Redis 6.2.4
===========
Upgrade urgency: SECURITY. Contains fixes to security issues that affect
authenticated client connections. MODERATE otherwise.
Fix integer overflow in STRALGO LCS (CVE-2021-32625)
An integer overflow bug in Redis version 6.0 or newer can be exploited using the
STRALGO LCS command to corrupt the heap and potentially result in remote code
execution. This is a result of an incomplete fix for CVE-2021-29477.
Bug fixes that are only applicable to previous releases of Redis 6.2:
* Fix crash after a diskless replication fork child is terminated
* Fix redis-benchmark crash on unsupported configs
Other bug fixes:
* Fix crash in UNLINK on a stream key with deleted consumer groups
* SINTERSTORE: Add missing keyspace del event when none of the sources exist
* Sentinel: Fix CONFIG SET of empty string sentinel-user/sentinel-pass configs
* Enforce client output buffer soft limit when no traffic
Improvements:
* Hide AUTH passwords in MIGRATE command from slowlog
The upcoming lapack64 needs the library name liblapack64, the
variable for that was missing in the patch. This does not change
the build of math/lapack itself.
3.2.5 (2021-04-05)
Improvements
* Add more validations to XPath parser.
* require "rexml/document" by default. [GitHub#36][Patch by Koichi ITO]
* Don't add #dclone method to core classes globally. [GitHub#37][Patch by
Akira Matsuda]
* Add more documentation. [Patch by Burdette Lamar]
* Added REXML::Elements#parent. [GitHub#52][Patch by Burdette Lamar]
Fixes
* Fixed a bug that REXML::DocType#clone doesn't copy external ID
information.
* Fixed round-trip vulnerability bugs. See also:
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
[HackerOne#1104077][CVE-2021-28965][Reported by Juho Nurminen]
Thanks
* Koichi ITO
* Akira Matsuda
* Burdette Lamar
* Juho Nurminen
2.0.5 (2021-03-19)
Fixed
* Support Mageia distros when libxml2/libxslt system libraries are
installed. #165 (Thank you, @pterjan!)
Added
* Forward-looking support for a version of Nokogiri that will provide HTML5
parsing. #171
Improved
* Update extconf.rb to use Nokogiri v1.11's CPPFLAGS for more reliable
installation. #163
2.0.4 (2020-11-27)
Fixed
* Fixed a bug where Nokogiri::HTML5.fragment(nil) would raise an error. Now
it returns an empty DocumentFragment like it did in v2.0.2.
* Fixed assertion failure when a tag immediately followed the UTF-8 BOM.
2.0.3 (2020-11-21)
Added
* Limit enforced on number of attributes per element, defaulting to 400 and
configurable with the :max_attributes argument.
Fixed
* Ignore UTF-8 byte order mark at the beginning of the input.
* Fix content sniffing for Unicode strings.
* Fixed crash where Ruby objects constructed in C can be garbage collected.
2.0.15 (2021-04-27)
Bug Fixes
* Don't include trailing period, question mark, or exclamation point in
target (URL) of autolink (#3860)
* Don't assign nil value to named attribute mapped to absent positional
attribute when parsing attrlist (#4033)
* Remove leading and trailing spaces around role on inline phrase (#4035)
* Ignore empty role on inline phrase defined using legacy syntax and
followed by comma (#4035)
* Use xreftext on document as fallback link text in HTML output for
inter-document xref that resolves to current document when no link text is
provided (#4032)
* Use xreftext on document as fallback link text in HTML output for internal
xref with empty fragment when no link text is provided (#4032)
* Use document ID as linkend in DocBook output for internal xref with empty
fragment; auto-generating one if necessary (#4032)
Improvements
* Format keyboard references in monospace in manpage output
Build / Infrastructure
* Get remaining invoker tests working on JRuby 9.1 for Windows
2.82.25 (2021-04-25)
* Resolve namespace properly for File
* use localcert for older rubies on appveyor test
2.82.24 (2021-03-23)
* debian: add support for Debian testing and unstable
* Remove Ruby 1.8.7 from .travis.yml
4.37.20 (2021-05-26)
Merged Pull Requests
* Added new automate doc link for login tokens in inspec automate login
--help command #5529 (Nik08)
* Bugfix for inspec detect --no-color to not return colourful output #5530
(Nik08)
* Drop EOL Ubuntu 16.04, build on 18.04 #5532 (clintoncwolfe)
4.37.17 (2021-05-20)
Enhancements
* Fix for port resource performance: adding more specific search while using
ss command #5522 (Vasu1105)
Merged Pull Requests
* Fix the lint and failing test for windows_feature resource #5524
(Vasu1105)
* Support zfs_pool and zfs_dataset resources on Linux. Handled #5075 #5523
(kannanr)
* Add basic docs for toml resource #5514 (clintoncwolfe)
* Add CI-CD docs #5489 (clintoncwolfe)
* Add explicit RHEL8 builders to omnibus build #5527 (clintoncwolfe)
* Changes returns nil on file non-existence through matcher
more_permissive_than #5519 (Nik08)
* Update control-eval Readme docs. #5516 (Vasu1105)
* Added Common Errors page doc #5517 (Nik08)
4.37.8 (2021-05-12)
Merged Pull Requests
* Update bond0 example to use params properly #5518 (gscho)
* HTTP resource response body coerced into UTF-8 #5510 (Nik08)
* Fixed automate login fake feedback on failure #5509 (Nik08)
* Document auxiliary reporter options on the reporter docs page #5504
(clintoncwolfe)
* Update chefstyle requirement from ~> 1.7.1 to ~> 2.0.3 #5508
(dependabot[bot])
* Update Hugo and correct how build previews are generated #5507 (IanMadd)
* Modified windows_feature to indicate enabled rather than just available
#5506 (jwdean)
* Remove outdated instructions about testing AWS and Azure resources #5499
(clintoncwolfe)
Quote from commit logs:
0.1.29 (2021-03-25)
* Land #31, Consistently return nil as the failure indicator
0.1.28 (2021-03-25)
* Land #30, Fix Some RangeWalker issues
0.1.27 (2021-03-24)
* Land #28, RangeWalker Updates To Return Hostnames When Available
# pkgload 1.2.1
* `unload()` no longer unregisters methods for generics of the package being unloaded. This way dangling references to generics defined in the stale namespace still work as expected (r-lib/vctrs#1341).
