Changes:
Version 9.50 (2019-09-30)
Highlights in this release include:
* The change to version 9.50 (rather than the intended 9.28) follows
recognition of the extent and importance of the file access control
redesign/reimplementation outlined below.
* The file access control capability (enable with -dSAFER) has been
completely rewritten, with a ground-up rethink of the design. For more
details, see: SAFER.
It is important to note that -dSAFER now only enables the file access
controls, and no longer applies restrictions to standard Postscript
functionality (specifically, restrictions on setpagedevice). If your
application relies on these Postscript restrictions, see OLDSAFER, and
please get in touch, as we do plan to remove those Postscript restrictions
unless we have reason not to.
IMPORTANT: File access controls are now enabled by default. In order to run
Ghostscript without these controls, see NOSAFER
Important Note for Windows Users: See below under Incompatible Changes
* IMPORTANT: We are in the process of forking LittleCMS. LCMS2 is not thread
safe, and cannot be made thread safe without breaking the ABI. Our fork
will be thread safe, and include performance enhancements (these changes
have all been offered and rejected upstream). We will maintain
compatibility between Ghostscript and LCMS2 for a time, but not in
perpetuity. Our fork will be available as its own package separately from
Ghostscript (and MuPDF).
* The usual round of bug fixes, compatibility changes, and incremental
improvements.
* Special thanks to Akira Kakuto, Paul Wessel, William Bader, Nelson H. F.
Beebe and everyone else who put time and effort into testing this new
release.
For a list of open issues, or to report problems, please visit
bugs.ghostscript.com.
Incompatible changes
* There are a couple of subtle incompatibilities between the old and new
SAFER implementations. Firstly, as mentioned above, SAFER now leaves
standard Postscript functionality unchanged (except for the file access
limitations). Secondly, the interaction with save/restore operations,
see SAFER.
Important Note for Windows Users:
The file/path pattern matching is case sensitive, even on Windows. This is
a change in behaviour compared to the old code which, on Windows, was case
insensitive. This is in recognition of changes in Windows behaviour, in
that it now supports (although does not enforce) case sensitivity.
* The following is not strictly speaking new to 9.50, as not much has changed
since 9.27 in this area, but for those who don't upgrade with every
release:
The process of "tidying" the Postscript name space should have removed only
non-standard and undocumented operators. Nevertheless, it is possible that
any integrations or utilities that rely on those non-standard and
undocumented operators may stop working, or may change behaviour.
If you encounter such a case, please contact us (either the #ghostscript
IRC channel, or the gs-devel mailing list would be best), and we'll work
with you to either find an alternative solution or return the previous
functionality, if there is genuinely no other option.
One case we know this has occurred is GSView 5 (and earlier). GSView 5
support for PDF files relied upon internal use only features which are no
longer available. GSView 5 will still work as previously for Postscript
files. For PDF files, users are encouraged to look at MuPDF.
pkgsrc changes:
- Update HOMEPAGE
Changes:
Version 0.17 (2019 October 1)
* Updated documentation with accurate contact information.
* Moved version number to jbig2.h, and adapted configure
correspondingly. Added pkg-config file to be installed
alongside library. Added run-time check of version
number so that the correct header is used with the matching
binary library.
* Bug fixes.
Changes since 19.3.15:
When a package-settable variable gets a default value using the ?=
operator, pkglint no longer suggests to include bsd.prefs.mk, since that
doesn't make sense. Including bsd.prefs.mk only defines user-settable
and system-provided variables.
User and group names may be a single character only. While not widely
used, it's syntactically valid and there's no reason to prevent this.
In variable assignments, when pkglint removes unnecessary whitespace
between the variable name and the operator, it keeps the indentation of
the variable value the same as before. Previously, the indentation had
been changed, which required another run of pkglint --autofix.
PREFIX can only be used as a replacement for LOCALBASE after the whole
package Makefile has been loaded. This is because PREFIX is defined
very late, by bsd.pkg.mk. Therefore, don't suggest to replace LOCALBASE
with PREFIX in .if conditions.
