I am doing this in the freeze period because it is a necessary addition to
effectively be able to let devel/py-protobuf build again. My apologies if
this is not good enough a reason.
=========
FEATURES:
- nsd-control addzones and delzones read list of zones from stdin.
- hmac sha224, sha384 and sha512 support.
- max-interfaces raised to 32.
BUG FIXES:
- Fix #665: when removing subdomain, nsd does not reparse parent zone.
- Fix task and zonestat files to be stored in a subdirectory in tmp
to stop privilege elevation.
- Fix crash in zone parser for relative dname after error in origin.
- Fix that formerrors are ratelimited.
Add a Configure test to verify that including <fenv.h> doesn't produce
a build error, as it will in quite a few cases on NetBSD on archs which
are not amd64, i386 or sparc in NetBSD 6.x. If the test build fails,
pretend we don't have fenv.h.
Validated that the result builds on NetBSD/evbarm 6.0 and NetBSD/i386 6.1.5.
Build fix, so no need to bump PKGREVISION.
OK by wiz@
Note that the patch for XSA135 for qemu-traditional, which was
not applied to the 4.5 branch before the release due to an oversight,
is applied here (xentools45/patches/patch-XSA135).
Selected entries from the release notes:
a246727: cpupool: fix shutdown with cpupools with different schedulers [Dario Faggioli]
5b2f480: libelf: fix elf_parse_bsdsyms call [Roger Pau Monné]
8faef24: VT-d: extend quirks to newer desktop chipsets [Jan Beulich]
24fcf17: x86/VPMU: add lost Intel processor [Alan Robinson]
131889c: x86/crash: don't use set_fixmap() in the crash path [Andrew Cooper]
8791a30: x86/apic: Disable the LAPIC later in smp_send_stop() [Andrew Cooper]
fbd26f2: x86/pvh: disable posted interrupts [Roger Pau Monné]
0d8cbca: libxl: In libxl_set_vcpuonline check for maximum number of VCPUs against the cpumap. [Konrad Rzeszutek Wilk]
bf06e40: libxl: event handling: ao_inprogress does waits while reports outstanding [Ian Jackson]
97051bd: libxl: event handling: Break out ao_work_outstanding [Ian Jackson]
0bc9f98: x86/traps: loop in the correct direction in compat_iret() [Andrew Cooper]
fcfbdb4: gnttab: add missing version check to GNTTABOP_swap_grant_ref handling [Jan Beulich]
09f76cb: cpupools: avoid crashing if shutting down with free CPUs [Dario Faggioli]
f237ee4: cpupool: assigning a CPU to a pool can fail [Dario Faggioli]
b986072: xen: common: Use unbounded array for symbols_offset. [Ian Campbell]
5eac1be: x86/irq: limit the maximum number of domain PIRQs [Andrew Cooper]
9c3d34d: x86: don't unconditionally touch the hvm_domain union during domain construction [Andrew Cooper]
9d5b2b0: tools/xenconsoled: Increase file descriptor limit [Andrew Cooper]
cfc4c43: ocaml/xenctrl: Fix stub_xc_readconsolering() [Andrew Cooper]
032673c: ocaml/xenctrl: Make failwith_xc() thread safe [Andrew Cooper]
c91ed88: ocaml/xenctrl: Check return values from hypercalls [Andrew Cooper]
fa62913: libxl: Domain destroy: fork [Ian Jackson]
c9b13f3: libxl: Domain destroy: unlock userdata earlier [Ian Jackson]
0b19348: libxl: In domain death search, start search at first domid we want [Ian Jackson]
ddfe333: x86: don't change affinity with interrupt unmasked [Jan Beulich]
bf30232: x86: don't clear high 32 bits of RAX on sub-word guest I/O port reads [Jan Beulich]
a824bf9: x86_emulate: fix EFLAGS setting of CMPXCHG emulation [Eugene Korenevsky]
f653b7f: x86/hvm: implicitly disable an ioreq server when it is destroyed [Paul Durrant]
8dbdcc3: x86/hvm: actually release ioreq server pages [Paul Durrant]
56fe488: x86/hvm: fix the unknown nested vmexit reason 80000021 bug [Liang Li]
4a52101: VT-d: improve fault info logging [Jan Beulich]
5a7c042: x86/MSI: fix error handling [Jan Beulich]
51d8325: LZ4 : fix the data abort issue [JeHyeon Yeon]
0327c93: hvmloader: don't treat ROM BAR like other BARs [Jan Beulich]
f2e08aa: domctl/sysctl: don't leak hypervisor stack to toolstacks [Andrew Cooper]
3771b5a: arm64: fix fls() [Jan Beulich]
9246d2e: domctl: don't allow a toolstack domain to call domain_pause() on itself [Andrew Cooper]
f5bca81: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) [Konrad Rzeszutek Wilk]
7fe1c1b: x86: don't apply reboot quirks if reboot set by user [Ross Lagerwall]
