Python 3.9.9 final
Core and Builtins
bpo-45738: Fix computation of error location for invalid continuation characters in the parser. Patch by Pablo Galindo.
Library
bpo-45235: Reverted an argparse bugfix that caused regression in the handling of default arguments for subparsers. This prevented leaf level arguments from taking precedence over root level arguments.
bpo-45765: In importlib.metadata, fix distribution discovery for an empty path.
bpo-45644: In-place JSON file formatting using python3 -m json.tool infile infile now works correctly, previously it left the file empty. Patch by Chris Wesseling.
Documentation
bpo-45772: socket.socket documentation is corrected to a class from a function.
bpo-45392: Update the docstring of the type built-in to remove a redundant line and to mention keyword arguments for the constructor.
Windows
bpo-45732: Updates bundled Tcl/Tk to 8.6.12.
bpo-45720: Internal reference to shlwapi.dll was dropped to help improve startup time. This DLL will no longer be loaded at the start of every Python process.
The configure test looks for only one particular symbol from the library,
which the native version on illumos does not have, to determine whether
libuuid should be linked against. This results in failure later when
trying to use a different symbol the library.
Fixes native builds, and has no impact on pkgsrc builds.
Vala 0.54.3
===========
* Various improvements and bug fixes:
- codegen: Actually free data when using "remove(_all)"
on GLib.Queue/(S)List [#1238]
- vala:
+ Parameter following ellipsis parameter is not allowed [#1237]
+ More thorough check of ValueType and set CodeNode.error on failure
+ Really check compatiblity of error types for delegate symbol
+ Correctly output signature of callable throwing error
+ Report error for non ErrorType in throws
+ Implement CodeWriter.visit_foreach_statement()/visit_catch_clause()
- parser: Make sure ErrorCodes are accessible as needed
- girparser: Add support for "ref_/ref_sink_/unref_function"
metadata for classes [#1233]
Python 3.9.8
Core and Builtins
bpo-30570: Fixed a crash in issubclass() from infinite recursion when searching pathological __bases__ tuples.
bpo-45494: Fix parser crash when reporting errors involving invalid continuation characters. Patch by Pablo Galindo.
bpo-45385: Fix reference leak from descr_check. Patch by Dong-hee Na.
bpo-45167: Fix deepcopying of types.GenericAlias objects.
bpo-44219: Release the GIL while performing isatty system calls on arbitrary file descriptors. In particular, this affects os.isatty(), os.device_encoding() and io.TextIOWrapper. By extension, io.open() in text mode is also affected. This change solves a deadlock in os.isatty(). Patch by Vincent Michel in bpo-44219.
bpo-44959: Added fallback to extension modules with ‘.sl’ suffix on HP-UX
bpo-44050: Extensions that indicate they use global state (by setting m_size to -1) can again be used in multiple interpreters. This reverts to behavior of Python 3.8.
bpo-45121: Fix issue where Protocol.__init__ raises RecursionError when it’s called directly or via super(). Patch provided by Yurii Karabas.
bpo-45083: When the interpreter renders an exception, its name now has a complete qualname. Previously only the class name was concatenated to the module name, which sometimes resulted in an incorrect full name being displayed.
(This issue impacted only the C code exception rendering, the traceback module was using qualname already).
Library
bpo-45678: Fix bug in Python 3.9 that meant functools.singledispatchmethod failed to properly wrap the attributes of the target method. Patch by Alex Waygood.
bpo-45679: Fix caching of multi-value typing.Literal. Literal[True, 2] is no longer equal to Literal[1, 2].
bpo-45438: Fix typing.Signature string representation for generic builtin types.
bpo-45581: sqlite3.connect() now correctly raises MemoryError if the underlying SQLite API signals memory error. Patch by Erlend E. Aasland.
bpo-39679: Fix bug in functools.singledispatchmethod that caused it to fail when attempting to register a classmethod() or staticmethod() using type annotations. Patch contributed by Alex Waygood.
bpo-45515: Add references to zoneinfo in the datetime documentation, mostly replacing outdated references to dateutil.tz. Change by Paul Ganssle.
bpo-45467: Fix incremental decoder and stream reader in the “raw-unicode-escape” codec. Previously they failed if the escape sequence was split.
