Changelog:
Fixed in Firefox ESR 38.8
2016-47 Write to invalid HashMap entry through JavaScript.watch()
2016-44 Buffer overflow in libstagefright with CENC offsets
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
2016-36 Use-after-free during processing of DER encoded keys in NSS
2016-29 Same-origin policy violation using performance.getEntries and history navigation with session restore
2016-15 Use-after-free in NSS during SSL connections in low memory
2016-07 Errors in mp_div and mp_exptmod cryptographic functions in NSS
Changes in DBI 1.636 - 24th April 2016
Fix compilation for threaded perl <= 5.12 broken in 1.635 RT#113955
Revert change to DBI::PurePerl DESTROY in 1.635
Change t/16destroy.t to avoid race hazard RT#113951
Output perl version and archname in t/01basics.t
Add perl 5.22 and 5.22-extras to travis-ci config
Mozilla Firefox is a free, open-source and cross-platform web browser
for Windows, Linux, MacOS X and many other operating systems.
It is fast and easy to use, and offers many advantages over other web
browsers, such as tabbed browsing and the ability to block pop-up
windows.
Firefox also offers excellent bookmark and history management, and it
can be extended by developers using industry standards such as XML,
CSS, JavaScript, C++, etc. Many extensions are available.
This package tracks Firefox 45 ESR branch.
Changelog from www/firefox 45.0.2:
Fixed in Firefox ESR 45.1
2016-47 Write to invalid HashMap entry through JavaScript.watch()
2016-44 Buffer overflow in libstagefright with CENC offsets
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
* Drop buildlink to gstreamer1
Changelog:
New
Improved security of the JavaScript Just In Time (JIT) Compiler
GTK3 integration (GNU/Linux only)
Fixed
Correct rendering for scaled SVGs that use a clip and a mask
Various security fixes
Screen reader behavior with blank spaces in Google Docs corrected
Changed
WebRTC fixes to improve performance and stability
Developer
Display dominator trees in Memory tool
Allocation and garbage collection pause profiling in the performance panel
Launch responsive mode from the Style Editor @media sidebar
HTML5
Added support for document.elementsFromPoint
Added HKDF support for Web Crypto API
Fixed in Firefox 46
2016-48 Firefox Health Reports could accept events from untrusted domains
2016-47 Write to invalid HashMap entry through JavaScript.watch()
2016-46 Elevation of privilege with chrome.tabs.update API in web extensions
2016-45 CSP not applied to pages sent with multipart/x-mixed-replace
2016-44 Buffer overflow in libstagefright with CENC offsets
2016-43 Disclosure of user actions through JavaScript with motion and orientation sensors
2016-42 Use-after-free and buffer overflow in Service Workers
2016-41 Content provider permission bypass allows malicious application to access data
2016-40 Privilege escalation through file deletion by Maintenance Service updater
2016-39 Miscellaneous memory safety hazards (rv:46.0 / rv:45.1 / rv:38.8)
Upstream changes:
(4.2.8p7) 2016/04/26 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 2901] KoD packets must have non-zero transmit timestamps. HStenn.
* [Sec 2936] Skeleton Key: Any system knowing the trusted key can serve
time. Include passive servers in this check. HStenn.
* [Sec 2945] Additional KoD packet checks. HStenn.
* [Sec 2978] Interleave can be partially triggered. HStenn.
* [Sec 3007] Validate crypto-NAKs. Danny Mayer.
* [Sec 3008] Always check the return value of ctl_getitem().
- initial work by HStenn
- Additional cleanup of ctl_getitem by perlinger@ntp.org
* [Sec 3009] Crafted addpeer with hmode > 7 causes OOB error. perlinger@ntp.org
- added more stringent checks on packet content
* [Sec 3010] remote configuration trustedkey/requestkey values
are not properly validated. perlinger@ntp.org
- sidekick: Ignore keys that have an unsupported MAC algorithm
but are otherwise well-formed
* [Sec 3011] Duplicate IPs on unconfig directives will cause an assertion botch
- graciously accept the same IP multiple times. perlinger@ntp.org
* [Sec 3020] Refclock impersonation. HStenn.
* [Bug 2831] Segmentation Fault in DNS lookup during startup. perlinger@ntp.org
- fixed yet another race condition in the threaded resolver code.
* [Bug 2858] bool support. Use stdbool.h when available. HStenn.
* [Bug 2879] Improve NTP security against timing attacks. perlinger@ntp.org
- integrated patches by Loganaden Velvidron <logan@ntp.org>
with some modifications & unit tests
* [Bug 2952] Symmetric active/passive mode is broken. HStenn.
