An exploit was discovered, that allows to crash any 0.7 Teeworlds server.
Though it does not compromise the security of the host (e.g. no arbitrary
accesses in memory) it lets an attacker force a server to repetitively shut
down (CVE-2020-12066).
The 0.7.5 release is a security update that aims to patch this server
exploit. As such, it is very light in features, and is mostly made of fixes.
2015-06-28
Powermanga 0.93.1
- Fixes the speed of the stars after a new game that follows congratulation.
- Clears all gems after the final boss. Thanks to Josh Triplett for the report
(Debian #764009)
- Disable insecure temporary file "/tmp/powermanga-log.txt". Thanks to
Josh Triplett for the report (Debian #764144)
- Translation of the man page in French.
- Fix file permissions in HTML directory. Thanks to nemysisbsd for
the report.
- Allows the joystick to be configured either from the command line or
from the config file. Thanks to Maurerp for the patch.
- The __FUNCTION__ macro has been replaced by __func__ macro. ISO C does not
support ‘__FUNCTION__’ predefined identifier. (Debian #778072)
- Remove -Werror and -pedantic flags for non-test builds.
2014-09-20
Powermanga 0.93
- Fix man page: The option to play the game in fullscreen mode
must be --fullscreen not --full. (Patch Debian)
- Added keywords and a comment in German and French to the desktop file
(Patch Debian)
- Fix configure.ac: Add custom CFLAGS (Patch Debian)
- Fix segmentation fault in the About menu (English version)
- Fixes wrong joystick behaviour in display_sdl.c and allows the ship to move
to the left side again. Thanks to Kalle Olavi Niemitalo for the report
(Debian #561670)
- Allow compilation with Clang
2014-08-19
Powermanga 0.92
- Fix Debian bug #478213
- Fix configure.ac: replace AM_CONFIG_HEADER to AC_CONFIG_HEADERS
- Add explicitly link with needed libm, fix Debian bug #632945
- Fix PNG_iTXt_SUPPORTED support
- Add italian language
- Fix negative coordinates explosions that caused a segmentation fault.
2012-08-26
Powermanga 0.91
- Update "configure.ac" file.
- Fix compilation warnings (GCC 4.6.3 and Visual Studio)
- Fix alignment constraint (ARM and MIPS processors)
- Adds the ability to export all the game's graphics in PNG files
using the command line.
- Build test (without sound support) with Visual Studio and run
successfully on Windows Mobile (HTC Touch P3450)
- Recognizes all the joysticks connected at startup
- Rewrites the file "music_game.zik" with Milkytracker.
Now the library "SDL_mixer" can read and play this module.
- The application switches to pause when it loses focus.
- Minor bugfixes and improvements
pkgsrc changes:
- Patches for NetBSD support removed (merged upstream)
- Define "SOLARIS" for SunOS based operating systems
- MESSAGE replaced by file "share/doc/doomlegacy/INSTALL.pkgsrc"
- Man page is now installed in section 6
- Patch to disable launcher replaced by startscript
(upstream suggested to use an unsupported option for this purpose)
- Patch for extended node support added (Feature request #95)
Supported formats: DeeP V4, ZDoom uncompressed, ZDoom compressed
Without this patch the engine may crash with unsupported node formats
- Patch for local blockmap creation added
Command line option "-blockmap" added for activation (no automatic mode)
The extended node and blockmap patches allow to play modern PWADs like NOVA III
and Lost Civilization.
Upstream changelog since 1.47.2 is very long, refer to this page:
http://doomlegacy.sourceforge.net/docs/whatsnew.html
libexif-0.6.22 (2020-05-18):
* New translations: ms
* Updated translations for most languages
* Fixed C89 compatibility
* Fixed warnings on recent versions of autoconf
* Some useful EXIF 2.3 tag added:
* EXIF_TAG_GAMMA
* EXIF_TAG_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_IMAGE_NUMBER_OF_COMPOSITE_IMAGE
* EXIF_TAG_SOURCE_EXPOSURE_TIMES_OF_COMPOSITE_IMAGE
* EXIF_TAG_GPS_H_POSITIONING_ERROR
* EXIF_TAG_CAMERA_OWNER_NAME
* EXIF_TAG_BODY_SERIAL_NUMBER
* EXIF_TAG_LENS_SPECIFICATION
* EXIF_TAG_LENS_MAKE
* EXIF_TAG_LENS_MODEL
* EXIF_TAG_LENS_SERIAL_NUMBER
* Lots of fixes exposed by fuzzers like AFL, ClusterFuzz, OSSFuzz and others.