969df12: Revert "cpupools: update domU's node-affinity on the cpupool_unassign_cpu() path" [Jan Beulich]
483c6cd: honor MEMF_no_refcount in alloc_heap_pages() [Jan Beulich]
6616c4d: tools: libxl: Explicitly disable graphics backends on qemu cmdline [Ian Campbell]
d0b141e: x86/tboot: invalidate FIX_TBOOT_MAP_ADDRESS mapping after use [Jan Beulich]
902998e: x86emul: fully ignore segment override for register-only operations [Jan Beulich]
25c6ee8: pre-fill structures for certain HYPERVISOR_xen_version sub-ops [Aaron Adams]
7ef0364: x86/HVM: return all ones on wrong-sized reads of system device I/O ports [Jan Beulich]
3665563: tools/libxc: Don't leave scratch_pfn uninitialised if the domain has no memory [Andrew Cooper]
75ac8cf: x86/nmi: fix shootdown of pcpus running in VMX non-root mode [Andrew Cooper]
1e44c92: x86/hvm: explicitly mark ioreq server pages dirty [Paul Durrant]
2bfef90: x86/hvm: wait for at least one ioreq server to be enabled [Paul Durrant]
d976397: x86/VPMU: disable when NMI watchdog is on [Boris Ostrovsky]
84f2484: libxc: introduce a per architecture scratch pfn for temporary grant mapping [Julien Grall]
6302c61: Install libxlutil.h [Jim Fehlig]
d8e78d6: bunzip2: off by one in get_next_block() [Dan Carpenter]
8a855b3: docs/commandline: correct information for 'x2apic_phys' parameter [Andrew Cooper]
3a777be: x86: vcpu_destroy_pagetables() must not return -EINTR [Konrad Rzeszutek Wilk]
1acb3b6: handle XENMEM_get_vnumainfo in compat_memory_op [Wei Liu]
4eec09f: x86: correctly check for sub-leaf zero of leaf 7 in pv_cpuid() [Jan Beulich]
7788cbb: x86: don't expose XSAVES capability to PV guests [Jan Beulich]
4cfc54b: xsm/evtchn: never pretend to have successfully created a Xen event channel [Andrew Cooper]
2fdd521: common/memory: fix an XSM error path [Jan Beulich]
ad83ad9: x86emul: tighten CLFLUSH emulation [Jan Beulich]
1928318: dt-uart: use ':' as separator between path and options [Ian Campbell]
9ae1853: libxl: Don't ignore error when we fail to give access to ioport/irq/iomem [Julien Grall]
In addition, this release also contains the following fixes to qemu-traditional:
afaa35b: ... by default. Add a per-device "permissive" mode similar to pciback's to allow restoring previous behavior (and hence break security again, i.e. should be used only for trusted guests). [Jan Beulich]
3cff7ad: Since the next patch will turn all not explicitly described fields read-only by default, those fields that have guest writable bits need to be given explicit descriptors. [Jan Beulich]
ec61b93: The adjustments are solely to make the subsequent patches work right (and hence make the patch set consistent), namely if permissive mode (introduced by the last patch) gets used (as both reserved registers and reserved fields must be similarly protected from guest access in default mode, but the guest should be allowed access to them in permissive mode). [Jan Beulich]
37c77b8: xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). [Jan Beulich]
2dc4059: This is just to avoid having to adjust that calculation later in multiple places. [Jan Beulich]
29d9566: xen_pt_pmcsr_reg_write() needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). [Jan Beulich]
2e19270: There's no point in xen_pt_pmcsr_reg_{read,write}() each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write() is being retained in order to allow later patches to be less intrusive. [Jan Beulich]
751d20d: Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). [Jan Beulich]
51f3b5b: ... to avoid allowing the guest to cause the control domain's disk to fill. [Jan Beulich]
7f99bb9: It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. [Jan Beulich]
6fc82bf: The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. [Jan Beulich]
e42b84c: fdc: force the fifo access to be in bounds of the allocated buffer [Petr Matousek]
62e4158: xen: limit guest control of PCI command register [Jan Beulich]
3499745: cirrus: fix an uninitialized variable [Jan Beulich]
This release also contains the security fixes for XSA-117 to XSA-136, with the exception of XSA-124 which documents security risks of non-standard PCI device functionality that cannot be addressed in software. It also includes an update to XSA-98 and XSA-59.
