Version 10.21.0 'Dubnium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
Commits
- deps: fix OPENSSLDIR on Windows
- deps: backport ICU-20958 to fix CVE-2020-10531
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
Version 12.18.0 'Erbium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Commits
- crypto: update root certificates
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
- tls: emit session after verifying certificate
- tools: update certdata.txt
Version 14.4.0 (Current)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Commits
- crypto: update root certificates
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
- tls: emit session after verifying certificate
- tools: update certdata.txt
perl v5.30.3
Security
[CVE-2020-10543] Buffer overflow caused by a crafted regular expression
A signed "size_t" integer overflow in the storage space calculations for nested regular expression
quantifiers could cause a heap buffer overflow in Perl's regular expression compiler that overwrites memory
allocated after the regular expression storage space with attacker-supplied data.
The target system needs a sufficient amount of memory to allocate partial expansions of the nested
quantifiers prior to the overflow occurring. This requirement is unlikely to be met on 64-bit systems.
[CVE-2020-10878] Integer overflow via malformed bytecode produced by a crafted regular expression
Integer overflows in the calculation of offsets between instructions for the regular expression engine could
cause corruption of the intermediate language state of a compiled regular expression. An attacker could
abuse this behaviour to insert instructions into the compiled form of a Perl regular expression.
[CVE-2020-12723] Buffer overflow caused by a crafted regular expression
Recursive calls to "S_study_chunk()" by Perl's regular expression compiler to optimize the intermediate
language representation of a regular expression could cause corruption of the intermediate language state of
a compiled regular expression.
Additional Note
An application written in Perl would only be vulnerable to any of the above flaws if it evaluates regular
expressions supplied by the attacker. Evaluating regular expressions in this fashion is known to be
dangerous since the regular expression engine does not protect against denial of service attacks in this
usage scenario.
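As an added illustration of the note above (this is not part of the perldelta text), the following Perl contrasts interpolating an untrusted string directly as a pattern, which hands the regex compiler and engine to whoever controls that string, with quoting it via `\Q...\E` (quotemeta) so it is matched only as a literal substring. The `$untrusted` and `$subject` values are constructed samples.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: a value arriving from outside the program
# (form field, config file, search box) and therefore possibly attacker-controlled.
my $untrusted = '.*';
my $subject   = 'report-2020.txt';

# Unsafe: the untrusted string is compiled as a regular expression, so the
# regex compiler's behaviour on crafted input (and the engine's lack of
# denial-of-service protection) is reachable by whoever controls $input.
sub match_as_pattern {
    my ($input, $text) = @_;
    return $text =~ /$input/ ? 1 : 0;
}

# Safe: \Q...\E applies quotemeta, escaping every metacharacter, so the
# untrusted string is matched as a literal substring and never compiled
# as a pattern.
sub match_as_literal {
    my ($input, $text) = @_;
    return $text =~ /\Q$input\E/ ? 1 : 0;
}

# With '.*' as input, the pattern form matches any subject at all, while
# the literal form matches only subjects containing the two characters ".*".
printf "as pattern: %d\n", match_as_pattern($untrusted, $subject);
printf "as literal: %d\n", match_as_literal($untrusted, $subject);
```

If an application genuinely needs user-supplied patterns, the note above still applies: the engine offers no protection against resource exhaustion in that usage scenario, so that design choice needs its own safeguards.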
Incompatible Changes
There are no changes intentionally incompatible with Perl 5.30.2.
Modules and Pragmata
Updated Modules and Pragmata
o Module::CoreList has been upgraded from version 5.20200314 to 5.20200601_30.
Since do-configure-pre-hook already depends on replace-interpreter, there
is no point in making any other stage depend on that as well. At best,
it has no effect. At worst it creates a hard-to-find difference between
builds that run "bmake install" directly and builds that split the build
into "bmake configure && bmake build && bmake install", as bulk builds
do.
## 1.9.1 - 2020-05-12
- Add :prefix option to declare-source
- Re-enable minimal builds with the debugger.
- Add several flags for configuring Janet on different platforms.
- Fix broken meson build from 1.9.0 and add meson to CI.
- Fix compilation issue when nanboxing is disabled.
## 1.9.0 - 2020-05-10
- Add `:ldflags` option to many jpm declare functions.
- Add `errorf` to core.
- Add `lenprefix` combinator to PEGs.
- Add `%M`, `%m`, `%N`, and `%n` formatters to formatting functions. These are the
same as `%Q`, `%q`, `%P`, and `%p`, but will not truncate long values.
- Add `fiber/root`.
- Add beta `net/` module to core for socket based networking.
- Add the `parse` function to parse strings of source code more conveniently.
- Add `jpm rule-tree` subcommand.
- Add `--offline` flag to jpm to force use of the cache.
- Allow sending pointers and C functions across threads via `thread/send`.
- Fix bug in `getline`.
- Add `sh-rule` and `sh-phony` to jpm's dialect of Janet.
- Change C api's `janet_formatb` -> `janet_formatbv`, and add new function `janet_formatb` to C api.
- Add `edefer` macro to core.
- A struct/table literal/constructor with duplicate keys will use the last value given.
Previously, this was inconsistent between tables and structs, literals and constructor functions.
- Add debugger to core. The debugger functions are only available
in a debug repl, and are prefixed by a `.`.
- Add `sort-by` and `sorted-by` to core.
- Support UTF-8 escapes in strings via `\uXXXX` or `\UXXXXXX`.
- Add `math/erf`
- Add `math/erfc`
- Add `math/log1p`
- Add `math/next`
- Add `os/umask`
- Add `os/perm-int`
- Add `os/perm-string`
- Add `:int-permissions` option for `os/stat`.
- Add `jpm repl` subcommand, as well as `post-deps` macro in project.janet files.
- Various bug fixes.
Version 14.3.0 (Current)
Notable Changes
REPL previews improvements with autocompletion
The output preview is changed to generate previews for autocompleted input instead of the actual input.
Pressing <enter> during a preview is now going to evaluate the whole string including the autocompleted part. Pressing <escape> cancels that behavior.
Support for Top-Level Await
It's now possible to use the await keyword outside of async functions.
These packages are susceptible to bugs when confronted with non-ASCII
characters.
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94182.
It takes some time to analyze and fix these individually, therefore they
are only marked as "needs work".
Dumb package that selects and installs a binary rust distribution
based on its guess of your platform (FreeBSD, NetBSD, Linux x86_64 are
all supported). These binaries are the official ones provided by
rust upstream and are the same as those provided by the `rustup` tool.
You can choose to use a binary rust distribution by setting:
RUST_TYPE=bin in mk.conf
(or source distribution with RUST_TYPE=src).
Currently, RUST_TYPE=bin by default ONLY for NetBSD-x86_64. This is
because TNF has been shown to _repeatedly_ be unable and _unwilling_ to
ensure that rust-dependent packages build properly on their
infrastructure, and NetBSD users are all suffering for it.
This was based on minskim's work in pkgsrc-wip.
It was tested by building librsvg and firefox-esr with the resulting
binaries.
pygls (pronounced like "pie glass") is a pythonic generic implementation
of the Language Server Protocol for use as a foundation for writing
language servers using Python (e.g. Python, XML, etc.). It allows
you to write your own language server in just a few lines of code.
## v1.10.3 (2020-04-25)
### 1. Bug fixes
#### Elixir
* [Code] Return `[{mod, bin}]` from `Code.compile_file/2`, `Code.require_file/2`, `Code.load_file/2`
* [Code] Make sure the formatter respects newlines before and after module attributes
* [Kernel.ParallelCompiler] Fix a bug where the parallel compiler would raise in long compilation cycles
* [Kernel.ParallelCompiler] Fix a bug where the parallel compiler would raise if some of the modules being compiled referred to a module that has been loaded directly to memory
* [Module] Fix accidental breaking change where bodiless clauses had their body value on `@on_definition` callbacks set to an empty list instead of `nil`
* [String] Undeprecate `String.normalize/2` normalize and fix infinite loop caused by certain invalid strings
#### ExUnit
* [ExUnit.Assertions] Fix pattern matching diff when matching on pinned variables
* [ExUnit.Assertions] Fix pattern matching diff when matching variable struct names
* [ExUnit.Assertions] Fix pattern matching diff when matching on the binary concat operator (`<>`) and the left side is not a literal string
* [ExUnit.Assertions] Fix pattern matching diff when matching on pseudo-vars (`__MODULE__`, `__DIR__`, etc)
#### Mix
* [mix release] Respect the `:path` option when creating a `:tar` file for releases
Changelog:
5.2.0
- Core libraries
- Fix `memory-statistics` by returning semi-space bytes and used
semi-space bytes like the documentation says. Old implementation
returned full-heap size and (full-heap - used-semi-space).
- for-each and map now behave consistently in compiled and interpreted
mode, like in SRFI-1. They now stop when the shortest list is
exhausted instead of raising an exception (fixes #1422).
- There is now a srfi-88 module which contains just the three
procedures from the (chicken keyword) module defined by the SRFI.
- A feature identifier named "srfi-88" is now registered.
- The procedures `record-printer` and `set-record-printer!` and a
corresponding SRFI-17 setter have been added. These deprecate
`define-record-printer` which isn't a "real" definition (see #1294).
- On Windows, `decompose-directory` no longer crashes when a drive
letter is present in the supplied path string.
- irregex-replace[/all] have been fixed for empty matches, so they
will no longer drop characters and ignore the replacement (#1661).
- Irregex has been updated to upstream 0.9.7, which also improves
how empty matches are treated in irregex-fold and irregex-split.
- Runtime system
- Quoted empty keywords like ||: and :|| are now read as prescribed
by SRFI-88 in the corresponding keyword mode. Symbols containing
quoted empty prefixes or suffixes like ||:abc and abc:|| will be
read correctly as symbols now (fixes #1625, thanks to Andy Bennett).
- IEEE floating point negative zero is now properly handled: it can
be read, written and distinguished by eqv? and equal?, but not =
(fixes #1627, thanks to John Cowan).
- ##sys#check-exact and its C implementations C_i_check_exact and
C_i_check_exact_2 have been deprecated (see also #1631).
- When the garbage collector is manually invoked from a finalizer, raise
an error instead of hanging forever (fixes #1586).
- define-record-type will now give an error if the constructor
definition refers to a field that's not listed elsewhere (see #1633).
- Added new -:hu option to set the memory usage low watermark
percentage at which the heap should be shrunk, and changed the
calculation to actually reflect this (see #1379).
- Compiler
- Fixed a bug in lfa2 pass which caused "if" or "cond" nodes to be
incorrectly unboxed if the "else" branch had a flonum result type
(#1624, thanks to Sven Hartrumpf).
- Inline files no longer refer to unexported foreign stub functions
(fixes #1440, thanks to "megane").
- In some cases, rest argument lists do not need to be reified, which
should make using optional arguments and case-lambda faster (#1623).
- Values from foreign types which have an argument or return value
converter are no longer inferred to have the Scheme type which
corresponds to the raw foreign type, which was incorrect (#1649).
- Module system
- Trying to export a foreign variable, define-inlined procedure or
define-constant variable gives a friendly error instead of saying
the variable doesn't exist (fixes #1346).
- When modules are registered, they no longer pollute the global
environment with imports made in that module (fixes #1548).
- Tools
- The new "-module-registration" option causes module registration
code to always be included in the program, even when it has also
been emitted as a separate file (for example with "-J").
- chicken-install now correctly checks server response code to avoid
interpreting error response bodies (like 404, 500) as Scheme code.
- chicken-install now follows HTTP redirects when downloading eggs.
- chicken-install will now change to the correct drive before
attempting to change to the egg directory (fixes#1647).
Python 3.8.3 final
Core and Builtins
bpo-40527: Fix command line argument parsing: no longer write errors multiple times into stderr.
bpo-40417: Fix imp module deprecation warning when PyImport_ReloadModule is called. Patch by Robert Rouhani.
bpo-39562: The constant values of future flags in the __future__ module are updated in order to prevent collision with compiler flags. Previously PyCF_ALLOW_TOP_LEVEL_AWAIT was clashing with CO_FUTURE_DIVISION.
Library
bpo-40559: Fix possible memory leak in the C implementation of asyncio.Task.
bpo-40355: Improve error reporting in ast.literal_eval() in the presence of malformed ast.Dict nodes instead of silently ignoring any non-conforming elements. Patch by Curtis Bucher.
bpo-40459: platform.win32_ver() now produces correct ptype strings instead of empty strings.
bpo-40398: typing.get_args() now always returns an empty tuple for special generic aliases.
Documentation
bpo-40561: Provide docstrings for webbrowser open functions.
bpo-39435: Fix an incorrect signature for pickle.loads() in the docs
Windows
bpo-40458: Increase reserved stack space to prevent overflow crash on Windows.
C API
bpo-40412: Nullify inittab_copy during finalization, preventing future interpreter initializations in an embedded situation from crashing.
Update php72 to 7.2.31 (PHP 7.2.31).
14 May 2020, PHP 7.2.31
- Core:
. Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
(CVE-2019-11048) (cmb)
. Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
files are not cleaned). (CVE-2019-11048) (cmb)
Update php73 to 7.3.18 (PHP 7.3.18).
14 May 2020, PHP 7.3.18
- Core:
. Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
(CVE-2019-11048) (cmb)
. Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
files are not cleaned). (CVE-2019-11048) (cmb)
. Fixed bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference
on !CS constant). (Nikita)
. Fixed bug #79477 (casting object into array creates references). (Nikita)
. Fixed bug #79470 (PHP incompatible with 3rd party file system on demand).
(cmb)
. Fixed bug #78784 (Unable to interact with files inside a VFS for Git
repository). (cmb)
- DOM:
. Fixed bug #78221 (DOMNode::normalize() doesn't remove empty text nodes).
(cmb)
- FCGI:
. Fixed bug #79491 (Search for .user.ini extends up to root dir). (cmb)
- MBString:
. Fixed bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
(Girgias)
- OpenSSL:
. Fixed bug #79497 (stream_socket_client() throws an unknown error sometimes
with <1s timeout). (Joe Cai)
- Phar:
. Fix bug #79503 (Memory leak on duplicate metadata). (cmb)
- SimpleXML:
. Fixed bug #79528 (Different object of the same xml between 7.4.5 and
7.4.4). (cmb)
- Standard:
. Fixed bug #79468 (SIGSEGV when closing stream handle with a stream filter
appended). (dinosaur)
The list of files is generated via find(1) and contains each file
individually. Some of these files are modified, some aren't. Those
files that aren't modified are redundant, but since they are not listed
explicitly in the package Makefile, there is no superfluous code.
Avoiding such superfluous code is the whole goal of SUBST_NOOP_OK.
These PLIST files have been autogenerated by mk/haskell.mk using
HS_UPDATE_PLIST=yes during a bulk build. They will help to track changes
to the packages. The Haskell packages didn't have PLIST files because
their paths contained package hashes. These hashes are now determined by
mk/haskell.mk, which makes it easy to generate easy to read PLIST files.
Changes since 2020-01-19:
2020-04-12:
- added cross realm support
- added AggregateError and Promise.any
- added env, uid and gid options in os.exec()
- misc bug fixes
2020-03-16:
- reworked error handling in std and os libraries: suppressed I/O
exceptions in std FILE functions and return a positive errno value
when it is explicit
- output exception messages to stderr
- added std.loadFile(), std.strerror(), std.FILE.prototype.tello()
- added JS_GetRuntimeOpaque(), JS_SetRuntimeOpaque(), JS_NewUint32()
- updated to Unicode 13.0.0
- misc bug fixes
Chibi-Scheme is a very small library intended for use as an extension
and scripting language in C programs. In addition to support for
lightweight VM-based threads, each VM itself runs in an isolated heap
allowing multiple VMs to run simultaneously in different OS threads.
The default repl language contains all bindings from R7RS small,
available explicitly as the (scheme small) library.
Support for additional languages such as JavaScript, Go, Lua and Bash
is planned for future releases. Scheme is chosen as a substrate
because its first-class continuations and guaranteed tail-call
optimization make implementing other languages easy.
Version 12.16.3 'Erbium' (LTS), @targos
Notable Changes
Dependencies:
Updated OpenSSL to 1.1.1g
Updated c-ares to 1.16.0
Updated experimental uvwasi to 0.0.6
ESM (experimental):
Additional warnings are no longer printed for modules that use conditional exports or package name self resolution
ruby26-base and beyond don't need this patch anymore. They get the
configuration directory from Gem::ConfigFile::SYSTEM_CONFIG_PATH, which
is set to RbConfig::CONFIG["sysconfdir"], which in turn is set to
PKGSYSCONFDIR.
Version 14.1.0
Notable Changes
deps: upgrade openssl sources to 1.1.1g
doc: add juanarbol as collaborator
http: doc deprecate abort and improve docs
module: do not warn when accessing __esModule of unfinished exports
n-api: detect deadlocks in thread-safe function
src: deprecate embedder APIs with replacements
stream:
* don't emit end after close
* don't wait for close on legacy streams
* pipeline should only destroy un-finished streams
vm: add importModuleDynamically option to compileFunction
Version 14.0.0 (Current)
Notable Changes
ECMAScript Modules - Experimental Warning Removal
New V8 ArrayBuffer API
cli, report: move --report-on-fatalerror to stable
deps: upgrade to libuv 1.37.0
fs: add fs/promises alias module
Vala 0.48.5
===========
* Regression and bug fixes:
- Revert "vala: Set default_construction_method in semantic-analyzer check
if required" [#982]
- tests: Fix make dist
Vala 0.48.4
===========
* Various improvements and bug fixes:
- codegen:
+ Fix binary 'in' operator on array with boxed value-typed needle [#951]
+ Use get_value_*_function() in GSignalModule.generate_marshaller() [#468]
+ Correctly handle signals returning real non-nullable struct [#466]
+ Use specified indices to access multidimensional array constants [#905]
+ Fix base-access to non-abstract/non-virtual properties [#204]
+ Fix default of CCode.pos for parameters in async methods
- vala:
+ Set default_construction_method in semantic-analyzer check if required
+ Fix cleaning of output in CodeContext.pkg_config_modversion()
+ Don't use possibly uninitialized backing field of package_name [#971]
+ Add SourceReference.contains() and SourceLocation.to_string()
+ Check assigned handler of dynamic signal before proceeding further
+ Don't perform version check on internal lambda method
+ Perform version check for types of non-external variable declarations
+ Quote symbol on report by version attribute check
+ Ensure non-empty argument list for "disconnect" before accessing it
- girparser
+ Move special handling for certain parameters to process_callable()
+ Drop special handling of GLib.Data, GLib.PtrArray and GLib.String
+ Improve detection of AsyncReadyCallback/AsyncResult parameters [#340]
- parser: Handle incomplete expression statements
* Bindings:
- gio-2.0: Add "async_result_pos" attributes to *.call_with_unix_fd_list()
[#340]
- glib-2.0: Fix Filename.canonicalize() binding of g_canonicalize_filename
- glib-2.0: Guard Pid.to_string() with GLIB_2_50 to deal with G_PID_FORMAT
- gstreamer-app-1.0: Don't merge Src.push_buffer_*() signal with its method
[#968]
- gstreamer-1.0: Don't skip GST_*_FORMAT strings [#970]
- gtk4: Update to 3.98.3
- vapi: Update GIR-based bindings