bpo-45461: Fix incremental decoder and stream reader in the “unicode-escape” codec. Previously they failed if the escape sequence was split.
bpo-45239: Fixed email.utils.parsedate_tz() crashing with UnboundLocalError on certain invalid input instead of returning None. Patch by Ben Hoyt.
bpo-44904: Fix bug in the doctest module that caused it to fail if a docstring included an example with a classmethod property. Patch by Alex Waygood.
bpo-45406: Make inspect.getmodule() catch FileNotFoundError raised by :’func:inspect.getabsfile, and return None to indicate that the module could not be determined.
bpo-45262: Prevent use-after-free in asyncio. Make sure the cached running loop holder gets cleared on dealloc to prevent use-after-free in get_running_loop
bpo-45386: Make xmlrpc.client more robust to C runtimes where the underlying C strftime function results in a ValueError when testing for year formatting options.
bpo-45371: Fix clang rpath issue in distutils. The UnixCCompiler now uses correct clang option to add a runtime library directory (rpath) to a shared library.
bpo-20028: Improve error message of csv.Dialect when initializing. Patch by Vajrasky Kok and Dong-hee Na.
bpo-45343: Update bundled pip to 21.2.4 and setuptools to 58.1.0
bpo-41710: On Unix, if the sem_clockwait() function is available in the C library (glibc 2.30 and newer), the threading.Lock.acquire() method now uses the monotonic clock (time.CLOCK_MONOTONIC) for the timeout, rather than using the system clock (time.CLOCK_REALTIME), to not be affected by system clock changes. Patch by Victor Stinner.
bpo-45328: Fixed http.client.HTTPConnection to work properly in OSs that don’t support the TCP_NODELAY socket option.
bpo-1596321: Fix the threading._shutdown() function when the threading module was imported first from a thread different than the main thread: no longer log an error at Python exit.
bpo-45274: Fix a race condition in the Thread.join() method of the threading module. If the function is interrupted by a signal and the signal handler raises an exception, make sure that the thread remains in a consistent state to prevent a deadlock. Patch by Victor Stinner.
bpo-45238: Fix unittest.IsolatedAsyncioTestCase.debug(): it runs now asynchronous methods and callbacks.
bpo-36674: unittest.TestCase.debug() raises now a unittest.SkipTest if the class or the test method are decorated with the skipping decorator.
bpo-45235: Fix an issue where argparse would not preserve values in a provided namespace when using a subparser with defaults.
bpo-45234: Fixed a regression in copyfile(), copy(), copy2() raising FileNotFoundError when source is a directory, which should raise IsADirectoryError
bpo-45228: Fix stack buffer overflow in parsing J1939 network address.
bpo-45192: Fix the tempfile._infer_return_type function so that the dir argument of the tempfile functions accepts an object implementing the os.PathLike protocol.
Patch by Kyungmin Lee.
bpo-45160: When tracing a tkinter variable used by a ttk OptionMenu, callbacks are no longer made twice.
bpo-35474: Calling mimetypes.guess_all_extensions() with strict=False no longer affects the result of the following call with strict=True. Also, mutating the returned list no longer affects the global state.
bpo-45166: typing.get_type_hints() now works with Final wrapped in ForwardRef.
bpo-45097: Remove deprecation warnings about the loop argument in asyncio incorrectly emitted in cases when the user does not pass the loop argument.
bpo-45081: Fix issue when dataclasses that inherit from typing.Protocol subclasses have wrong __init__. Patch provided by Yurii Karabas.
bpo-24444: Fixed an error raised in argparse help display when help for an option is set to 1+ blank spaces or when choices arg is an empty container.
bpo-45021: Fix a potential deadlock at shutdown of forked children when using concurrent.futures module
bpo-45030: Fix integer overflow in pickling and copying the range iterator.
bpo-39039: tarfile.open raises ReadError when a zlib error occurs during file extraction.
bpo-44594: Fix an edge case of ExitStack and AsyncExitStack exception chaining. They will now match with block behavior when __context__ is explicitly set to None when the exception is in flight.