When pkglint suggests to replace INSTALL_DATA_DIR commands with setting
INSTALLATION_DIRS instead, paths with a trailing slash are correctly
looked up in the PLIST. This suggests to use AUTO_MKDIRS more often.
1.19.2
Folders like .cache won't be pruned from the node_modules after each install.
Correctly installs workspace child dependencies when workspace child not symlinked to root.
Makes running scripts with Plug'n Play possible on node 13.
Change run command to check cwd/node_modules/.bin for commands. Fixes run in workspaces.
6.13.2:
BUG FIXES
* fix docs target typo
* fix(packageRelativePath): fix 'where' for file deps
* Revert "windows: Add preliminary WSL support for npm and npx"
* remove unnecessary package.json read when reading shrinkwrap
* fix(fund): open url for string shorthand
* Don't log error message if git tagging is disabled
* Warn the user that it is uninstalling npm-install
Moved nodejs to nodejs10 - version 10.17.0
Version 12.13.1 'Erbium' (LTS):
Notable changes
Experimental support for building Node.js with Python 3 is improved.
ICU time zone data is updated to version 2019c. This fixes the date offset in Brazil.
Version 13.3.0:
Notable Changes
fs:
Reworked experimental recursive rmdir()
The maxBusyTries option is renamed to maxRetries, and its default is set to 0. The emfileWait option has been removed, and EMFILE errors use the same retry logic as other errors. The retryDelay option is now supported. ENFILE errors are now retried.
http:
Make maximum header size configurable per-stream or per-server
http2:
Make maximum tolerated rejected streams configurable
Allow to configure maximum tolerated invalid frames
wasi:
Introduce initial WASI support
Exim version 4.93
-----------------
JH/01 OpenSSL: With debug enabled output keying information sufficient, server
side, to decode a TLS 1.3 packet capture.
JH/02 OpenSSL: Suppress the sending of (stateful) TLS1.3 session tickets.
Previously the default library behaviour applied, sending two, each in
its own TCP segment.
JH/03 Debug output for ACL now gives the config file name and line number for
each verb.
JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
buffer overrun for (non-chunking) other transports.
JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
TLS1.3, means that a server rejecting a client certificate is not visible
to the client until the first read of encrypted data (typically the
response to EHLO). Add detection for that case and treat it as a failed
TLS connection attempt, so that the normal retry-in-clear can work (if
suitably configured).
JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
and/or domain. Found and fixed by Jason Betts.
JH/08 Add hardening against SRV & TLSA lookups that hit CNAMEs (a nonvalid
configuration). If a CNAME target was not a wellformed name pattern, a
crash could result.
JH/09 Logging: Fix initial listening-on line for multiple ports for an IP when
the OS reports them interleaved with other addresses.
JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
used both for input and for a verify callout, both encrypted, SMTP
responses being sent by the server could be lost. This resulted in
dropped connections and sometimes bounces generated by a peer sending
to this system.
JH/11 Harden plaintext authenticator against a badly misconfigured client-send
string. Previously it was possible to cause undefined behaviour in a
library routine (usually a crash). Found by "zerons".
JH/12 Bug 2384: fix "-bP smtp_receive_timeout". Previously it returned no
output.
JH/13 Bug 2386: Fix builds with Dane under LibreSSL 2.9.0 onward. Some old
API was removed, so update to use the newer ones.
JH/14 Bug 1891: Close the log file if receiving a non-smtp message, without
any timeout set, is taking a long time. Previously we would hang on to a
rotated logfile "forever" if the input was arriving with long gaps
(a previous attempt to fix addressed lack, for a long time, of initial
input).
HS/01 Bug 2390: Use message_id for tempfile creation to avoid races in a
shared (NFS) environment. The length of the tempfile name is now
4 + 16 ("hdr.$message_exim_id") which might break on file
systems which restrict the file name length to lower values.
(It was "hdr.$pid".)
HS/02 Bug 2390: Use message_id for tempfile creation to avoid races in a
shared (NFS) environment.
