Commit graph

11001 commits

Author SHA1 Message Date
nia
36bbddf0df turba: use exact path for pax 2021-05-14 13:42:40 +00:00
nia
82ab925c0f thunderbird68: add PLIST.Linux 2021-05-14 13:41:49 +00:00
khorben
e98cb5400f minimalist: appease pkglint(1)
NFCI.
2021-05-13 21:12:33 +00:00
khorben
78b25e4823 minimalist: fix a couple typos
Bumps PKGREVISION.
2021-05-13 20:59:50 +00:00
jperkin
646a2f7d66 exim: Fix hardcoded CFLAGS breaking SunOS build. 2021-05-11 09:53:20 +00:00
bsiegert
2af0bedf36 Revbump all Go packages after go116 update 2021-05-08 15:02:22 +00:00
taca
ab97c3b62b www/ruby-rails61: update to 6.1.3.2
Real changes are in www/ruby-actionpack61 only.

## Rails 6.1.3.2 (May 05, 2021) ##

*   Prevent open redirects by correctly escaping the host allow list
    CVE-2021-22903

*   Prevent catastrophic backtracking during mime parsing
    CVE-2021-22902

*   Prevent regex DoS in HTTP token authentication
    CVE-2021-22904

*   Prevent string polymorphic route arguments.

    `url_for` supports building polymorphic URLs via an array
    of arguments (usually symbols and records). If a developer passes a
    user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    *Gannon McGibbon*
2021-05-08 14:08:55 +00:00
taca
efabc36003 www/ruby-rails60: update to 6.0.3.7
Real changes are in www/ruby-actionpack60 only.

## Rails 6.0.3.7 (May 05, 2021) ##

*   Prevent catastrophic backtracking during mime parsing
    CVE-2021-22902

*   Prevent regex DoS in HTTP token authentication
    CVE-2021-22904

*   Prevent string polymorphic route arguments.

    `url_for` supports building polymorphic URLs via an array
    of arguments (usually symbols and records). If a developer passes a
    user input array, strings can result in unwanted route helper calls.

    CVE-2021-22885

    *Gannon McGibbon*
2021-05-08 14:02:33 +00:00
wiz
9c4a8ce599 exim: remove patch from distinfo that was removed from repository during update 2021-05-06 07:08:54 +00:00
tron
a6939446b4 mutt: Update to version 2.0.7
This release fixes several bugs, including a $imap_qresync bug. If you use
that feature, please do upgrade.
2021-05-04 23:38:31 +00:00
abs
f0dbb37028 Updated mail/exim to 4.94.2
This includes a number of serious security fixes (one of which was
included in a now obsoleted pkgsrc patch)

    CVE-2020-28016
    CVE-2020-BDATA
    CVE-2020-EXOPT
    CVE-2020-PFPSN
    CVE-2020-RCPTL
    CVE-2020-SLCWD
    CVE-2020-SPRSS

Since Exim version 4.94
-----------------------

JH/02 Bug 2587: Fix pam expansion condition.  Tainted values are commonly used
      as arguments, so an implementation trying to copy these into a local
      buffer was taking a taint-enforcement trap.  Fix by using dynamically
      created buffers.  Similar fix for radius expansion condition.

JH/03 Bug 2586: Fix listcount expansion operator.  Using tainted arguments is
      reasonable, eg. to count headers.  Fix by using dynamically created
      buffers rather than a local.  Do similar fixes for ACL actions "dcc",
      "log_reject_target", "malware" and "spam"; the arguments are expanded
      so could be handling tainted values.

JH/04 Bug 2590: Fix -bi (newaliases).  A previous code rearrangement had
      broken the (no-op) support for this sendmail command.  Restore it
      to doing nothing, silently, and returning good status.

JH/05 Bug 2593: Fix "vacation" in Exim filter.  Previously, when a "once"
      record path was given (or the default used) without a leading directory
      path, an error occurred on trying to open it.  Use the transport's working
      directory.