* CVE-2018-20030: Fix for recursion DoS
* CVE-2020-13114: Time consumption DoS when parsing canon array markers
* CVE-2020-13113: Potential use of uninitialized memory
* CVE-2020-13112: Various buffer overread fixes due to integer overflows in maker notes
* CVE-2020-0093: read overflow
* CVE-2019-9278: replaced integer overflow checks the compiler could optimize away by safer constructs
* CVE-2020-12767: fixed division by zero
* CVE-2016-6328: fixed integer overflow when parsing maker notes
* CVE-2017-7544: fixed buffer overread
0.6.2 2020-03-24 A Spring'20 Release.
- A scalable (.svg) icon version has been added.
- Make man page compression reproducible (after request
by Jelle van der Waa, while on the Vee-Ones, thanks).
- Ditching deprecated QTime methods for QElapsedTimer's
(in compliance to Qt >= 5.14.0).
- Bumped copyright headers into the New Year (2020).
v1.5.4: Painful tardiness
- SSH: Fix wrong malloc size, causing crash.
v1.5.3: Time delayed progress
- Update manpage with missing entry. (#937)
- Rename sidebar widget to mode-switcher and allow configuration from theme.
- Timing: Moving timing output to glib debug system.
- SSH: Fix unitialized variable issue.
- SSH: resolve ':' conflict in history entries.
- RASI Lexer: Fix nested () in variable default field.
- USABILITY: When mode not found, show in gui not just on commandline.
- ICON: Allow aligning image in icon widget.
- Meson build system: cleanups and improvements.
- Meson build system: add documentation (#943)
- Window: Fix default formatting and remove (invalid) deprecation warning.
- DMenu: Add support for showing icons infront of displayed list.
- Overlay: Fix overlay widget to correctly integrate in new theme format.
- Update libnkutils, libgwater.
- SSH: be case-insensitive when parsing keywords.
- DMENU: Add format option to strip pango markup from return value.
- ListView: allow user to change ellipsizing displayed value at run-time.
Release 2.11 (2011-10-09)
- Converted from Glade to GtkBuilder.
- Fixed typo in German translation (Alek).
- "build" script runs autoconf and build the documentation if necessary. This
is needed for Git checkouts.
- Don't lower panel when the pointer moves over an applet. Reported by mark76
on IRC.
- Centre the pinboard image correctly if larger than the screen (Mohamed Amine
IL Idrissi). Patch sent to Ubuntu anonymously and forwarded; see Ubuntu bug
#615490.
- Depend on 0compile 0.19.1. Fixes bug using distribution-provided pkg-config.
- Added build dependency on pkg-config.
- Bugfix: unselect item when menu is closed. We used to listen for
"unmap_event", but this is no longer emitted in recent versions of GTK.
Switched to using "selection-done" instead. Closes#2925212 (reported by
Barry Kauler).
- Added button to options window to create the 'rox' start up script (Stephen
Watson).
- Updated Italian translation (Yuri).
- Updated Brazilian Portuguese translation (Sérgio Cipolla).
- Updated Spanish and Galician translations (Antonio Sánchez). The
how-to-change-permissions explanation had a mistake that made the help window
appear blank.
- Updated Spanish translation (Antonio Sánchez and Luis Felipe Abad).
- Turn the error on invalid line breaks in uri_list_to_glist into a warning
(Stephen Watson). Firefox 3.5 upto and including 3.5.2 gets it wrong, but we
don't want to stop drops working until they fix it.
- Eliminated the duplicated code between pixmap_background_thumb() and
pixmap_try_thumb(). pixmap_background_thumb() now calls pixmap_try_thumb() to
get from memory or load from cache (Stephen Watson).
- Added option to place panels under the control of the _NET_WORKAREA property
(Stephen Watson). Note it only checks the work area at the point it creates
the panel.
- Fix bug in XDG MIME magic: if two matches at the same priority returned
exactly the same type, it was considered a conflict (Stephen Watson).
- Newer versions of GTK+ issue warnings if a spin button has a non-zero page
size (Stephen Watson).
- If a file has a thumbnail, display it in the infobox (Stephen Watson).
Update bind914 to 9.14.12 (BIND 9.14.12).
Note from release announce:
BIND 9.14.12 is the final planned release in the now End-of-Life (EOL)
9.14 branch.
--- 9.14.12 released ---
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5376. [bug] Fix ineffective DNS rebinding protection when BIND is
configured as a forwarding DNS server. Thanks to Tobias
Klein. [GL #1574]
5358. [bug] Inline master zones whose master files were touched
but otherwise unchanged and were subsequently reloaded
may have stopped re-signing. [GL !3135]
5357. [bug] Newly added RRSIG records with expiry times before
the previous earliest expiry times might not be
re-signed in time. This was a side effect of 5315.