Documentation
bpo-45726: Improve documentation for functools.singledispatch() and functools.singledispatchmethod.
bpo-45680: Amend the docs on GenericAlias objects to clarify that non-container classes can also implement __class_getitem__. Patch contributed by Alex Waygood.
bpo-45655: Add a new “relevant PEPs” section to the top of the documentation for the typing module. Patch by Alex Waygood.
bpo-45604: Add level argument to multiprocessing.log_to_stderr function docs.
bpo-45464: Mention in the documentation of Built-in Exceptions that inheriting from multiple exception types in a single subclass is not recommended due to possible memory layout incompatibility.
bpo-45449: Add note about PEP 585 in collections.abc.
bpo-45516: Add protocol description to the importlib.abc.Traversable documentation.
bpo-20692: Add Programming FAQ entry explaining that int literal attribute access requires either a space after or parentheses around the literal.
bpo-45216: Remove extra documentation listing methods in difflib. It was rendering twice in pydoc and was outdated in some places.
Tests
bpo-45578: Add tests for dis.distb()
bpo-45577: Add subtests for all pickle protocols in test_zoneinfo.
bpo-43592: test.libregrtest now raises the soft resource limit for the maximum number of file descriptors when the default is too low for our test suite as was often the case on macOS.
bpo-40173: Fix test.support.import_helper.import_fresh_module().
bpo-45280: Add a test case for empty typing.NamedTuple.
bpo-45269: Cover case when invalid markers type is supplied to c_make_encoder.
bpo-45209: Fix UserWarning: resource_tracker warning in _test_multiprocessing._TestSharedMemory.test_shared_memory_cleaned_after_process_termination
bpo-45195: Fix test_readline.test_nonascii(): sometimes, the newline character is not written at the end, so don’t expect it in the output. Patch by Victor Stinner.
bpo-45156: Fixes infinite loop on unittest.mock.seal() of mocks created by create_autospec().
bpo-45042: Fixes that test classes decorated with @hashlib_helper.requires_hashdigest were skipped all the time.
Build
bpo-43158: setup.py now uses values from configure script to build the _uuid extension module. Configure now detects util-linux’s libuuid, too.
bpo-45571: Modules/Setup now use PY_CFLAGS_NODIST instead of PY_CFLAGS to compile shared modules.
bpo-45532: Update sys.version to use main as fallback information. Patch by Jeong YunWon.
bpo-45405: Prevent internal configure error when running configure with recent versions of non-Apple clang. Patch by David Bohman.
bpo-45220: Avoid building with the Windows 11 SDK previews automatically. This may be overridden by setting the DefaultWindowsSDKVersion environment variable before building.
Windows
bpo-45337: venv now warns when the created environment may need to be accessed at a different path, due to redirections, links or junctions. It also now correctly installs or upgrades components when the alternate path is required.
macOS
bpo-44828: Avoid tkinter file dialog failure on macOS 12 Monterey when using the Tk 8.6.11 provided by python.org macOS installers. Patch by Marc Culler of the Tk project.
IDLE
bpo-45296: On Windows, change exit/quit message to suggest Ctrl-D, which works, instead of <Ctrl-Z Return>, which does not work in IDLE.
C API
bpo-44687: BufferedReader.peek() no longer raises ValueError when the entire file has already been buffered.
bpo-44751: Remove crypt.h include from the public Python.h header.
go1.17.3 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime,
the go command, the misc/wasm directory, and to the net/http and syscall
packages. See the Go 1.17.3 milestone on our issue tracker for details.
A Python 3.6+ implementation of the Language Server Protocol.
This is a fork of the python-language-server project, maintained
by the Spyder IDE team and the community.
0.36.2
Flatten folding regions
Enable code folding results aggregation
0.36.1
Add code in front of the diagnostic message for flake8.
Pass document path to jedi_names when a file is not placed in a module.
0.36.0
Allow passing explicit environment variables to Jedi environment
Add document path to Jedi's sys_path
Resolve flake8_executable allowing ~/${HOME} paths
Pass server settings to new workspaces
Synchronize document text updates
Correct method and attribute detection on document/symbols call
Specify relevant document path when retrieving some plugin settings
0.35.1
Fix ujson dependency for Python 2.
0.35.0
Allow usage of Pylint via stdin.
Require python-jsonrpc-server >= 0.4.0
Update ujson dependency to work with its latest release.
Move CI to Github Actions.