JH/06 Bug 2594: Change the name used for certificate name checks in the smtp
      transport.  Previously it was the name on the DNS A-record; use instead
      the head of the CNAME chain leading there (if there is one).  This seems
      to align better with RFC 6125.

JH/07 Bug 2597: Fix a resource leak.  Using a lookup in obtaining a value for
      smtp_accept_max_per_host allocated resources which were not released
      when the limit was exceeded.  This eventually crashed the daemon.  Fix
      by adding a release action in that path.

JH/08 Bug 2598: Fix verify ACL condition.  The options for the condition are
      expanded; previously using tainted values was rejected.  Fix by using
      dynamically-created buffers.

JH/10 Bug 2603: Fix coding of string copying to only evaluate arguments once.
      Previously a macro used one argument twice; when called with the
      argument as an expression having side-effects, incorrect operation
      resulted.  Use an inlineable function.

JH/11 Bug 2604: Fix request to cutthrough-deliver when a connection is already
      held open for a verify callout.  Previously this was not accounted for
      and a corrupt onward SMTP conversation resulted.

JH/13 Fix dsearch "subdir" filter to ignore ".".  Previously only ".." was
      excluded, not matching the documentation.

JH/14 Bug 2606: Fix a segfault in sqlite lookups.  When no, or a bad, filename
      was given for the sqlite_dbfile a trap resulted.

JH/15 Bug 2620: Fix "spam" ACL condition.  Previously, tainted values for the
      "name" argument resulted in a trap.  There is no reason to disallow such;
      this was a coding error.

JH/16 Bug 2615: Fix pause during message reception, on systems that have been
      suspended/resumed.  The Linux CLOCK_MONOTONIC does not account for time
      spent suspended, ignoring the Posix definition.  Previously we assumed
      it did and a constant offset from real time could be used as a correction.
      Change to using the same clock source for the start-of-message and the
      post-message next-tick-wait.  Also change to using CLOCK_BOOTTIME if it
      exists, just to get a clock slightly more aligned to reality.

JH/17 Bug 2295: Fix DKIM signing to always semicolon-terminate.  Although the
      RFC says it is optional some validators care.  The missing char was not
      intended but triggered by a line-wrap alignment.  Discovery and fix by
      Guillaume Outters, hacked on by JH.

JH/18 Bug 2617: Fix a taint trap in parse_fix_phrase().  Previously when the
      name being quoted was tainted a trap would be taken.  Fix by using
      dynamically created buffers.  The routine could have been called by a
      rewrite with the "h" flag, by using the "-F" command-line option, or
      by using a "name=" option on a control=submission ACL modifier.

JH/21 Bug 2630: Fix eol-replacement string for the ${readsocket } expansion.
      Previously when a whitespace character was specified it was not inserted
      after removing the newline.

JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
      is_tainted() had an off-by-one error in the overenthusiastic direction.
      Find and fix by Gavan.  Although NetBSD is not a supported platform for
      4.94 this bug could affect other platforms.

JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
      the domain part of the recipient address.  This overrides any tls_sni
      option set, which was previously used.

JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
      in quotes.

JH/26 Bug 2646: fix a memory usage issue in ldap lookups.  Previously, when more
      than one server was defined and depending on the platform memory layout
      details, an internal consistency trap could be hit while walking the list
      of servers.

JH/27 Bug 2648: fix the passing of an authenticator public-name through spool
      files.  The value is used by the authresults expansion item.  Previously
      if this was used in a router or transport, a crash could result.

JH/30 Bug 2677: fix matching of long addresses. Since 4.93 a limit of 256 was
      applied. This resulted, if any header-line rewrite rules were configured,
      in a panic-log triggerable by sending a message with a long address in
      a header.  Fix by increasing the arbitrary limit to larger than a single
      (dewrapped) 5322 header line maximum size.

JH/31 The ESMTP option name advertised for the SUPPORT_EARLY_PIPE build option
      is changed from X_PIPE_CONNECT to PIPE_CONNECT. This is in line with
      RFC 6648 which deprecates X- options in protocols as a general practice.
      Changeover between the implementations is handled by the mechanisms
      already coded.