=== 2.4.8 / 2015-06-08
Bug fixes:
* Tightened API endpoint checks for CVE-2015-3900
=== 2.4.7 / 2015-05-14
Bug fixes:
* Backport: Limit API endpoint to original security domain for CVE-2015-3900.
Fix by claudijd
Changelog:
MongoDB 3.0.4 is released
June 6, 2015
MongoDB 3.0.4 is out and is ready for production deployment. This release contains only fixes since 3.0.3, and is a recommended upgrade for all 3.0 users.
Fixed in this release:
SERVER-17923 Creating/dropping multiple background indexes on the same collection can cause fatal error on secondaries
SERVER-18079 Large performance drop with documents > 16k on Windows
SERVER-18190 Secondary reads block replication
SERVER-18213 Lots of WriteConflict during multi-upsert with WiredTiger storage engine
SERVER-18316 Database with WT engine fails to recover after system crash
SERVER-18475 authSchemaUpgrade fails when the system.users contains non MONGODB-CR users
SERVER-18629 WiredTiger journal system syncs wrong directory
SERVER-18822 Sharded clusters with WiredTiger primaries may lose writes during chunk migration
Announcing MongoDB 3.0 and Bug Hunt Winners
March 3, 2015
Today MongoDB 3.0 is generally available; you can download now.
Our community was critical to ensuring the quality of the release. Thank you to everyone who participated in our 3.0 Bug Hunt. From the submissions, we've selected winners based on the user impact and severity of the bugs found.
First Prize
Mark Callaghan, Member of Technical Staff, Facebook
During the 3.0 release cycle, Mark submitted 10 bug reports and collaborated closely with the MongoDB engineering team to debug the issues he uncovered. As a first place winner, Mark will receive a free pass to MongoDB World in New York City on June 1-2, including a front row seat to the keynote sessions. Mark was also eligible to receive a $1,000 Amazon gift card but opted to donate the award to a charity. We are donating $1,000 to CodeStarters.org in his name.
Honorable Mentions
Nick Judson, Conevity
Nick submitted SERVER-17299, uncovering excessive memory allocation on Windows when using "snappy" compression in WiredTiger.
Koshelyaev Konstantin, RTEC
Koshelyaev submitted SERVER-16664, which uncovered a memory overflow in WiredTiger when using "zlib" compression.
Tim Callaghan, Crunchtime!
In submitting SERVER-16867, Tim found an uncaught WriteConflict exception affecting replicated writes during insert-heavy workloads.
Nathan Arthur, PreEmptive Solutions
Nathan submitted SERVER-16724, which found an issue with how collection metadata is persisted.
Thijs Cadier, AppSignal
Thijs submitted SERVER-16197, which revealed a bug in the build system interaction with the new MongoDB tools.
Nick, Koshelyaev, Tim, Nathan, and Thijs will also receive tickets to MongoDB World in New York City on June 1-2 (with reserved front-row seat for keynote sessions), $250 Amazon Gift Cards, and MongoDB t-shirts.
Congratulations to the winners and thanks to everyone who downloaded, tested and gave feedback on the release candidates.
