4.9.2
* Fixed a bug that caused too many tags to be popped from the tag
stack during tree building, when encountering a closing tag that had
no matching opening tag.
* Fixed a bug that inconsistently moved elements over when passing
a Tag, rather than a list, into Tag.extend().
* Specify the soupsieve dependency in a way that complies with
PEP 508. Patch by Mike Nerone.
* Change the signatures for BeautifulSoup.insert_before and insert_after
(which are not implemented) to match PageElement.insert_before and
insert_after, quieting warnings in some IDEs.
Urwid 2.1.2
* Add pack method to LineBox.
* Add a test to check the linebox.pack is good.
* Add bin/release.sh script to partially automate releases.
* Add workaround for 386
* Fix curses_display python3 ord()
* Fix bumping to dev version in release.sh script
* Fix focus_end on a collapsed tree
* Fix crash with "ellipsis" clipping for py2 tour.py works with py2 now Typo in
tour.py
* Ignore resetting to invalid locale
* Use ord2 for python2/3 compatibility
v3.2.0
Mutate the passed ZipFile object
type instead of making a copy. Prevents issues when
both the local copy and the caller's copy attempt to
close the same file handle.
``Path._next`` now honors subclasses.
``Path.is_file()`` now returns False for non-existent names.
0.28.5
Enabled ignoring duplicated messages which decreases CPU usage, thanks to J. Nick Koston.
Fixed spurious AttributeError: module 'unittest' has no attribute 'mock' in tests.
On NetBSD, further limit the DEPENDS on openssl to i386. It turns out
that the sparc64 and powerpc bootstraps are not linked against openssl
as I previously assumed.
No change to limiting this DEPENDS to 9+. No change to any other OS.
This change is believed to fix rust building on NetBSD 9 sparc64.
As discussed on tech-pkg@.
No longer requires python 2.7
glmark2 2020.04 (20200428)
==========================
* Port Wayland flavor to xdg-shell window management.
* Support recent Android SDK/NDK versions.
* Add support for Windows via WGL and ANGLE-EGL.
* Support Raspberry Pi's dispmanx.
* Use glad for GL headers and dynamic GL library loading.
* Add --data-path command-line option to set data path at runtime.
* Add 'nframes' scene option to limit the number of rendered frames.
* Add F-Droid/fastlane metadata.
Changelog:
Future deprecation notice
=========================
It is now possible[1] to perform chosen-prefix attacks against the
SHA-1 algorithm for less than USD$50K. For this reason, we will be
disabling the "ssh-rsa" public key signature algorithm by default in a
near-future release.
This algorithm is unfortunately still used widely despite the
existence of better alternatives, being the only remaining public key
signature algorithm specified by the original SSH RFCs.
The better alternatives include:
* The RFC8332 RSA SHA-2 signature algorithms rsa-sha2-256/512. These
algorithms have the advantage of using the same key type as
"ssh-rsa" but use the safe SHA-2 hash algorithms. These have been
supported since OpenSSH 7.2 and are already used by default if the
client and server support them.
* The ssh-ed25519 signature algorithm. It has been supported in
OpenSSH since release 6.5.
* The RFC5656 ECDSA algorithms: ecdsa-sha2-nistp256/384/521. These
have been supported by OpenSSH since release 5.7.
To check whether a server is using the weak ssh-rsa public key
algorithm, for host authentication, try to connect to it after
removing the ssh-rsa algorithm from ssh(1)'s allowed list:
ssh -oHostKeyAlgorithms=-ssh-rsa user@host
If the host key verification fails and no other supported host key
types are available, the server software on that host should be
upgraded.
We intend to enable UpdateHostKeys by default in the next OpenSSH
release. This will assist the client by automatically migrating to
better algorithms. Users may consider enabling this option manually.
[1] "SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and
Application to the PGP Web of Trust" Leurent, G and Peyrin, T
(2020) https://eprint.iacr.org/2020/014.pdf
Security
========
* ssh-agent(1): restrict ssh-agent from signing web challenges for
FIDO/U2F keys.
When signing messages in ssh-agent using a FIDO key that has an
application string that does not start with "ssh:", ensure that the
message being signed is one of the forms expected for the SSH protocol
(currently public key authentication and sshsig signatures).
This prevents ssh-agent forwarding on a host that has FIDO keys
attached granting the ability for the remote side to sign challenges
for web authentication using those keys too.
Note that the converse case of web browsers signing SSH challenges is
already precluded because no web RP can have the "ssh:" prefix in the
application string that we require.
