs structure (James M Snell)
(SEMVER-MINOR) errors: remove experimental from --enable-source-maps (Benjamin Coe)
esm: deprecate legacy main lookup for modules (Guy Bedford)
(SEMVER-MINOR) fs: allow empty string for temp directory prefix (Voltrex)
(SEMVER-MINOR) fs: allow no-params fsPromises fileHandle read (Nitzan Uziely)
(SEMVER-MINOR) fs: add support for async iterators to fsPromises.writeFile (HiroyukiYagihashi)
fs: improve fsPromises readFile performance (Nitzan Uziely)
(SEMVER-MINOR) fs: add fsPromises.watch() (James M Snell)
(SEMVER-MINOR) fs: allow position parameter to be a BigInt in read and readSync (Darshan Sen)
(SEMVER-MINOR) http2: add support for sensitive headers (Anna Henningsen)
(SEMVER-MINOR) http2: allow setting the local window size of a session (Yongsheng Zhang)
inspector: mark as stable (Gireesh Punathil)
(SEMVER-MINOR) module: add support for URL to import.meta.resolve (Antoine du Hamel)
(SEMVER-MINOR) module: add support for node:‑prefixed require(…) calls (ExE Boss)
(SEMVER-MINOR) net: introduce net.BlockList (James M Snell)
(SEMVER-MINOR) node-api: allow retrieval of add-on file name (Gabriel Schulhof)
(SEMVER-MINOR) os: add os.devNull (Luigi Pinca)
(SEMVER-MINOR) perf_hooks: introduce createHistogram (James M Snell)
(SEMVER-MINOR) process: add api to enable source-maps programmatically (legendecas)
(SEMVER-MINOR) process: add 'worker' event (James M Snell)
(SEMVER-MINOR) process: add direct access to rss without iterating pages (Adrien Maret)
(SEMVER-MINOR) readline: add AbortSignal support to interface (Nitzan Uziely)
(SEMVER-MINOR) readline: add support for the AbortController to the question method (Mattias Runge-Broberg)
(SEMVER-MINOR) readline: add history event and option to set initial history (Mattias Runge-Broberg)
(SEMVER-MINOR) repl: add auto‑completion for node:‑prefixed require(…) calls (ExE Boss)
(SEMVER-MINOR) src: call overload ctor from the original ctor (Darshan Sen)
(SEMVER-MINOR) src: add a constructor overload for CallbackScope (Darshan Sen)
(SEMVER-MINOR) src: allow to negate boolean CLI flags (Michaël Zasso)
(SEMVER-MINOR) src: add --heapsnapshot-near-heap-limit option (Joyee Cheung)
(SEMVER-MINOR) src: add way to get IsolateData and allocator from Environment (Anna Henningsen)
(SEMVER-MINOR) src: allow preventing SetPrepareStackTraceCallback (Shelley Vohr)
(SEMVER-MINOR) src: add maybe versions of EmitExit and EmitBeforeExit (Anna Henningsen)
(SEMVER-MINOR) stream: add readableDidRead if has been read from (Robert Nagy)
(SEMVER-MINOR) stream: pipeline accept Buffer as a valid first argument (Nitzan Uziely)
(SEMVER-MINOR) tls: allow reading data into a static buffer (Andrey Pechkurov)
(SEMVER-MINOR) url: expose urlToHttpOptions utility (Yongsheng Zhang)
(SEMVER-MINOR) util: expose toUSVString (Robert Nagy)
(SEMVER-MINOR) v8: implement v8.stopCoverage() (Joyee Cheung)
(SEMVER-MINOR) v8: implement v8.takeCoverage() (Joyee Cheung)
(SEMVER-MINOR) worker: add setEnvironmentData/getEnvironmentData (James M Snell)
|
|
- Adaptation to skalibs-2.11.0.0.
- New binary: case. It compares a value against a series of regular
expressions, executing into another command line on the first match.
|
|
Vala 0.54.0
===========
* Various improvements and bug fixes:
- vala: Warn about unsupported cast to void and drop it [#1070]
- vala: Don't restrict element type of GLib.Array [#1227]
- valadoc: Correctly format background of inline @link's [#1226]
* Bindings:
- gio-2.0: Unhide a few usable symbols which are marked not introspectable [#1222]
Vala 0.53.2
===========
* Various improvements and bug fixes:
- codegen:
+ Fix property access inside opaque compact class
+ Add missing cast to access base-class members in class/static ctor [#1221]
* Bindings:
- glib-2.0: Current constants in GLib.Math are part of glib.h [#1220]
- glib-2.0: Add RefString since 2.58 [#723]
- gstreamer: Update from 1.19.0+ git master
- gtk4: Update to 4.5.0~e681fdd9
- vapi: Update GIR-based bindings
Vala 0.53.1
===========
* Highlights:
- Support explicit nullable var-type declarations [#1146]
- Add support for variadic delegates [#160]
- Add support for sealed classes [#278]
- Add support for null-safe access operator [#522]
- Emit external creation methods in bindings
- Introduce VALA_EXPORT for public symbols to improve portability
- girwriter:
+ Use "optional" and "nullable" instead of deprecated "allow-none"
+ Improve struct creation method binding
- girparser:
+ Improve instance method detection [#1210]
+ Never skip "function" elements
+ Add "move-to" value of functions as Version.replacement
* Various improvements and bug fixes:
- codegen:
+ Use ssize_t for length variables in common array helper functions
+ Fix support for public fields on GLib.Source subclasses
- vala:
+ Add Profile.LIBC as synonym for POSIX and accept "libc" profile
+ Improve semantic check of simple type structs
+ Refactor UnresolvedSymbol/Type constructors
+ Properly check GLib.Object naming convention for properties
+ Add foreach statement support for GLib.GenericArray
- build: Add "test-asan" make target for convenience
- build: Add --enable-test-ubsan configure option and "test-ubsan" make target
- build: Use jing to verify generated GIR file, if available
- testrunner: Allow checking generated C sources
* Bindings:
- Remove gedit-2.20 and webkit-1.0 bindings
- gio-2.0,glib-2.0: Add new symbols from 2.69.0
- gio-2.0: Improve DatagramBased.create_source() binding
- glib-2.0: Wrap TimeZone.identifier() constructor for proper error support
- gstreamer-rtp-1.0: Fix some bindings errors [#1177]
- gstreamer: Update from 1.19.0+ git master
- javascriptcoregtk-4.0: Fix JSC.Class.add_property() binding
- linux: Add SocketCAN bindings, and ISOTP constants and options
- webkit2gtk-4.0: Update to 2.33.3
|
|
Otherwise I see (on -current):
./lisp.run -B . -N locale -E UTF-8 -Epathname 1:1 -Emisc 1:1 -norc -m 2MW -lp -x '(and (load "init.lisp") (sys::%saveinitmem) (ext::exit)) (ext::exit t)'
*** Signal 11
|
|
Presumably there's a way to make this work, but it probably requires
changes to the bootstrap kits.
