5.1.0
- Fix message-ordering bug that could result in out-of-order executions,
especially on Windows
- Fix classifiers to indicate dropped Python 2 support
- Remove some dead code
- Support rich-media responses in inspect_requests (tooltips)
5.0.0
- Drop support for Python 2. ipykernel 5.0 requires Python >= 3.4
- Add support for IPython's asynchronous code execution
- Update release process in CONTRIBUTING.md
---------------------------------------------------------------------
--- erts-10.1.3 -----------------------------------------------------
---------------------------------------------------------------------
Note! The erts-10.1.3 application can *not* be applied independently
of other applications on an arbitrary OTP 21 installation.
On a full OTP 21 installation, also the following runtime
dependency has to be satisfied:
-- kernel-6.1 (first satisfied in OTP 21.1)
--- Improvements and New Features ---
OTP-15430 Application(s): erts
Related Id(s): ERIERL-237
Added an optional ./configure flag to compile the
emulator with spectre mitigation:
--with-spectre-mitigation
Note that this requires a recent version of GCC with
support for spectre mitigation and the
--mindirect-branch=thunk flag, such as 8.1.
Full runtime dependencies of erts-10.1.3: kernel-6.1, sasl-3.0.1,
stdlib-3.5
---------------------------------------------------------------------
--- compiler-7.2.7 --------------------------------------------------
---------------------------------------------------------------------
The compiler-7.2.7 application can be applied independently of other
applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15353 Application(s): compiler
Related Id(s): ERL-753
Fixed a bug where incorrect code was generated
following a binary match guard.
Full runtime dependencies of compiler-7.2.7: crypto-3.6, erts-9.0,
hipe-3.12, kernel-4.0, stdlib-2.5
---------------------------------------------------------------------
--- erts-10.1.2 -----------------------------------------------------
---------------------------------------------------------------------
Note! The erts-10.1.2 application can *not* be applied independently
of other applications on an arbitrary OTP 21 installation.
On a full OTP 21 installation, also the following runtime
dependency has to be satisfied:
-- kernel-6.1 (first satisfied in OTP 21.1)
--- Fixed Bugs and Malfunctions ---
OTP-15421 Application(s): erts
Fixed a rare bug where files could be closed on a
normal instead of an IO scheduler, resulting in system
instability if the operation blocked.
Full runtime dependencies of erts-10.1.2: kernel-6.1, sasl-3.0.1,
stdlib-3.5
---------------------------------------------------------------------
--- public_key-1.6.3 ------------------------------------------------
---------------------------------------------------------------------
The public_key-1.6.3 application can be applied independently of
other applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15367 Application(s): public_key
Add DSA SHA2 oids in public_keys ASN1-spec and
public_key:pkix_sign_types/1
Full runtime dependencies of public_key-1.6.3: asn1-3.0, crypto-3.8,
erts-6.0, kernel-3.0, stdlib-3.5
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
=============================
Release Notes for Samba 4.9.3
November 27, 2018
=============================
This is a security release in order to address the following defects:
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
o CVE-2018-16857 (Bad password count in AD DC not always effective)
=======
Details
=======
o CVE-2018-14629:
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
o CVE-2018-16841:
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16851:
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16852:
During the processing of an DNS zone in the DNS management DCE/RPC server,
the internal DNS server or the Samba DLZ plugin for BIND9, if the
DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
property is set, the server will follow a NULL pointer and terminate.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16853:
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
o CVE-2018-16857:
AD DC Configurations watching for bad passwords (to restrict brute forcing
of passwords) in a window of more than 3 minutes may not watch for bad
passwords at all.
For more details and workarounds, please refer to the security advisories.
Trying to mix and match pkgsrc and bundled dependencies resulted in conflicts
between libgit and http-parser, such that cargo was unable to fetch indexes
from crates.io with spurious network error regarding Content-Type headers.
While here add a note about why these dependencies are currently disabled.
Bump PKGREVISION.
## Rails 5.1.6.1 (November 27, 2018) ##
* Do not deserialize GlobalID objects that were not generated by Active Job.
Trusting any GlobaID object when deserializing jobs can allow attackers to access
information that should not be accessible to them.
Fix CVE-2018-16476.
*Rafael Mendonça França*
pkgsrc changes:
- Remove lround patches: lround is no longer used
- Remove #ifndef blocks to rip out XShm support. Unfortunately
the logic is much more convoluted now and #ifndef parts of the code
no longer scale.
Please note that this can break support on Interix!
Changes:
1.5.1
*****
Kim Woelders (13):
- Fix build without HAVE_X11_SHM_FD (T6752)
- XPM loader: Fix potential use of uninitialized value (T6746)
- BMP loader: Fix infinite loop with invalid bmp images (T6749)
- PNM loader: Simplify (fixing ASCII format parsing issues T6751)
- BMP loader: Fix warnings found with -O3
- Maximum image dimension should be 32767, not 32766
- PNG loader: Correct various error handling cases
- Add missing const to imlib_apply_filter() script argument
- Warning fixes in imlib2_... programs
- imlib2_view: Limit window dimensions to 32767
- grab.c: Fix gcc8 warning
- imlib2_conv.c: Fix gcc8 warning
- 1.5.1.
1.5.0
*****
Alexander Volkov (3):
- put a check for shared memory inside __imlib_ShmGetXImage()
- introduce __imlib_ShmDestroyXImage() instead of __imlib_ShmDetach()
- Add support for MIT-SHM FD-passing
Kim Woelders (19):
- XPM loader: Fix incorrect image invalidation.
- Make some more functions static.
- Introduce __imlib_LoadImageData()
- Remove redundant CAST_IMAGE()
- imlib2_grab: Always use imlib_create_scaled_image_from_drawable() to grab image
- imlib_create_scaled_image_from_drawable(): speed up 1:1 case
- imlib_create_scaled_image_from_drawable(): Drop shape handling if unshaped
- Indent
- Autofoo cosmetics
- Strip trailing whitespace, cosmetics
- Fix potential OOB memory access if border elements are negative
- Fix potential OOB memory access if border sizes exceed image dimensions
- Introduce IMLIB2_SHM_OPT to enable overriding/testing SHM modes
- Add IMLIB2_XIMAGE_CACHE_COUNT to enable testing the ximage cache
- Refactor the XImage cache
- Add imlib_get_cache_used()
- Expose XImage cache control functions
- Drop -Waggregate-return
- 1.5.0.
## Rails 4.2.11 (November 27, 2018) ##
* Do not deserialize GlobalID objects that were not generated by Active Job.
Trusting any GlobaID object when deserializing jobs can allow attackers to access
information that should not be accessible to them.
Fix CVE-2018-16476.
*Rafael Mendonça França*