0.34.1
Make flake8 plugin use stdin.
Fix error when formatting if continuation lines are incorrectly indented when using autopep8.
0.34.0
Add option to configure flake8 executable.
Read pycodestyle and flake8 configurations per workspace.
Parse ignore arguments in flake8 to avoid issues with Atom.
0.33.3
Do not start shutdown sequence on TCP when not checking parent process
0.33.2
Do not create documents from a textDocument/rename
Fix some code quality and bug-risk issues
0.33.1
Add support for autopep8 aggressive option from config file
0.33.0
Add optional class objects to completion list.
Fix completions with one arg.
Remove pycodestyle plugin's dependency on autopep8.
go1.16.10 (released 2021-11-04) includes security fixes to the archive/zip and
debug/macho packages, as well as bug fixes to the compiler, linker, runtime,
the misc/wasm directory, and to the net/http package. See the Go 1.16.10
milestone on our issue tracker for details.
## 1.18.1 - 2021-10-16
- Fix some documentation typos
- Fix - Set pipes passed to subprocess to blocking mode.
- Fix `-r` switch in repl.
## 1.18.0 - 2021-10-10
- Allow `ev/cancel` to work on already scheduled fibers.
- Fix bugs with ev/ module.
- Add optional `base` argument to scan-number
- Add `-i` flag to janet binary to make it easier to run image files from the command line
- Remove `thread/` module.
- Add `(number ...)` pattern to peg for more efficient number parsing using Janet's
scan-number function without immediate string creation.
## 1.17.2 - 2021-09-18
- Remove include of windows.h from janet.h. This caused issues on certain projects.
- Fix formatting in doc-format to better handle special characters in signatures.
- Fix some marshalling bugs.
- Add optional Makefile target to install jpm as well.
- Supervisor channels in threads will no longer include a wasteful copy of the fiber in every
message across a thread.
- Allow passing a closure to `ev/thread` as well as a whole fiber.
- Allow passing a closure directly to `ev/go` to spawn fibers on the event loop.
## 1.17.1 - 2021-08-29
- Fix docstring typos
- Add `make install-jpm-git` to make jpm co-install simpler if using the Makefile.
- Fix bugs with starting ev/threads and fiber marshaling.
## 1.17.0 - 2021-08-21
- Add the `-E` flag for one-liners with the `short-fn` syntax for argument passing.
- Add support for threaded abstract types. Threaded abstract types can easily be shared between threads.
- Deprecate the `thread` library. Use threaded channels and ev instead.
- Channels can now be marshalled.
- Add the ability to close channels with `ev/chan-close` (or `:close`).
- Add threaded channels with `ev/thread-chan`.
- Add `JANET_FN` and `JANET_REG` macros to more easily define C functions that export their source mapping information.
- Add `janet_interpreter_interupt` and `janet_loop1_interrupt` to interrupt the interpreter while running.
- Add `table/clear`
- Add build option to disable the threading library without disabling all threads.
- Remove JPM from the main Janet distribution. Instead, JPM must be installed
separately like any other package.
- Fix issue with `ev/go` when called with an initial value and supervisor.
- Add the C API functions `janet_vm_save` and `janet_vm_load` to allow
saving and restoring the entire VM state.
Vala 0.54.2
===========
* Various improvements and bug fixes:
- vala:
+ Multi-dimensional params-array not allowed [#1230]
+ Accept NullType as generic type argument
+ Set source references of created DataType instances in OCE
* Bindings:
- gio-2.0: Update to 2.71.0~a0d2efdc
- glib-2.0: Update 2.70 symbols
- gtk4: Update to 4.5.0~da5efea6
Changes from 5.1.0 to 5.1.1
---------------------------
1. Infrastructure upgrades: Bison 3.8, Gettext 0.20.2, Automake 1.16.4,
and (will wonders never cease) Autoconf 2.71.
2. asort and asorti now allow FUNCTAB and SYMTAB as the first argument if a
second destination array is supplied. Similarly, using either array as
the second argument is now a fatal error. Additionally, using either
array as the destination for split(), match(), etc. also causes a
fatal error.
3. The new -I/--trace option prints a trace of the byte codes as they
are executed.