* ssh-keygen(1): Enable FIDO 2.1 credProtect extension when generating
a FIDO resident key.
The recent FIDO 2.1 Client to Authenticator Protocol introduced a
"credProtect" feature to better protect resident keys. We use this
option to require a PIN prior to all operations that may retrieve
a resident key from a FIDO token.
Potentially-incompatible changes
================================
This release includes a number of changes that may affect existing
configurations:
* For FIDO/U2F support, OpenSSH recommends the use of libfido2 1.5.0
or greater. Older libraries have limited support at the expense of
disabling particular features. These include resident keys, PIN-
required keys and multiple attached tokens.
* ssh-keygen(1): the format of the attestation information optionally
recorded when a FIDO key is generated has changed. It now includes
the authenticator data needed to validate attestation signatures.
* The API between OpenSSH and the FIDO token middleware has changed
and the SSH_SK_VERSION_MAJOR version has been incremented as a
result. Third-party middleware libraries must support the current
API version (7) to work with OpenSSH 8.4.
* The portable OpenSSH distribution now requires automake to rebuild
the configure script and supporting files. This is not required when
simply building portable OpenSSH from a release tar file.
Changes since OpenSSH 8.3
=========================
New features
------------
* ssh(1), ssh-keygen(1): support for FIDO keys that require a PIN for
each use. These keys may be generated using ssh-keygen using a new
"verify-required" option. When a PIN-required key is used, the user
will be prompted for a PIN to complete the signature operation.
* sshd(8): authorized_keys now supports a new "verify-required"
option to require FIDO signatures assert that the token verified
that the user was present before making the signature. The FIDO
protocol supports multiple methods for user-verification, but
currently OpenSSH only supports PIN verification.
* sshd(8), ssh-keygen(1): add support for verifying FIDO webauthn
signatures. Webauthn is a standard for using FIDO keys in web
browsers. These signatures are a slightly different format to plain
FIDO signatures and thus require explicit support.
* ssh(1): allow some keywords to expand shell-style ${ENV}
environment variables. The supported keywords are CertificateFile,
ControlPath, IdentityAgent and IdentityFile, plus LocalForward and
RemoteForward when used for Unix domain socket paths. bz#3140
* ssh(1), ssh-agent(1): allow some additional control over the use of
ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment variable,
including forcibly enabling and disabling its use. bz#69
* ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a time
limit for keys in addition to its current flag options. Time-
limited keys will automatically be removed from ssh-agent after
their expiry time has passed.
* scp(1), sftp(1): allow the -A flag to explicitly enable agent
forwarding in scp and sftp. The default remains to not forward an
agent, even when ssh_config enables it.
* ssh(1): add a '%k' TOKEN that expands to the effective HostKey of
the destination. This allows, e.g., keeping host keys in individual
files using "UserKnownHostsFile ~/.ssh/known_hosts.d/%k". bz#1654
* ssh(1): add %-TOKEN, environment variable and tilde expansion to
the UserKnownHostsFile directive, allowing the path to be
completed by the configuration (e.g. bz#1654)
* ssh-keygen(1): allow "ssh-add -d -" to read keys to be deleted
from stdin. bz#3180
* sshd(8): improve logging for MaxStartups connection throttling.
sshd will now log when it starts and stops throttling and periodically
while in this state. bz#3055
Bugfixes
--------
* ssh(1), ssh-keygen(1): better support for multiple attached FIDO
tokens. In cases where OpenSSH cannot unambiguously determine which
token to direct a request to, the user is now required to select a
token by touching it. In cases of operations that require a PIN to
be verified, this avoids sending the wrong PIN to the wrong token
and incrementing the token's PIN failure counter (tokens
effectively erase their keys after too many PIN failures).
* sshd(8): fix Include before Match in sshd_config; bz#3122
* ssh(1): close stdin/out/error when forking after authentication
completes ("ssh -f ...") bz#3137
* ssh(1), sshd(8): limit the amount of channel input data buffered,
avoiding peers that advertise large windows but are slow to read
from causing high memory consumption.
* ssh-agent(1): handle multiple requests sent in a single write() to
the agent.
* sshd(8): allow sshd_config longer than 256k
* sshd(8): avoid spurious "Unable to load host key" message when sshd
load a private key but no public counterpart
* ssh(1): prefer the default hostkey algorithm list whenever we have
a hostkey that matches its best-preference algorithm.