Changelog:
Release 1.8.1 May 7th 2015
Make "operation canceled" error a soft error
Do not throw an error for files that are scheduled to be removed, but can not be found on the server. (#2919)
Windows: Reset QNAM to proper function after hibernation. (#2899, #2895, #2973)
Fix argument verification of --confdir (#2453)
Fix a crash when accessing a dangling UploadDevice pointer (#2984)
Add-folder wizard: Make sure there is a scrollbar if folder names are too long (#2962)
Add-folder Wizard: Select the newly created folder
Activity: Correctly restore column sizes (#3005)
SSL Button: do not crash on empty certificate chain
SSL Button: Make menu creation lazy (#3007, #2990)
Lookup system proxy async to avoid hangs (#2993, #2802)
ShareDialog: Some GUI refinements
ShareDialog: On creation of a share always retrieve the share. This makes sure that if a default expiration date is set this is reflected in the dialog. (#2889)
ShareDialog: Only show share dialog if we are connected.
HttpCreds: Fill pw dialog with previous password. (#2848, #2879)
HttpCreds: Delete password from old location. (#2186)
Do not store Session Cookies in the client cookie storage
CookieJar: Don't accidentally overwrite cookies. (#2808)
ProtocolWidget: Always add seconds to the DateTime locale. (#2535)
Updater: Give context as to which app is about to be updated (#3040)
Windows: Add version information for owncloud.exe. This should help us know what version or build number a crash report was generated with.
Fix a crash on shutdown in ~SocketApi (#3057)
SyncEngine: Show more timing measurements (#3064)
Discovery: Add warning if returned etag is 0
Fix a crash caused by an invalid DiscoveryDirectoryResult::iterator (#3051)
Sync: Fix sync of deletions during 503. (#2894)
Handle redirect of auth request. (#3082)
Discovery: Fix parsing of broken XML replies, which fixes local file disappearing (#3102)
Migration: Silently restore files that were deleted locally by bug (#3102)
Sort folder sizes SelectiveSyncTreeView numerically (#3112)
Sync: PropagateDownload: Read the mtime from the file system after writing it (#3103)
Sync: Propagate download: Fix restoring files for which the conflict file exists (#3106)
Use identical User Agents and version for csync and the Qt parts
Prevent another crash in ~SocketApi (#3118)
Windows: Fix rename of finished file (#3073)
AccountWizard: Fix auth error handling (#3155)
Documentation fixes
Infrastructure/build fixes
Win32/OS X: Apply patch from OpenSSL to handle outdated intermediates gracefully (#3087)
* Approved by wiz@.
Changelog:
Network Security Services (NSS) is a patch release for NSS 3.19.
No new functionality is introduced in this release. This release addresses
a backwards compatibility issue with the NSS 3.19.1 release.
Notable Changes:
* In NSS 3.19.1, the minimum key sizes that the freebl cryptographic
implementation (part of the softoken cryptographic module used by default
by NSS) was willing to generate or use was increased - for RSA keys, to
512 bits, and for DH keys, 1023 bits. This was done as part of a security
fix for Bug 1138554 / CVE-2015-4000. Applications that requested or
attempted to use keys smaller than the minimum size would fail. However,
this change in behaviour unintentionally broke existing NSS applications
that need to generate or use such keys, via APIs such as
SECKEY_CreateRSAPrivateKey or SECKEY_CreateDHPrivateKey.
In NSS 3.19.2, this change in freebl behaviour has been reverted. The fix
for Bug 1138554 has been moved to libssl, and will now only affect the
minimum keystrengths used in SSL/TLS.
Changelog:
Version 8.0.4 June 9th 2015
occ can now optionally run the update routines without disabling all third party apps
Database handling changes which should improve performance on big systems
better support for very old cURL versions (for QNAP users)
Extended X-Accel-Redirect functionality in nginx
Added work-around for file transfers on 32bit systems
Improved quota calculation
Many fixes and improvements to sharing
Several fixes to upgrade process
Fix deleted folders on client not showing up in trash
fix inability to delete files when quota is 0
Change WebDAV error to 500 instead of 403 on denying overwrite of read-only file
Fixed enforcing expiration date
Fix to Provisioning API
Fixing shared document editing by shared LDAP users
IE 8/9 fixes
Several smaller fixes
find their parent GCC package libraries first in RPATH at install time
but will correctly resolve to their own copies at runtime thanks to the
additional paths encoded at build time. Fixes CHECK_WRKREF builds.
* Fix CVE-2015-3225.
* Only count files (not all form elements) against the Multipart File Limit.
* Work around a Rails incompatibility in our private API