4. A number of subtle bugs relating to MPFR mode that caused differences
between regular operation and MPFR mode have been fixed.
5. The API now handles MPFR/GMP values slightly differently, requiring
different memory management for those values. See the manual for the
details if you have an extension using those values. As a result,
the minor version was incremented.
6. $0 and the fields are now cleared before starting a BEGINFILE rule.
7. The duplication of m4 and build-aux directories between the main
directory and the extension directory has been removed. This
simplifies the distribution.
8. The test suite has been improved, making it easier to run the entire
suite with -M. Use `GAWK_TEST_ARGS=-M make check' to do so.
9. Profiling and pretty-printing output has been modified slightly so
that functions are presented in a reasonable order with respect
to the namespaces that contain them.
10. Several example programs in the manual have been updated to their
modern POSIX equivalents.
11. A number of examples in doc/gawkinet.texi have been updated for
current times. Thanks to Juergen Kahrs for the work.
12. Handling of Infinity and NaN values has been improved.
13. There has been a general tightening up of the use of const and
of types.
14. The "no effect" lint warnings have been fixed up and now behave
more sanely.
15. The manual has been updated with much more information about what is
and is not a bug, and the changes in the gawk mailing lists.
16. The behavior of strongly-typed regexp constants when passed as the
third argument to sub() or gsub() has been clarified in the code and
in the manual.
17. Similar to item #4 above, division by zero is now fatal in MPFR
mode, as it is in regular mode.
18. There have been numerous minor code cleanups and bug fixes. See the
ChangeLog for details.
3.8.0: 2020-10-29
=================
* Better handling of invalid bytecode magic
* Support running from 3.9 and 3.10 although we do not support those bytecodes
* Redo version comparisons using tuples instead of floats. This is needed for Python 3.10
* Split out into 3 branches so that the master branch can assume Python 3.6+ conventions, especially type annotations
* Source Fragment fixes
* Lambda-bug fixes 360
* Bug fixes
This is a security fix release.
28 Oct 2021, PHP 7.3.32
- FPM:
. Fixed bug #81026 (PHP-FPM oob R/W in root process leading to privilege
escalation). (CVE-2021-21703) (Jakub Zelenka)
Correct a merge botch introduced in a previous commit. It was intended
that a variable be redefined, but it was committed in an incomplete
testing state.
Version 12.22.7 'Erbium' (LTS)
This is a security release.
Notable changes
CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
Version 14.18.1 'Fermium' (LTS)
This is a security release.
Notable changes
CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium)
The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). More details will be available at CVE-2021-22959 after publication.
CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
The parse ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. More details will be available at CVE-2021-22960 after publication.
This relates to the case when GCC is built using clang host CC. In that
case the runtime libraries are not built with RELRO for some reason.
for the gcc*-libs/ packages, mark them as RELRO_SUPPORTED=no unconditionally.
RELRO status depends on how the parent gcc package was built so we don't
need nor care about the RELRO status here.
Vala 0.54.1
===========
* Regression and bug fixes:
- codegen:
+ Add type declaration for implicit temporary local variable
+ Sealed class in external package is not special [#1229]
* Bindings:
- gstreamer: Update from 1.19.0+ git master
- gtk4: Update to 4.5.0~3e20ecd6
This minor release includes a security fix according to the new security policy.
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be overwritten
with data from the arguments.
If using wasm_exec.js to execute WASM modules, users will need to replace their
copy (as described in https://golang.org/wiki/WebAssembly#getting-started)
after rebuilding any modules.
This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this
issue.
This minor release includes a security fix according to the new security policy.
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be overwritten
with data from the arguments.
If using wasm_exec.js to execute WASM modules, users will need to replace their
copy (as described in https://golang.org/wiki/WebAssembly#getting-started)
after rebuilding any modules.
This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this
issue.
This defaults to WRKSRC and allows packages that aren't primarily
written in rust, but have a rust component that needs to be built, to
support the correct operation of cargo within their source tree.
It's already added to bootstrap tools by mk, and adding it here actually
has the opposite effect of what's intended. It seems to confuse the
tools infrastructure and defer its dependency, i.e. until it's too late,
causing "digest: not found" errors if it's not already installed.