HS/03 Bug 2392: exigrep does case sensitive *option* processing (as it
did for all versions <4.90). Notably -M, -m, --invert, -I may be
affected.
JH/15 Use unsigned when creating bitmasks in macros, to avoid build errors
on some platforms for bit 31.
JH/16 GnuTLS: rework ciphersuite strings under recent library versions. Thanks
to changes apparently associated with TLS1.3 handling some of the APIs
previously used were either nonfunctional or inappropriate. Strings
like TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM__AEAD:256
and TLS1.2:ECDHE_SECP256R1__RSA_SHA256__AES_128_CBC__SHA256:128 replace
the previous TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256 .
This affects log line X= elements, the $tls_{in,out}_cipher variables,
and the use of specific cipher names in the encrypted= ACL condition.
JH/17 OpenSSL: the default openssl_options now disables ssl_v3.
JH/18 GnuTLS: fix $tls_out_ocsp under hosts_request_ocsp. Previously the
verification result was not updated unless hosts_require_ocsp applied.
JH/19 Bug 2398: fix listing of a named-queue. Previously, even with the option
queue_list_requires_admin set to false, non-admin users were denied the
facility.
JH/20 Bug 2389: fix server advertising of usable certificates, under GnuTLS in
directory-of-certs mode. Previously they were advertised despite the
documentation.
JH/21 The smtp transport option "hosts_noproxy_tls" is now unset by default.
A single TCP connection by a client will now hold a TLS connection open
for multiple message deliveries, by default. Previously the default was to
not do so.
JH/22 The smtp transport option "hosts_try_dane" now enables all hosts by
default. If built with the facility, DANE will be used. The facility
SUPPORT_DANE is now enabled in the prototype build Makefile "EDITME".
JH/23 The build default is now for TLS to be included; the SUPPORT_TLS define
is replaced with DISABLE_TLS. Either USE_GNUTLS or (the new) USE_OPENSSL
must be defined and you must still, unless you define DISABLE_TLS, manage
the include-dir and library-file requirements that go with that
choice. Non-TLS builds are still supported.
JH/24 Fix duplicated logging of peer name/address, on a transport connection-
reject under TFO.
JH/25 The smtp transport option "hosts_try_fastopen" now enables all hosts by
default. If the platform supports and has the facility enabled, it will
be requested on all connections.
JH/26 The PIPE_CONNECT facility is promoted from experimental status and is now
controlled by the build-time option SUPPORT_PIPE_CONNECT.
PP/01 Unbreak heimdal_gssapi, broken in 4.92.
JH/27 Bug 2404: Use the main-section configuration option "dsn_from" for
success-DSN messages. Previously the From: header was always the default
one for these; the option was ignored.
JH/28 Fix the timeout on smtp response to apply to the whole response.
Previously it was reset for every read, so a teergrubing peer sending
single bytes within the time limit could extend the connection for a
long time. Credit to Qualys Security Advisory Team for the discovery.
JH/29 Fix DSN Final-Recipient: field. Previously it was the post-routing
delivery address, which leaked information of the results of local
forwarding. Change to the original envelope recipient address, per
standards.
JH/30 Bug 2411: Fix DSN generation when RFC 3461 failure notification is
requested. Previously no bounce was generated and a log entry of
error ignored was made.
JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917)
JH/32 Introduce a general tainting mechanism for values read from the input
channel, and values derived from them. Refuse to expand any tainted
values, to catch one form of exploit.
JH/33 Bug 2413: Fix dkim_strict option. Previously the expansion result
was unused and the unexpanded text used for the test. Found and
fixed by Ruben Jenster.
JH/34 Fix crash after TLS shutdown. When the TCP/SMTP channel was left open,
an attempt to use a TLS library read routine dereffed a null pointer,
causing a segfault.
JH/35 Bug 2409: filter out-of-spec chars from callout response before using
them in our smtp response.
JH/36 Have the general router option retry_use_local_part default to true when
any of the restrictive preconditions are set (to anything). Previously it
was only for check_local user. The change removes one item of manual
configuration which is required for proper retries when a remote router
handles a subset of addresses for a domain.