|
|
This is a security release fixing CVE-2021-21706.
23 Sep 2021, PHP 7.4.24
- Core:
. Fixed bug #81302 (Stream position after stream filter removed). (cmb)
. Fixed bug #81346 (Non-seekable streams don't update position after write).
(cmb)
. Fixed bug #73122 (Integer Overflow when concatenating strings). (cmb)
- GD:
. Fixed bug #53580 (During resize gdImageCopyResampled cause colors change).
(cmb)
- Opcache:
. Fixed bug #81353 (segfault with preloading and statically bound closure).
(Nikita)
- Shmop:
. Fixed bug #81407 (shmop_open won't attach and causes php to crash). (cmb)
- Standard:
. Fixed bug #71542 (disk_total_space does not work with relative paths). (cmb)
. Fixed bug #81400 (Unterminated string in dns_get_record() results). (cmb)
- SysVMsg:
. Fixed bug #78819 (Heap Overflow in msg_send). (cmb)
- XML:
. Fixed bug #81351 (xml_parse may fail, but has no error code). (cmb, Nikita)
- Zip:
. Fixed bug #81420 (ZipArchive::extractTo extracts outside of destination).
(CVE-2021-21706) (cmb)
|
|
* pkgsrc change: fix PLIST problem when php-embed PKG_OPTIONS is enabled.
* This release contains a security fix for CVE-2021-21706.
23 Sep 2021, PHP 8.0.11
- Core:
. Fixed bug #81302 (Stream position after stream filter removed). (cmb)
. Fixed bug #81346 (Non-seekable streams don't update position after write).
(cmb)
. Fixed bug #73122 (Integer Overflow when concatenating strings). (cmb)
- GD:
. Fixed bug #53580 (During resize gdImageCopyResampled cause colors change).
(cmb)
- Opcache:
. Fixed bug #81353 (segfault with preloading and statically bound closure).
(Nikita)
- Shmop:
. Fixed bug #81407 (shmop_open won't attach and causes php to crash). (cmb)
- Standard:
. Fixed bug #71542 (disk_total_space does not work with relative paths). (cmb)
. Fixed bug #81400 (Unterminated string in dns_get_record() results). (cmb)
- SysVMsg:
. Fixed bug #78819 (Heap Overflow in msg_send). (cmb)
- XML:
. Fixed bug #81351 (xml_parse may fail, but has no error code). (cmb, Nikita)
- Zip:
. Fixed bug #80833 (ZipArchive::getStream doesn't use setPassword). (Remi)
. Fixed bug #81420 (ZipArchive::extractTo extracts outside of destination).
(cmb)
|
|
This is a security release fixing CVE-2021-21706.
23 Sep 2021, PHP 7.3.31
- Zip:
. Fixed bug #81420 (ZipArchive::extractTo extracts outside of destination).
(cmb)
|
|
Not sure how that crept in...
|
|
the PLIST is target-specific and it's possible that files for multiple
targets are generated (this is the case on NetBSD/amd64). Since the
static PLIST can't support multiple targets currently, switch to a
generated one.
|
|
This release contains only bug fixes:
Elixir
* [Code] Make sure that bindings in the default context returned by
Code.eval_* functions are not returned as tagged tuples
* [Kernel] Do not crash when handling ambiguity errors
* [Range] Still match on old range patterns throughout the stdlib
IEx
* [IEx.Autocomplete] Do not error autocompletion with module
attribute
Mix
* [Mix] Rename inconsistent :exit_code option to :exit_status on
Mix.raise/2
|
|
Version 14.17.6 'Fermium' (LTS)
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
Version 14.17.5 'Fermium' (LTS)
This is a security release.
Notable Changes
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
|
|
Version 12.22.6 'Erbium' (LTS)
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
Version 12.22.5 'Erbium' (LTS)
This is a security release.
Notable Changes
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Version 12.22.4 'Erbium' (LTS)
This is a security release.
Notable Changes
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
|
|
go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip
package, as well as bug fixes to the compiler, linker, the go command, and to
the crypto/rand, embed, go/types, html/template, and net/http packages.
|
|
go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip
package, as well as bug fixes to the archive/zip, go/internal/gccgoimporter,
html/template, net/http, and runtime/pprof packages.
|