Python 3.10
Summary – Release highlights
New syntax features:
PEP 634, Structural Pattern Matching: Specification
PEP 635, Structural Pattern Matching: Motivation and Rationale
PEP 636, Structural Pattern Matching: Tutorial
bpo-12782, Parenthesized context managers are now officially allowed.
New features in the standard library:
PEP 618, Add Optional Length-Checking To zip.
Interpreter improvements:
PEP 626, Precise line numbers for debugging and other tools.
New typing features:
PEP 604, Allow writing union types as X | Y
PEP 613, Explicit Type Aliases
PEP 612, Parameter Specification Variables
Important deprecations, removals or restrictions:
PEP 644, Require OpenSSL 1.1.1 or newer
PEP 632, Deprecate distutils module.
PEP 623, Deprecate and prepare for the removal of the wstr member in PyUnicodeObject.
PEP 624, Remove Py_UNICODE encoder APIs
PEP 597, Add optional EncodingWarning
Announce: Rakudo compiler, Release #150 (2021.09)
On behalf of the Rakudo development team, I?m very happy to announce the
September 2021 release of Rakudo #150. Rakudo is an implementation of the Raku^
1 language.
The source tarball for this release is available from https://rakudo.org/files/
rakudo. Pre-compiled archives will be available shortly.
New in 2021.09:
* Additions:
+ Introduce the safe-snapper module. It is a shorthand for loading
Telemetry and starting a snapper with control-c safety, allowing one to
stop the script with control-c and still get a report [87152eba]
+ Add ability to subtract an Instant value from a DateTime object and
vice versa [9a4af4b6]
+ Add Numeric coercer to DateTime [67138ec0]
* Changes:
+ Make the sprintf method show its format string on error [ea8a95e5]
[57841911]
+ The test named parameter of the dir routine now handles Junctions
[21a7117d]
+ Improve error message for the X::Pragma::CannotPrecomp exception
[a52f1f62][fe461d17]
* Efficiency:
+ Numerous small speed-ups and memory-related improvements [94462dfa]
[3aba9707][3c1c709c]
* Fixes:
+ Properly handle List of Lists in the List.fmt method [a86ec91e]
+ Don't lose concurrent modifications to %!conc_table [72bc5623]
+ Fix potential race in Metamodel::Concretization [d666dfe8]
+ Make the default scheduler properly see RAKUDO_MAX_THREADS env variable
[b14d404a]
* Internal:
+ Support ROAST_TIMING_SCALE in telemetry tests [9681a093]
+ Fix false positive in basic telemetry test [c0a6823b]
+ Pass along whether the Rakudo runner was called with --full-cleanup
[5492452b]
+ Update the concretization table more sparingly [b236dcfd]
- Adaptation to skalibs-2.11.0.0.
- New binary: case. It compares a value against a series of regular
expressions, executing into another command line on the first match.
Vala 0.54.0
===========
* Various improvements and bug fixes:
- vala: Warn about unsupported cast to void and drop it [#1070]
- vala: Don't restrict element type of GLib.Array [#1227]
- valadoc: Correctly format background of inline @link's [#1226]
* Bindings:
- gio-2.0: Unhide a few usable symbols which are marked not introspectable [#1222]
Vala 0.53.2
===========
* Various improvements and bug fixes:
- codegen:
+ Fix property access inside opaque compact class
+ Add missing cast to access base-class members in class/static ctor [#1221]
* Bindings:
- glib-2.0: Current constants in GLib.Math are part of glib.h [#1220]
- glib-2.0: Add RefString since 2.58 [#723]
- gstreamer: Update from 1.19.0+ git master
- gtk4: Update to 4.5.0~e681fdd9
- vapi: Update GIR-based bindings
Vala 0.53.1
===========
* Highlights:
- Support explicit nullable var-type declarations [#1146]
- Add support for variadic delegates [#160]
- Add support for sealed classes [#278]
- Add support for null-safe access operator [#522]
- Emit external creation methods in bindings
- Introduce VALA_EXPORT for public symbols to improve portability
- girwriter:
+ Use "optional" and "nullable" instead of deprecated "allow-none"
+ Improve struct creation method binding
- girparser:
+ Improve instance method detection [#1210]
+ Never skip "function" elements
+ Add "move-to" value of functions as Version.replacement
* Various improvements and bug fixes:
- codegen:
+ Use ssize_t for length variables in common array helper functions
+ Fix support for public fields on GLib.Source subclasses
- vala:
