* Don't use DATE as a variable, as it's used elsewhere, use QJS_DATE instead
* Don't use the "bignum" PLIST variable anymore, the "bn" variants are no
longer being built
* Add "lto" PLIST variable, supported by and used on Linux
* Move the setting of CONFIG_BIGNUM to the pkg Makefile instead of
always setting it, should support 32-bit NetBSD ports.
Bump PKGREVISION.
Version 13.8.0 (Current):
Notable Changes
This is a security release.
Vulnerabilities fixed:
CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
Version 12.15.0 'Erbium' (LTS):
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
Version 10.19.0 'Dubnium' (LTS):
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2019-15606: HTTP header values do not have trailing OWS trimmed.
CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding header.
CVE-2019-15604: Remotely trigger an assertion on a TLS server with a malformed certificate string.
Also, HTTP parsing is more strict to be more secure. Since this may cause problems in interoperability with some non-conformant HTTP implementations, it is possible to disable the strict checks with the --insecure-http-parser command line flag, or the insecureHTTPParser http option. Using the insecure HTTP parser should be avoided.
Changelog:
Updated BSD port of JDK 11
Additional features include:
Update to 11.0.6 GA
Fix remote HotSpot debugging on BSD
Add support for setting thread names on BSD (useful for top -H)
Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue.
The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of
golang.org/x/crypto/cryptobyte.
Panic in crypto/x509 certificate parsing and golang.org/x/crypto/cryptobyte
On 32-bit architectures, a malformed input to crypto/x509 or the ASN.1 parsing
functions of golang.org/x/crypto/cryptobyte can lead to a panic.
The malformed certificate can be delivered via a crypto/tls connection to a
client, or to a server that accepts client certificates. net/http clients can
be made to crash by an HTTPS server, while net/http servers that accept client
certificates will recover the panic and are unaffected.
Thanks to Project Wycheproof for providing the test cases that led to the
discovery of this issue.
The issue is CVE-2020-7919 and Go issue golang.org/issue/36837.
This is also fixed in version v0.0.0-20200124225646-8b5121be2f68 of
golang.org/x/crypto/cryptobyte.
I created the package (based on lang/gcc8) and made the PLIST check
intentionally strict, to document which files are installed under which
circumstances. Therefore it's only fair that I get all the bug reports
directly.
Pkgsrc changes:
* adapt patches
* If NetBSD platform misses 64-bit atomics, turn off all atomics
(Trying to just disable BIGNUM fails; workaround suggested by
Fabrice Bellard)
Upstream changes:
- keep CONFIG_BIGNUM in the makefile
- added os.chdir()
- qjs: added -I option
- more memory checks in the bignum operations
- modified operator overloading semantics to be closer to the TC39
proposal
- suppressed "use bigint" mode. Simplified "use math" mode
- BigDecimal: changed suffix from 'd' to 'm'
- misc bug fixes
pkglint -r --network --only "migrate"
As a side-effect of migrating the homepages, pkglint also fixed a few
indentations in unrelated lines. These and the new homepages have been
checked manually.
Changes include:
- native 63-bit machine integers;
- a new sort of definitionally proof-irrelevant propositons: SProp;
- private universes for opaque polymorphic constants;
- string notations and numeral notations;
- a new simplex-based proof engine for the tactics lia, nia, lra and nra;
- new introduction patterns for SSReflect;
- a tactic to rewrite under binders: under;
- easy input of non-ASCII symbols in CoqIDE, which now uses GTK3.
and many small improvements and bugfixes.
Idris is a general purpose language with full dependent types. It is
compiled, with eager evaluation. Dependent types allow types to be
predicated on values, meaning that some aspects of a program's
behaviour can be specified precisely in the type. The language is
closely related to Epigram and Agda. There is a tutorial at
http://www.idris-lang.org/documentation
Enlightened Sound Daemon was one of the earlier solutions to the old
"multiple programs can't open /dev/audio at once" problem that was once
a thing we had to worry about.
Eventually, it was adopted as part of GNOME. GNOME lost interest in it
about a decade ago and dropped it in favour of PulseAudio, newer
applications are generally uninterested in supporting it. Last release
was in 2008 and support for newer OS APIs is pretty nonexistent.
Several years ago the original website disappeared.
https://en.wikipedia.org/wiki/Enlightened_Sound_Daemonhttps://tracker.debian.org/news/999428/removed-0241-11-from-unstable/
pkglint --only "https instead of http" -r -F
With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.
This mainly affects projects hosted at SourceForce, as well as
freedesktop.org, CTAN and GNU.
