This fixes a security issue (https://github.com/golang/go/issues/23867).
Also:
These releases include fixes to the compiler, runtime, go command, and the
archive/zip, crypto/tls, crypto/x509, encoding/json, net, net/http, and
net/http/pprof packages.
ok wiz@ for committing during freeze
This will fix functionality of this package if libmagic is not available.
Bump PKGREVISION for those platforms where it is the case (NFC otherwise).
Tested on NetBSD/amd64.
Thanks richard@ for the heads up.
Python 3.6.5:
Security
* Minimal fix to prevent buffer overrun in os.symlink on Windows
* Regexes in difflib and poplib were vulnerable to catastrophic backtracking. These regexes formed potential DOS vectors (REDOS). They have been refactored. This resolves CVE-2018-1060 and CVE-2018-1061.
Core and Builtins
* Fixed jumping out of “with” block by setting f_lineno.
* Prevent jumps from ‘return’ and ‘exception’ trace events.
* Update Valgrind suppression list to account for the rename of Py_ADDRESS_IN_RANG to address_in_range.
* Pdb and other debuggers dependent on bdb.py will correctly step over (next command) native coroutines.
* Improve suggestion when the Python 2 form of print statement is either present on the same line as the header of a compound statement or else terminated by a semi-colon instead of a newline.
* Fix possible crashing in builtin Unicode decoders caused by write out-of- bound errors when using customized decode error handlers.
* Improved frozenset() hash to create more distinct hash values when faced with datasets containing many similar values.
* The __debug__ constant is now optimized out at compile time. This fixes also bpo-22091.
* sys.flags.hash_randomization is now properly set to 0 when hash randomization is turned off by PYTHONHASHSEED=0.
* The optimizer is now protected from spending much time doing complex calculations and consuming much memory for creating large constants in constant folding.
* repr() on a dict containing its own values() or items() no longer raises RecursionError; OrderedDict similarly. Instead, use ..., as for other recursive structures.
* Leading whitespace is now correctly ignored when generating suggestions for converting Py2 print statements to Py3 builtin print function calls.
* The repr of deeply nested dict now raises a RecursionError instead of crashing due to a stack overflow.
Library
* lib2to3 now properly supports trailing commas after *args and **kwargs in function signatures.
* Avoid failing in multiprocessing.Process if the standard streams are closed or None at exit.
* Skip sending/receiving data after SSL transport closing.
* Fix ctypes pass-by-value for structs on 64-bit Cygwin/MinGW.
* Fix inspect.signature() for single-parameter partialmethods.
* Expose several missing constants in zlib and fix corresponding documentation.
* Fixed tarfile.itn handling of out-of-bounds float values.
* The ssl module now detects missing NPN support in LibreSSL.
* dbm.open() now encodes filename with the filesystem encoding rather than default encoding.
* In os.dup2, don’t check every call whether the dup3 syscall exists or not.
* Rewrite confusing message from setup.py upload from “No dist file created in earlier command” to the more helpful “Must create and upload files in one command”.
* In tkinter, after_cancel(None) now raises a ValueError instead of canceling the first scheduled function.
* Make sure sys.argv remains as a list when running trace.
* Fixed asyncio.Condition issue which silently ignored cancellation after notifying and cancelling a conditional lock.
* Fixed refleaks of __init__() methods in various modules. (Contributed by Oren Milman)
* Fixed guessing quote and delimiter in csv.Sniffer.sniff() when only the last field is quoted.
* socket: Remove TCP_FASTOPEN, TCP_KEEPCNT flags on older version Windows during run-time.
* Fix a rare but potential pre-exec child process deadlock in subprocess on POSIX systems when marking file descriptors inheritable on exec in the child process. This bug appears to have been introduced in 3.4.
* The ctypes module used to depend on indirect linking for dlopen. The shared extension is now explicitly linked against libdl on platforms with dl.
* Fixed asyncio.Lock() safety issue which allowed acquiring and locking the same lock multiple times, without it being free.