JH/32 Bug 2599: fix delay of delivery to a local address where there is also
      a remote which uses callout/hold.  Previously the local was queued.

JH/33 Fix a taint trap in the ${listextract } expansion when the source data
      was tainted.

JH/35 Bug 2343: Harden exim_tidydb against corrupt wait- files.

JH/36 Bug 2687: Fix interpretation of multiple ^ chars in a plaintext
      authenticator client_send option.  Previously the next char, after a pair
      was collapsed, was taken verbatim (so ^^^foo became ^^foo; ^^^^foo became
      ^^\x00foo). Fixed to get ^\x00foo and ^^foo respectively to match the
      documentation.  There is still no way to get a leading ^ immediately
      after a NUL (ie. for the password of a PLAIN method authenticator).

JH/39 Bug 2691: fix $local_part_data.  When the matching list element
      referred to a file, bad data was returned.  This likely also affected
      $domain_part_data.

JH/41 Fix daemon SIGHUP on FreeBSD.  Previously, a named socket for IPC was
      left undeleted; the attempt to re-create it then failed - resulting in
      the usual "SIGHUP to have daemon reload configuration" to not work.
      This affected any platform not supporting "abstract" Unix-domain
      sockets (i.e. not Linux).

JH/42 Bug 2692: Harden against a peer which reneges on a 452 "too many
      recipients" response to RCPT in a later response, with a 250.  The
      previous coding assumed this would not happen, and under PIPELINING
      would result in both lost and duplicate recipients for a message.

JH/43 Bug 2694: Fix weighted distribution of work to multiple spamd servers.
      Previously the weighting was incorrectly applied.  Similar fix for socks
      proxies.  Found and fixed by Heiko Schlichting.

JH/44 Bug 2701: Fix list-expansion of dns_ipv4_lookup.  Previously, it did
      not handle sub-lists included using the +namedlist syntax.  While
      investigating, the same found for dns_trust_aa, dns_again_means_nonexist,
      dnssec_require_domains, dnssec_request_domains, srv_fail_domains,
      mx_fail_domains.

HS/01 Enforce absolute PID file path name.

HS/02 Handle SIGINT as we handle SIGTERM: terminate the Exim process.

PP/01 Add a too-many-bad-recipients guard to the default config's RCPT ACL.

PP/02 Bug 2643: Correct TLS DH constants.
      A missing NUL termination in our code-generation tool had led to some
      incorrect Diffie-Hellman constants in the Exim source.
      Reported by kylon94, code-gen tool fix by Simon Arlott.

PP/03 Impose security length checks on various command-line options.
      Fixes CVE-2020-SPRSS reported by Qualys.

PP/04 Fix Linux security issue CVE-2020-SLCWD and guard against PATH_MAX
      better.  Reported by Qualys.

PP/05 Fix security issue CVE-2020-PFPSN and guard against cmdline invoker
      providing a particularly obnoxious sender full name.
      Reported by Qualys.

PP/06 Fix CVE-2020-28016 (PFPZA): Heap out-of-bounds write in parse_fix_phrase()

PP/07 Refuse to allocate too little memory, block negative/zero allocations.
      Security guard.

PP/08 Change default for recipients_max from unlimited to 50,000.

PP/09 Fix security issue with too many recipients on a message (to remove a
      known security problem if someone does set recipients_max to unlimited,
      or if local additions add to the recipient list).
      Fixes CVE-2020-RCPTL reported by Qualys.

PP/10 Fix security issue in SMTP verb option parsing
      Fixes CVE-2020-EXOPT reported by Qualys.

PP/11 Fix security issue in BDAT state confusion.
      Ensure we reset known-good where we know we need to not be reading BDAT
      data, as a general case fix, and move the places where we switch to BDAT
      mode until after various protocol state checks.
      Fixes CVE-2020-BDATA reported by Qualys.

