pkgsrc changes:
---------------
* Update some PLIST entries since the version of packages documented does
not always match the last patchlevel version of OTP.
* Bump revision
upstream changes:
-----------------
Patch Package: OTP 23.2.6
Git Tag: OTP-23.2.6
Date: 2021-02-25
Trouble Report Id: OTP-17173, OTP-17205, OTP-17220
Seq num: ERIERL-581, ERIERL-608
System: OTP
Release: 23
Application: inets-7.3.2, ssh-4.10.8
Predecessor: OTP 23.2.5
Check out the git tag OTP-23.2.6, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- inets-7.3.2 -----------------------------------------------------
---------------------------------------------------------------------
The inets-7.3.2 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17205 Application(s): inets
Related Id(s): ERIERL-608
Solves CVE-2021-27563, that is, make sure that no form of
relative path can be used to go outside the webserver's
directory.
OTP-17220 Application(s): inets
Make sure HEAD requests reject directory links
Full runtime dependencies of inets-7.3.2: erts-6.0, kernel-3.0,
mnesia-4.12, runtime_tools-1.8.14, ssl-5.3.4, stdlib-3.5
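As an added illustration of the class of bug fixed in OTP-17205 (this is example Python written for this page, not inets' own Erlang code; DOCROOT and the function name are assumptions): the robust way to keep a request inside the web server's directory is to decode and normalise the path fully, join it onto the document root, and then test containment on the result, instead of pattern-matching for particular spellings of '..'.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Assumed document root for the example; any absolute directory works.
DOCROOT = "/srv/www/htdocs"


def resolve_request_path(url_path: str, docroot: str = DOCROOT) -> Optional[str]:
    """Map a URL path onto the filesystem.

    Returns the absolute target path, or None if the request would land
    outside the document root. The containment test runs on the fully
    normalised result, so it covers every spelling of "up one level":
    plain '..', percent-encoded '%2e%2e', double encoding '%252e%252e',
    backslash separators, and empty or '.' segments.
    """
    # Strip any query string before decoding so '?' inside the path cannot
    # be used to hide the traversal from a check that looks at the raw URL.
    path = url_path.split("?", 1)[0]
    # Decode twice: once for ordinary encoding, once to unmask double
    # encoding. The cost is that a file whose real name contains '%xx'
    # cannot be requested, an acceptable trade for a static file server.
    path = unquote(unquote(path))
    # A NUL byte would truncate the path inside a C runtime; fail closed.
    if "\x00" in path:
        return None
    # Treat backslashes as separators. Attackers try them on every
    # platform, and some servers on Windows honour them.
    path = path.replace("\\", "/")
    root = os.path.abspath(docroot)
    # Join onto the root and normalise in filesystem space. '..' segments
    # are resolved here, so an escape shows up as a path that no longer
    # starts with the root.
    target = os.path.normpath(os.path.join(root, path.lstrip("/")))
    # Compare against root + separator so that a sibling directory such
    # as "/srv/www/htdocs2" does not pass as a prefix match.
    if target != root and not target.startswith(root + os.sep):
        return None
    return target
```

The check is purely lexical. A symlink that lives below the root but points outside it is a separate concern and needs an os.path.realpath() on the file actually opened; the OTP-17220 entry above (directory links on HEAD requests) is in that territory.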
---------------------------------------------------------------------
--- ssh-4.10.8 ------------------------------------------------------
---------------------------------------------------------------------
The ssh-4.10.8 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17173 Application(s): ssh
Related Id(s): ERIERL-581
Don't timeout slow connection setups and tear-downs. A
rare crash risk for the controller is also removed.
Full runtime dependencies of ssh-4.10.8: crypto-4.6.4, erts-9.0,
kernel-5.3, public_key-1.6.1, stdlib-3.4.1
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
Patch Package: OTP 23.2.5
Git Tag: OTP-23.2.5
Date: 2021-02-16
Trouble Report Id: OTP-17185, OTP-17190, OTP-17191
Seq num: ERIERL-606, ERL-1476, GH-4192
System: OTP
Release: 23
Application: erts-11.1.8, ssl-10.2.3, tools-3.4.3
Predecessor: OTP 23.2.4
Check out the git tag OTP-23.2.5, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- erts-11.1.8 -----------------------------------------------------
---------------------------------------------------------------------
The erts-11.1.8 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17185 Application(s): erts
Fixed a bug that could cause some work scheduled for
execution on scheduler threads to be delayed until
other similar work appeared. Beside delaying various
cleanup of internal data structures also the following
could be delayed:
-- Termination of a distribution controller process
-- Disabling of the distribution on a node
-- Gathering of memory allocator information using the
instrument module
-- Enabling, disabling, and gathering of msacc
information
-- Delivery of 'CHANGE' messages when time offset is
monitored
-- A call to erlang:cancel_timer()
-- A call to erlang:read_timer()
-- A call to erlang:statistics(io | garbage_collection
| scheduler_wall_time)
-- A call to ets:all()
-- A call to erlang:memory()
-- A call to erlang:system_info({allocator |
allocator_sizes, _})
-- A call to erlang:trace_delivered()
The bug existed on runtime systems running on all types
of hardware except for x86/x86_64.
Full runtime dependencies of erts-11.1.8: kernel-7.0, sasl-3.3,
stdlib-3.13
---------------------------------------------------------------------
--- ssl-10.2.3 ------------------------------------------------------
---------------------------------------------------------------------
The ssl-10.2.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17190 Application(s): ssl
Related Id(s): ERIERL-606
Avoid race when the first two upgrade server handshakes
(that is, servers that use a gen_tcp socket as input to
ssl:handshake/2,3) start close to each other. Could
lead to one of the handshakes failing.
Full runtime dependencies of ssl-10.2.3: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.12
---------------------------------------------------------------------
--- tools-3.4.3 -----------------------------------------------------
---------------------------------------------------------------------
The tools-3.4.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17191 Application(s): tools
Related Id(s): ERL-1476, GH-4192, OTP-16922
Correct the Xref analysis undefined_functions to not
report internally generated behaviour_info/1.
Full runtime dependencies of tools-3.4.3: compiler-5.0, erts-11.0,
erts-9.1, kernel-5.4, runtime_tools-1.8.14, stdlib-3.4
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
Version 14.16.0 'Fermium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections, and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
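The localhost6 problem generalises: a name-based allowlist is only as trustworthy as the resolution of every name on it. The following is an added Python example written for this page (not Node.js code; the resolver, the hostnames and the 203.0.113.10 address are constructed) contrasting the name-only check with one that asks where the name actually resolves and accepts only loopback answers.

```python
import ipaddress
from typing import Callable, Iterable

# A resolver maps a hostname to the addresses it currently resolves to.
Resolver = Callable[[str], Iterable[str]]


def split_host_header(value: str) -> str:
    """Return the host part of an HTTP Host header without the port.

    Handles 'example.com:9229', '[::1]:9229' and bare addresses.
    """
    value = value.strip()
    if value.startswith("["):                 # bracketed IPv6 literal
        end = value.find("]")
        return value[1:end] if end > 0 else ""
    host, _, _ = value.partition(":")
    return host.lower()


# Pre-fix shape of the check: a fixed list of names, trusted unconditionally.
NAME_WHITELIST = {"localhost", "localhost6"}


def host_is_local_by_name_only(header_value: str) -> bool:
    return split_host_header(header_value) in NAME_WHITELIST


def host_is_local(header_value: str, resolve: Resolver) -> bool:
    """Decide whether a local-only endpoint should honour this Host header.

    * IP literals are accepted only if they are loopback addresses.
    * 'localhost' is accepted by name; resolvers are required to treat it
      as loopback (RFC 6761), and /etc/hosts normally pins it.
    * Any other name must resolve, right now, to loopback addresses only.
      A name like 'localhost6' with no /etc/hosts entry goes out to DNS,
      so whoever answers that query decides what it means.
    """
    host = split_host_header(header_value)
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        pass                                  # not an IP literal
    if host == "localhost":
        return True
    try:
        addrs = list(resolve(host))
    except OSError:
        return False                          # unresolvable: fail closed
    return bool(addrs) and all(
        ipaddress.ip_address(a).is_loopback for a in addrs
    )


# Constructed stand-in for the victim's DNS view. 'localhost6' has no
# /etc/hosts entry here, so the attacker's authoritative server answers it.
CONSTRUCTED_DNS = {
    "localhost6": ["203.0.113.10"],           # attacker's host (TEST-NET-3)
    "myapp.local": ["127.0.0.1"],             # an honest local alias
}


def constructed_resolver(name: str) -> Iterable[str]:
    if name not in CONSTRUCTED_DNS:
        raise OSError(f"no such host: {name}")
    return CONSTRUCTED_DNS[name]
```

For a real server, pass a wrapper around socket.getaddrinfo() that yields the address strings. The resolver-based check closes the name gap but is still a check at one instant; a rebinding attacker relies on the answer changing between check and use, so the simplest durable fix is not to put a name on the list unless the system guarantees what it resolves to.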
Version 12.21.0 'Erbium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed: the same three as in 14.16.0 above.
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
CVE-2021-22884: DNS rebinding in --inspect
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Version 10.24.0 'Dubnium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed: the same three as in 14.16.0 above.
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
CVE-2021-22884: DNS rebinding in --inspect
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
Python 3.9.2 final
Release date: 2021-02-19
Windows
bpo-43155: PyCMethod_New() is now present in python3.lib.
Python 3.9.2 release candidate 1
Release date: 2021-02-16
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
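To make the bpo-42967 entry concrete, here is an added Python example written for this page (not CPython's own code; the cache-key function and the constructed query string are illustrative). It reconstructs the old split-on-';'-too behaviour, puts it beside the new default, and shows how the disagreement between a front cache and the application becomes a cache poisoning vector.

```python
import re
from urllib.parse import parse_qs

# Reconstruction of the pre-fix behaviour for contrast: the query string was
# split on ';' as well as '&', following an old HTML 4 recommendation.
_LEGACY_SEPARATORS = re.compile(r"[&;]")


def legacy_parse_qs(qs: str) -> dict:
    """Split on '&' and ';' (the behaviour bpo-42967 removed as the default)."""
    params: dict = {}
    for pair in _LEGACY_SEPARATORS.split(qs):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        params.setdefault(key, []).append(value)
    return params


def strict_parse_qs(qs: str) -> dict:
    """Post-fix default: only '&' separates parameters.

    separator= is the keyword the fix added; it is spelled out here so the
    intent is explicit even on interpreters whose default differs.
    """
    return parse_qs(qs, separator="&")


def cache_key(query: str, unkeyed: set) -> dict:
    """What a front cache keys the response on.

    Caches commonly split on '&' only and drop analytics parameters
    (the 'unkeyed' set) before building the key, so two URLs differing
    only in those parameters share one cached response.
    """
    return {k: v for k, v in parse_qs(query, separator="&").items()
            if k not in unkeyed}


def poisoning_scenario(query: str, unkeyed: set) -> dict:
    """Compare the three views of one query string.

    If the backend still splits on ';', a parameter smuggled inside an
    unkeyed one is invisible to the cache (same key as an honest request)
    but real to the application (it sees 'user=admin'). The response the
    application generates for the attacker is then served to everyone
    who shares that cache key.
    """
    return {
        "cache_key": cache_key(query, unkeyed),
        "backend_legacy": legacy_parse_qs(query),
        "backend_fixed": strict_parse_qs(query),
    }
```

The fix does not make ';' illegal; an application that genuinely uses it as a separator passes separator=';' explicitly, and then has to make sure every cache in front of it splits the same way.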
Core and Builtins
bpo-42819: readline: Explicitly disable bracketed paste in the interactive interpreter, even if it’s set in the inputrc, is enabled by default (eg GNU Readline 8.1), or a user calls readline.read_init_file(). The Python REPL has not implemented bracketed paste support. Also, bracketed mode writes the "\x1b[?2004h" escape sequence into stdout which causes test failures in applications that don’t support it. It can still be explicitly enabled by calling readline.parse_and_bind("set enable-bracketed-paste on"). Patch by Dustin Rodrigues.
bpo-42806: Fix the column offsets for f-strings ast nodes surrounded by parentheses and for nodes that spawn multiple lines. Patch by Pablo Galindo.
bpo-40631: Fix regression where a single parenthesized starred expression was a valid assignment target.
bpo-32381: Fix encoding name when running a .pyc file on Windows: PyRun_SimpleFileExFlags() now uses the correct encoding to decode the filename.
bpo-42536: Several built-in and standard library types now ensure that their internal result tuples are always tracked by the garbage collector:
collections.OrderedDict.items()
dict.items()
enumerate()
functools.reduce()
itertools.combinations()
itertools.combinations_with_replacement()
itertools.permutations()
itertools.product()
itertools.zip_longest()
zip()
Previously, they could have become untracked by a prior garbage collection. Patch by Brandt Bucher.
bpo-42195: The __args__ of the parameterized generics for typing.Callable and collections.abc.Callable are now consistent. The __args__ for collections.abc.Callable are now flattened while typing.Callable’s have not changed. To allow this change, types.GenericAlias can now be subclassed and collections.abc.Callable’s __class_getitem__ will now return a subclass of types.GenericAlias. Tests for typing were also updated to not subclass things like Callable[..., T] as that is not a valid base class. Finally, both types no longer validate their argtypes, in Callable[[argtypes], resulttype] to prepare for PEP 612. Patch by Ken Jin.
Library
bpo-43102: The namedtuple __new__ method had its __builtins__ set to None instead of an actual dictionary. This created problems for introspection tools.
bpo-43108: Fixed a reference leak in the curses module. Patch by Pablo Galindo
bpo-42944: Fix random.Random.sample when counts argument is not None.
bpo-42931: Add randbytes() to random.__all__.
bpo-42780: Fix os.set_inheritable() for O_PATH file descriptors on Linux.
bpo-42851: remove __init_subclass__ support for Enum members
bpo-41748: Fix HTMLParser parsing rules for element attributes containing commas with spaces. Patch by Karl Dubost.
bpo-42759: Fixed equality comparison of tkinter.Variable and tkinter.font.Font. Objects which belong to different Tcl interpreters are now always different, even if they have the same name.
bpo-42756: Configure LMTP Unix-domain socket to use socket global default timeout when a timeout is not explicitly provided.
bpo-23328: Allow / character in username, password fields on _PROXY envars.
bpo-42655: subprocess extra_groups is now correctly passed into setgroups() system call.
bpo-42727: EnumMeta.__prepare__ now accepts **kwds to properly support __init_subclass__
bpo-42681: Fixed range checks for color and pair numbers in curses.
bpo-37961: Fix crash in tracemalloc.Traceback.__repr__() (regressed in Python 3.9).
bpo-42630: tkinter functions and constructors which need a default root window now raise RuntimeError with a descriptive message instead of an obscure AttributeError or NameError if it is not created yet or cannot be created automatically.
bpo-42644: logging.disable will now validate the types and value of its parameter. It also now accepts strings representing the levels (as does logging.setLevel) instead of only the numerical values.
bpo-36541: Fixed lib2to3.pgen2 to be able to parse PEP-570 positional only argument syntax.
bpo-42517: Enum: private names will raise a DeprecationWarning; in 3.10 they will become normal attributes
bpo-42678: Enum: call __init_subclass__ after members have been added
bpo-42532: Remove unexpected call of __bool__ when passing a spec_arg argument to a Mock.
bpo-42388: Fix subprocess.check_output(…, input=None) behavior when text=True to be consistent with that of the documentation and universal_newlines=True.
bpo-34463: Fixed discrepancy between traceback and the interpreter in formatting of SyntaxError with lineno not set (traceback was changed to match interpreter).
bpo-42375: subprocess module update for DragonFlyBSD support.
bpo-42384: Make pdb populate sys.path[0] exactly the same as regular python execution.
bpo-42383: Fix pdb: previously pdb would fail to restart the debugging target if it was specified using a relative path and the current directory changed.
bpo-42318: Fixed support of non-BMP characters in tkinter on macOS.
bpo-42163: Restore compatibility for uname_result around deepcopy and _replace.
bpo-39825: Windows: Change sysconfig.get_config_var('EXT_SUFFIX') to the expected full platform_tag.extension format. Previously it was hard-coded to .pyd, now it is compatible with distutils.sysconfig and will result in something like .cp38-win_amd64.pyd. This brings windows into conformance with the other platforms.
bpo-42059: typing.TypedDict types created using the alternative call-style syntax now correctly respect the total keyword argument when setting their __required_keys__ and __optional_keys__ class attributes.
bpo-39101: Fixed tests using IsolatedAsyncioTestCase from hanging on BaseExceptions.
bpo-42005: Fix CLI of cProfile and profile to catch BrokenPipeError.
bpo-41907: fix format() behavior for IntFlag
bpo-41889: Enum: fix regression involving inheriting a multiply-inherited enum
bpo-41891: Ensure asyncio.wait_for waits for task completion
bpo-41604: Don’t decrement the reference count of the previous user_ptr when set_panel_userptr fails.
bpo-40219: Lowered tkinter.ttk.LabeledScale dummy widget to prevent hiding part of the content label.
bpo-40084: Fix Enum.__dir__: dir(Enum.member) now includes attributes as well as methods.
bpo-39068: Fix initialization race condition in a85encode() and b85encode() in base64. Patch by Brandon Stansbury.
bpo-33289: Correct call to tkinter.colorchooser to return RGB triplet of ints instead of floats. Patch by Cheryl Sabella.
Documentation
bpo-40304: Fix doc for type(name, bases, dict). Patch by Boris Verkhovskiy and Éric Araujo.
bpo-42811: Updated importlib.utils.resolve_name() doc to use __spec__.parent instead of __package__. (Thanks Yair Frid.)
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Tests
bpo-42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-40810: In sqlite3, fix CheckTraceCallbackContent for SQLite pre 3.7.15.
Build
bpo-43174: Windows build now uses /utf-8 compiler option.
bpo-42692: Fix __builtin_available check on older compilers. Patch by Joshua Root.
bpo-42604: Now all platforms use a value for the “EXT_SUFFIX” build variable derived from SOABI (for instance in FreeBSD, “EXT_SUFFIX” is now “.cpython-310d.so” instead of “.so”). Previously only Linux, Mac and VxWorks were using a value for “EXT_SUFFIX” that included “SOABI”.
bpo-42598: Fix implicit function declarations in configure which could have resulted in incorrect configuration checks. Patch contributed by Joshua Root.
bpo-29076: Add fish shell support to macOS installer.
Windows
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i
bpo-42584: Upgrade Windows installer to use SQLite 3.34.0.
macOS
bpo-42504: Ensure that the value of sysconfig.get_config_var(‘MACOSX_DEPLOYMENT_TARGET’) is always a string, even when the value is parsable as an integer.
bpo-42361: Update macOS installer build to use Tcl/Tk 8.6.11 (rc2, expected to be final release).
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i.
bpo-42584: Update macOS installer to use SQLite 3.34.0.
IDLE
bpo-43008: Make IDLE invoke sys.excepthook() in normal, 2-process mode. Patch by Ken Hilton.
bpo-33065: Fix problem debugging user classes with __repr__ method.
bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash. Patch by Zackery Spytz.
bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage.
Tools/Demos
bpo-42726: Fixed Python 3 compatibility issue with gdb/libpython.py handling of attribute dictionaries.
bpo-42613: Fix freeze.py tool to use the proper config and library directories. Patch by Victor Stinner.
C API
bpo-43030: Fixed a compiler warning in Py_UNICODE_ISSPACE() on platforms with signed wchar_t.
bpo-42591: Export the Py_FrozenMain() function: fix a Python 3.9.0 regression. Python 3.9 uses -fvisibility=hidden and the function was not exported explicitly and so not exported.
bpo-40052: Fix an alignment build warning/error in function PyVectorcall_Function(). Patch by Andreas Schneider, Antoine Pitrou and Petr Viktorin.
Python 3.8.8
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
Core and Builtins
bpo-42819: readline: Explicitly disable bracketed paste in the interactive interpreter, even if it’s set in the inputrc, is enabled by default (eg GNU Readline 8.1), or a user calls readline.read_init_file(). The Python REPL has not implemented bracketed paste support. Also, bracketed mode writes the "\x1b[?2004h" escape sequence into stdout which causes test failures in applications that don’t support it. It can still be explicitly enabled by calling readline.parse_and_bind("set enable-bracketed-paste on"). Patch by Dustin Rodrigues.
Library
bpo-43108: Fixed a reference leak in the curses module. Patch by Pablo Galindo
bpo-42780: Fix os.set_inheritable() for O_PATH file descriptors on Linux.
bpo-41748: Fix HTMLParser parsing rules for element attributes containing commas with spaces. Patch by Karl Dubost.
bpo-42759: Fixed equality comparison of tkinter.Variable and tkinter.font.Font. Objects which belong to different Tcl interpreters are now always different, even if they have the same name.
bpo-23328: Allow / character in username, password fields on _PROXY envars.
bpo-42681: Fixed range checks for color and pair numbers in curses.
bpo-42531: importlib.resources.path() now works for packages missing the optional __file__ attribute (more specifically, packages whose __spec__.origin is None).
bpo-42388: Fix subprocess.check_output(…, input=None) behavior when text=True to be consistent with that of the documentation and universal_newlines=True.
bpo-42384: Make pdb populate sys.path[0] exactly the same as regular python execution.
bpo-42383: Fix pdb: previously pdb would fail to restart the debugging target if it was specified using a relative path and the current directory changed.
bpo-42318: Fixed support of non-BMP characters in tkinter on macOS.
bpo-42005: Fix CLI of cProfile and profile to catch BrokenPipeError.
bpo-41604: Don’t decrement the reference count of the previous user_ptr when set_panel_userptr fails.
bpo-26407: Unexpected errors in calling the __iter__ method are no longer masked by TypeError in csv.reader(), csv.writer.writerow() and csv.writer.writerows().
bpo-39068: Fix initialization race condition in a85encode() and b85encode() in base64. Patch by Brandon Stansbury.
bpo-36589: The curses.update_lines_cols() function now returns None instead of 1 on success.
bpo-33289: Correct call to tkinter.colorchooser to return RGB triplet of ints instead of floats. Patch by Cheryl Sabella.
Documentation
bpo-40304: Fix doc for type(name, bases, dict). Patch by Boris Verkhovskiy and Éric Araujo.
bpo-42811: Updated importlib.utils.resolve_name() doc to use __spec__.parent instead of __package__. (Thanks Yair Frid.)
Tests
bpo-42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-40810: In sqlite3, fix CheckTraceCallbackContent for SQLite pre 3.7.15.
Build
bpo-29076: Add fish shell support to macOS installer.
Windows
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i
bpo-42584: Upgrade Windows installer to use SQLite 3.34.0.
macOS
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i.
bpo-42584: Update macOS installer to use SQLite 3.34.0.
IDLE
bpo-43008: Make IDLE invoke sys.excepthook() in normal, 2-process mode. Patch by Ken Hilton.
bpo-33065: Fix problem debugging user classes with __repr__ method.
bpo-42508: Keep IDLE running on macOS. Remove obsolete workaround that prevented running files with shortcuts when using new universal2 installers built on macOS 11.
bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash. Patch by Zackery Spytz.
bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage.
Tools/Demos
bpo-42726: Fixed Python 3 compatibility issue with gdb/libpython.py handling of attribute dictionaries.
C API
bpo-43030: Fixed a compiler warning in Py_UNICODE_ISSPACE() on platforms with signed wchar_t.
bpo-40052: Fix an alignment build warning/error in function PyVectorcall_Function(). Patch by Andreas Schneider, Antoine Pitrou and Petr Viktorin.
This touches all compiled std library files after installation, to avoid
extra recompilations when a dependent package (most likely a newer Go
release) is being built.
Patch from mlelstv@ in PR pkg/55900.
Restore some PLIST content state from prior to the 23.2.4 update,
which mistakenly moved some hipe-related files that get built
universally to the PLIST.hipe list. The "--disable-hipe" option does
not impact everything. Build tested with the hipe option both enabled
and disabled. This should fix build breakages, e.g., NetBSD/aarch64.
(Separately, it's kind of unfortunate that this package uses both PLIST
variables and separate PLIST files to segment content driven by options.
It should really use one approach or the other consistently, but I
haven't touched that here.)
## 1.15.2 - 2021-02-15
- Fix bug in windows version of `os/spawn` and `os/execute` with setting environment variables.
- Fix documentation typos.
- Fix peg integer reading combinators when used with capture tags.
## 1.15.0 - 2021-02-08
- Fix `gtim` and `ltim` bytecode instructions on non-integer values.
- Clean up output of flychecking to be the same as the repl.
- Change behavior of `debug/stacktrace` with a nil error value.
- Add optional argument to `parser/produce`.
- Add `no-core` option to creating standalone binaries to make execution faster.
- Fix bug where a buffer overflow could be confused with an out of memory error.
- Change error output to `file:line:column: message`. Column is in bytes - tabs
are considered to have width 1 (instead of 8).
Python 3.7.10
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
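Added Python example for the bpo-42051 and bpo-42103 entries (the loader wrapper and both plist documents are constructed for this page; they are not CPython's code): a loader for plists from untrusted sources, run against a benign document and a classic entity-expansion payload, which the fixed plistlib refuses before any expansion takes place.

```python
import plistlib
from typing import Any, Optional
from xml.parsers.expat import ExpatError


def load_untrusted_plist(data: bytes) -> Optional[Any]:
    """Parse a plist from an untrusted source; return None if it is malformed.

    With the fixes in this release the failure modes are bounded:
      * entity declarations in an XML plist raise InvalidFileException
        before anything is expanded (bpo-42051);
      * a malformed binary plist raises only InvalidFileException or
        RecursionError (bpo-42103);
      * XML that is not well-formed surfaces as ExpatError from the
        underlying parser.
    Nothing else needs catching, which is what makes a wrapper like this
    safe to write without a blanket 'except Exception'.
    """
    try:
        return plistlib.loads(data)
    except (plistlib.InvalidFileException, RecursionError, ExpatError):
        return None


# Constructed sample: an ordinary XML plist, as plistlib.dumps() would write.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>name</key>
    <string>demo</string>
</dict>
</plist>
"""

# Constructed sample: a "billion laughs" document. Each level multiplies
# the previous one tenfold; a parser that expanded entities would build a
# multi-kilobyte string here and, with a few more levels, exhaust memory.
BILLION_LAUGHS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<plist version="1.0">
<dict>
    <key>name</key>
    <string>&lol3;</string>
</dict>
</plist>
"""
```

The benign document keeps the external DOCTYPE reference that plistlib itself writes; expat does not fetch external DTDs unless asked to, so that line is harmless. The internal subset in the second document is what triggers the entity-declaration handler and the rejection.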
Library
bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
bpo-41976: Fixed a bug that was causing ctypes.util.find_library() to return None when trying to locate a library in an environment where gcc>=9 is available and ldconfig is not. Patch by Pablo Galindo
Documentation
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Tests
bpo-42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
Python 3.6.13 final
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
Core and Builtins
bpo-35560: Fix an assertion error in format() in debug build for floating point formatting with “n” format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan.
Library
bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
Tests
bpo-42794: Update test_nntplib to use official group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
- By default, if now propagates its child exit code when it exits.
- backtick now propagates failure by default; its options have slightly
different semantics (-i becomes default, new -x introduced).
pkgsrc changes:
- Add manual pages by flexibeast.
Version 10.23.3 'Dubnium' (LTS)
Notable changes
The update to npm 6.14.11 has been relanded so that npm correctly reports its version.
Version 10.23.2 'Dubnium'
Notable changes
Release keys have been synchronized with the main branch.
deps:
upgrade npm to 6.14.11
v1.3
Compatibility:
Tested with Python 3.9.0
Additions:
To help avoid compiler warning about uninitialized members, extra members are added to the PyModuleDef structure for Python 2: m_slots, m_traverse, m_clear and m_free. Under Python 2, they must be set to NULL (usually by continuing to leave them out).
This is a meta package including the Ruby 3.0 full release.
It includes the ruby30-base, ruby30-gdbm, ruby30-fiddle and ruby30-readline
packages.
No package should depend on this package directly.
Ruby is the interpreted scripting language for quick and easy Object
Oriented Programming. It has many features to process text files and to do
system management tasks (as in Perl). It is simple, straight-forward, and
extensible.
Features of Ruby are shown below.
+ Simple Syntax
+ *Normal* Object-Oriented features (ex. class, method calls)
+ *Advanced* Object-Oriented features (ex. Mix-in, Singleton-method)
+ Operator Overloading
+ Exception Handling
+ Iterators and Closures
+ Garbage Collection
+ Dynamic Loading of Object files (on some architectures)
+ Highly Portable (works on many UNIX machines, and on DOS, Windows,
Mac, etc.)
Ruby 3.0 introduces a number of new features and performance
improvements, most notably:
* Performance
- MJIT
* Concurrency
- Ractor
- Fiber Scheduler
* Typing (Static Analysis)
- RBS
- TypeProf
This package is the Ruby 3.0 release minimum base package.
While here point out that the aarch64 equivalent patch was sent upstream.
Bump PKGREVISION. fix gcc*-libs PKGREVISION accordingly.
Fixes PR pkg/55992: math/blas fails on NetBSD/sparc64
Fixes report by Connor McLaughlan on pkgsrc-users
Version 14.15.5 'Fermium' (LTS)
Notable Changes
deps:
upgrade npm to 6.14.11
V8: backport dfcf1e86fac0
Note: Node.js is not believed to be vulnerable to CVE-2021-21148.
stream,zlib: do not use _stream_* anymore
databases/ruby-activerecord60:
## Rails 6.0.3.5 (February 10, 2021) ##
* Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
*Aaron Patterson*
www/ruby-actionpack60
## Rails 6.0.3.5 (February 10, 2021) ##
* Prevent open redirect when allowed host starts with a dot
[CVE-2021-22881]
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
issue and the patch!
*Aaron Patterson*
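The CVE-2021-22881 entry names the condition (an allowed host beginning with a dot) but not the mechanics, so the added example below does not reproduce the Rails bypass or Action Pack's code. It is Python constructed for this page, showing how a dot-prefixed allowed-host entry should be matched: validate the host as a hostname first, then require an exact match or a '.'-delimited suffix, and compare with the naive suffix test that lets 'evilexample.com' through.

```python
import re
from typing import List, Optional

# RFC 1123 label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_HOSTNAME = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def canonical_host(host: str) -> Optional[str]:
    """Lower-case and validate a request host; None if it is not a plain hostname.

    Anything carrying '#', '/', '@', whitespace, brackets or other URL
    punctuation is rejected up front, so no later string comparison can be
    steered by it.
    """
    host = host.strip().lower().rstrip(".")
    if not host or len(host) > 253 or not _HOSTNAME.match(host):
        return None
    return host


def host_allowed(request_host: str, allowed: List[str]) -> bool:
    """Match a request host against an allow-list.

    A plain entry matches exactly. An entry starting with '.' means the
    domain itself and any subdomain of it, so the suffix test is anchored
    on the dot: 'evilexample.com' must not satisfy '.example.com'.
    """
    host = canonical_host(request_host)
    if host is None:
        return False
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            domain = entry[1:]
            if host == domain or host.endswith("." + domain):
                return True
        elif host == entry:
            return True
    return False


def host_allowed_naive(request_host: str, allowed: List[str]) -> bool:
    """The tempting one-liner: strip the dot and suffix-match.

    'evilexample.com'.endswith('example.com') is True, so an attacker's
    domain passes, and nothing rejects hosts that are not hostnames at all.
    """
    return any(request_host.lower().endswith(e.lstrip(".")) for e in allowed)
```

Whatever the allow-list syntax, the host that is checked must be the same string the framework later uses to build redirect URLs; checking one header and redirecting on another is how an open redirect survives a correct matcher.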
## Rails 5.2.4.5 (February 10, 2021) ##
* Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
*Aaron Patterson*
Fixes build with current ocaml.
Note: this update includes the import semantics fixes from 8.11 that
break a lot of developments.
pkgsrc change: docs build now works.
Summary of changes in 8.12:
Coq version 8.12 integrates many usability improvements, in particular
with respect to notations, scopes and implicit arguments, along with
many bug fixes and major improvements to the reference manual. The
main changes include:
New binder notation for non-maximal implicit arguments using [ ],
which allows setting and seeing the implicit status of arguments
immediately.
New notation Inductive I A | x : s := ... to distinguish the
uniform from the non-uniform parameters in inductive definitions.
More robust and expressive treatment of implicit inductive
parameters in inductive declarations.
Improvements in the treatment of implicit arguments and partially
applied constants in notations, parsing of hexadecimal number
notation and better handling of scopes and coercions for printing.
A correct and efficient coercion coherence checking algorithm,
avoiding spurious or duplicate warnings.
An improved Search command which accepts complex queries. Note
that this takes precedence over the now deprecated ssreflect
search.
Many additions and improvements of the standard library.
Improvements to the reference manual include a more logical
organization of chapters along with updated syntax descriptions
that match Coq's grammar in most but not all chapters.
Additionally, the omega tactic is deprecated in this version of Coq,
and we recommend users to switch to lia in new proof scripts (see also
the warning message in the corresponding chapter).
Summary of changes in 8.11:
The main changes brought by Coq version 8.11 are:
Ltac2, a new tactic language for writing more robust larger scale
tactics, with built-in support for datatypes and the multi-goal
tactic monad.
Primitive floats are integrated in terms and follow the binary64
format of the IEEE 754 standard, as specified in the
Coq.Float.Floats library.
Cleanups of the section mechanism, delayed proofs and further
restrictions of template polymorphism to fix soundness issues
related to universes.
New unsafe flags to disable locally guard, positivity and universe
checking. Reliance on these flags is always printed by Print
Assumptions.
Fixed bugs of Export and Import that can have a significant impact
on user developments (common source of incompatibility!).
New interactive development method based on vos interface files,
which allows working on a file without recompiling the proof parts of
its dependencies.
New Arguments annotation for bidirectional type inference
configuration for reference (e.g. constants, inductive)
applications.
New refine attribute for Instance can be used instead of the
removed Refine Instance Mode.
Generalization of the under and over tactics of SSReflect to
arbitrary relations.
Revision of the Coq.Reals library, its axiomatisation and
instances of the constructive and classical real numbers.
Additionally, while the omega tactic is not yet deprecated in this
version of Coq, it should soon be the case and we already recommend
users to switch to lia in new proof scripts (see also the warning
message in the corresponding chapter).
The full (huge) changelog is here:
https://coq.inria.fr/distrib/V8.12.2/refman/changes.html
GHC: The Glasgow Haskell Compiler.
The Glasgow Haskell Compiler is a robust, fully-featured, optimising
compiler for the functional programming language Haskell 98
(http://www.haskell.org). GHC compiles Haskell to either native code
or C. It implements numerous experimental language extensions to
Haskell, including concurrency, a foreign language interface, several
type-system extensions, exceptions, and so on. GHC comes with a
generational garbage collector, a space and time profiler, and a
comprehensive set of libraries.
This package provides the 9.0.x release series.
GHC: The Glasgow Haskell Compiler.
The Glasgow Haskell Compiler is a robust, fully-featured, optimising
compiler for the functional programming language Haskell 98
(http://www.haskell.org). GHC compiles Haskell to either native code
or C. It implements numerous experimental language extensions to
Haskell, including concurrency, a foreign language interface, several
type-system extensions, exceptions, and so on. GHC comes with a
generational garbage collector, a space and time profiler, and a
comprehensive set of libraries.
This package provides the 8.10.x release series.
pkgsrc changes:
---------------
* Fix PLIST when the hive option is enabled.
upstream changes:
-----------------
Patch Package: OTP 23.2.4
Git Tag: OTP-23.2.4
Date: 2021-02-04
Trouble Report Id: OTP-16239, OTP-17139, OTP-17161, OTP-17174
Seq num: ERIERL-597, ERL-1458
System: OTP
Release: 23
Application: snmp-5.7.3, ssl-10.2.2
Predecessor: OTP 23.2.3
Check out the git tag OTP-23.2.4, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- snmp-5.7.3 ------------------------------------------------------
---------------------------------------------------------------------
The snmp-5.7.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17161 Application(s): snmp
[manager] In a function handling snmp errors, an unused
result (_Error) could result in matching issues and
therefore case clause runtime errors (crash). Note that
this would only happen in *very* unusual error cases.
Full runtime dependencies of snmp-5.7.3: crypto-3.3, erts-6.0,
kernel-3.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-2.5
---------------------------------------------------------------------
--- ssl-10.2.2 ------------------------------------------------------
---------------------------------------------------------------------
The ssl-10.2.2 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17139 Application(s): ssl
Related Id(s): ERL-1458, OTP-16239
Prevent upgrade (from TCP to TLS) servers from starting
multiple session cache handlers for the same server.
This applies to Erlang distribution over TLS servers.
OTP-17174 Application(s): ssl
Related Id(s): ERIERL-597
Legacy cipher suites defined before TLS-1.2 (but still
supported) should be possible to use in TLS-1.2. They
were accidentally excluded from the available cipher suites
for TLS-1.2 in OTP-23.2.2.
--- Improvements and New Features ---
OTP-16239 Application(s): ssl
Related Id(s): ERL-1458, OTP-17139
Enable Erlang distribution over TLS to run TLS-1.3,
although TLS-1.2 will still be default.
Full runtime dependencies of ssl-10.2.2: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.12
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
Patch Package: OTP 23.2.3
Git Tag: OTP-23.2.3
Date: 2021-01-20
Trouble Report Id: OTP-17097, OTP-17107, OTP-17108, OTP-17110
Seq num: ERIERL-586, ERL-1442
System: OTP
Release: 23
Application: crypto-4.8.3, erts-11.1.7, snmp-5.7.2,
ssh-4.10.7
Predecessor: OTP 23.2.2
Check out the git tag OTP-23.2.3, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- crypto-4.8.3 ----------------------------------------------------
---------------------------------------------------------------------
The crypto-4.8.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17107 Application(s): crypto
Adding missing flag in BN-calls in SRP.
Full runtime dependencies of crypto-4.8.3: erts-9.0, kernel-5.3,
stdlib-3.4
---------------------------------------------------------------------
--- erts-11.1.7 -----------------------------------------------------
---------------------------------------------------------------------
The erts-11.1.7 application can be applied independently of other
applications on a full OTP 23 installation.
--- Improvements and New Features ---
OTP-17097 Application(s): erts
Make the Windows installer remove write access rights for
non-admin users when installing to a non-default
directory. This reduces the risk of DLL sideloading, but
the user should always be aware of the access rights
of the installation directory.
Full runtime dependencies of erts-11.1.7: kernel-7.0, sasl-3.3,
stdlib-3.13
---------------------------------------------------------------------
--- snmp-5.7.2 ------------------------------------------------------
---------------------------------------------------------------------
The snmp-5.7.2 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17110 Application(s): snmp
Related Id(s): ERIERL-586
[manager] Misspelled priv protocol (atom) made it
impossible to update usm user 'priv_key' configuration
for usmAesCfb128Protocol via function calls.
Full runtime dependencies of snmp-5.7.2: crypto-3.3, erts-6.0,
kernel-3.0, mnesia-4.12, runtime_tools-1.8.14, stdlib-2.5
---------------------------------------------------------------------
--- ssh-4.10.7 ------------------------------------------------------
---------------------------------------------------------------------
The ssh-4.10.7 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17108 Application(s): ssh
Related Id(s): ERL-1442
The SSH daemon erroneously replaced LF with CRLF also
when there was no pty requested from the server.
Full runtime dependencies of ssh-4.10.7: crypto-4.6.4, erts-9.0,
kernel-5.3, public_key-1.6.1, stdlib-3.4.1
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
## 1.14.2 - 2021-01-23
- Allow `JANET_PROFILE` env variable to load a profile before loading the repl.
- Update `tracev` macro to allow `def` and `var` inside to work as expected.
- Use `(dyn :peg-grammar)` for passing a default grammar to `peg/compile` instead of loading
`default-peg-grammar` directly from the root environment.
- Add `ev/thread` for combining threading with the event loop.
- Add `ev/do-thread` to make `ev/thread` easier to use.
- Automatically set supervisor channel in `net/accept-loop` and `net/server` correctly.
Remove workaround for RHEL 7. This workaround resulted in gcc/configure
failing to find dlfcn.h. The build doesn't appear to need it.
Fixes install on both Fedora 33 and CentOS 7 (the docker image, at least).
Jim Tcl version 0.80:
---------------------
Bugs fixed in version 0.80
return -level 0 -code xxx now returns the correct result
regexp - fix an issue with failed optional group
oo - fix an issue when no class variables are given
oo - fix super invocation with multiple inheritance levels
tailcall - fix to avoid growing the C stack frame
regsub -all with \A now works correctly
scan - fix an issue with chars vs bytes in utf-8 mode
aio - fix eventloop and eof for ssl connections
lsearch -regexp - fix the case where the pattern begins with a dash
lsearch -command - handle the case with too few args
Disallow renaming a local proc with upcall to avoid inconsistent behaviour
Features and improvements added in version 0.80
Dictionaries now preserve insertion order
string map and string compare now support embedded nulls
string match and other glob matches now support embedded nulls
Variable and proc names now support embedded nulls
Interactive mode now prints results containing embedded nulls
Generate a build warning if system is non-Y2038 compliant
package names added as an alias for package list
file rootname, file dirname are now more consistent with Tcl
aio - add Server Name Indication (SNI) ssl support
aio - add socket pty support
The 0d radix prefix is now supported for decimal (base 10)
String comparison operators lt, gt, le and ge are now supported
dict getwithdefault (and the alias dict getdef) are now supported
Build has coverage support, and test coverage is now over 90%
Performance improvements in a number of areas
Jim Tcl version 0.79:
---------------------
Bugs fixed in version 0.79
aio - Fix closing stdin in bootstrap jimsh
clock scan - Unspecified fields use the current date/time
Fix linenoise assertion failure on Windows
file - Improved support for trailing slashes in pathnames
regexp, regsub - Various fixes in UTF-8 mode
$(...) syntax now properly returns non-error codes
Features added in version 0.78
file - Add mtimeus for microsecond resolution
file - Add missing split subcommand
lreplace - Implement TIP #505
aio - Add dgram unix socket support
aio - Add support for lock -wait
aio copyto - Significantly improve performance
aio tty - Allow setting echo
signal - Add block for blocking signals with SIG_IGN
Add built-in JSON support with the json extension
Improve performance when indexing UTF-8 strings
Other changes
Documentation updates to improve consistency, remove obsolete commands, add some missing commands
exec no longer forces SIGPIPE disposition to SIG_DFL
Update autosetup to v0.6.9 with optimised insert/delete
Jim Tcl version 0.78:
---------------------
Bugs fixed in version 0.78
local - Fix crash when local command is deleted
history - When creating ~/.jim_history, set permissions to 0600 for security
exec - Fix windows exec with empty or unset env
exec - Fix check for | and |&
jim.c - Fix Object leak in zlib support
signal - Restore default signal handling on interp exit
dict - Fix [dict values] with duplicate values
Fix ‘/’ command, divide by zero
expr - Replace expression engine to fix a number of problems
zlib - Various fixes
lsort -unique - Fix case with no duplicates
aio tempname - Fix a crash when the template is invalid
Tcl compatibility - Error on extra characters after close brace
eventloop - Return from callback is not an error
oo - Fix methods for superclasses
Various refcount and edge case fixes found by fuzz testing
Features added in version 0.78
Add support for utf-8 wide characters
aio - Add tty for termios settings
aio - Add sockopt for broadcast, tcp_nodelay, etc.
utf-8 - Update UnicodeData.txt to 9.0.0
jimsh - Add support for jimsh -
jimsh - Scriptable command-line completion support via tcl::autocomplete
history - Add autocompletion support history completion <cmd>
Add support for -commands to many commands
Add pkg-config support - jimtcl.pc
clock - Add -gmt option to format and scan
tree - Allow nodes to be deleted
defer, $jim::defer - Allow scripts to run on proc exit
eventloop - Support sub-millisecond timer resolution
Support lambda even if references are disabled
Performance - Improve a number of common cases through caching
signal, exec, wait, pid, pipe - Many improvements
build - Support --silent-rules, and enable by default
regexp - Implement class shorthand escapes in brackets
linenoise (jimsh) - Add ^Z (SUSP) support
linenoise (jimsh) - Update to support multiline mode
Other changes
signal - Remove the signal command from child interpreters
os.wait is now wait
aio ssl now upgrades the current channel rather than creating a new channel
Update autosetup to v0.6.8
This is a copy of the previous lang/erlang of that release, with a few bits
tidied up, and configured to live alongside the newer lang/erlang package by
using a versioned library directory.
This version is required for at least databases/couchdb, and may be required
for other software that is incompatible with OTP 23.
Fix TLS/SSL network connection.
Avoid: javax.net.ssl.SSLException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors
parameter must be non-empty
From jperkin@. Thank you.
Vala 0.50.3
===========
* Various improvements and bug fixes:
- codegen:
+ Use CCodeInvalidExpression instead of place holders
+ Don't leak memory of already assigned out-parameter on error [#1123]
+ Don't leak memory on internal value comparison of property setter
+ Fix assignment of casted struct value to property [#1126]
- vala:
+ Report an error if gio-2.0 is missing for DBus support
+ Add missing TraverseVisitor.visit_addressof_expression()
+ value_type of PointerIndirection expressions must not be owned [#1118]
+ SliceExpression need to return heap-allocated or unowned references [#1120]
+ Accept "unowned var" as type for foreach variable declaration [#152]
+ Ownership transfer of inline-allocated array is not allowed [#931]
- tests: Use Automake’s parallel test driver to speed up running tests [#1094]
- testrunner: A lot of simplifications
* Bindings:
- gio-2.0: Fix DBusSubtreeIntrospectFunc binding
- gstreamer-1.0: Fix direction of GLib.Value typed parameters [#1014]
- gstreamer: Update from 1.19.0+ git master
- gtk4: Use correct cheader_include for wayland/x11 gdk backend [#1112]
- gtk4: Don't rename binding for gtk_css_provider_load_from_data [#1117]
- gtk4: Update to 4.0.1
- webkit2gtk-4.0: Update to 2.30.3
Incompatible Changes
There are no changes intentionally incompatible with Perl 5.32.0.
If any exist, they are bugs, and we request that you submit a
report. See "Reporting Bugs" below.
Modules and Pragmata
Updated Modules and Pragmata
Data::Dumper has been upgraded from version 2.174 to 2.174_01.
A number of memory leaks have been fixed.
DynaLoader has been upgraded from version 1.47 to 1.47_01.
Module::CoreList has been upgraded from version 5.20200620 to
5.20210123.
Opcode has been upgraded from version 1.47 to 1.48.
A warning has been added about evaluating untrusted code with
the perl interpreter.
Safe has been upgraded from version 2.41 to 2.41_01.
A warning has been added about evaluating untrusted code with
the perl interpreter.
Documentation
New Documentation
perlgov
Documentation of the newly formed rules of governance for Perl.
perlsecpolicy
Documentation of how the Perl security team operates and how the
team evaluates new security reports.
Changes to Existing Documentation
We have attempted to update the documentation to reflect the changes
listed in this document. If you find any we have missed, open an
issue at https://github.com/Perl/perl5/issues.
Additionally, the following selected changes have been made:
perlop
Document range op behaviour change.
Diagnostics
The following additions or changes have been made to diagnostic
output, including warnings and fatal error messages. For the complete
list of diagnostic messages, see perldiag.
Changes to Existing Diagnostics
\K not permitted in lookahead/lookbehind in regex; marked by
<-- HERE in m/%s/
This error was incorrectly produced in some cases involving
nested lookarounds. This has been fixed.
[GH #18123]
Configuration and Compilation
Newer 64-bit versions of the Intel C/C++ compiler are now
recognized and have the correct flags set.
We now trap SIGBUS when Configure checks for va_copy.
On several systems the attempt to determine if we need va_copy
or similar results in a SIGBUS instead of the expected SIGSEGV,
which previously caused a core dump.
[GH #18148]
Testing
Tests were added and changed to reflect the other additions and
changes in this release.
Platform Support
Platform-Specific Notes
MacOS (Darwin)
The hints file for darwin has been updated to handle future
macOS versions beyond 10. Perl can now be built on macOS Big
Sur.
[GH #17946, GH #18406]
Minix
Build errors on Minix have been fixed.
[GH #17908]
Selected Bug Fixes
Some list assignments involving undef on the left-hand side
were over-optimized and produced incorrect results.
[GH #16685, GH #17816]
Fixed a bug in which some regexps with recursive subpatterns
matched incorrectly.
[GH #18096]
Fixed a deadlock that hung the build when Perl is compiled for
debugging memory problems and has PERL_MEM_LOG enabled.
[GH #18341]
Fixed a crash in the use of chained comparison operators when
run under "no warnings 'uninitialized'".
[GH #17917, GH #18380]
Exceptions thrown from destructors during global destruction
are no longer swallowed.
[GH #18063]
* cmd/go: packages using cgo can cause arbitrary code execution at build time
The go command may execute arbitrary code at build time when cgo is in use on
Windows. This may occur when running “go get”, or any other command that builds
code. Only users who build untrusted code (and don’t execute it) are affected.
In addition to Windows users, this can also affect Unix users who have “.”
listed explicitly in their PATH and are running “go get” or build commands
outside of a module or with module mode disabled.
Thanks to RyotaK (https://twitter.com/ryotkak) for reporting this issue.
This issue is CVE-2021-3115 and Go issue golang.org/issue/43783.
For more background on the cmd/go change and help deciding whether your own
programs might have similar issues, see our blog post at
https://blog.golang.org/path-security.
* crypto/elliptic: incorrect operations on the P-224 curve
The P224() Curve implementation can in rare circumstances generate incorrect
outputs, including returning invalid points from ScalarMult.
The crypto/x509 and golang.org/x/crypto/ocsp (but not crypto/tls) packages
support P-224 ECDSA keys, but they are not supported by publicly trusted
certificate authorities. No other standard library or golang.org/x/crypto
package supports or uses the P-224 curve.
The incorrect output was found by the elliptic-curve-differential-fuzzer
project running on OSS-Fuzz and reported by Philippe Antoine (Catena cyber).
This issue is CVE-2021-3114 and Go issue golang.org/issue/43786.
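The CVE-2021-3115 note above hinges on how a bare program name is resolved through PATH: "." and an empty element both mean the working directory, so a build run inside an untrusted checkout can pick up a file from that checkout. The following is an added illustration, not code from the Go project: a PATH audit and a simulated lookup over a constructed, in-memory set of executables (the paths /usr/bin/git and /tmp/untrusted/git are made up for the demonstration).

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Finding describes one PATH element whose meaning depends on the current
// working directory. Constructed example, not part of the Go toolchain.
type Finding struct {
	Entry  string
	Reason string
}

// AuditPath returns the elements of a POSIX PATH string that resolve
// relative to the working directory. Under POSIX rules both "." and an
// empty element (":" next to ":" or at either end) mean "the current
// directory"; any other relative element is joined to the working
// directory at lookup time and is flagged as well.
func AuditPath(pathEnv string) []Finding {
	var out []Finding
	for _, e := range strings.Split(pathEnv, ":") {
		switch {
		case e == "":
			out = append(out, Finding{e, "empty element is treated as the current directory"})
		case e == ".":
			out = append(out, Finding{e, "explicit current directory"})
		case !filepath.IsAbs(e):
			out = append(out, Finding{e, "relative element resolves against the working directory"})
		}
	}
	return out
}

// Resolve simulates the lookup a shell or the go command performs for a
// bare program name: walk PATH in order and return the first directory
// that contains the program. exists is a constructed stand-in for the
// filesystem (a set of absolute executable paths). The second result
// reports whether the winning element was working-directory relative,
// i.e. whether the choice of binary was controlled by cwd contents.
func Resolve(name, pathEnv, cwd string, exists map[string]bool) (resolved string, cwdRelative bool, found bool) {
	for _, e := range strings.Split(pathEnv, ":") {
		dir := e
		relative := false
		if e == "" || !filepath.IsAbs(e) {
			// filepath.Join cleans "" and "." away, so both map to cwd itself.
			dir = filepath.Join(cwd, e)
			relative = true
		}
		candidate := filepath.Join(dir, name)
		if exists[candidate] {
			return candidate, relative, true
		}
	}
	return "", false, false
}

func main() {
	// Constructed filesystem: the system git plus a file named "git" that
	// happens to sit inside a checkout the build is run from.
	fs := map[string]bool{
		"/usr/bin/git":       true,
		"/tmp/untrusted/git": true,
	}
	for _, p := range []string{"/usr/bin:/bin", ".:/usr/bin:/bin", "/usr/bin::/bin"} {
		fmt.Printf("PATH=%q findings=%v\n", p, AuditPath(p))
		resolved, rel, ok := Resolve("git", p, "/tmp/untrusted", fs)
		fmt.Printf("  git -> %q (cwd-relative=%v, found=%v)\n", resolved, rel, ok)
	}
}
```

Only a PATH whose cwd-relative element comes before the system directory lets the checkout's file win; the audit reports every such element regardless of order, which is the conservative check to run on build machines.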
## 1.14.1 - 2021-01-18
- Add `doc-of` for reverse documentation lookup.
- Add `ev/give-supervsior` to send a message to the supervising channel.
- Add `ev/gather` and `chan` argument to `ev/go`. This new argument allows "supervisor channels"
for fibers to enable structured concurrency.
- Make `-k` flag work on stdin if no files are given.
- Add `flycheck` function to core.
- Make `backmatch` and `backref` more expressive in pegs.
- Fix buggy `string/split`.
- Add `fiber/last-value` to get the value that was last yielded, errored, or signaled
by a fiber.
- Remove `:generate` verb from `loop` macros. Instead, use the `:in` verb
which will now work on fibers as well as other data structures.
- Define `next`, `get`, and `in` for fibers. This lets
`each`, `map`, and similar iteration macros iterate over fibers.
- Remove macro `eachy`, which can be replaced by `each`.
- Add `dflt` argument to find-index.
- Deprecate `file/popen` in favor of `os/spawn`.
- Add `:all` keyword to `ev/read` and `net/read` to make them more like `file/read`. However, we
do not provide any `:line` option as that requires buffering.
- Change repl behavior to make Ctrl-C raise SIGINT on posix. The old behavior for Ctrl-C,
to clear the current line buffer, has been moved to Ctrl-Q.
- Importing modules that start with `/` is now the only way to import from project root.
Before, this would import from / on disk. Previous imports that did not start with `.` or `/`
are now unambiguously importing from the syspath, instead of checking both the syspath and
the project root. This is backwards incompatible and dependencies should be updated for this.
- Change hash function for numbers.
- Improve error handling of `dofile`.
- Bug fixes in networking and subprocess code.
- Use markdown formatting in more places for docstrings.
When building some package, I found that the lack of quoting of
PYVERSSUFFIX caused a syntax error due to it ending up empty. Add
quotes, which should be harmless to others and resolves the issue.
(Leftover from the freeze.)
Changes since version 2.0.7
New in version 2.1.0
* minor incompatible change: the MAKE-EA internal function, used
in the assembler, has been removed (affecting some libraries
defining their own Virtual Operations)
* new feature: SB-EXT:PRIMITIVE-OBJECT-SIZE can be used to
interrogate the low-level size in memory of objects. (#1636910,
reported by anquegi)
* platform support:
* pass required -std argument to the compiler on Solaris
(#1885751, thanks to Jesse Off)
* better treatment of non-ASCII program arguments on Windows
(#1907970, reported by Timofei Shatrov)
* implement the improved TYPEP with structure types on all
other supported platforms (32-bit PowerPC, ARM, ARM64, MIPS,
SPARC, RISC-V)
* enhancement: stream dispatch (to vanilla ANSI / Gray / Simple
variants) has been rewritten and optimized, fixing a number of
bugs including:
* performance of WRITE-SEQUENCE on composite streams (#309136)
* handling of CLOSE on SYNONYM-STREAM (#1904257, reported by
Richard M Kreuter)
* handling of CLOSE on BROADCAST-STREAM with no components
(#1904722, reported by Richard M Kreuter)
* loading SB-SIMPLE-STREAMS breaks functionality of other
stream classes (#1908132)
* some excessive consing in READ-LINE
* enhancements related to RUN-PROGRAM:
* improved the documentation related to the ARGS argument
(#806733, reported by mon_key)
* added a PRESERVE-FDS argument
* bug fix: ensure that TYPE-OF returns something even on internal
instances, which may become visible in the debugger. (#1908261,
reported by Philipp Marek)
* bug fix: iteration variables established by standard forms
should always be considered used by the compiler. (#719585,
reported by Roman Marynchak)
* bug fix: don't allow compiler transformations to weaken the
requirement against extended (list-form) function names in
FUNCALL and related operators. (#310069)
* bug fix: improve automated version number generation in
branches. (#897867, thanks to Martin Cracauer)
* bug fix: add possibly-spurious futex wakes when unwinding from a
call to futex-wait, to avoid deadlocks from interrupted
waits. (#1038034)
* bug fixes in the compiler:
* error on malformed DESTRUCTURING-BIND (#1738638)
* error on malformed SPECIAL declaration (#1740756)
* error from use of VALUES type in COERCE (#1887712)
* enforcement of FTYPE types involving &OPTIONAL (#1903932)
* checking for proper-list-ness before applying transforms (#1905512)
* compilation of LAMBDA form including a malformed DEFUN (#1906056)
* memory fault from VALUES-related handling in high DEBUG code
(#1906563)
* transforms handle explicit NIL arguments in :END arguments
to SEARCH (#1907924)
* bug fix: return COMPILED-FUNCTION for TYPE-OF on compiled
functions. (#1906583)
* some bugs were also closed in this release cycle as obsolete,
having been fixed by the passage of time or other change in the
environment:
* floating point error reporting on OS X (#309454)
* load-shared-library not working from non-main threads on OS
X (#592425)
* optimization: CONSTANTLY on constant arguments returns a more
efficient function. (#1852585)
* optimization: perform fewer Lisp/Alien representation
conversions in callbacks.
* optimization: perform fewer redundant widetag tests when doing
type tests of complicated union types.
* optimization: signed-integer division on machine-word sized
operands is now implemented using multiplication, affecting
TRUNCATE, FLOOR, CEILING, MOD and REM. (This optimization was
already performed on unsigned-integer division)
New in version 2.0.11
* minor incompatible change: (ARRAY NIL (*)) is not a subtype of
STRING, as is consistent with a majority of maintained CL
implementations.
* minor incompatible change: ARRAY-RANK-LIMIT is decreased from
65529 to 256
* optimization: TYPEP on structure types is faster and more
compact on x86[-64] and ppc64.
* optimization: LOGCOUNT is faster on arm64.
* optimization: SIGNUM can be inlined if its argument type is
known. (#1903533)
* bug fix: compiler crash in tail call handling. (#1903938)
* bug fix: crash in traceroot. (#1903419, reported by Michal Herda)
* bug fix: DESCRIBE called with a string as second argument no
longer mutates that string. (#1903901, reported by Michal Herda)
* bug fix: stack clobbering by 256-bit SIMD packs on
x86-64. (#1901685, reported by Marco Heisig)
New in version 2.0.10
* minor incompatible change: the funarg given to
SB-SPROF:MAP-TRACES does not receive a wallclock time with each
trace.
* minor incompatible change: INTERNAL-TIME-UNITS-PER-SECOND has
been increased to 10^6 on 64-bit architectures.
* minor incompatible change: SIGPIPE is ignored by default again. (#1897624)
* minor incompatible change: the system code compiled under the
:LINKAGE-TABLE feature is now unconditionally compiled in, and
the corresponding entry in *FEATURES* has been removed.
* enhancement: style-warnings are issued for variables which have
an assignment but no "for-value reference" (per CLHS glossary
entry)
* bug fix: SB-CLTL2:MACROEXPAND-ALL did not expand
MULTIPLE-VALUE-BIND and MULTIPLE-VALUE-SETQ
* bug fix: CPUID-based feature detection had an index/mask
confusion (#1899239)
* bug fix: fix a deadlock on Windows (#1896802)
* bug fix: eliminate type errors when wall clocks go back
(#1028026, #1032111)
* bug fix: fix EOF handling in read-char-no-hang on concatenated
streams (#690408, reported by Willem Broekema)
* bug fix: fix MAP-INTO on extended sequences (#1855375, thanks to
James Kalenius)
* bug fix: SB-GMP can now raise -1, 0 and 1 to the power of a
bignum. (thanks to Aaron Chen)
* bug fixes in tests:
* add a C function declaration (#1897627, thanks to Bob Felts)
* parse vmmap output more liberally (#1897722, reported by Bob Felts)
New in version 2.0.9
* incompatible change: HPPA and DEC Alpha architecture support has
been removed.
* minor incompatible change: the compiler signals a warning at
compile-time when an initform of T, NIL or 0 does not match a
STANDARD-CLASS slot's declared type.
* minor incompatible change: the runtime no longer uses SIGPIPE
internally, so the signal is deliverable to user code as is
customary. Ignoring the signal - in lieu of the OS default of
process termination - is obtainable via (SB-SYS:ENABLE-INTERRUPT
SB-UNIX:SIGPIPE :IGNORE).
* platform support:
* a number of obsolete portability layers (particularly on the
Windows platform) have been removed in favour of direct
calling of the native interfaces.
* RUN-PROGRAM now accepts a :WINDOW argument to control
whether a subprocess window should be displayed. (Thanks to
Luis Borges de Oliveira)
* the use of futexes implied by :SB-FUTEX is now implemented on FreeBSD.
* bug fix: SB-SPROF can distinguish between SBCL-internal assembly routines.
* bug fix: SB-SPROF has better output in its reports for anonymous
functions.
* optimization: CALL-NEXT-METHOD with supplied arguments in
required positions is now faster if the supplied arguments are
EQL to the original arguments.
New in version 2.0.8
* platform support:
* added support for NetBSD/aarch64;
* threads on Linux now have OS-visible names;
* removed unnecessary emulation of pthread functions on Windows;
* work around a sigwait() bug on Mac OS X;
* allow safepoint build on Mac OS X, though it probably
doesn't work very well (reported by Chris Wagner, #1382811)
* removed stub support for HPUX.
* optimization: SB-THREAD:MAKE-THREAD is faster on most platforms.
* optimization: faster RATIONAL when the result is a RATIO.
* optimization: improved cross-type comparisons (float/ratio/bignum).
* bug fix: EQUALP on pathnames was wrong
* bug fixes: fix compiler issues in:
* COUNT (#1889391)
* VECTOR-LENGTH (#1888919)
* constant-folding (#1888384)
* FIND and POSITION (#1887316)
6.14.11
DEPENDENCIES
ini@1.3.8
bl@3.0.1 - devDep
DOCUMENTATION
docs: update link to CLI issues
TESTING
add s390x, ppc64 and ppc64el in supported cpu list
v1.11.3
1. Enhancements
Elixir
[Macro] Add Macro.unique_var/2 and Macro.generate_unique_arguments/2
2. Bug fixes
Elixir
[Code] Do not raise when checking for operator ambiguity when :static_atoms_encoder is set in Code.string_to_quoted
[Kernel] Emit undefined function warnings from with
[Kernel] Do not fail type checking when literals are used in guards
[Module] Do not warn for attributes used in @after_compile
[Record] Make sure nested record names do not clobber each other
ExUnit
[ExUnit.Assertions] Do not crash if there are macros and module attributes on the left side of ++
IEx
[IEx.Helpers] Do not use Unicode chars if ANSI is disabled
Mix
[mix deps.compile] Fix compatibility with rebar v3.14
[mix release] Do not use private ram_file:compress/1
[mix xref] Do not crash when retrieving calls for modules in memory
- forstdin QoL changes: now it exits 1 if it doesn't read anything,
and it only splits on newlines by default.
- forbacktickx, which is a wrapper to forstdin, gets the same changes.
- Line-processing binaries now chomp by default. Substitution
binaries do not.
- New -N option everywhere to disable chomping.
- New "default" directive to trap, replacing the irrelevant "timeout".
Add RUBYGEM_VERBOSE user-settable variable. It is useful for developers.
RUBYGEM_VERBOSE
Execute gem with verbose option.
Possible values: Yes No
Default: No
Passing LDFLAGS verbatim no longer works; prefix each of them with -ccopt,
which seems to work across more ocaml binaries than -ldopt.
Tested across a number of packages that previously failed.
New in 2020.12:
* Removals:
+ Deprecated method candidates (subbuf(Any:U) on Buf, chdir(Str(), :$!test) on IO::Path)
and indir(IO() $path, &what, :$test!) subroutine candidate that were
throwing an exception instead of a deprecation warning for a long time
were removed from CORE [9040318]
* Additions:
+ Add new method deterministic to Iterator role [87fc041][b83b1b3][b63c0e0][c37a88e][96285af]
+ Introduce %*SUB-MAIN-OPTS<coerce-allomorphs-to> setting [bd5eba4][49eecd6]
+ Add a new candidate to spurt routine and method.
It does not have an argument taking content to write,
making it similar to the touch utility [f2ea0a6]
+ Add :emit-on-empty and :emit-once-on-empty methods to Supply.batch
method [cb8eb68]
+ Add :emit-timed to Supply.batch method [492651e]
+ Make is DEPRECATED trait introspectable on Routine instances [0d1c8a8]
* Changes:
+ Improve output of Attribute documentation when rendered with
Pod::To::Text [a0a8a51]
+ Increase sensitivity of Supply.batch(:seconds) x 1000 [aecfc9b]
+ The cas subroutine now accepts Mu as both its target and values [998cae5]
+ Defined List instances no longer return True when calling ACCEPT
with an undefined List (i.e. List ~~ () returns False now) [9fd79f9]
+ Mark the base native array class as Positional [d1d2546]
* Efficiency:
+ Implement metamodel transparency of nominalizables and fix handling of
definite parameters, gaining back some performance loss introduced with
the new coercion protocol in previous release
[d37906d][ed16d6c][b5465b1][e481619]
+ Fix a shaped array performance problem [f27e212]
+ Make execution of some kinds of when faster [c080e59][0006475][b3a2558]
+ Make cas subroutine ~10% faster [484f870]
+ Make @a[*-1] candidates about 60% faster [2d5d3bf]
+ Optimize some array operators [4ac0f73]
+ Make array access [$i] with $i being a native int about 2x as fast [7c0956b]
+ Improve the performance of signature binding [b1f59a2]
+ Speed up various aspects of native 1-dim shaped arrays and
native arrays in general
[42fceb0][2c5b545][3def3ce][705e6e6][a76e2b6][60fa48e]
[6792cc4][bd944e7][2274aa8][392d8be][1c43c46]
* Fixes:
+ Fix a number of issues with REPL execution, e.g. it "forgetting" previous
multi sub declarations, or calling WHAT on a native type
[7c0a81f][eae309a][e46a1da][f2851b9][e8ab527][0d6278f]
[6f7718c][be45507]
+ Fix roles not being auto-punned for postcircumfix:<( )>, by
implementing an invocation protocol for roles [79d2aea]
[5a22a7c][77a7bd2][17223fc][4009f40][538ad1b][9f98595]
+ Fix concurrency issue in compilations with heredocs [147bae3]
+ Fix subsets of coercions [af43ef6]
+ Fix an issue with splitdir method of IO::Spec::Unix
leading to action at a distance bugs [3d46341][f154244]
+ Fix argument of a coercion type not having a workable default value
[44cc88b][856dfb2]
+ Fix error reporting for slurpy named parameters with type constraints [e1f09cf]
+ Fix behavior of postcircumfix [ ] called with Iterable on
native array [4304e25]
+ Disallow calling of postcircumfix [ ] with type objects [6c7044e]
+ Fix a bug in set symmetric difference logic [7b6de5c]
+ Make Num coercer demand definite invocant [a75b3fa]
+ Add missing handling of adverbs :kv, :p, :k, :v for
1-dim shaped native arrays, also support many adverbs at once
(e.g. :exists:(kv|p)) [0f4970d][02e48d8]
+ Give stub packages created by package_at_key a proper longname [aab4f55]
+ Fix raku method called on CompUnit::Repository::Distribution instance [7d0813c]
+ Fix proper reporting of the X::Parameter::RW exception message [1732054]
+ Fix RAKUDO_MODULE_DEBUG output when the message contains meta
characters [b58510f]
+ The Test module now correctly handles RAKU_TEST_TIMES environment
variable, previously called PERL6_TEST_TIMES [d84ed4e]
* Internal:
+ Remove deprecated functionality to core epilogue [7406f8c]
+ Introduce Rakudo::Iterator.TailWith [f6c7ddb][9dbb52f]
+ Add sink-all method to a number of PredictiveIterators [cf0f2f2]
+ Make Iterator.sink-all default to using skip-one [f0ebdd0]
+ Add raku method to Rakudo::Internals::IterationSet for easier debugging
[0d301fa]
+ Remove all easily removable nqp::stmts from Rakudo code [f2f2cf8]
+ Another round of nqp::if -> ternaries [aba90b0]
+ Fix unwanted references to other compilations by CompilerServices [d0de766]
+ Type IO::Socket::INET family/type/protocol values [534cc54]
+ Add missing debug type names for easier debugging [a68b8ab]
+ Move "is test-assertion" to candidates [15ec4fe]
+ Adapt filenames in binary release scripts [3748884]
+ Various cleanup and micro-optimization changes [1801a5a]
[eabdee4][45246ae][6852f40][dce6804][c663cc3][1712f03]
[b525c4d][6ee47f0][912381b][2ce5260][80f9283][161325e]
[65f24a8][c02c9cd][46e9468][82d31e0][137d49b][53ad24a]
[1331ffd][c4c4ba9]
Version 10.23.1 'Dubnium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in an HTTP request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
Version 12.20.1 'Erbium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in an HTTP request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
Version 14.15.4 'Fermium' (LTS)
Notable Changes
Vulnerabilities fixed:
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)
Affected versions of Node.js allow two copies of a header field in an HTTP request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
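The duplicate-header ambiguity behind CVE-2020-8287 (listed for all three LTS lines above) is easiest to see with parsers that disagree. The following Python is an added example written for this page, not Node.js code: `parse_head`, `lenient_framing`, `strict_framing`, `framing_outcomes` and the sample requests `DUPLICATE_TE` and `CLEAN` are constructed for illustration. A lenient parser that keeps the first Transfer-Encoding value frames the body by Content-Length, a peer that keeps the last value frames it as chunked, and a strict parser following RFC 7230 section 3.3.3 refuses the message outright, which is the behaviour a fixed server should have.

```python
"""HTTP/1.1 request framing: lenient first/last-wins parsers beside a strict one.
Added example for this page; not Node.js code."""
from __future__ import annotations

# Constructed sample: two Transfer-Encoding fields.  A parser that keeps the
# first value sees "identity" and falls back to Content-Length; one that keeps
# the last value (or the combined list) sees "chunked".  Two hops disagreeing
# on where the body ends is the request-smuggling primitive.
DUPLICATE_TE = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: identity\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)

# Constructed sample with a single, unambiguous framing header.
CLEAN = (
    b"POST /api HTTP/1.1\r\n"
    b"Host: app.example\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
)


class FramingError(ValueError):
    """Raised when the request head has no single unambiguous body framing."""


def parse_head(raw: bytes) -> tuple[bytes, list[tuple[str, str]]]:
    """Split a request head into the request line and an ordered list of
    (lower-cased name, value) pairs.  Duplicates are preserved on purpose so
    the caller can see them rather than silently losing one."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("incomplete head")
    lines = head.split(b"\r\n")
    fields = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # RFC 7230 forbids whitespace between field-name and ':' and obs-fold.
        if not colon or not name or name != name.strip():
            raise FramingError("malformed header line: %r" % line)
        fields.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return lines[0], fields


def lenient_framing(raw: bytes, keep: str) -> str:
    """Framing chosen by a parser that collapses duplicates, keeping either the
    'first' or the 'last' occurrence of each header name."""
    _, fields = parse_head(raw)
    chosen: dict[str, str] = {}
    for name, value in fields:
        if keep == "first":
            chosen.setdefault(name, value)
        else:
            chosen[name] = value
    te = chosen.get("transfer-encoding", "")
    if te.split(",")[-1].strip().lower() == "chunked":
        return "chunked"
    if "content-length" in chosen:
        return "content-length:" + chosen["content-length"]
    return "none"


def strict_framing(raw: bytes) -> str:
    """Framing per RFC 7230 section 3.3.3, rejecting every ambiguous case."""
    _, fields = parse_head(raw)
    te = [v for n, v in fields if n == "transfer-encoding"]
    cl = [v for n, v in fields if n == "content-length"]
    if len(te) > 1:
        raise FramingError("multiple Transfer-Encoding fields")
    if te and cl:
        raise FramingError("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for c in te[0].split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return "chunked"
    if cl:
        # Identical repeated Content-Length values are tolerated; differing
        # or non-numeric ones are not.
        if len(set(cl)) > 1 or not cl[0].isdigit():
            raise FramingError("conflicting or invalid Content-Length")
        return "content-length:" + cl[0]
    return "none"


def framing_outcomes(raw: bytes) -> dict[str, str]:
    """What each parser decides for the same bytes."""
    out = {"first": lenient_framing(raw, "first"), "last": lenient_framing(raw, "last")}
    try:
        out["strict"] = strict_framing(raw)
    except FramingError as exc:
        out["strict"] = "rejected: %s" % exc
    return out
```

Refusing the request with a 400 rather than picking a winner is the point: smuggling only needs the front end and the back end to pick different winners. The strict path rejects Transfer-Encoding alongside Content-Length and conflicting Content-Length values for the same reason.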
Other OSes bundle the necessary libraries with the bootstrap kits, and enabling
this option would mean having to carry additional patches for the bundled zlib
etc.
Camlp5 Version 7.13:
--------------------
* [03 Sep 20] Support for Ocaml 4.11.1.
Camlp5 Version 7.12:
--------------------
* [29 Apr 20] upgrade to minimal support for Ocaml 4.11.0
(specifically 4.11.0+dev2-2020-04-22). This does not provide
support for any new stuff in 4.11.0; indeed, stuff may break. This
is just minimal "build and bootstrap" support.
Python 3.8.7
Core and Builtins
bpo-32381: Fix encoding name when running a .pyc file on Windows: PyRun_SimpleFileExFlags() now uses the correct encoding to decode the filename.
bpo-42536: Several built-in and standard library types now ensure that their internal result tuples are always tracked by the garbage collector:
collections.OrderedDict.items()
dict.items()
enumerate()
functools.reduce()
itertools.combinations()
itertools.combinations_with_replacement()
itertools.permutations()
itertools.product()
itertools.zip_longest()
zip()
Previously, they could have become untracked by a prior garbage collection. Patch by Brandt Bucher.
Library
bpo-42630: tkinter functions and constructors which need a default root window now raise RuntimeError with a descriptive message instead of an obscure AttributeError or NameError if it is not created yet or cannot be created automatically.
bpo-42644: logging.disable will now validate the types and value of its parameter. It also now accepts strings representing the levels (as does logging.setLevel) instead of only the numerical values.
bpo-36541: Fixed lib2to3.pgen2 to be able to parse PEP-570 positional only argument syntax.
bpo-42375: subprocess module update for DragonFlyBSD support.
bpo-39825: Windows: Change sysconfig.get_config_var('EXT_SUFFIX') to the expected full platform_tag.extension format. Previously it was hard-coded to .pyd, now it is compatible with distutils.sysconfig and will result in something like .cp38-win_amd64.pyd. This brings windows into conformance with the other platforms.
bpo-39101: Fixed tests using IsolatedAsyncioTestCase from hanging on BaseExceptions.
bpo-41907: fix format() behavior for IntFlag
bpo-41889: Enum: fix regression involving inheriting a multiply-inherited enum
bpo-41891: Ensure asyncio.wait_for waits for task completion
bpo-40219: Lowered tkinter.ttk.LabeledScale dummy widget to prevent hiding part of the content label.
bpo-40084: Fix Enum.__dir__: dir(Enum.member) now includes attributes as well as methods.
Documentation
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Build
bpo-42604: Now all platforms use a value for the “EXT_SUFFIX” build variable derived from SOABI (for instance on FreeBSD, “EXT_SUFFIX” is now “.cpython-310d.so” instead of “.so”). Previously only Linux, Mac and VxWorks were using a value for “EXT_SUFFIX” that included “SOABI”.
bpo-42598: Fix implicit function declarations in configure which could have resulted in incorrect configuration checks. Patch contributed by Joshua Root.
Tools/Demos
bpo-42613: Fix freeze.py tool to use the proper config and library directories. Patch by Victor Stinner.
Python 3.8.7 release candidate 1
Security
bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
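For bpo-42103 and bpo-42051 above, the following Python is an added example, not CPython's own code. `load_untrusted_plist` is a hypothetical wrapper that applies the same policy as the fixes from the caller's side (cap the input size, refuse XML plists carrying entity declarations before the parser runs, and map every parser failure to a clean rejection), and the sample plists, including the nested-entity one, are constructed here. `plistlib_rejects_entity_declarations` checks what plistlib itself does with such input on 3.8.7 and later.

```python
"""Defensive loading of untrusted property lists.
Added example for this page; not CPython code."""
import plistlib
import re

# Internal DTD subsets and entity declarations are where entity-expansion
# payloads live.  A regular plist DOCTYPE is just a PUBLIC reference to
# Apple's DTD and contains neither.
_ENTITY_DECL = re.compile(rb"<!ENTITY\b|<!DOCTYPE[^>]*\[")


def load_untrusted_plist(data: bytes, max_bytes: int = 1 << 20) -> dict:
    """Parse data with plistlib, refusing what we can identify as hostile
    before parsing and turning every parser failure into a rejection.
    Returns {"ok": bool, "value": parsed object or None, "reason": str}."""
    if len(data) > max_bytes:
        return {"ok": False, "value": None, "reason": "too large"}
    # Only XML plists can carry entity declarations; binary ones start with
    # the "bplist00" magic and are skipped by this check.
    if not data.startswith(b"bplist00") and _ENTITY_DECL.search(data):
        return {"ok": False, "value": None, "reason": "entity declaration"}
    try:
        value = plistlib.loads(data)
    except (plistlib.InvalidFileException, RecursionError, ValueError,
            TypeError, OverflowError) as exc:
        return {"ok": False, "value": None, "reason": type(exc).__name__}
    return {"ok": True, "value": value, "reason": ""}


# Constructed samples: one benign plist in each format.
BENIGN_XML = plistlib.dumps({"name": "demo", "count": 3}, fmt=plistlib.FMT_XML)
BENIGN_BINARY = plistlib.dumps({"name": "demo", "count": 3}, fmt=plistlib.FMT_BINARY)

# Constructed nested entity expansion: each level references the previous one
# ten times, so a handful of declarations expand into a large <string>.
ENTITY_XML = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist [\n'
    b'  <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">\n'
    b'  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">\n'
    b'  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">\n'
    b']>\n'
    b'<plist version="1.0"><dict><key>x</key><string>&c;</string></dict></plist>\n'
)

# Constructed malformed binary plist: the magic is present but the 32-byte
# trailer is not, so the parser must fail cleanly instead of misbehaving.
TRUNCATED_BINARY = BENIGN_BINARY[:12]


def plistlib_rejects_entity_declarations() -> str:
    """Name of the exception plistlib raises for ENTITY_XML, or "parsed" if it
    expanded the entities (the pre-3.8.7 behaviour)."""
    try:
        plistlib.loads(ENTITY_XML)
    except Exception as exc:
        return type(exc).__name__
    return "parsed"
```

The pre-parse scan is deliberately cheap and specific: rejecting any DOCTYPE would break every well-formed XML plist, so only an internal subset or an ENTITY declaration trips it. The size cap is the caller's share of the bpo-42103 defence, since a parser that no longer loops still has to read the whole input.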
Core and Builtins
bpo-41686: On Windows, the SIGINT event, _PyOS_SigintEvent(), is now created even if Python is configured to not install signal handlers (if PyConfig.install_signal_handlers equals to 0, or Py_InitializeEx(0)).
bpo-42143: Fix handling of errors during creation of PyFunctionObject, which resulted in operations on uninitialized memory. Patch by Yonatan Goldschmidt.
bpo-41984: The garbage collector now tracks all user-defined classes. Patch by Brandt Bucher.
bpo-41909: Fixed stack overflow in issubclass() and isinstance() when getting the __bases__ attribute leads to infinite recursion.
bpo-41894: When loading a native module and a load failure occurs, prevent a possible UnicodeDecodeError when not running in a UTF-8 locale by decoding the load error message using the current locale’s encoding.
Library
bpo-17735: inspect.findsource() now raises OSError instead of IndexError when co_lineno of a code object is greater than the file length. This can happen, for example, when a file is edited after it was imported. PR by Irit Katriel.
bpo-42116: Fix handling of trailing comments by inspect.getsource().
bpo-42482: TracebackException no longer holds a reference to the exception’s traceback object. Consequently, instances of TracebackException for equivalent but non-equal exceptions now compare as equal.
bpo-42406: We fixed an issue in pickle.whichmodule in which importing multiprocessing could change how pickle identifies which module an object belongs to, potentially breaking the unpickling of those objects.
bpo-42328: Fixed tkinter.ttk.Style.map(). The function now accepts the representation of the default state as an empty sequence (as returned by Style.map()). The structure of the result is now the same on all platforms and does not depend on the value of wantobjects.
bpo-42014: The onerror callback from shutil.rmtree now receives correct function when os.open fails.
bpo-42237: Fix os.sendfile() on illumos.
bpo-42249: Fixed writing binary Plist files larger than 4 GiB.
bpo-35455: On Solaris, thread_time() is now implemented with gethrvtime() because clock_gettime(CLOCK_THREAD_CPUTIME_ID) is not always available. Patch by Jakub Kulik.
bpo-41754: webbrowser: Ignore NotADirectoryError when calling xdg-settings.
bpo-29566: binhex.binhex() consistently writes macOS 9 line endings.
bpo-42183: Fix a stack overflow error for asyncio Task or Future repr().
The overflow occurs under some circumstances when a Task or Future recursively returns itself.
bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
bpo-41491: plistlib: fix parsing XML plists with hexadecimal integer values
bpo-32498: Clearer exception message when passing an argument of type bytes to urllib.parse.unquote(). This is only for 3.8; in 3.9 and later this function accepts bytes inputs as well. PR by Irit Katriel.
bpo-42065: Fix an incorrectly formatted error from _codecs.charmap_decode() when called with a mapped value outside the range of valid Unicode code points. PR by Max Bernstein.
bpo-41966: Fix pickling pure Python datetime.time subclasses. Patch by Dean Inwood.
bpo-41976: Fixed a bug that was causing ctypes.util.find_library() to return None when trying to locate a library in an environment where gcc>=9 is available and ldconfig is not. Patch by Pablo Galindo.
bpo-41900: C14N 2.0 serialisation in xml.etree.ElementTree failed for unprefixed attributes when a default namespace was defined.
bpo-41855: In importlib.metadata, fix issue where multiple children can be returned from FastPath.zip_children(). Backport of python-devs/importlib_metadata#117.
bpo-41840: Fix a bug in the symtable module that was causing module-scope global variables to not be reported as both local and global. Patch by Pablo Galindo.
bpo-41831: str() for the type attribute of the tkinter.Event object now always returns the numeric code returned by Tk instead of the name of the event type.
bpo-41662: No longer override exceptions raised in __len__() of a sequence of parameters in sqlite3 with ProgrammingError.
bpo-41662: Fixed a crash when mutating the list of parameters during iteration in sqlite3.
bpo-34215: Clarify the error message for asyncio.IncompleteReadError when expected is None.
bpo-41316: Fix the tarfile module to write only basename of TAR file to GZIP compression header.
bpo-12800: Extracting a symlink from a tarball should succeed and overwrite the symlink if it already exists. The fix is to remove the existing file or symlink before extraction. Based on patch by Chris AtLee, Jeffrey Kintscher, and Senthil Kumaran.
bpo-16936: Allow ctypes.wintypes to be imported on non-Windows systems.
bpo-40592: shutil.which() now ignores empty entries in PATHEXT instead of treating them as a match.
bpo-40492: Fix --outfile for cProfile / profile not writing the output file in the original directory when the program being profiled changes the working directory. PR by Anthony Sottile.
bpo-40105: ZipFile truncates files to avoid corruption when a shorter comment is provided in append (“a”) mode. Patch by Jan Mazur.
bpo-27321: Fixed KeyError exception when flattening an email to a string attempts to replace a non-existent Content-Transfer-Encoding header.
bpo-32793: Fix a duplicated debug message when smtplib.SMTP.connect() is called.
Documentation
bpo-42153: Fix the URL for the IMAP protocol documents.
bpo-41910: Document the default implementation of object.__eq__.
bpo-41774: In Programming FAQ “Sequences (Tuples/Lists)” section, add “How do you remove multiple items from a list”.
bpo-39416: Document some restrictions on the default string representations of numeric classes.
Tests
bpo-41473: Reenable test_gdb on gdb 9.2 and newer: https://bugzilla.redhat.com/show_bug.cgi?id=1866884 bug is fixed in gdb 10.1.
bpo-42553: Fix test_asyncio.test_call_later() race condition: don’t measure asyncio performance in the call_later() unit test. The test failed randomly on the CI.
bpo-40754: Include _testinternalcapi module in Windows installer for test suite
bpo-41739: Fix test_logging.test_race_between_set_target_and_flush(): the test now waits until all threads complete to avoid leaking running threads.
bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
bpo-41939: Fix test_site.test_license_exists_at_url(): call urllib.request.urlcleanup() to reset the global urllib.request._opener. Patch by Victor Stinner.
bpo-41561: test_ssl: skip test_min_max_version_mismatch when TLS 1.0 is not available
bpo-41602: Add tests for SIGINT handling in the runpy module.
bpo-41306: Fixed a failure in test_tk.test_widgets.ScaleTest happening when executing the test with Tk 8.6.10.
Build
bpo-42398: Fix a race condition in “make regen-all” when the make -jN option is used to run jobs in parallel. The clinic.py script now only uses atomic writes to write files. Moreover, generated files are now left unchanged if their content does not change, so as not to alter the file modification time.
Windows
bpo-42120: Remove macro definition of copysign (to _copysign) in headers.
bpo-38439: Updates the icons for IDLE in the Windows Store package.
bpo-41557: Update Windows installer to use SQLite 3.33.0.
bpo-38324: Avoid Unicode errors when accessing certain locale data on Windows.
macOS
bpo-38443: The --enable-universalsdk and --with-universal-archs options for the configure script now check that the specified architectures can be used.
bpo-41471: Ignore invalid prefix lengths in system proxy excludes.
bpo-41557: Update macOS installer to use SQLite 3.33.0.
IDLE
bpo-42426: Fix reporting offset of the RE error in searchengine.
bpo-42415: Get docstrings for IDLE calltips more often by using inspect.getdoc.
bpo-33987: Mostly finish using ttk widgets, mainly for editor, settings, and searches. Some patches by Mark Roseman.
bpo-41775: Use ‘IDLE Shell’ as shell title
bpo-40511: Typing opening and closing parentheses inside the parentheses of a function call will no longer cause unnecessary “flashing” off and on of an existing open call-tip, e.g. when typed in a string literal.
bpo-38439: Add a 256×256 pixel IDLE icon to the Windows .ico file. Created by Andrew Clover. Remove the low-color gif variations from the .ico file.
C API
bpo-41986: Py_FileSystemDefaultEncodeErrors and Py_UTF8Mode are available again in limited API.
Provides a header only, C++11 interface to R's C interface. Compared
to other approaches 'cpp11' strives to be safe against long jumps from
the C API as well as C++ exceptions, conform to normal R function
semantics and supports interaction with 'ALTREP' vectors.
ChangeLog:
2020-12-23 Simon Sobisch <simonsobisch@gnu.org>
* configure.ac: version 3.1.2
2020-12-15 Simon Sobisch <simonsobisch@gnu.org>
* configure.ac: fixed use of MPIR_LIBS
This results in a successful build and a js78 executable that runs in
my test environment (the most recent OmniOS release). However, test
suite execution yields an immediate failure with the message "too much
recursion", so it seems more work is still required here.