Release 1.11.1:
Switched to using PBKDF2 implementation provided by PyCA, replacing a much slower pure-Python implementation used in earlier releases.
Improved support for file-like objects in process I/O redirection, properly handling objects which don’t support fileno() and allowing both text and binary file objects based on whether they have an ‘encoding’ member.
Changed PEM parser to be forgiving of trailing blank lines.
Updated documentation to note lack of support in OpenSSH for send_signal(), terminate(), and kill() channel requests.
Updated unit tests to work better with OpenSSH 7.6.
Updated Travis CI config to test with more recent Python versions.
Upstream changes:
Highlights
MDL-59798 - Assignment: Show Due Date in calendar for teachers and managers
MDL-36580 - External Tool: backup/restore consumer key and secret (on the same site only)
MDL-57560 - Show file upload progress bar in Boost theme
MDL-37810 - List custom roles in the filter on Participants page
Security issues
A number of security related issues were resolved. Details of these issues will be released after a period of approximately one week to allow system administrators to safely update to the latest version.
Fixes and improvements
MDL-52131 - Respect comment format in questions manual comments when Plain text area editor is used
MDL-55849 - Assignment: Reopening a group assignment should not create additional attempts for each group member
MDL-59909 - Fixed error in ad-hoc refresh_mod_calendar_events_task that caused exceptions and very long cron run time
MDL-59780 - Restore MathJax filter settings that were lost in previous upgrades
MDL-54540 - External tool: Allow to switch to full screen mode
MDL-51892 - Better explanation of the reason for failed logins in the logs report
MDL-57055 - Label resource: allow to access "Label administration" without Administration block on the "Edit label" page
MDL-53244 - Show error message when incorrect CAPTCHA is entered on sign-up page
MDL-57477 - Fixed configuration of PHP 7 sessions using memcached (3.x.x)
MDL-59854 - Forum: Avoid creating duplicate subscriptions due to race conditions
MDL-60366 - Feedback: fixed upgrade script (introduced in 3.1.6 and 3.2.3) that deleted valid multiple anonymous attempts. If your site was affected, please follow MDL-60592 for the script that restores accidentally deleted data.
Upstream changes:
1.58 2017-11-15 rurban
----
* Drop 5.005 support
* Switch from DynaLoader to XSLoader [atoomic #5]
* Replace use vars by our. [atoomic #5]
* Lazy load Carp only when required. [atoomic #5]
* Minor test improvements
* Fix v5.8 cast warnings
Upstream changes:
0.67 Wed Nov 15 18:59:33 CET 2017
- Support standard tags !!str, !!map and !!seq instead of dying. PR#67
(TINITA++)
- Support JSON::PP::Boolean and boolean.pm via $YAML::XS::Boolean. PR#66
(TINITA++) Thanks also to Björn Höhrmann for SvPV_nolen()
Upstream changes:
2.003003 - 2017-11-16
- test tweaks
- fix handling of code refs stored directly in the stash (for perl 5.28)
- consider inline packages with constants in them as being loaded
- stubs will be treated as methods that exist when inflating to Moose
- avoid loading overload.pm unless required
Changelog:
New
In Thunderbird 52 a new behavior was introduced for replies to mailing
list posts: "When replying to a mailing list, reply will be sent to
address in From header ignoring Reply-to header". A new preference
mail.override_list_reply_to allows to restore the previous behavior.
Fixed
Under certain circumstances (image attachment and non-image attachment),
attached images were shown truncated in messages stored in IMAP
folders not synchronised for offline use.
Fixed
IMAP UIDs > 0x7FFFFFFF not handled properly
Security fixes:
#CVE-2017-7793: Use-after-free with Fetch API
Reporter
Abhishek Arya
Impact
high
Description
A use-after-free vulnerability can occur in the Fetch API when the
worker or the associated window are freed when still in use,
resulting in a potentially exploitable crash.
References
Bug 1371889
#CVE-2017-7818: Use-after-free during ARIA array manipulation
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur when manipulating arrays of
Accessible Rich Internet Applications (ARIA) elements within containers
through the DOM. This results in a potentially exploitable crash.
References
Bug 1363723
#CVE-2017-7819: Use-after-free while resizing images in design mode
Reporter
Nils
Impact
high
Description
A use-after-free vulnerability can occur in design mode when image
objects are resized if objects referenced during the resizing have
been freed from memory. This results in a potentially exploitable crash.
References
Bug 1380292
#CVE-2017-7824: Buffer overflow when drawing and validating elements
with ANGLE
Reporter
Omair, Andre Weissflog
Impact
high
Description
A buffer overflow occurs when drawing and validating elements with
the ANGLE graphics library, used for WebGL content. This is due to
an incorrect value being passed within the library during checks and
results in a potentially exploitable crash.
References
Bug 1398381
#CVE-2017-7805: Use-after-free in TLS 1.2 generating handshake hashes
Reporter
Martin Thomson
Impact
high
Description
During TLS 1.2 exchanges, handshake hashes are generated which point
to a message buffer. This saved data is used for later messages but
in some cases, the handshake transcript can exceed the space available
in the current buffer, causing the allocation of a new buffer. This
leaves a pointer pointing to the old, freed buffer, resulting in
a use-after-free when handshake hashes are then calculated afterwards.
This can result in a potentially exploitable crash.
References
Bug 1377618
#CVE-2017-7814: Blob and data URLs bypass phishing and malware
protection warnings
Reporter
François Marier
Impact
moderate
Description
File downloads encoded with blob: and data: URL elements bypassed
normal file download checks through the Phishing and Malware Protection
feature and its block lists of suspicious sites and files. This
would allow malicious sites to lure users into downloading executables
that would otherwise be detected as suspicious.
References
Bug 1376036
#CVE-2017-7825: OS X fonts render some Tibetan and Arabic unicode
characters as spaces
Reporter
Khalil Zhani
Impact
moderate
Description
Several fonts on OS X display some Tibetan and Arabic characters
as whitespace. When used in the address bar as part of an IDN
this can be used for domain name spoofing attacks.
Note: This attack only affects OS X operating systems. Other
operating systems are unaffected.
References
Bug 1393624
Bug 1390980
#CVE-2017-7823: CSP sandbox directive did not create a unique origin
Reporter
Jun Kokatsu
Impact
moderate
Description
The content security policy (CSP) sandbox directive did not
create a unique origin for the document, causing it to behave as
if the allow-same-origin keyword were always specified. This could
allow a Cross-Site Scripting (XSS) attack to be launched from
unsafe content.
References
Bug 1396320
#CVE-2017-7810: Memory safety bugs fixed in Firefox 56, Firefox ESR 52.4,
and Thunderbird 52.4
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christoph Diehl, Jan de Mooij,
Jason Kratzer, Randell Jesup, Tom Ritter, Tyson Smith, and Sebastian
Hengst reported memory safety bugs present in Firefox 55, Firefox
ESR 52.3, and Thunderbird 52.3. Some of these bugs showed evidence
of memory corruption and we presume that with enough effort some
of these could be exploited to run arbitrary code.
References
Memory safety bugs fixed in Firefox 56 and Firefox ESR 52.4
Changelog:
Security fixes:
#CVE-2017-7828: Use-after-free of PressShell while restyling layout
Reporter
Nils
Impact
critical
Description
A use-after-free vulnerability can occur when flushing and resizing
layout because the PressShell object has been freed while still
in use. This results in a potentially exploitable crash during
these operations.
References
Bug 1406750
Bug 1412252
#CVE-2017-7830: Cross-origin URL information leak through Resource Timing API
Reporter
Jun Kokatsu
Impact
high
Description
The Resource Timing API incorrectly revealed navigations in cross-origin
iframes. This is a same-origin policy violation and could allow for
data theft of URLs loaded by users.
References
Memory safety bugs fixed in Firefox 57
#CVE-2017-7826: Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
Reporter
Mozilla developers and community
Impact
critical
Description
Mozilla developers and community members Christian Holler, David
Keeler, Jon Coppeard, Julien Cristau, Jan de Mooij, Jason Kratzer,
Philipp, Nicholas Nethercote, Oriol Brufau, André Bargull, Bob Clary,
Jet Villegas, Randell Jesup, Tyson Smith, Gary Kwong, and Ryan VanderMeulen
reported memory safety bugs present in Firefox 56 and Firefox ESR 52.4.
Some of these bugs showed evidence of memory corruption and we presume
that with enough effort some of these could be exploited to
run arbitrary code.
References
Memory safety bugs fixed in Firefox 57 and Firefox ESR 52.5
No changes intended on other platforms, the configure script arguments
should be identical to those previously found in config.toml. Doing it
this way makes it a lot easier to have per-OS configuration.
Bugs fixed in this release
- 784735 : gst-libav: Memory leak and possible crash in avio_alloc_context.
XXX Unfortunately https://trac.ffmpeg.org/ticket/6775 stands.
(ffmpeg 3.4 regression)
This modification to the Makefile is no longer necessary since the
custom CFLAGS and LDFLAGS are now passed explicitly, instead of through
the environment (which did not work for me).
NFC.
In the C plug-ins, mark the constructor and destructor functions as
such. While there, comment out a new target to run the tests; they are
broken, but not because of this modification. This allows us to use
cc(1) to link the plug-ins, thus working around a bug in the cwrappers
for ld(1).
Bump PKGREVISION, since this generates a different binary now that SSP
and FORTIFY are enabled.
This bug-fix release addresses several regressions in Gradle 4.3.
- Gradle 4.3 introduced an improvement where an error in resolving a
module from one repository would prevent Gradle from searching for
that same module in subsequent repositories. However, the change to
abort searching repositories on all unrecognized errors proved to be
too aggressive. With 4.3.1, only repository timeout errors will
prevent Gradle from searching for a module in a subsequent repository.
- Moreover, the connection and socket timeouts for HTTP/HTTPS requests
have been increased to 30 seconds.
- This version of Gradle also removes an overload of
TaskInputs.property which caused statically compiled plugin code to
use the wrong method when calling TaskInputs.property(..., null).
- Finally, when using --scan the build scan plugin is applied before
other plugins to avoid rendering a warning message.
Features
- Send keyspace in QUERY, PREPARE, and BATCH messages
- Add IPv4Address/IPv6Address support for inet types
- WriteType.CDC and VIEW missing
- Warn on Cluster init if contact points are specified but LBP isn't
- Include hash of result set metadata in prepared stmt id
- Add NO_COMPACT startup option
- Add new exception type for CDC
Bug Fixes
- Both _set_final_exception/result called for the same ResponseFuture
- Use of DCAwareRoundRobinPolicy raises NoHostAvailable exception
- Not create two sessions by default in CQLEngine
- Bug when subclassing AsyncoreConnection
- Error at cleanup when closing the asyncore connections
- Fix sites where sessions can change during iteration
- cqlengine: allow min_length=0 for Ascii and Text column types
- Rare exception when "sys.exit(0)" after query timeouts
- Don't set the session keyspace when preparing statements
- Use of DCAwareRoundRobinPolicy raises NoHostAvailable exception
Other
- Remove DeprecationWarning when using WhiteListRoundRobinPolicy
- Bump Cython dependency version to 0.27
Pkgsrc changes:
* for zabbix-frontend, adjust PLIST
Upstream changes:
Changes for 3.2.10
3.2.10rc1 was released as 3.2.10 without any changes
Changes for 3.2.10rc1
New features:
..F....... [ZBXNEXT-1421] added service sorting by name if multiple services
have the same 'sortorder' value (miks)
..F....... [ZBXNEXT-4081] improved error message for case when none of
supported database modules exists (gcalenko)
Bug fixes:
..F....... [DEV-593] fixed multiple security issues (miks)
........S. [ZBX-11658] fixed error message in case no items were found
for aggregated check (gleb)
.......PS. [ZBX-12854] fixed crash of VMware collector with DebugLevel=4 (gleb)
...G...... [ZBX-11902] fixed CPU count for LPAR partitions in IBM AIX (abs)
...G...... [ZBX-12260] fixed windows agent to support UTF-16LE, UCS-2,
UCS-2LE encodings (vso)
..F....... [ZBX-6669] fixed use of current host as filter when selecting
items for graph forms and trigger forms (gcalenko)
..F....... [ZBX-12722] fixed scrollbar causing a JS error in "500 latest
values" page due to unnecessary initialization (Ivo)
..F....... [ZBX-12710] fixed OS type detection logic (vjaceslavs)
..F....... [ZBX-12543] fixed problems with session management (vjaceslavs)
........S. [ZBX-12259] added an informative warning about lack of data for
macros used in LLD rule filter (viktors)
--------------------------------------------------------------------------------
Changes for 3.2.9
3.2.9rc1 was released as 3.2.9 without any changes
--------------------------------------------------------------------------------
Changes for 3.2.9rc1
New features:
...G...PS. [ZBXNEXT-1862] modified server, proxy and agent to follow
changes in /etc/resolv.conf (Andris)
Bug fixes:
..F....... [ZBX-12788] fixed error when template is added to hosts via
mass update form (gcalenko, vmurzins)
..F....... [ZBX-12666] fixed ETag comparison check in jsLoader for web
server with enabled compression (gcalenko)
........S. [ZBX-10547] fixed IT services calculation in parallel
transactions not seeing each other changes when calculating
common parent service (vso)
........S. [ZBX-12441] fixed user permission check for macros containing
user personal information in notification messages (viktors)
....I..... [ZBX-12779] fixed detection of PostgreSQL 10 (Andris)
.......P.. [ZBX-12281] fixed simultaneous sending of the same history
data from passive proxy (gleb, vjaceslavs)
..F....... [ZBX-12770] fixed links in select popup for user groups;
updated group selection field in Administration->Users (gcalenko)
A......... [ZBX-8277] improved performance of hostgeneral.unlink() method;
fixed SQL statement (Sasha)
........S. [ZBX-11426] fixed the housekeeper for not deleting events in
open problem state (abs)
A......... [ZBX-10754] fixed inheritance of template properties in
web scenarios (miks)
A......... [ZBX-12681] fixed SQL errors in event.get() method (Sasha)
A......... [ZBX-12727] fixed response for script.get() method with
"editable" flag (Sasha)
A......... [ZBX-12727] fixed dcheck.get(), dhost.get() and dservice.get()
permission checks for admin users; related to ZBX-7238 (Sasha)
--------------------------------------------------------------------------------
Changes for 3.2.8
3.2.8rc1 was released as 3.2.8 without any changes
--------------------------------------------------------------------------------
Changes for 3.2.8rc1
New features:
A.F....... [ZBX-1357] enabled Turkish translation to be displayed
by default (zalex_ua)
A.F....... [ZBX-1357] updated Czech, English (United States), French,
Italian, Japanese, Korean, Russian, Turkish translations;
thanks to Zabbix translators (zalex_ua)
........S. [ZBX-12258] added bulk selections to improve performance
in processing of escalations (Sergejs)
Bug fixes:
..F....... [ZBX-12769] fixed XSS vulnerabilities in argument passing for
popup forms and file import forms (gcalenko)
A.F....... [ZBX-12768] added schema validation for URL fields based on
schemas whitelist in ZBX_URI_VALID_SCHEMES (gcalenko, Sasha)
.......PS. [ZBX-11675] fixed crash that could occur during connection
failures to MySQL (Sergejs, vso)
..F....... [ZBX-12617] fixed sorting by host name for items on
availability report page (gcalenko)
........S. [ZBX-12696] fixed trigger not being calculated for newly
received item values if last one of those is unsupported value (vso)
..F....... [ZBX-12548] fixed notification sound not being played for
message with timeout set to greater than minute (gcalenko)
...G...... [ZBX-12653] fixed heap corruption in Windows agent;
thanks to Ronnie Kaech for the patch (abs)
A......... [ZBX-12660] fixed result of hostinterface.replacehostinterfaces
method (Sasha)
..F....... [ZBX-12469] added new context for 'Second' string to be
properly translated in maintenance period form (gcalenko)
.......PS. [ZBX-12493] fixed address and ports array size in
zbx_init_ipmi_host() to match OpenIPMI internals (Andris, vso)
..F....... [ZBX-12623] fixed label macro resolving in maps (vjaceslavs)
..F.....S. [ZBX-11042] allowed libcurl to choose SMTP authentication
mechanism other than PLAIN (gleb, vjaceslavs)
..F....... [ZBX-8997] fixed trigger expression validation test
form (gcalenko, Sasha)
..F.I...S. [ZBX-12434] fixed housekeeping of problems and events for
deleted items and triggers; added optional database patch
to cleanup problems for deleted items and triggers (vso)
..F....... [ZBX-12646] fixed incorrect SQL query in availability reports (Sasha)
..F....... [ZBX-12545] fixed undefined index error on latest data
page when host was deleted in another session (gcalenko)
..F....... [ZBX-12321] fixed removal of multiselect options using
backspace button (miks)
..F....... [ZBX-12416] optimized data selection of user preferences
stored in profiles (gcalenko)
..F....... [ZBX-11607] fixed a rounding of large unsigned numbers (miks)
..F....... [ZBX-12404] fixed visibility of item data first row for
'latest data' page and 'audit log' page (gcalenko)
..F....... [ZBX-12463] fixed undefined index error in "Last 20 issues" (Sasha)
........S. [ZBX-12186] fixed parallel processing of multiple values
for same lld rule (vjaceslavs)
..F....... [ZBX-11887] fixed improper DB::refreshIds() call when
selected row is locked (miks)
..F....... [ZBX-12022] fixed trigger resolving in services configuration;
fixed popup window size (miks)
..F....... [ZBX-12429] fixed template replacement in mass update form (gcalenko)
..F....... [ZBX-12396] fixed an error in screens if screen trigger
overview element contains deleted host group (miks)
..F....... [ZBX-12439] fixed macro name field length in host configuration
form (gcalenko)
...G...PS. [ZBX-10820] fixed potential loss of data when server/proxy
processes zabbix_sender data (Andris)
........S. [ZBX-12446] fixed discovery and auto registration to accept
empty DNS names (vso)
........S. [ZBX-12295] fixed possible accumulation of executed tasks in
database (Sergejs)
........S. [ZBX-12318] fixed maintenance status not being updated in cache
if host is disabled (vso)
.......PS. [ZBX-12224] fixed connection to Oracle database when database
server gives out warnings (gleb)
...G...PS. [ZBX-12195] fixed contamination of script output with Zabbix's
own log messages when logging level is set to 4 or 5 and
LogType=console (gleb)
...G...... [ZBX-12270] fixed processing of AIX item 'system.stat[ent]'
in agent; thanks to Marc for patch (Andris)
..F....... [ZBX-12277] fixed trigger expression test form incorrectly
replacing macros (Ivo)
DEPRECATIONS/CHANGES:
- API HTTP client behavior: When calling `NewClient` the API no longer
modifies the provided client/transport.
- AWS EC2 client nonce behavior: The client nonce generated by the
backend that gets returned along with the authentication response
will be audited in plaintext.
- AWS Auth role options: The API will now error when trying to create
or update a role with the mutually-exclusive options
`disallow_reauthentication` and `allow_instance_migration`.
- SSH CA role read changes: When reading back a role from the `ssh`
backend, the TTL/max TTL values will now be an integer number of
seconds rather than a string. This better matches the API elsewhere
in Vault.
- SSH role list changes: When listing roles from the `ssh` backend via
the API, the response data will additionally return a `key_info` map
that will contain a map of each key with a corresponding object
containing the `key_type`.
- More granularity in audit logs: Audit request and response entries
are still in RFC3339 format but now have a granularity of
nanoseconds.
- High availability related values have been moved out of the
`storage` and `ha_storage` stanzas, and into the top-level
configuration. `redirect_addr` has been renamed to `api_addr`.
- A new `seal` stanza has been added to the configuration file, which
is optional and enables configuration of the seal type to use for
additional data protection, such as using HSM or Cloud KMS solutions
to encrypt and decrypt data.
FEATURES:
- RSA Support for Transit Backend: Transit backend can now generate
RSA keys which can be used for encryption and signing.
- Identity System: Now in open source and with significant
enhancements, Identity is an integrated system for understanding
users across tokens and enabling easier management of users directly
and via groups.
- External Groups in Identity: Vault can now automatically assign
users and systems to groups in Identity based on their membership in
external groups.
- Seal Wrap / FIPS 140-2 Compatibility (Enterprise): Vault can now
take advantage of FIPS 140-2-certified HSMs to ensure that Critical
Security Parameters are protected in a compliant fashion.
- Control Groups (Enterprise): Require multiple members of an Identity
group to authorize a requested action before it is allowed to run.
- Cloud Auto-Unseal (Enterprise): Automatically unseal Vault using AWS
KMS and GCP CKMS.
- Sentinel Integration (Enterprise): Take advantage of HashiCorp
Sentinel to create extremely flexible access control policies - even
on unauthenticated endpoints.
- Barrier Rekey Support for Auto-Unseal (Enterprise): When using
auto-unsealing functionality, the `rekey` operation is now
supported; it uses recovery keys to authorize the master key rekey.
- Operation Token for Disaster Recovery Actions (Enterprise): When
using Disaster Recovery replication, a token can be created that can
be used to authorize actions such as promotion and updating primary
information, rather than using recovery keys.
- Trigger Auto-Unseal with Recovery Keys (Enterprise): When using
auto-unsealing, a request to unseal Vault can be triggered by a
threshold of recovery keys, rather than requiring the Vault process to
be restarted.
- UI Redesign (Enterprise): All new experience for the Vault
Enterprise UI. The look and feel has been completely redesigned to
give users a better experience and make managing secrets fast and
easy.
- UI: SSH Secret Backend (Enterprise): Configure an SSH secret
backend, create and browse roles, and use them to sign keys or
generate one time passwords.
- UI: AWS Secret Backend (Enterprise): You can now configure the AWS
backend via the Vault Enterprise UI. In addition you can create
roles, browse the roles and Generate IAM Credentials from them
in the UI.
IMPROVEMENTS:
- api: Add ability to set custom headers on each call
- command/server: Add config option to disable requesting client
certificates
- core: Disallow mounting underneath an existing path, not just over
- physical/file: Use `700` as permissions when creating directories.
The files themselves were `600` and are all encrypted, but this
doesn't hurt.
- secret/aws: Add ability to use custom IAM/STS endpoints
- secret/cassandra: Work around Cassandra ignoring consistency levels
for a user listing query
- secret/pki: Private keys can now be marshalled as PKCS#8
- secret/pki: Allow entering URLs for `pki` as both comma-separated
strings and JSON arrays
- secret/ssh: Role TTL/max TTL can now be specified as either a string
or an integer
- secret/transit: Sign and verify operations now support a `none` hash
algorithm to allow signing/verifying pre-hashed data
- secret/database: Add the ability to glob allowed roles in the
Database Backend
- ui (enterprise): Support for RSA keys in the transit backend
- ui (enterprise): Support for DR Operation Token generation,
promoting, and updating primary on DR Secondary clusters
BUG FIXES:
- api: Fix panic when setting a custom HTTP client but with a nil
transport
- api: Fix authing to the `cert` backend when the CA for the client
cert is not known to the server's listener
- auth/approle: Create role ID index during read if a role is missing
one
- auth/aws: Don't allow mutually exclusive options
- auth/radius: Fix logging in in some situations
- core: Fix memleak when a connection would connect to the cluster
port and then go away
- core: Fix panic if a single-use token is used to step-down or seal
- core: Set rather than add headers to prevent some duplicated headers
in responses when requests were forwarded to the active node
- physical/etcd3: Fix some listing issues due to how etcd3 does prefix
matching
- physical/etcd3: Fix case where standbys can lose their etcd client
lease
- physical/file: Fix listing when underscores are the first component
of a path
- plugins: Allow response errors to be returned from backend plugins
- secret/transit: Fix panic if the length of the input ciphertext was
less than the expected nonce length
- ui (enterprise): Reinstate support for generic secret backends -
this was erroneously removed in a previous release
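The two configuration changes listed under DEPRECATIONS/CHANGES above (HA values moved out of the `storage`/`ha_storage` stanzas with `redirect_addr` renamed to `api_addr`, and the new optional `seal` stanza) are easy to get wrong during an upgrade, so here is an added before/after illustration. It is not from the Vault changelog or the Vault project; the Consul address, the Vault URL, the AWS region and the KMS key id are placeholders, and the listener stanza a real server file also needs is omitted. The two halves are alternatives, not one file.

```hcl
# BEFORE (layout the changelog says is being replaced):
# the HA redirect address lived inside the storage stanza.
storage "consul" {
  address       = "127.0.0.1:8500"                        # placeholder
  path          = "vault/"
  redirect_addr = "https://vault-1.example.internal:8200" # placeholder; renamed below
}

# AFTER: HA address is a top-level key named api_addr, and the
# optional seal stanza selects an external key-protection mechanism
# (here the AWS KMS seal; other seal types follow the same shape).
storage "consul" {
  address = "127.0.0.1:8500"  # placeholder
  path    = "vault/"
}

api_addr = "https://vault-1.example.internal:8200"  # placeholder

seal "awskms" {
  region     = "us-east-1"              # placeholder
  kms_key_id = "KMS_KEY_ID_PLACEHOLDER" # placeholder
}
```

When reviewing an upgraded deployment, check that no `redirect_addr` remains inside a `storage` or `ha_storage` block and that the `api_addr` value is the address other cluster members and clients can actually reach; if a `seal` stanza is added, the key it names must be reachable by the Vault process at every start, since the seal is consulted before the barrier can be opened.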
global `_res' variable. That's not supported on NetBSD, and IME
causes the zabbix agent daemon to exit shortly after having been started.
Convert to instead using res_ninit(), res_nsend(), and res_nclose().
Bump PKGREVISION.
This patch is a workaround for a perl core problem.
The patch has not been accepted upstream, and in its current form
introduces other bugs, see https://rt.perl.org/Ticket/Display.html?id=132448
Bump PKGREVISION.