* sshd(1): when ordering the hostkey algorithms to request from a
server, prefer certificate types if the known_hosts files contain a key
marked as a @cert-authority; bz#3157
* ssh(1): perform host key fingerprint comparisons for the "Are you
sure you want to continue connecting (yes/no/[fingerprint])?"
prompt with case sensitivity.
* sshd(8): ensure that address/masklen mismatches in sshd_config
yield fatal errors at daemon start time rather than later when
they are evaluated.
* ssh-keygen(1): ensure that certificate extensions are lexically
sorted. Previously if the user specified a custom extension then
the everything would be in order except the custom ones. bz#3198
* ssh(1): also compare username when checking for JumpHost loops.
bz#3057
* ssh-keygen(1): preserve group/world read permission on known_hosts
files across runs of "ssh-keygen -Rf /path". The old behaviour was
to remove all rights for group/other. bz#3146
* ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen
manual page and usage().
* sshd(8): explicitly construct path to ~/.ssh/rc rather than
relying on it being relative to the current directory, so that it
can still be found if the shell startup changes its directory.
bz#3185
* sshd(8): when redirecting sshd's log output to a file, undo this
redirection after the session child process is forked(). Fixes
missing log messages when using this feature under some
circumstances.
* sshd(8): start ClientAliveInterval bookkeeping before first pass
through select() loop; fixed theoretical case where busy sshd may
ignore timeouts from client.
* ssh(1): only reset the ServerAliveInterval check when we receive
traffic from the server and ignore traffic from a port forwarding
client, preventing a client from keeping a connection alive when
it should be terminated. bz#2265
* ssh-keygen(1): avoid spurious error message when ssh-keygen
creates files outside ~/.ssh
* sftp-client(1): fix off-by-one error that caused sftp downloads to
make one more concurrent request that desired. This prevented using
sftp(1) in unpipelined request/response mode, which is useful when
debugging. bz#3054
* ssh(1), sshd(8): handle EINTR in waitfd() and timeout_connect()
helpers. bz#3071
* ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we attempt to
write to it so we don't leave an empty .ssh directory when it's not
needed. bz#3156
* ssh(1), sshd(8): fix multiplier when parsing time specifications
when handling seconds after other units. bz#3171
Portability
-----------
* sshd(8): always send any PAM account messages. If the PAM account
stack returns any messages, always send them to the user and not
just if the check succeeds. bz#2049
* Implement some backwards compatibility for libfido2 libraries
older than 1.5.0. Note that use of an older library will result
in the loss of certain features including resident key support,
PIN support and support for multiple attached tokens.
* configure fixes for XCode 12
* gnome-ssh-askpass3: ensure the "close" button is not focused by
default for SSH_ASKPASS_PROMPT=none prompts. Avoids space/enter
accidentally dismissing FIDO touch notifications.
* gnome-ssh-askpass3: allow some control over textarea colour via
$GNOME_SSH_ASKPASS_FG_COLOR and $GNOME_SSH_ASKPASS_BG_COLOR
environment variables.
* sshd(8): document another PAM spec problem in a frustrated comment
* sshd(8): support NetBSD's utmpx.ut_ss address field. bz#960
* Add the ssh-sk-helper binary and its manpage to the RPM spec file
* Detect the Frankenstein monster of Linux/X32 and allow the sandbox
to function there. bz#3085
Changes since v1.34
v1.35 - 27.09.2020
- Added an option to change interpolation mode to 2-tap linear, just to match
real FT2. This interpolation method is of worse quality than the current one
(4-tap cubic spline).
- Fixed some sample tap bugs with the cubic spline resampling interpolation
- Fixed an issue where unwanted sample data could be shown at the loop end
point of a looped sample in the sample editor.
- Updated some parts of the help text
- Small code cleanup
Changelog:
Version 9.53.2 (2020-09-25)
Highlights in this release include:
The 9.53.2 release is primarily maintenance.
Three issues arose with 9.53.0/1 that prompted the release of
a .2 patch:
A crash (or silent, erroneous exit) on 64 bit Windows and
other LLP64 type environments.
A parameter type mismatch that would cause Ghostcript to
error out during initialisation, which affected 64 big,
big endian architectures.
An expected side effect of another change that prevented
multithreaded rendering and background rendering from
working correctly.
Details of those can be found in the changelog.
The most obvious change is the (re-)introduction of the patch
level to the version number, this helps facilitate a revised
policy on handling security related issues.
To clarify: in the event we decide to release a patch revision,
it will replace the release with the previous patch number.
