This minor release includes 4 security fixes following the security policy
<https://go.dev/security>:
- crypto/rand: rand.Read hangs with extremely large buffers
On Windows, rand.Read will hang indefinitely if passed a buffer larger
than 1 << 32 - 1 bytes.
Thanks to Davis Goodin and Quim Muntal, working at Microsoft on the Go
toolset, for reporting this issue.
This is CVE-2022-30634 and Go issue https://go.dev/issue/52561.
- crypto/tls: session tickets lack random ticket_age_add
Session tickets generated by crypto/tls did not contain a randomly
generated ticket_age_add. This allows an attacker that can observe TLS
handshakes to correlate successive connections by comparing ticket ages
during session resumption.
Thanks to GitHub user @nervuri for reporting this.
This is CVE-2022-30629 and Go issue https://go.dev/issue/52814.
- os/exec: empty Cmd.Path can result in running unintended binary on
Windows
If, on Windows, Cmd.Run, Cmd.Start, Cmd.Output, or Cmd.CombinedOutput
are executed when Cmd.Path is unset and, in the working directory, there
are binaries named either "..com" or "..exe", they will be executed.
Thanks to Chris Darroch (chrisd8088@github.com), brian m. carlson
(bk2204@github.com), and Mikhail Shcherbakov (https://twitter.com/yu5k3)
for reporting this.
This is CVE-2022-30580 and Go issue https://go.dev/issue/52574.
- path/filepath: Clean(`.\c:`) returns `c:` on Windows
On Windows, the filepath.Clean function could convert an invalid path to
a valid, absolute path. For example, Clean(`.\c:`) returned `c:`.
Thanks to Unrud for reporting this issue.
This is CVE-2022-29804 and Go issue https://go.dev/issue/52476.
Version 14.19.3 'Fermium' (LTS)
Notable Changes
This release updates OpenSSL to 1.1.1o. This update is not being treated as a security release as the issues addressed in OpenSSL 1.1.1o were assessed to not affect Node.js 14. See https://nodejs.org/en/blog/vulnerability/openssl-fixes-in-regular-releases-may2022/ for more information on how the May 2022 OpenSSL releases affect other Node.js release lines.
The list of GPG keys used to sign releases has been synchronized with the main branch.
Version 14.19.2 'Fermium' (LTS)
Notable Changes
doc:
New release key for Bryan English
npm:
Upgrade npm to v6.14.17.
V8:
V8 had a stack overflow issue affecting the vm module, cherry-picking cc9a8a37445e from V8 solves this issue.
Using getHeapSnapshot() was causing a Node.js crash due to a V8 issue; this is fixed by backporting 367b0c1e7a32 from V8.
Mypy 0.960
Minimal Support for LiteralString
Per-file Timing Stats
Performance Improvements
Experimental Fast Module Lookup
Documentation Updates
Improvements to Plugin System
ParamSpec Improvements
Fixes to Crashes
Was added in pkgsrc at a time when hangs during the build were frequent to
give a visual indicator of progress, but just clutters up bulk build logs
now.
This is a long-overdue update, so there are many changes. Details are in
the Changes file in the distribution.
The mk/ocaml file will be moved to lang/ocaml and the logic for selecting
whether to use the native-code compiler will be factored out into
native.mk to avoid duplications.
This is the final version before OCaml 5.0 arrives, which has
multicore support and should be a major change from the 4.x versions.
Allow copying files with size zero. This behavior differs from PHP 7.4
and breaks a pear package which contains files with size zero.
Bump PKGREVISION.
XXX: pullup-2022Q1
Add NetBSD to the systems which need dl_iterate_phdr(),
and make NetBSD find the debug libraries if present.
Also make the execinfo functions visible, but not sure
that's used by rust.
Back-ported from wip / 1.60.0, but we can't do != in
conditionals here.
Python 3.9.13
Core and Builtins
gh-92311: Fixed a bug where setting frame.f_lineno to jump over a list comprehension could misbehave or crash.
gh-92112: Fix crash triggered by an evil custom mro() on a metaclass.
gh-92036: Fix a crash in subinterpreters related to the garbage collector. When a subinterpreter is deleted, untrack all objects tracked by its GC. To prevent a crash in deallocator functions expecting objects to be tracked by the GC, leak a strong reference to these objects on purpose, so they are never deleted and their deallocator functions are not called. Patch by Victor Stinner.
gh-91421: Fix a potential integer overflow in _Py_DecodeUTF8Ex.
bpo-46775: Some Windows system error codes (>= 10000) are now mapped into the correct errno and may now raise a subclass of OSError. Patch by Dong-hee Na.
bpo-46962: Classes and functions that unconditionally declared their docstrings ignoring the --without-doc-strings compilation flag no longer do so.
The classes affected are pickle.PickleBuffer, testcapi.RecursingInfinitelyError, and types.GenericAlias.
The functions affected are 24 methods in ctypes.
Patch by Oleg Iarygin.
bpo-36819: Fix crashes in built-in encoders with error handlers that return a position less than or equal to the starting position of non-encodable characters.
Library
gh-91581: utcfromtimestamp() no longer attempts to resolve fold in the pure Python implementation, since the fold is never 1 in UTC. In addition to being slightly faster in the common case, this also prevents some errors when the timestamp is close to datetime.min. Patch by Paul Ganssle.
gh-92530: Fix an issue that occurred after interrupting threading.Condition.notify().
gh-92049: Forbid pickling constants re._constants.SUCCESS etc. Previously, pickling did not fail, but the result could not be unpickled.
bpo-47029: Always close the read end of the pipe used by multiprocessing.Queue after the last write of buffered data to the write end of the pipe to avoid BrokenPipeError at garbage collection and at multiprocessing.Queue.close() calls. Patch by Géry Ogam.
gh-91910: Add missing f prefix to f-strings in error messages from the multiprocessing and asyncio modules.
gh-91810: ElementTree method write() and function tostring() now use the text file’s encoding (“UTF-8” if not available) instead of locale encoding in XML declaration when encoding="unicode" is specified.
gh-91832: Add required attribute to argparse.Action repr output.
gh-91734: Fix OSS audio support on Solaris.
gh-91700: Compilation of a regular expression containing a conditional expression (?(group)...) now raises an appropriate re.error if the group number refers to an undefined group. Previously an internal RuntimeError was raised.
gh-91676: Fix unittest.IsolatedAsyncioTestCase to shutdown the per test event loop executor before returning from its run method so that a not yet stopped or garbage collected executor state does not persist beyond the test.
gh-90568: Parsing \N escapes of Unicode Named Character Sequences in a regular expression raises now re.error instead of TypeError.
gh-91595: Fix the comparison of character and integer inside Tools.gdb.libpython.write_repr(). Patch by Yu Liu.
gh-90622: Worker processes for concurrent.futures.ProcessPoolExecutor are no longer spawned on demand (a feature added in 3.9) when the multiprocessing context start method is "fork" as that can lead to deadlocks in the child processes due to a fork happening while threads are running.
gh-91575: Update case-insensitive matching in the re module to the latest Unicode version.
gh-91581: Remove an unhandled error case in the C implementation of calls to datetime.fromtimestamp with no time zone (i.e. getting a local time from an epoch timestamp). This should have no user-facing effect other than giving a possibly more accurate error message when called with timestamps that fall on 10000-01-01 in the local time. Patch by Paul Ganssle.
bpo-34480: Fix a bug where _markupbase raised an UnboundLocalError when an invalid keyword was found in marked section. Patch by Marek Suscak.
bpo-27929: Fix asyncio.loop.sock_connect() to only resolve names for socket.AF_INET or socket.AF_INET6 families. Resolution may not make sense for other families, like socket.AF_BLUETOOTH and socket.AF_UNIX.
bpo-43323: Fix errors in the email module if the charset itself contains undecodable/unencodable characters.
bpo-46787: Fix concurrent.futures.ProcessPoolExecutor exception memory leak
bpo-46415: Fix ipaddress.ip_{address,interface,network} raising TypeError instead of ValueError if given invalid tuple as address parameter.
bpo-44911: IsolatedAsyncioTestCase will no longer throw an exception while cancelling leaked tasks. Patch by Bar Harel.
bpo-44493: Add missing terminating NUL in sockaddr_un’s length
This was potentially observable when using non-abstract AF_UNIX datagram sockets to processes written in another programming language.
bpo-42627: Fix incorrect parsing of Windows registry proxy settings
bpo-36073: Raise ProgrammingError instead of segfaulting on recursive usage of cursors in sqlite3 converters. Patch by Sergey Fedoseev.
Documentation
gh-91888: Add a new gh role to the documentation to link to GitHub issues.
gh-91783: Document security issues concerning the use of the function shutil.unpack_archive()
gh-91547: Remove “Undocumented modules” page.
bpo-44347: Clarify the meaning of dirs_exist_ok, a kwarg of shutil.copytree().
bpo-38668: Update the introduction to documentation for os.path to remove warnings that became irrelevant after the implementations of PEP 383 and PEP 529.
bpo-47138: Pin Jinja to a version compatible with Sphinx version 2.4.4.
bpo-46962: All docstrings in code snippets are now wrapped into PyDoc_STR() to follow the guideline of PEP 7’s Documentation Strings paragraph. Patch by Oleg Iarygin.
bpo-26792: Improve the docstrings of runpy.run_module() and runpy.run_path(). Original patch by Andrew Brezovsky.
bpo-45790: Adjust inaccurate phrasing in Defining Extension Types: Tutorial about the ob_base field and the macros used to access its contents.
bpo-42340: Document that in some circumstances KeyboardInterrupt may cause the code to enter an inconsistent state. Provided a sample workaround to avoid it if needed.
bpo-41233: Link the errnos referenced in Doc/library/exceptions.rst to their respective section in Doc/library/errno.rst, and vice versa. Previously this was only done for EINTR and InterruptedError. Patch by Yan “yyyyyyyan” Orestes.
bpo-38056: Overhaul the Error Handlers documentation in codecs.
bpo-13553: Document tkinter.Tk args.
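The shutil.unpack_archive() item (gh-91783) concerns archives whose member names, once joined onto the destination directory, land outside it. The following is an added example, not CPython code or text from the changelog: a tar extractor that normalises each member path and then checks that the result is still relative and still inside the destination. Normalisation alone is not a check, which is the same shape of problem as the path/filepath Clean item in the Go notes above, where an invalid input normalised to a valid absolute path. The archives are constructed in memory for the demonstration, and the helper names (safe_target, safe_extract, build_tar, demo) are this example's own.

```python
"""Safe extraction of an archive whose member names may be hostile.

Added example for the shutil.unpack_archive() documentation item; this is
illustration code, not part of CPython. The archives below are constructed
in memory for the demonstration.
"""
import io
import os
import tarfile
import tempfile


class UnsafeMember(ValueError):
    """Raised for a member that would be written outside the destination."""


def safe_target(dest: str, name: str) -> str:
    """Resolve member `name` under `dest`, refusing anything that escapes it.

    Normalisation is not a check by itself: an absolute name, a drive-relative
    name such as 'c:evil' on Windows, or enough '..' components all normalise
    to a perfectly valid path. So normalise first, then verify that the
    result is still relative and still inside `dest`.
    """
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        raise UnsafeMember(f"absolute or drive-qualified member: {name!r}")
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeMember(f"member escapes destination: {name!r}")
    return target


def safe_extract(data: bytes, dest: str) -> list:
    """Extract the tar archive in `data` into `dest`, or raise UnsafeMember.

    Every member is validated before anything is written, so a hostile entry
    late in the archive cannot leave a half-extracted tree behind. Links are
    rejected outright: a symlink pointing outside `dest` would let a later
    member write through it. Returns the member names that were extracted.
    """
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            safe_target(dest, m.name)
            if m.issym() or m.islnk():
                raise UnsafeMember(f"link member not allowed: {m.name!r}")
            if not (m.isfile() or m.isdir()):
                raise UnsafeMember(f"special file not allowed: {m.name!r}")
        tar.extractall(dest, members=members)
    return [m.name for m in members]


def build_tar(entries: dict) -> bytes:
    """Build an in-memory tar archive from {member_name: content} (test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample archives: one benign, two carrying traversal payloads.
BENIGN = build_tar({"docs/readme.txt": b"hello\n"})
HOSTILE = build_tar({"docs/readme.txt": b"hello\n", "../../evil.txt": b"pwned\n"})
ABSOLUTE = build_tar({"/tmp/evil.txt": b"pwned\n"})


def demo() -> dict:
    """Run the three archives against a fresh temporary directory and report
    which were accepted, which were rejected, and what ended up on disk."""
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["benign"] = safe_extract(BENIGN, dest)
        for label, data in (("hostile", HOSTILE), ("absolute", ABSOLUTE)):
            try:
                safe_extract(data, dest)
                results[label] = "extracted"
            except UnsafeMember:
                results[label] = "rejected"
        results["on_disk"] = sorted(
            os.path.relpath(os.path.join(root, f), dest).replace(os.sep, "/")
            for root, _dirs, files in os.walk(dest)
            for f in files
        )
    return results


if __name__ == "__main__":
    print(demo())
```

The validate-then-extract split matters: checking each member immediately before writing it still leaves earlier members on disk when a later one is rejected, which is exactly the partial state an attacker relies on when the archive is processed by something that then trusts the directory contents.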
Tests
gh-91607: Fix test_concurrent_futures to test the correct multiprocessing start method context in several cases where the test logic mixed this up.
bpo-47205: Skip test for sched_getaffinity() and sched_setaffinity() error case on FreeBSD.
bpo-29890: Add tests for ipaddress.IPv4Interface and ipaddress.IPv6Interface construction with tuple arguments. Original patch and tests by louisom.
Build
bpo-47103: Windows PGInstrument builds now copy a required DLL into the output directory, making it easier to run the profile stage of a PGO build.
Windows
bpo-47194: Update zlib to v1.2.12 to resolve CVE-2018-25032.
bpo-46785: Fix race condition between os.stat() and unlinking a file on Windows, by using error codes returned by FindFirstFileW() when appropriate in win32_xstat_impl.
bpo-40859: Update Windows build to use xz-5.2.5
Tools/Demos
gh-91583: Fix regression in the code generated by Argument Clinic for functions with the defining_class parameter.
0.4.3 - 2022-05-11
Fixed
* Restore the 0.4.1 behavior for libcst.helpers.get_absolute_module
0.4.2 - 2022-05-04
Fixed
* native: Avoid crashing by making IntoPy conversion fallible
* native: make sure ParserError's line is zero-indexed
* Fix space validation for AsName and Await
* Qualified Name Provider: Fix returned qname for symbols that are prefixes of each other
* Rename Codemod: Correct last renamed import from
* Many changes to the Apply Type Comments codemod:
  * Allow for skipping quotes when applying type comments
  * Port pyre fixes
  * Preserve as-imports when merging type annotations.
  * Qualify imported symbols when the dequalified form would cause a conflict
  * Add an argument to always qualify imported type annotations.
Added
* Create an AddTrailingCommas codemod
* Define gather global names visitor
Updated
* Support module and package names in the codemod context
* Drop support for running libcst using a python 3.6 interpreter
* Update relative import logic to match cpython
* Scope Provider: Consider access information when computing qualified names for nodes
- build without x11
- bundle libstdc++.so.9 & libgcc_s.so.1 from base so it works with
base clang as well as future NetBSD releases
- don't ship external debug symbols (.diz), demos, src.zip
- build in clean chroot with pkgsrc bootstrapped to /root/pkg
- upload pgp signatures to nbftp
This mimics how it was done for openjdk11 &
takes bootstraps down from ~300MB to ~100MB.