HS/03 Die on "/../" in msglog file names

QS/01 Creation of (database) files in $spool_dir: only uid=0 or the uid of
      the Exim runtime user are allowed to create files.

QS/02 PID file creation/deletion: only possible if uid=0 or uid is the Exim
      runtime user.

QS/03 When reading the output from interpreted forward files we do not
      pass the pipe between the parent and the interpreting process to
      executed child processes (if any).

QS/04 Always die if requested from internal logging, even if logging is
      disabled.
2021-05-04 20:29:38 +00:00
ryoon
30de21c181 notmuch: Update to 0.32
Changelog:
Notmuch 0.32 (2021-05-02)
=========================

General
-------

This release includes a significant overhaul of the configuration
management facilities for notmuch.  The previous distinction between
configuration items that can be modified via plain text configuration
files and those that must be set in the database via the "notmuch
config" subcommand is gone, and all configuration items can be set in
both ways.  The external configuration file overrides configuration
items in the database. The location of database, hooks, and
configuration files is now more flexible, with several new
configuration variables. In particular XDG locations are now supported
as fallbacks for database, configuration and hooks. For more
information see `notmuch-config(1)`.

Library
-------

To support the new configuration facilities, several functions and
constants have been added to the notmuch API. Most notably:

- `notmuch_database_create_with_config`
- `notmuch_database_open_with_config`
- `notmuch_database_load_config`
- `notmuch_config_get`

A previously requested API change is that `notmuch_database_reopen` is
now exposed (and generalized).

The previously severe slowdowns from large numbers of calls to
notmuch_database_remove_message or notmuch_message_delete in one
session have been fixed.

As always, the canonical source of API documentation is
`lib/notmuch.h`, or the doxygen formatted documentation in `notmuch(3)`

CLI
---

The `notmuch config set` subcommand gained a `--database` argument to
specify that the database should be updated, rather than a config file.

The speed of `notmuch new` and `notmuch reindex` in dealing with large
numbers of mail file deletions is significantly improved.

Emacs
-----

Completion related updates include: de-duplicating tags offered for
completion, use the actual initial input in address completion, allow
users to opt out of notmuch address completion, and do not force Ido
when prompting for senders.

Some keymaps used to contain bindings for unnamed commands.  These
lambda expressions have been replaced by named commands (symbols), to
ease customization.

Lexical binding is now used in all notmuch-emacs libraries.

Fix bug in calling `notmuch-mua-mail` with a non-nil RETURN-ACTION.

Removed, inlined or renamed functions and variables:
    `notmuch-address-locate-command`,
    `notmuch-documentation-first-line`, `notmuch-folder`,
    `notmuch-hello-trim`, `notmuch-hello-versions` => `notmuch-version`,
    `notmuch-remove-if-not`, `notmuch-search-disjunctive-regexp`,
    `notmuch-sexp-eof`, `notmuch-split-content-type`, and
    `notmuch-tree-button-activate`.
2021-05-03 14:50:46 +00:00
wiz
98c32284f1 postfix: remove non-existent download site 2021-05-02 12:11:51 +00:00
nia
ab8a1fb4af *: Use the tools framework for gdbus-codegen 2021-05-02 11:06:12 +00:00
nia
773cde7da8 *: Use the tools framework for itstool
Now it should be more obvious when a package needs it as a dependency,
as it will fail loudly if it isn't declared as a tool.