Release notes, highlights and warnings will remain the same,
except for the addition of whatever fix(es) prompted the patch.
Our efforts in code hygiene and maintainability continue.
We have added the capability to build with the Tesseract OCR
engine. In such a build, new devices are available
(pdfocr8/pdfocr24/pdfocr32) which render the output file to an
image, OCR that image, and output the image "wrapped" up as a
PDF file, with the OCR generated text information included as
"invisible" text (in PDF terms, text rendering mode 3).
Due to some patches to the Tesseract sources that are required
(integrated upstream, but awaiting release), time constraints,
and the experimental nature of the feature, we only support
including Tesseract from source, not linking to Tesseract shared
libraries. Whether we add this capability will be largely
dependant on community demand for the feature.
See Enabling OCR for more details.
We have added Python bindings for the gsapi interface, can be
found in demos/python. These are experimental, and we welcome
feedback from interested developers.
For those integrating Ghostscript/GhostPDL via the gsapi
interface, we have added new capabilities to that, specifically
in terms of setting and interrogating device parameters. These,
along with the existing interface calls, are documented in:
Ghostscript Interpreter API
IMPORTANT: In consultation with a representative of (OpenPrinting)
it is our intention to deprecate and, in the not distant future,
remove the OpenPrinting Vector/Raster Printer Drivers (that
is, the opvp and oprp devices).
If you rely on either of these devices, please get in touch
with us, so we can discuss your use case, and revise our plans
accordingly.
IMPORTANT: We have forked LittleCMS2 into LittleCMS2mt (the
"mt" indicating "multi-thread"). LCMS2 is not thread safe and
cannot be made thread safe without breaking the ABI. Our fork
will be thread safe and include performance enhancements (these
changes have all be been offered and rejected upstream). We
will maintain compatibility between Ghostscript and LCMS2 for
a time, but not in perpetuity. If there is sufficient interest,
our fork will be available as its own package separately from
Ghostscript (and MuPDF).
The usual round of bug fixes, compatibility changes, and
incremental improvements.
v1.2.5
* Add schema export API to schema and global maps
* Fix decoding with lax/skip validation modes
* Add *keep_unknown* optional argument for *iter_decode()* methods
Version 2.15.05
Correct %ifid $ and %ifid $$ being treated as true. See section 4.4.6.
Add --reproducible option to suppress NASM version numbers and timestamps in output files. See section 2.1.34.
Version 2.15.04
More sensible handling of the case where one single-line macro definition will shadow another. A warning will be issued, but the additional definition will be allowed. For the existing error case where both a parameterless and parametered macro are created, that warning is promoted to an error by default.
Add special preprocessor tokens %*? and %*?? that expand like %? and %?? in single-line macros only. See section 4.1.6.
Correct the encoding of the ENQCMDS and TILELOADT1 instructions.
Fix case where the COFF backend (the coff, win32 and win64 output formats) would add padding bytes in the middle of a section if a SECTION/SEGMENT directive was provided which repeated an ALIGN= attribute. This neither matched legacy behavior, other backends, or user expectations.
Fix SSE instructions not being recognized with an explicit memory operation size (e.g. movsd qword [eax],xmm0).
The -L+ option no longer enables -Lw, which is mainly useful to debug NASM crashes. See section 2.1.4.
Document long-standing hazards in the use of $ in Dx statements, see section 3.2.1.
The NASM-only RDOFF output format backend, which has been broken since at least NASM 2.14, has been disabled. The RDOFF tools are scheduled to be removed from the NASM distribution in NASM 2.16. If you have a concrete use case for RDOFF, please file a NASM bug report at https://bugs.nasm.us/ as soon as possible. See section 8.13.
PCSX-Reloaded is a forked version of the dead PCSX PlayStation emulator, with
a nicer interface and several improvements to stability and functionality.
PCSX-Reloaded uses the PSEMU plugin interface to provide most functionality;
without them, you will not be able to use it to play games. PCSX-Reloaded
provides a number of plugins to provide basic functionality out of the box.
Fvwm3 is a multiple large virtual desktop window manager, originally (a
looooong time ago!) derived from twm.
Fvwm3 is intended to have a small memory footprint but a rich feature set,
be extremely customizable and extendible, and have a high degree of Motif
mwm compatibility.
avahi 0.8 release brings a number of new features and bug fix changes
including a backward-compatible addition to the D-Bus API and the avahi-core
API.