[GL !3137]
Update bind911 to 9.11.19 (BIND 9.11.19).
--- 9.11.19 released ---
5404. [bug] 'named-checkconf -z' could incorrectly indicate
success if errors were found in one view but not in a
subsequent one. [GL #1807]
5398. [bug] Named could fail to restart if a zone with a double
quote (") in its name was added with 'rndc addzone'.
[GL #1695]
5395. [security] Further limit the number of queries that can be
triggered from a request. Root and TLD servers
are no longer exempt from max-recursion-queries.
Fetches for missing name server address records
are limited to 4 for any domain. (CVE-2020-8616)
[GL #1388]
5394. [cleanup] Named formerly attempted to change the effective UID and
GID in named_os_openfile(), which could trigger a
spurious log message if they were already set to the
desired values. This has been fixed. [GL #1042]
[GL #1090]
5390. [security] Replaying a TSIG BADTIME response as a request could
trigger an assertion failure. (CVE-2020-8617)
[GL #1703]
5387. [func] Warn about AXFR streams with inconsistent message IDs.
[GL #1674]
Changes:
- Bugfixes on QUOTA
- Various warning fixes & build fixes
- Added IMAP CLIENTID / SMTP CLIENTID support
- Use Cyrus SASL 2.1.27
- Support of TLS SNI
- LMDB for cache DB
- Fixed build with recent versions of curl
0.29.18
Bugs fixed
* Exception position reporting could run into race conditions on threaded code.
It now uses function-local variables again.
* Error handling early in the module init code could lead to a crash.
* Error handling in ``cython.array`` creation was improved to avoid calling
C-API functions with an error held.
* A memory corruption was fixed when garbage collection was triggered during calls
to ``PyType_Ready()`` of extension type subclasses.
* Memory view slicing generated unused error handling code which could negatively
impact the C compiler optimisations for parallel OpenMP code etc. Also, it is
now helped by static branch hints.
* Cython's built-in OpenMP functions were not translated inside of call arguments.
* Complex buffer item types of structs of arrays could fail to validate.
* Decorators were not allowed on nested `async def` functions.
* C-tuples could use invalid C struct casting.
* Optimised ``%d`` string formatting into f-strings failed on float values.
* Optimised aligned string formatting (``%05s``, ``%-5s``) failed.
* When importing the old Cython ``build_ext`` integration with distutils, the
additional command line arguments leaked into the regular command.
* When using the ``CYTHON_NO_PYINIT_EXPORT`` option in C++, the module init function
was not declared as ``extern "C"``.
* Three missing timedelta access macros were added in ``cpython.datetime``.
Redis 6.0.3:
Upgrade urgency CRITICAL: a crash introduced in 6.0.2 is now fixed.
Redis 6.0.2:
Upgrade urgency MODERATE: many not critical bugfixes in different areas.
Critical fix to client side caching when
keys are evicted from the tracking table but
no notifications are sent.
The following are the most serious fix:
* XPENDING should not update consumer's seen-time
* optimize memory usage of deferred replies - fixed
* Fix CRC64 initialization outside the Redis server itself.
* stringmatchlen() should not expect null terminated strings.
* Cluster nodes availability checks improved when there is
high Pub/Sub load on the cluster bus.
* Redis Benchmark: Fix coredump because of double free
* Tracking: send eviction messages when evicting entries.
* rax.c updated from upstream antirez/rax.
* fix redis 6.0 not freeing closed connections during loading.
New features:
dd
* Support setcpuaffinity on linux/bsd
* Client Side Caching: Add Tracking Prefix Number Stats in Server Info
* Add --user argument to redis-benchmark.c (ACL)
Pkgsrc changes:
* None.
Upstream changes:
This release fixes CVE-2020-12662 and CVE-2020-12663.
Bug Fixes:
- CVE-2020-12662 Unbound can be tricked into amplifying an incoming
query into a large number of queries directed to a target.
- CVE-2020-12663 Malformed answers from upstream name servers can be
used to make Unbound unresponsive.
Pointed out by wiz@.
This occured in math/libixion/Makefile.common until 2020-05-19, and still
occurs in math/xyconvert/Makefile. In all other packages, PKGDIR is
prefixed with ${.CURDIR} and is thus an absolute path.
It should not be necessary to always specify PATCHDIR as an absolute
path, and the code in mk/pkgformat/pkg/metadata.mk seems to be the only
place where relative paths are handled wrong.