* [Bug 2960] async name resolution fixes for chroot() environments.
Reinhard Max.
* [Bug 2994] Systems with HAVE_SIGNALED_IO fail to compile. perlinger@ntp.org
* [Bug 2995] Fixes to compile on Windows
* [Bug 2999] out-of-bounds access in 'is_safe_filename()'. perlinger@ntp.org
* [Bug 3013] Fix for ssl_init.c SHA1 test. perlinger@ntp.org
- Patch provided by Ch. Weisgerber
* [Bug 3015] ntpq: config-from-file: "request contains an unprintable character"
- A change related to [Bug 2853] forbids trailing white space in
remote config commands. perlinger@ntp.org
* [Bug 3019] NTPD stops processing packets after ERROR_HOST_UNREACHABLE
- report and patch from Aleksandr Kostikov.
- Overhaul of Windows IO completion port handling. perlinger@ntp.org
* [Bug 3022] authkeys.c should be refactored. perlinger@ntp.org
- fixed memory leak in access list (auth[read]keys.c)
- refactored handling of key access lists (auth[read]keys.c)
- reduced number of error branches (authreadkeys.c)
* [Bug 3023] ntpdate cannot correct dates in the future. perlinger@ntp.org
* [Bug 3030] ntpq needs a general way to specify refid output format. HStenn.
* [Bug 3031] ntp broadcastclient unable to synchronize to a server
when the time of server changed. perlinger@ntp.org
- Check the initial delay calculation and reject/unpeer the broadcast
server if the delay exceeds 50ms. Retry again after the next
broadcast packet.
* [Bug 3036] autokey trips an INSIST in authistrustedip(). Harlan Stenn.
* Document ntp.key's optional IP list in authenetic.html. Harlan Stenn.
* Update html/xleave.html documentation. Harlan Stenn.
* Update ntp.conf documentation. Harlan Stenn.
* Fix some Credit: attributions in the NEWS file. Harlan Stenn.
* Fix typo in html/monopt.html. Harlan Stenn.
* Add README.pullrequests. Harlan Stenn.
* Cleanup to include/ntp.h. Harlan Stenn.
---
(4.2.8p6) 2016/01/20 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 2935] Deja Vu: Replay attack on authenticated broadcast mode. HStenn.
* [Sec 2936] Skeleton Key: Any trusted key system can serve time. HStenn.
* [Sec 2937] ntpq: nextvar() missing length check. perlinger@ntp.org
* [Sec 2938] ntpq saveconfig command allows dangerous characters
in filenames. perlinger@ntp.org
* [Sec 2939] reslist NULL pointer dereference. perlinger@ntp.org
* [Sec 2940] Stack exhaustion in recursive traversal of restriction
list. perlinger@ntp.org
* [Sec 2942]: Off-path DoS attack on auth broadcast mode. HStenn.
* [Sec 2945] Zero Origin Timestamp Bypass. perlinger@ntp.org
* [Sec 2948] Potential Infinite Loop in ntpq ( and ntpdc) perlinger@ntp.org
* [Bug 2772] adj_systime overflows tv_usec. perlinger@ntp.org
* [Bug 2814] msyslog deadlock when signaled. perlinger@ntp.org
- applied patch by shenpeng11@huawei.com with minor adjustments
* [Bug 2882] Look at ntp_request.c:list_peers_sum(). perlinger@ntp.org
* [Bug 2891] Deadlock in deferred DNS lookup framework. perlinger@ntp.org
* [Bug 2892] Several test cases assume IPv6 capabilities even when
IPv6 is disabled in the build. perlinger@ntp.org
- Found this already fixed, but validation led to cleanup actions.
* [Bug 2905] DNS lookups broken. perlinger@ntp.org
- added limits to stack consumption, fixed some return code handling
* [Bug 2971] ntpq bails on ^C: select fails: Interrupted system call
- changed stacked/nested handling of CTRL-C. perlinger@ntp.org
- make CTRL-C work for retrieval and printing of MRU list. perlinger@ntp.org
* [Bug 2980] reduce number of warnings. perlinger@ntp.org
- integrated several patches from Havard Eidnes (he@uninett.no)
* [Bug 2985] bogus calculation in authkeys.c perlinger@ntp.org
- implement 'auth_log2()' using integer bithack instead of float calculation
* Make leapsec_query debug messages less verbose. Harlan Stenn.
* Disable incomplete t-ntp_signd.c test. Harlan Stenn.
This release will become the new LTS later in 2016.
The following significant changes have been made since the
previous Node.js v5.0.0 release.