The existing API is still fully supported however clients using the new
API will not work with older Avahi releases. The avahi-client library is not
affected. See the "API Changes" section for further details.
New Features:
- New options for filtering reflected queries between networks (reflect-filter)
- New mainloop integration for Qt5 and libevent
- docs/THREADS: Information for multi-threaded avahi-client apps
- Listen on loopback interfaces by default, allowing local-only services to be
consumed by the local machine
- New D-Bus V2 API and additions to the avahi-core API for splitting "New"
calls into "Prepare" and "Start". See "API Changes" for more details.
* Add support for binary values in TXT records in XML service files by
specifying value-format="text|binary-hex|binary-base64". If not specified,
defaults to the normal value of "text" (thus backwards compatible)
* avahi-gobject: Allow starting the client in a custom GMainContext by
passing context to ga_client_start_in_context instead of ga_client_start
(avahi-gobject minor version has been incremented)
Security Fixes:
- Drop legacy unicast queries from address not on local link which can lead to
UDP traffic amplification attacks (CVE-2017-6519)
For full details, see:
https://github.com/lathiat/avahi/blob/v0.8/docs/NEWS
1.66.0 - 2020-09-12
-------------------
* Support the gtk-doc action syntax :mr:`203`
* Meson fixes with glib and/or g-i is a subproject :mr:`206` :mr:`208`
* GITypeInfo storage type utility API :mr:`205`
* Meson: Fix build as subproject :mr:`214`
* Fixing XDG_DATA_DIRS logic :mr:`215`
* libgirepository: Add a couple missing nullable annotations :mr:`217` :mr:`225`
* dumper: Fix missing symbols in LTO case or with overridden symbol visibility settings :mr:`216`
* Documentation improvements: :mr:`220` :mr:`232`
* Remove old autoconf fallback code for the python tools :mr:`221`
* meson: Rename option `gi_cross_use_{host -> prebuilt}_gi` mr:`211`
* meson: Don't override finding executables when using pre-built tools. :mr:`212`
* meson: gir: add a dependency for g-ir-compiler for building .girs :mr:`228`
* meson: Use pkgconfig generator :mr:`207`
* Fix gi-dump-types.c to build on Windows :mr:`218`
* giscanner: parse block comments for members and fields :mr:`230`
* Add the notion of standalone doc sections :mr:`226`
* giscanner: Add support for using clang-cl :mr:`234`
* giscanner: Fix section matching for documentation :mr:`237`
Highlights:
* Fixes to the new `statx()` calls - note that since GLib 2.65.2 uses `statx()`
(if available) instead of `stat()`/`fstat()`/`lstat()`/`fstatat()`, syscall
sandboxing for third party applications might need to be updated
* Fix deadlock in `g_subprocess_communicate_async()` (work by Alexander Larsson) (#2182)
* Add `%f`/microsecond placeholder support to `g_date_time_format()` (work by Johan Bjäreholt) (!1605)
* Add `GUri` API for parsing, building and representing URIs according to
[RFC 3986](https://tools.ietf.org/html/rfc3986) (work by Marc-Andre Lureau) (#110)
* D-Bus credentials support on macOS (#507)
* Year 2038 fixes involving new API in `GBookmarkFile` (#1931)
For full details, see:
https://gitlab.gnome.org/GNOME/glib/-/blob/2.66.0/NEWS
Upstream NEWS:
We are pleased to announce the release of GNU Gama 2.10!
One major update that is visible to the end users is the change in the
'update_constrained_coordinates' parameter. This parameter was
deprecated in 2.09 and has now been completely removed.
Another big change is the addition of output in GNU Octave format.
The GNU Octave *.m output file contains adjustment results from
gama-local, in matrix format that includes the following sections:
* General adjustment parameters - number of squares, observations,
sum of squares, etc.
* IDs and coordinates of fixed points
* Information about the adjustment - adjusted and constrained
coordinates, their indexes and covariances. Observation
covariances and weight matrix and equation system matrices.
The main motivation for introducing GNU Octave output was to have an
experimental tool for computation of statistical parameters that are not
directly available in gama-local (e.g. reliability matrix).
GNU Octave output defines an explicit set of conditions to calculate the
adjustment of free networks (networks with a singular project equation
system). The differences between coordinates are tested with a tolerance
of 1e-3 millimeters.
This criterion may fail for poorly conditioned systems (typically
networks with a "bad"configuration).
Syntax of the GNU Octave .m output was tested for compatibility with
MATLAB R2013b (8.2.0.701).