* Do not include name field in SMTP envelope from address.
* Fix email address header parsing error when the username is an empty quoted string.
* distutils’ upload command no longer corrupts tar files ending with a CR byte, and no longer tries to convert CR to CRLF in any of the upload text fields.
* uuid.uuid1 no longer raises an exception if a 64-bit hardware address is encountered.
* Fix the error handling in Aifc_read.initfp() when the SSND chunk is not found.
* On FreeBSD and Solaris, os.strerror() now always decode the byte string from the current locale encoding, rather than using ASCII/surrogateescape in some cases.
* The nis module is now compatible with new libnsl and headers location.
* Improve ABCMeta._dump_registry() output readability
* glibc has removed Sun RPC. Use replacement libtirpc headers and library in nis module.
* Ensure that truncate() preserves the file position (as reported by tell()) after writes longer than the buffer size.
* Don’t unsubscribe signals in asyncio UNIX event loop on interpreter shutdown.
* The SSL module no longer sends IP addresses in SNI TLS extension on platforms with OpenSSL 1.0.2+ or inet_pton.
* urllib.parse.urlsplit() does not convert zone-id (scope) to lower case for scoped IPv6 addresses in hostnames now.
* Fix bdist_wininst of distutils for CRT v142: it binary compatible with CRT v140.
* A single empty field is now always quoted when written into a CSV file. This allows to distinguish an empty row from a row consisting of a single empty field.
* Raise NotImplementedError instead of SystemError on platforms where chmod(..., follow_symlinks=False) is not supported.
* The getnode() ip getter now uses ‘ip link’ instead of ‘ip link list’.
* Ensure TCP_NODELAY is set on Linux. Tests by Victor Stinner.
* The locale.localeconv() function now sets temporarily the LC_CTYPE locale to the LC_NUMERIC locale to decode decimal_point and thousands_sep byte strings if they are non-ASCII or longer than 1 byte, and the LC_NUMERIC locale is different than the LC_CTYPE locale. This temporary change affects other threads.
Same change for the str.format() method when formatting a number (int, float, float and subclasses) with the n type (ex: '{:n}'.format(1234)).
* Importing native path module (posixpath, ntpath) now works even if the os module still is not imported.
Changes between 1.0.2n and 1.0.2o [27 Mar 2018]
*) Constructed ASN.1 types with a recursive definition could exceed the stack
Constructed ASN.1 types with a recursive definition (such as can be found
in PKCS7) could eventually exceed the stack given malicious input with
excessive recursion. This could result in a Denial Of Service attack. There
are no such structures used within SSL/TLS that come from untrusted sources
so this is considered safe.
This issue was reported to OpenSSL on 4th January 2018 by the OSS-fuzz
project.
(CVE-2018-0739)
[Matt Caswell]
Ruby 2.2.10 Released Posted by usa on 28 Mar 2018
Ruby 2.2.10 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
Ruby 2.2 is under the state of the security maintenance phase, until the end
of the March of 2018. After the date, maintenance of Ruby 2.2 will be ended.
So, this release is expected to be the last release of Ruby 2.2. We will
never make a new release of Ruby 2.2 unless Ruby 2.2.10 has a serious
regression bug. We recommend you migrating to newer versions of Ruby, such as
2.5.
Ruby 2.3.7 Released Posted by usa on 28 Mar 2018
Ruby 2.3.7 has been released.
This release includes about 70 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
See the ChangeLog for details.
After this release, we will end the normal maintenance phase of Ruby 2.3, and
start the security maintenance phase of it. This means that after the release
of 2.3.7 we will never backport any bug fixes to 2.3 except security fixes.
The term of the security maintenance phase is scheduled for 1 year. By the
end of this term, official support of Ruby 2.3 will be over. Therefore, we
recommend that you start planning to upgrade to Ruby 2.5 or 2.4.
Ruby 2.5.1 Released Posted by naruse on 28 Mar 2018
Ruby 2.5.1 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes. See commit logs for more details.