Buffer
- New Buffer constructors have been added #4682 and #5833.
- Existing Buffer() and SlowBuffer() constructors have been
deprecated in docs #4682 and #5833.
- Previously deprecated Buffer APIs are removed #5048, #4594.
- Improved error handling #4514.
- The Buffer.prototype.lastIndexOf() method has been added #4846.
Cluster
- Worker emitted as first argument in 'message' event #5361.
- The worker.exitedAfterDisconnect property replaces
worker.suicide #3743.
Console
- Calling console.timeEnd() with an unknown label now emits a
process warning rather than throwing #5901.
Crypto
- Improved error handling #3100, #5611.
- Simplified Certificate class bindings #5382.
- Improved control over FIPS mode #5181.
- pbkdf2 digest overloading is deprecated #4047.
Dependencies
- Reintroduce shared c-ares build support #5775.
- V8 updated to 5.0.71.35 #6372.
DNS
- Add dns.resolvePtr() API to query plain DNS PTR records #4921.
Domains
- Clear stack when no error handler #4659.
Events
- The EventEmitter.prototype._events object no longer inherits
from Object.prototype #6092.
- The EventEmitter.prototype.prependListener() and
EventEmitter.prototype.prependOnceListener() methods have been
added #6032.
File System
- The fs.realpath() and fs.realpathSync() methods have been
updated to use a more efficient libuv-based implementation. This
change includes the removal of the cache argument and the method
can throw new errors #3594.
- FS apis can now accept and return paths as Buffers #5616.
- Error handling and type checking improvements #5616, #5590,
#4518, #3917.
- fs.read's string interface is deprecated #4525.
HTTP
- 'clientError' can now be used to return custom errors from an
HTTP server #4557.
pkgsrc changes:
o Update MASTER_SITES (archive/ subdirectory contains all the distfiles,
latest stable version and also older ones)
o Bump BUILDLINK_A[BP]I_DEPENDS.mupdf to 1.9a due to several API and ABI
changes
Changes:
MuPDF 1.9a (2016-04-26)
-----------------------
Version 1.9a is a bug fix release. If you run into issues with selecting or
searching for text with ligatures, you should upgrade from 1.9.
MuPDF 1.9 (2016-04-18)
-----------------------
The 1.9 release is here!
Headline changes:
* New command line tools: create and run.
* New low-level Java interface for desktop and android.
* Bidirectional layout for Arabic and Hebrew scripts.
* Shaping complex scripts for EPUB text layout.
* Noto fallback fonts for EPUB layout.
mutool create:
* Create new PDF files from scratch.
* Read an annotated content stream in a text file and write a PDF file,
automatically embedding font and image resources.
mutool run:
* Run javascript scripts with MuPDF bindings.
* The interface is similar to the new Java interface.
mutool draw:
* Optional multi-threaded operation (Windows and pthreads).
* Optional low memory mode (primarily for testing).
Upstream Release Notes
HPLIP 3.16.3 - This release has the following changes:
Added Support for the Following New Printers:
- HP PageWide Pro 577dw Multifunction Printer
- HP PageWide Pro 577z Multifunction Printer
- HP PageWide Pro 552dw Printer
- HP PageWide Pro 452dw Printer
- HP PageWide Pro 452dn Printer
- HP PageWide Pro 477dw Multifunction Printer
- HP PageWide Pro 477dn Multifunction Printer
- HP DeskJet GT 5810 All-in-One Printer
- HP DeskJet GT 5820 All-in-One Printer
Added support for the following new Distros:
- Ubuntu 16.04 (beta)
Issues fixed:
- Traceback error occurs when ESC button is hit upon the prompt for
root/superuser credentials while installing hp-plugin.
Announcements:
- Discontinued the RPM packaging for RHEL-5.X
This release adds ALTSVC frame support in libnghttp2. nghttp gets new option to exercise expect/continue dance with server. nghttpx gets several new features, robust load balancing, and bug fixes.
