libgit2 0.27.5 (2018/10/5)
This is a security release fixing the following list of issues:
* Submodule URLs and paths with a leading "-" are now ignored. This is due to
the recently discovered CVE-2018-17456, which can lead to arbitrary code
execution in upstream git. While libgit2 itself is not vulnerable, it can
be used to inject options in an implementation which performs a recursive
clone by executing an external command.
* When running repack while doing repo writes, packfile_load__cb() could see
some temporary files in the directory that were bigger than usual, which
made memcmp overflow on the p->pack_name string. This issue was reported
and fixed by bisho.
* The configuration file parser used unbounded recursion to parse multiline
variables, which could lead to a stack overflow. The issue was reported by
the oss-fuzz project, issue 10048 and fixed by Nelson Elhage.
* The fix to the unbounded recursion introduced a memory leak in the config
parser. While this leak was never in a public release, the oss-fuzz project
reported this as issue 10127. The fix was implemented by Nelson Elhage and
Patrick Steinhardt.
* When parsing "ok" packets received via the smart protocol, our parsing code
did not correctly verify the bounds of the packets, which could result in a
heap-buffer overflow. The issue was reported by the oss-fuzz project, issue
9749 and fixed by Patrick Steinhardt.
* The parsing code for the smart protocol has been tightened in general,
fixing heap-buffer overflows when parsing the packet type as well as for
"ACK" and "unpack" packets. The issue was discovered and fixed by Patrick
Steinhardt.
* Fixed potential integer overflows on platforms with 16 bit integers when
parsing packets for the smart protocol. The issue was discovered and fixed
by Patrick Steinhardt.
* Fixed potential NULL pointer dereference when parsing configuration files
which have "include.path" or "includeIf..path" statements without a value.
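The first libgit2 item above describes the mitigation for CVE-2018-17456 in terms of a single rule: a submodule url or path that begins with "-" is ignored. The following is an added example (not libgit2's code) that applies the same rule to a .gitmodules file before its entries are handed to anything that might run an external "git clone"; the minimal parser, the helper names and the sample file are all constructed for this illustration.

```python
import re

# Matches a git config section header such as: [submodule "lib/good"]
SECTION_RE = re.compile(r'^\[submodule\s+"(?P<name>[^"]+)"\]$')


def parse_gitmodules(text):
    """Minimal .gitmodules parser: returns {name: {"path": ..., "url": ...}}."""
    modules = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = SECTION_RE.match(line)
        if m:
            current = modules.setdefault(m.group("name"), {})
            continue
        if current is None or "=" not in line:
            continue                      # key outside any submodule section
        key, _, value = line.partition("=")  # split at the first "=" only
        current[key.strip().lower()] = value.strip()
    return modules


def is_option_like(value):
    """True when a url/path would be parsed as an option by an external command."""
    return value is not None and value.startswith("-")


def filter_submodules(text):
    """Split parsed submodules into (accepted, rejected) by the leading "-" rule."""
    accepted, rejected = {}, {}
    for name, entry in parse_gitmodules(text).items():
        if is_option_like(entry.get("path")) or is_option_like(entry.get("url")):
            rejected[name] = entry        # mirrors libgit2 0.27.5: ignore the entry
        else:
            accepted[name] = entry
    return accepted, rejected


# Constructed sample input; the values are placeholders, not from any real repo.
SAMPLE_GITMODULES = """\
[submodule "lib/good"]
\tpath = lib/good
\turl = https://example.invalid/good.git
[submodule "bad"]
\tpath = -not-a-real-path
\turl = https://example.invalid/bad.git
"""

if __name__ == "__main__":
    ok, dropped = filter_submodules(SAMPLE_GITMODULES)
    print("accepted:", sorted(ok), "rejected:", sorted(dropped))
```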
Release notes
Maintenance and security release of the Drupal 8 series.
This release fixes security vulnerabilities. Sites are urged to upgrade
immediately after reading the notes below and the security announcement:
* Drupal Core - Multiple vulnerabilities - SA-CORE-2018-006
No other fixes are included.
Sites on 8.5.x should update immediately to Drupal 8.5.8 instead, and plan to
update to the latest 8.6.x release before May 2019.
Important update information
Site update and module owners planning to update to this should take note of
the following important changes.
For site owners
* Previously, users who didn't have access to use any Content Moderation
transitions were granted implicit access to update content provided the
state of the content did not change. This access has been removed. Site
owners should ensure that all content editor roles have access to
appropriate transitions for moderated content types (including published to
published where appropriate).
* There are no database updates in this release, but site owners will need to
run update.php to ensure a cache clear.
* No changes have been made to the .htaccess, web.config, robots.txt or
default settings.php files in this release, so upgrading custom versions of
those files is not necessary.
For contributed and custom module developers
* \Drupal\Core\EventSubscriber\RedirectResponseSubscriber::sanitizeDestination()
has been removed. If you have extended that class or are calling that
method, you should review your implementation in line with the changes in
the patch.
* An additional method has been added to
StateTransitionValidationInterface. Implementations should review the new
method and ensure compatibility with it.
* ModerationStateConstraintValidator now has two additional service
dependencies. Subclasses will need to update their constructor to inject the
new services.
Ruby 2.3.8 Released
Ruby 2.3.8 has been released. This release includes several security
fixes. Please check the topics below for details.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
This release also includes a non-security fix to support Visual Studio 2014
with Windows 10 October 2018 Update for maintenance reasons.
Ruby 2.3 is now in the security maintenance phase, until the end of
March 2019. After that date, maintenance of Ruby 2.3 will end. We
recommend you start planning migration to newer versions of Ruby, such
as 2.5 or 2.4.
Ruby 2.5.2 Released
Ruby 2.5.2 has been released.
This release includes some bug fixes and some security fixes.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
There are also some bug fixes. See commit logs for more details.
Ruby 2.5.3 Released
Ruby 2.5.3 has been released.
There were some missing files in the release packages of 2.5.2 which are
necessary for building. See details in [Bug #15232].
This release is just for fixing the packaging issue. This release doesn’t
contain any additional bug fixes from 2.5.2.
Ruby 2.4.5 Released
Ruby 2.4.5 has been released.
This release includes about 40 bug fixes after the previous release, and also
includes several security fixes. Please check the topics below for details.
* CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
* CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
See the commit logs for details.
pkgsrc changes:
- Add patches to avoid `%m' in printf(3) for code used as part of tests
- Add support for tests. Please note that ATM, at least on NetBSD/amd64
-current this is the result of the test suite:
PASS: testdither
FAIL: test_analyze
FAIL: test_pdf
FAIL: test_ps
PASS: test_pdf1
FAIL: test_pdf2
The failure assert(3) needs further investigation (sorry!)
Changes:
1.21.3
------
- foomatic-rip: Reset stdin after replacing the underlying file
descriptor (Issue #58).
1.21.2
------
- cups-browsed: Fixed freeing of literal string caused by
Coverity Scan issue fix (Debian bug #907399).
version 1.4.1:
add W504 fixed method
add E402 fixed method
new feature: reading from .flake8 and $HOME/.pycodestyle files that are used as autopep8's configuration, and add configuration section into README ()
add --exit-code command line option
when the --exit-code option is not given (this is the default):
  return 1 when an error occurred
  otherwise return 0 (command successful)
when the --exit-code option is given:
  return 1 when an error occurred
  return 2 when there are changes in files (command successful)
  otherwise return 0 (command successful)
This option is valid for any operating mode such as --diff, --in-place, non option etc
fix bugs
1.0.1:
Fixed an issue where revision descriptions were essentially being formatted twice. For any revision description that contained characters like %, writing output to stdout would fail because the call to config.print_stdout attempted to format any additional args passed to the function. This fix now only applies string formatting if any args are provided along with the output text.
Fixed issue where removed method union_update() was used when a customized MigrationScript instance included entries in the .imports data member, raising an AttributeError.
pytest 3.9.1:
Features
- For test-suites containing test classes, the information about the subclassed module is now output only if a higher verbosity level is specified (at least “-vv”).
pytest 3.9.0:
Deprecations
- The following accesses have been documented as deprecated for years, but are now actually emitting deprecation warnings.
Access of Module, Function, Class, Instance, File and Item through Node instances. Now users will see this warning:
usage of Function.Module is deprecated, please use pytest.Module instead
Users should just import pytest and access those objects using the pytest module.
request.cached_setup, this was the precursor of the setup/teardown mechanism available to fixtures. You can consult funcarg comparison section in the docs.
Using objects named "Class" as a way to customize the type of nodes that are collected in Collector subclasses has been deprecated. Users instead should use pytest_collect_make_item to customize node types during collection.
This issue should affect only advanced plugins who create new collection types, so if you see this warning message please contact the authors so they can change the code.
The warning that produces the message below has changed to RemovedInPytest4Warning:
getfuncargvalue is deprecated, use getfixturevalue
- Add a Deprecation warning for pytest.ensuretemp as it has been deprecated for a while.
Features
- Improve usage errors messages by hiding internal details which can be distracting and noisy.
This has the side effect that some error conditions that previously raised generic errors (such as ValueError for unregistered marks) are now raising Failed exceptions.
- Improve the error displayed when a conftest.py file could not be imported.
In order to implement this, a new chain parameter was added to ExceptionInfo.getrepr to show or hide chained tracebacks in Python 3 (defaults to True).
- Add empty_parameter_set_mark=fail_at_collect ini option for raising an exception when parametrize collects an empty set.
- Log messages generated in the collection phase are shown when live-logging is enabled and/or when they are logged to a file.
- Introduce tmp_path as a fixture providing a Path object.
- Deprecation warnings are now shown even if you customize the warnings filters yourself. In the previous version any customization would override pytest’s filters and deprecation warnings would fall back to being hidden by default.
- Allow specification of timeout for Testdir.runpytest_subprocess() and Testdir.run().
- Add returncode argument to pytest.exit() to exit pytest with a specific return code.
- Reimplement pytest.deprecated_call using pytest.warns so it supports the match='...' keyword argument.
This has the side effect that pytest.deprecated_call now raises pytest.fail.Exception instead of AssertionError.
- Require setuptools>=30.3 and move most of the metadata to setup.cfg.
Bug Fixes
- Improve error message when test functions of unittest.TestCase subclasses use a parametrized fixture.
- request.fixturenames now correctly returns the name of fixtures created by request.getfixturevalue().
- Warning filters passed as command line options using -W now take precedence over filters defined in ini configuration files.
- Fix source reindenting by using textwrap.dedent directly.
- pytest.warn will capture previously-warned warnings in Python 2. Previously they were never raised.
- Resolve symbolic links for args.
This fixes running pytest tests/test_foo.py::test_bar, where tests is a symlink to project/app/tests: previously project/app/conftest.py would be ignored for fixtures then.
- Fix duplicate printing of internal errors when using --pdb.
- pathlib based tmpdir cleanup now correctly handles symlinks in the folder.
- Display the filename when encountering SyntaxWarning.
Improved Documentation
- Update usefixtures documentation to clarify that it can’t be used with fixture functions.
- Update fixture documentation to specify that a fixture can be invoked twice in the scope it’s defined for.
- According to unittest.rst, setUpModule and tearDownModule were not implemented, but it turns out they are. So updated the documentation for unittest.
- Add tempdir testing example to CONTRIBUTING.rst guide
Trivial/Internal Changes
- The internal MarkerError exception has been removed.
- Port the implementation of tmpdir to pathlib.
- Exclude 0.00 second entries from --duration output unless -vv is passed on the command-line.
- Fixed formatting of string literals in internal tests.
3.78.0:
This release has deprecated the generation of integers, floats and fractions when the conversion of the upper and/or lower bound is not 100% exact, e.g. when an integer gets passed a bound that is not a whole number. (:issue:`1625`)
3.77.0:
This minor release adds functionality to :obj:`~hypothesis.settings` allowing it to be used as a decorator on :obj:`~hypothesis.stateful.RuleBasedStateMachine` and :obj:`~hypothesis.stateful.GenericStateMachine`.
3.76.1:
This patch fixes some warnings added by recent releases of :pypi:`pydocstyle` and :pypi:`mypy`.
- Due to the custom do-{build,test,install} targets, UNLIMIT_RESOURCES was not
honored, leading to:
//slurp-ucd
*** - No more room for LISP objects
errors. Adjust these targets to honor UNLIMIT_RESOURCES.
- sbcl does not work with PaX MPROTECT because mmap()s by OR'ing all
PROT_{EXEC,READ,WRITE}. Unfortunately src/runtime/sbcl is also
used as part of building needing also `${PAXCTL} +m' in the middle
of the build.
Introduce an SBCL_PAXCTL variable (by default `:') via
patch-src_runtime_GNUmakefile that executes a program against src/runtime/sbcl
and define it for platforms that have a paxctl tool.
Mark bin/sbcl with NOT_PAX_MPROTECT_SAFE too.
- Refactor the environment variables injection logic in do-{build,test,install}
to honor MAKE_ENV and INSTALL_ENV.
- Minor mostly cosmetic adjustments (use ${RM}, not rm)
Bump PKGREVISION
This avoids errors when running from a read-only pkgsrc checkout as the
resulting packages cannot be written to the default PACKAGES directory. The
binary packages aren't useful anyway, as they are often built with reduced
configuration options due to the limited bootstrap environment.
Fixes issue reported by Julien Savard and others.
This is for when GNU features are required that aren't available in some
other greps, for example -o or --color. If ggrep is requested then it
takes precedence over grep/egrep/fgrep and the GNU versions are used for
all three.
BSD grep aims for GNU compatibility so it is anticipated that it can be
used as a native tool to avoid a dependency on textproc/grep on platforms
that provide it.
Push diff implementation (from libdiff) directly into the code instead of using the external library. From a patch by Anton Lindqvist as suggested on the OpenBSD ports mailing lists. Thank you!
Significantly update the diffing algorithm. First, make some general fixes to the algorithm. Second, improve the "optimisations" phase by adding top-down analysis that matches un-matched, non-terminal adjacent children. This helps with text changes in text-only paragraphs. Third, add a SES (shortest edit script) computation for matched adjacent text nodes. Lastly, add the new diff function manpages.
Portability: don't use %F for date formatting. This doesn't work with some libc versions. Also some documentation readability improvements.
Strip leading white-space from metadata extracted using -X. Sync with newest oconfigure.
Document the metadata functionality in lowdown(5), thanks to Christina Sophonpanich (thanks!). Also sync with newest oconfigure.
Add a "diff" tool, lowdown-diff(1). This utility uses an algorithm adapted from Detecting Changes in XML Documents to compute the semantic difference between two parse trees. It is fully documented. While there, also add more inter-paragraph spacing to -Tms output, producing more elegant documents, and continue fleshing out lowdown(5). Also add some more metadata recognition in -s output for all modes (copyright, affiliation, etc.).
Re-wrote escape parser to -Tms and -Tman to respect roff special characters. Have e-mail autolinks respect the mailto: in pdfhref'd output, and have links with mailto: omit the schema in display just like in -Thtml. Make block-list-items render properly in -Tms and -Tman. Also introduce lowdown(5), a work-in-progress to document the Markdown formatting accepted by this system. The first were noted, and the last contributed in full, by Christina Sophonpanich — thanks!
Fixed compilation on Linux and Mac OS X by adding memrchr compatibility. Noted by Christina Sophonpanich — thanks!
Considerable clean-up of -Tms and -Tman, with the aim of much higher PDF output quality: proper nested list support, hyperlinks, PS/PDF TOC, and even some images (PS/EPS only—experimental!). Also, after some pointers on the groff mailing list, use the correct invocation for generating PDF output. Fix up footnote printing to use automatic -ms macros and registers, if applicable.
Also added support for the "affiliation" metadata keyword.
Added some CommonMark support, initially just escaped newlines, supported only when the commonmark input flag is specified. Removed the sphd input flag in favour of commonmark. Also fixed raw HTML block outputting and setext-style level-two headers.
version 0.7.6 (released 2018-10-16)
* Fixed CVE-2018-10933
* Added support for OpenSSL 1.1
* Added SHA256 support for ssh_get_publickey_hash()
* Fixed config parsing
* Fixed random memory corruption when importing pubkeys
version 0.7.5 (released 2017-04-13)
* Fixed a memory allocation issue with buffers
* Fixed PKI on Windows
* Fixed some SSHv1 functions
* Fixed config hostname expansion
version 0.7.4 (released 2017-02-03)
* Added id_ed25519 to the default identity list
* Fixed sftp EOF packet handling
* Fixed ssh_send_banner() to conform with RFC 4253
* Fixed some memory leaks
ccmake needs wsyncup(3) and since NetBSD 8.0 it is present on NetBSD.
Handle that via `USE_CURSES= wsyncup' and remove enforcements about
ncurses in CMakeLists.txt and Source/Checks/Curses/CMakeLists.txt.
Bump PKGREVISION