While here, some duplicate dependencies on itstool were removed from the
MATE packages
2021-05-02 10:24:47 +00:00
cirnatdan
7bcfa38487 evolution-data-server: Really fix build, backport upstream patch for newer CMake 2021-04-28 12:21:50 +00:00
triaxx
22f39bdbbb postfix: Update to 3.5.10
upstream changes:
-----------------
Fixed in 3.5.10:
  o Missing null pointer checks (introduced in Postfix 3.4) after an internal I/O error during the smtp(8) to tlsproxy(8) handshake. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni.
  o Null pointer bug (introduced in Postfix 3.0) and memory leak (introduced in Postfix 3.4) after an inline: table syntax error in main.cf or master.cf. Found by Coverity, reported by Jaroslav Skarvada. Based on a fix by Viktor Dukhovni.
  o Incomplete null pointer check (introduced: Postfix 2.10) after truncated HaProxy version 1 handshake message. Found by Coverity, reported by Jaroslav Skarvada. Fix by Viktor Dukhovni.
  o Missing null pointer check (introduced: Postfix alpha) after null argv[0] value.
2021-04-26 15:26:08 +00:00
ryoon
3767961cc7 thunderbird-l10n: Update to 78.10.0
* Sync with mail/thunderbird-78.10.0.
2021-04-26 14:31:32 +00:00
ryoon
9fb8623533 thunderbird: Update to 78.10.0
Changelog:
Fixes:
Usability & theme improvements on Windows
Various security fixes

Security fixes:
#CVE-2021-23994: Out of bound write due to lazy initialization
#CVE-2021-23995: Use-after-free in Responsive Design Mode
#CVE-2021-23998: Secure Lock icon could have been spoofed
#CVE-2021-23961: More internal network hosts could have been probed by a
 malicious webpage
#CVE-2021-23999: Blob URLs may have been granted additional privileges
#CVE-2021-24002: Arbitrary FTP command execution on FTP servers using an
 encoded URL
#CVE-2021-29945: Incorrect size computation in WebAssembly JIT could lead to
 null-reads
#CVE-2021-29948: Race condition when reading from disk while verifying
 signatures
2021-04-26 14:30:03 +00:00
wiz
6be62aa3cb xfmail: remove dead download link 2021-04-25 06:51:35 +00:00
wiz
f5a1d02ef2 xbuffy: remove dead download link 2021-04-25 06:25:57 +00:00
wiz
3aa6923ea9 newmail: remove dead download link 2021-04-25 06:17:05 +00:00
wiz
2045bc012d metamail: remove dead download link 2021-04-25 05:57:10 +00:00
wiz
7b4b9e0153 procmail: remove dead links 2021-04-25 05:55:54 +00:00
wiz
4dc1c4ae88 ncm: remove dead download link 2021-04-24 20:05:21 +00:00
wiz
c1375b624e *: remove dead download links 2021-04-24 11:37:29 +00:00
wiz
361ec4a4ae wl: update HOMEPAGE 2021-04-24 11:34:18 +00:00
wiz
3ccc656ca5 wl: remove dead links 2021-04-24 11:33:05 +00:00
wiz
1ae7cb84bc ja-mh: remove dead download sites 2021-04-24 08:31:29 +00:00
wiz
d1515b4bda imap-uw*: remove dead download link 2021-04-24 00:30:27 +00:00
wiz
64a5a4f5b3 bulk_mailer: remove dead download link 2021-04-23 22:26:10 +00:00
adam
da0a125726 revbump for boost-libs 2021-04-21 13:24:06 +00:00
cirnatdan
c46f0dd82d evolution-data-server: Fix broken build because of undefined LIB_SUFFIX
https://us-east.manta.joyent.com/pkgsrc/public/reports/NetBSD/trunk/x86_64/20210419.2013//evolution-data-server-3.35.1nb14/configure.log
2021-04-21 12:59:48 +00:00
adam
9d0e79c401 revbump for textproc/icu 2021-04-21 11:40:12 +00:00
nia
adbb9d6e0e opensmtpd: remove, needs a newer version re-importing from wip
this version is broken with current openssl and old and likely insecure.
newer version probably needs something like libretls sitting in front.
2021-04-21 09:34:58 +00:00
wiz
a944dfca6d *: remove dead download locations 2021-04-21 08:57:09 +00:00
wiz
30f3bf6903 *: remove dead download location 2021-04-21 08:53:30 +00:00
wiz
6bf6bf9df5 *: remove dead master site 2021-04-21 08:11:16 +00:00
ryoon
633bec58e9 *: Recursive revbump from devel/nss 2021-04-15 11:23:03 +00:00
wiz
3ea135e67c notmuch: mark python as build dependency
Python bindings are not installed by this package.