* `load_all()` will now work for packages that have testthat tests but do not have testthat installed (#151)
* The `pkgbuild` dependency has been moved to `Suggests`, as it is only needed for packages with compiled code.
* `load_all(warn_conflicts = TRUE)` becomes more narrow and only warns when a *function* in the global environment masks a *function* in the package, consistent with the docs (#125, #143 @jennybc).
* `load_all()` no longer does a comprehensive check on the `DESCRIPTION` file when loading, instead just checking that it exists and starts with Package (#149, @malcolmbarrett)
* `unload()` no longer warns when it can't unload a namespace.
# pkgload 1.2.0
* Fix test failure in R 4.1 with regards to S4 method registration
* `load_all()` now preserves existing namespaces in working order. In
particular, it doesn't unload the package's shared library and keeps
it loaded instead. When reloading, a copy of the SO for the new
namespace is loaded from a temporary location. These temporary SOs
are only unloaded on GC and deleted from their temporary location
via a weak reference attached to the namespace.
This mechanism ensures that lingering references to the namespace
keep working as expected. Consequently the namespace
propagation routine that was added to pkgload as a workaround has
been removed.
Note that `.Call()` invocations that pass a string symbol rather
than a structured symbol may keep crashing, because R will look into
the most recently loaded SO of a given name. Since symbol
registration is now the norm, we don't expect this to cause much
trouble.
* `load_all()` no longer forces all bindings of a namespace to avoid
lazy-load errors. Instead, it removes exported S3 methods from the
relevant tables.
- This improves the loading behaviour with packages that define
objects in their namespaces lazily (e.g. with `delayedAssign()`).
- This also makes `load_all()` more predictable after a method has
been removed from the package. It is now actually removed from the
generic table. It would previously linger until R was restarted.
* If `load_all()` attaches testthat, it automatically suppresses conflicts.
# pkgcache 1.2.2
* The default location of the cache has changed to align with the
standard `tools::R_user_dir()` cache location. To clean up your old
cache call `pkgcache:::cleanup_old_cache_dir()`.
# pkgcache 1.2.1
No user visible changes.
# pkgcache 1.2.0
* New `repo_add()`, `repo_get()`, `repo_resolve()` and `with_repo()`
functions to query and manipulate repositories.
* `meta_cache_*()` functions now handle `getOption("repos")` changes
correctly.
* Failed metadata downloads now do not trigger metadata updates (#52).
* New `bioc_release_version()`, `bioc_devel_version()`, `bioc_repos()`
helper functions to deal with Bioconductor repositories.
* Metadata cache functions, e.g. `meta_cache_deps()` etc. now allow
specifying the dependency types in all lowercase (#54).
(https://cran.r-project.org/web/packages/pkgKitten/news.html)
Changes in version 0.2.1 (2021-02-22)
A small documentation error was corrected (David Dalpiaz in #15).
A new option ‘bunny’ adds support for roxygen2.
Continuous integration now uses run.sh from r-ci.
Changes in version 0.2.0 (2020-09-27)
Continuous Integration uses the updated BSPM-based script on
Travis and with GitHub Actions (Dirk in #11 plus earlier commits).
A new default NAMESPACE file is now installed (Dirk in #12).
A package documentation website was added (Dirk in #13).
Call tinytest::puppy if installed and not opted out (Dirk in #14).
Major changes in 0.3.2:
* compressor: Fix hardlink handling for new cpio format (Ondrej Holy)
* compressor: Fix hardlink detection for remote files (Ondrej Holy)
* extractor: Fix extraction of readonly folders (Ondrej Holy)
Changes with nginx 1.21.0
*) Security: 1-byte memory overwrite might occur during DNS server
response processing if the "resolver" directive was used, allowing an
attacker who is able to forge UDP packets from the DNS server to
cause worker process crash or, potentially, arbitrary code execution
(CVE-2021-23017).
*) Feature: variables support in the "proxy_ssl_certificate",
"proxy_ssl_certificate_key", "grpc_ssl_certificate",
"grpc_ssl_certificate_key", "uwsgi_ssl_certificate", and
"uwsgi_ssl_certificate_key" directives.
*) Feature: the "max_errors" directive in the mail proxy module.
*) Feature: the mail proxy module supports POP3 and IMAP pipelining.
*) Feature: the "fastopen" parameter of the "listen" directive in the
stream module.
Thanks to Anbang Wen.
*) Bugfix: special characters were not escaped during automatic redirect
with appended trailing slash.
*) Bugfix: connections with clients in the mail proxy module might be
closed unexpectedly when using SMTP pipelining.
Changes with nginx 1.20.1
*) Security: 1-byte memory overwrite might occur during DNS server
response processing if the "resolver" directive was used, allowing an
attacker who is able to forge UDP packets from the DNS server to
cause worker process crash or, potentially, arbitrary code execution
(CVE-2021-23017).
nginx-rtmp-module v1.2.2:
Fixed segfaults.