+ Add Profile.LIBC as synonym for POSIX and accept "libc" profile
+ Improve semantic check of simple type structs
+ Refactor UnresolvedSymbol/Type constructors
+ Properly check GLib.Object naming convention for properties
+ Add foreach statement support for GLib.GenericArray
- build: Add "test-asan" make target for convenience
- build: Add --enable-test-ubsan configure option and "test-ubsan" make target
- build: Use jing to verify generated GIR file, if available
- testrunner: Allow checking generated C sources
* Bindings:
- Remove gedit-2.20 and webkit-1.0 bindings
- gio-2.0,glib-2.0: Add new symbols from 2.69.0
- gio-2.0: Improve DatagramBased.create_source() binding
- glib-2.0: Wrap TimeZone.identifier() constuctor for proper error support
- gstreamer-rtp-1.0: Fix some bindings errors [#1177]
- gstreamer: Update from 1.19.0+ git master
- javascriptcoregtk-4.0: Fix JSC.Class.add_property() binding
- linux: Add SocketCAN bindings, and ISOTP constants and options
- webkit2gtk-4.0: Update to 2.33.3
the PLIST is target-specific and it's possible that files for multiple
targets are generated (this is the case on NetBSD/amd64). Since the
static PLIST can't support multiple targets currently, switch to a
generated one.
This release contains only bug fixes:
Elixir
* [Code] Make sure that bindings in the default context returned by
Code.eval_* functions are not returned as tagged tuples
* [Kernel] Do not crash when handling ambiguity errors
* [Range] Still match on old range patterns throughout the stdlib
IEx
* [IEx.Autocomplete] Do not error autocompletion with module
attribute
Mix
* [Mix] Rename inconsistent :exit_code option to :exit_status on
Mix.raise/2
Version 14.17.6 'Fermium' (LTS)
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
Version 14.17.5 'Fermium' (LTS)
This is a security release.
Notable Changes
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Version 12.22.6 'Erbium' (LTS)
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar, and npm arborist.
Version 12.22.5 'Erbium' (LTS)
This is a security release.
Notable Changes
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Version 12.22.4 'Erbium' (LTS)
This is a security release.
Notable Changes
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
go1.17.1 (released 2021-09-09) includes a security fix to the archive/zip
package, as well as bug fixes to the compiler, linker, the go command, and to
the crypto/rand, embed, go/types, html/template, and net/http packages.
go1.16.8 (released 2021-09-09) includes a security fix to the archive/zip
package, as well as bug fixes to the archive/zip, go/internal/gccgoimporter,
html/template, net/http, and runtime/pprof packages.
Packaged for wip by Kamel Ibn Aziz Derouiche and myself.
Csmith is a tool that can generate random C programs that statically
and dynamically conform to the C99 standard. Thus, it is useful for
stress-testing compilers, static analyzers, and other tools that
process C code.
The full gamut of security fixes for this release is unknown, but, at
minimum, CVE-2020-16042 is addressed. (A full change log seems elusive:
the package's README points to a broken link, Mozilla advisories about
"memory safety hazards" can point to bug reports that can't be viewed,
etc.) This is the most current version that Debian has integrated,
which is where our package points to.
Successful build tests on:
NetBSD amd64/9.2_STABLE (with both Rust 1.52.1 and 1.54)
NetBSD i386/9.2_STABLE
OmniOS r151036
Fedora Linux 34 was not testable, as our packaging of LLVM 12.0.1 fails
to build on it. The upstream configuration continues to cap macOS build
support at 10.15.4. I updated our existing patch to allow 10.15.7, but
have no ability to test that OS, and no idea if 11.x would work.
This is effectively a minor leaf package now, and may best be removed
in future. I've updated this just in case issues emerge with the polkit
switch to duktape, which will first appear in our 2021Q3 branch. (That
is, I'm not aware of any issues, and definitely prefer duktape from a
packaging perspective.)
The previous change only worked for the build of go itself, any dependencies
that used the same go code were broken. Fixes www/gitea and others.
Needs to be fixed properly by creating a native illumos bootstrap kit.