Buffer:
- Buffer.prototype.compare can now compare sub-ranges of two
Buffers.
deps:
- update to http-parser 2.7.0
- update ESLint to 2.7.0
net:
- adds support for passing DNS lookup hints to createConnection()
node:
- Make the builtin libraries available for the --eval and --print
CLI options
npm:
- upgrade npm to 3.8.6
repl:
- Pressing enter in the repl will repeat the last command by default
if no input has been received. This behaviour was in node
previously and was not removed intentionally.
src:
- add SIGINFO to supported signals
streams:
- Fix a regression caused by net streams requesting multiple
chunks synchronously when combined with cork/uncork
zlib:
- The flushing flag is now configurable allowing for decompression
of partial data
* Install index.theme to same directory it always was in
* Install into oxygen/base/ so icons move from apps don't clash with
version installed by those apps
* Replicate symlinks from breeze-icons
* Add new emblem-added and emblem-remove icons for sync with breeze
Changes
* CMake requirement aligned with libphonon (2.6.2 => 2.8.9)
Bug Fixes
* Fixed finding GStreamer 1.0
* Only build X11 renderer if X11 is found (enables building on OSX
and Windows)
Changes
* VLC 2.0 support was removed, VLC 2.1 is at least required to use the
backend
* CMake requirement aligned with libphonon (2.6.2 => 2.8.9)
* Muting is now implemented asynchronously
Bug Fixes
* Restore build support with Qt <= 5.2 in the Qt 5 build.
* Fixed building videowidget for OSX.
* Fixed schemeless URLs
VLC 2.2 API Pickup
* New device listing API used for listing devices without PulseAudio
enabled
* New internal signals for muting, corking, and volume changes (these
directly relate to new AudioOutputInterface49 API in libphonon providing
these new libvlc features with appropriate frontend control in libphonon)
* This partially improves PulseAudio integration as at least volume and
mute control is now working correctly again via libvlc natively.
PulseAudio Limitations
* PulseAudio support is still not fully backed via libvlc and cannot be
correctly intercepted by libphonon. As a result the following features
continue to not work correctly:
* runtime-device-rerouting: changing the device order in the Phonon
configuration at runtime cannot force libvlc to use the correct
device, if a device was manually set before it will not automatically
migrate to a new device
* runtime-device-selection: selecting a device at runtime is not possible
(see above), as a result applications wanting to do this will get no
result and a warning will be shown. This also means that the
configuration module's Test button does not actually play a sound for
anything but the primary device.
* stream-category: setting a stream category (pulseaudio role) is not
possible, all streams are always category Video
Changes
* Buildsystem helpers are now installed to CMAKE_INSTALL_DATAROOTDIR
* CMake 2.8.9 is required to use GNUInstallDirs and for the Qt5 code
branches
* automoc4 support was removed. Building always uses the cmake built-in
solution now.
* Qt5 and Qt4 builds use different CMake configurations now
* Qt4 is as it always has been
* Qt5 moved away from crudely ported Qt4 configurations to using
extra-cmake-modules' KDE compiler and cmake flags.
* Installation paths and so forth are still jointly configured as to
retain backwards compatibility (i.e. Qt5 build does not follow ECM's
KDEInstallationPaths)
Bug Fixes
* VolumeSlider has seen async behavior improvements making the slider
not hop around when changing the volume rapidly and the backend is
lagging a bit behind. The volume change now occurs upon slider release
rather than instantly.
* Fixed a double encoding issue with local paths that contain percent
encoded characters being double-encoded
New API
* New AudioOutputInterface49 for backends to implement. This interface
implements long-existing frontend interfaces for muting, giving the
backend easier access and control.
* setMuted(bool) mutes an AudioOutput (without the 4.9 interface this
is done via setVolume(0.0) on the backend)
* mutedChanged(bool) signal emitted by the backend to asynchronously
notify of the mute application
* The interface is only used if PulseSupport is not intercepting calls
* New methods to differentiate states of PulseSupport
* request(bool) is used by backends to request PulseAudio usage but no
interception, this essentially enables device listing but lets
everything else fall through to the backend (the existing isActive()
method will not return true after request(true), which makes it
different from enable(true))
* isRequested() is a getter for request()'s state
* isUsable() is part of the previous isActive() behavior, it is true
iff pulseaudio can be used (daemon running, connected etc)
* isUsed() is a combination of isRequested() and isUsable() (i.e. active
but not intercepting)
* The existing isActive() communicates the same state as before (active
and intercepting) but now also takes requested into consideration
* Enabling always implies requesting automatically, so request(false)
and enable(true) will ultimately still result in isRequested==true
- Add a way to get the frequency for a mode as a floating number
- Reduce log spam in thumbnailing
- Capitalize language and territory names
- Add default keyboard layout for Mexico and Guatemala
- Avoid a crash when thumbnailing
- Be more careful when parsing locales
- Fix a compiler warning in gnome-rr
- Fix turning off tiled monitors
- Fix thumbnailing of animations
- Support g_autoptr() for all libgnome-desktop object types
- Remove unused EDID parsing code
- Support underscanning
- Export dpms information
- Add support for tiled monitors
- Fix build of installed-tests
- Add support for overscan compensation in displays (#748560)
- Translation updates