Bump PKGREVISION.
2021-04-13 08:36:09 +00:00
gdt
9e843f28b2 spamassassin: Update to 3.4.6
upstream: bugfixes
2021-04-12 22:27:05 +00:00
taca
09f2b2267c www/ruby-rails61: update to 6.1.3.1
Real changes are in devel/devel/ruby-activestorage61 only.

## Rails 6.1.3.1 (March 26, 2021) ##

*  Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
   mime types data.

   *George Claghorn*
2021-04-11 13:28:01 +00:00
taca
d0e1571a56 www/ruby-rails60: update to 6.0.3.6
Real changes are in devel/ruby-activestorage60 only.

## Rails 6.0.3.6 (March 26, 2021) ##

*   Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
    mime types data.

    *George Claghorn*
2021-04-11 13:24:56 +00:00
taca
4023873efe www/ruby-rails52: update to 5.2.5
Real changes are in devel/ruby-activestorage52 only.


## Rails 5.2.5 (March 26, 2021) ##

*   Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
    mime types data.

    *George Claghorn*

*   The Poppler PDF previewer renders a preview image using the original
    document's crop box rather than its media box, hiding print margins. This
    matches the behavior of the MuPDF previewer.

    *Vincent Robert*
2021-04-11 13:20:08 +00:00
wiz
14c07cf0ce *: bump PKGREVISION for nss linking fix 2021-04-09 06:54:56 +00:00
markd
9f17ade459 kde applications release: update to 20.12.3
10 months worth of updates.
2021-04-07 12:28:14 +00:00
schmonz
8f87a2a9eb Update to 3.13. From the changelog:
* Drop support for Python 3.5, add support for Python 3.9
* Switch to feedparser 6
* Switch to poetry instead of requirements.txt
* Make the `verbose` flag in the config file actually have an impact,
  and have it default to `info`
* Improve log messages
* Remove documentation of `smtp-ssl-protocol` as this option was
  dropped in 2016
* Stop forging SMTP and sendmail envelope sender (#134)
* Add sendmail_config option
* Log sendmail output
* Support multipart/alternative emails with both HTML and plain text
  parts with option `multipart-html`
* Add inline-links option, allowing links to be sent to the bottom of
  the paragraph
* Add wrap-links option, preventing links from being wrapped over
  multiple lines
* Stop looking in $XDG_DATA_DIRS for the database, and only look in
  $XDG_DATA_HOME
* Warnings about HTTP content-type being unexpected now properly display
* Make the proxy parameter also affect https connections
* Add a --clean argument on the run command to reduce the database size
* Set body element attribute dir=auto in HTML mail
* Store the lock file in XDG_RUNTIME_DIR instead of /tmp
2021-04-03 18:43:32 +00:00
cirnatdan
434c87e823 evolution: remove wrong buildlink3 entries
Remove leftover buildlink dependencies that are not in evolution's
buildlink tree
2021-03-30 16:34:14 +00:00
manu
fafa8c1c76 Add RequiredFrom option
If RequiredFrom is set, opendmarc will reject messages that lack
a From header from which a valid domain can be extracted. This
is a subset of the full RFC5322 requirements enforced by the
RequiredHeaders option.

While non RFC5322-compliant messages are too common to make
RequiredHeaders always usable, the check on the From header
remains especially valuable. It makes sure forged domain messages
cannot evade the filter by just omitting the From header and relying
on the MTA to fill it by a copy from the envelope header.

Submitted upstream as
https://github.com/trusteddomainproject/OpenDMARC/pull/147
2021-03-29 09:30:59 +00:00
ryoon
0229d696db thunderbird-l10n: Update to 78.9.0
* Sync with mail/thunderbird-78.9.0.
2021-03-25 15:47:42 +00:00