Ruby 2.4.4 Released Posted by nagachika on 28 Mar 2018
Ruby 2.4.4 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2017-17742: HTTP response splitting in WEBrick
* CVE-2018-6914: Unintentional file and directory creation with directory
traversal in tempfile and tmpdir
* CVE-2018-8777: DoS by large request in WEBrick
* CVE-2018-8778: Buffer under-read in String#unpack
* CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
* CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
* Multiple vulnerabilities in RubyGems
There are also some bug fixes. See commit logs for more details.
Admin
- Avoid logging IP addresses in mod_register when it's not desired
- Command 'reload-config' allows to reload certificates
- Get rid of 'fs' package dependency
- Improve log message when module startup has failed
- mod_muc_admin: New command get_room_affiliation
- prosody2ejabberd: Report meaningful error when luerl is not
available
Configure
- Accept atoms in api_permission command lists and commands with
numbers in them
- Validate additional listen opts: inet, inet6, backlog
- Remove 'iqdisc' option
- New option –enable-group=xxx
- New option 'negotiation_timeout'
- New option 'new_sql_schema'
- New option 'validate_stream'
- ejabberd_service: New option 'global_routes' for
- mod_avatar: New 'rate_limit' option
- mod_block_strangers: New 'access' option
- mod_block_strangers: New 'captcha' option
- mod_pubsub: New option 'force_node_config'
Miscelanea
- Simplify ejabberd_sup code
- New gen_mod mod_options/1 callback to provide known options and
defaults
- Replace ?MYLANG with connection's language wherever possible
- sql/*: Add username to peer indexes
- cyrsasl: Simplify code for splitting auth string in cyrsasl
- ejabberd_auth: Cache 'isuser' queries to external auth program
- ejabberd_web_admin: Hardcode required ACL rules
- mod_admin_extra: Command check_password_hash supports all hash
methods
- mod_admin_extra: Fix srg_get_info command with @all@ and @online@
- mod_avatar: Fulfill all requirements of XEP-0398 v0.2.0
- mod_avatar: Improve validation of 'convert' option
- mod_block_strangers: Bounce groupchat to bare JID
- mod_block_strangers: Fix a typo in call to create_captcha()
- mod_caps: Only store CAPS if contact is subscribed
- mod_carboncopy: Copy outgoing MUC PMs
- mod_mam: Really run use_cache/1 and cache_nodes/1 callbacks
- mod_pubsub: Remove items of unregistered user
- mod_push_keepalive: Preserve timeout on resumption
- mod_shared_roster: Try to fix ejabberd_c2s:process_info: got
unexpected info
- mod_shared_roster_ldap: Fix processing of ldap_memberattr_format_re
option
- mod_stream_mgmt: Abort connection on count error
- mod_stream_mgmt: Clean up on timed out resumption
Changelog:
Fixed Searching message bodies of messages in local folders,
including filter and quick filter operations, did not find
content in message attachments
Fixed Better error handling for Yahoo accounts
Fixed Various security fixes
#CVE-2018-5127: Buffer overflow manipulating SVG animatedPathSegList
#CVE-2018-5129: Out-of-bounds write with malformed IPC messages
#CVE-2018-5144: Integer overflow during Unicode conversion
#CVE-2018-5146: Out of bounds memory write in libvorbis
#CVE-2018-5125: Memory safety bugs fixed in Firefox 59, Firefox ESR 52.7,
and Thunderbird 52.7
#CVE-2018-5145: Memory safety bugs fixed in Firefox ESR 52.7 and
Thunderbird 52.7
What's new in Drupal 8.5.0?
This new version makes Media module available for all, improves
migrations significantly, stabilizes the Content Moderation and
Settings Tray modules, serves dynamic pages faster with BigPipe enabled
by default, and introduces a new experimental entity layout user
interface. The release includes several very important fixes for
workflows of content translations and supports running on PHP 7.2.