JH/37 Appendfile: when evaluating quota use (non-quota_size_regex) take the file
link count into consideration.
HS/04 Fix handling of very long lines in -H files. If a -<key> <value> line
caused the extension of big_buffer, the following lines were ignored.
JH/38 Bug 1395: Teach the DNS negative-cache about TTL value from the SOA in
accordance with RFC 2308. Previously there was no expiry, so a longlived
receive process (eg. due to ACL delays) versus a short SOA value could
surprise.
HS/05 Handle trailing backslash gracefully. (CVE-2019-15846)
JH/39 Promote DMARC support to mainline.
JH/40 Bug 2452: Add a References: header to DSNs.
JH/41 With GnuTLS 3.6.0 (and later) do not attempt to manage Diffie-Hellman
parameters. The relevant library call is documented as "Deprecated: This
function is unnecessary and discouraged on GnuTLS 3.6.0 or later. Since
3.6.0, DH parameters are negotiated following RFC7919."
HS/06 Change the default of dnssec_request_domains to "*"
JH/42 Bug 2545: Fix CHUNKING for all RCPT commands rejected. Previously we
carried on and emitted a BDAT command, even when PIPELINING was not
active.
JH/43 Bug 2465: Fix taint-handling in dsearch lookup. Previously a nontainted
buffer was used for the filename, resulting in a trap when tainted
arguments (eg. $domain) were used.
JH/44 With OpenSSL 1.1.1 (onwards) disable renegotiation for TLS1.2 and below;
recommended to avoid a possible server-load attack. The feature can be
re-enabled via the openssl_options main configuration option.
JH/45 local_scan API: documented the current smtp_printf() call. This changed
for version 4.90 - adding a "more data" boolean to the arguments.
Bumped the ABI version number also, this having been missed previously;
release versions 4.90 to 4.92.3 inclusive were effectively broken in
respect of usage of smtp_printf() by either local_scan code or libraries
accessed via the ${dlfunc } expansion item. Both will need coding
adjustment for any calls to smtp_printf() to match the new function
signature; a FALSE value for the new argument is always safe.
JH/46 FreeBSD: fix use of the sendfile() syscall. The shim was not updating
the file-offset (which the Linux syscall does, and exim expects); this
resulted in an indefinite loop.
JH/47 ARC: fix crash in signing, triggered when a configuration error failed
to do ARC verification. The Authentication-Results: header line added
by the configuration then had no ARC item.
Noteworthy changes in version 2.2.19:
* gpg: Fix double free when decrypting for hidden recipients.
Regression in 2.2.18.
* gpg: Use auto-key-locate for encryption even for mail addresses
given with angle brackets.
* gpgsm: Add special case for certain expired intermediate
certificates.
It's not always possible to include go-package.mk earlier than bsd.prefs.mk
in a package, for example if the package defines its own do-install target,
so move out the *_SUPPORTED variables that need to be included first.
upstream changes:
-----------------
Fix for an Exim interoperability problem when postscreen after-220 checks
are enabled. Bug introduced in Postfix 3.4: the code that detected
"PIPELINING after BDAT" looked at the wrong variable. The warning now says
"BDAT without valid RCPT", and the error is no longer treated as a command
PIPELINING error, thus allowing mail to be delivered. Meanwhile, Exim has
been fixed to stop sending BDAT commands when postscreen rejects all RCPT
commands.
Usability bug, introduced in Postfix 3.4: the parser for key/certificate
chain files rejected inputs that contain an EC PARAMETERS object. While
this is technically correct (the documentation says what types are allowed)
this is surprising behavior because the legacy cert/key parameters will
accept such inputs. For now, the parser skips object types that it does not
know about for usability, and logs a warning because ignoring inputs is not
kosher.
Bug introduced in Postfix 2.8: don't gratuitously enable all after-220
tests when only one such test is enabled. This made selective tests
impossible with 'good' clients. This will be fixed in older Postfix
versions at some later time.
Curiously, the only thing stopping this from building was the second
accept4() test in the configure script, which doesn't supply the
necessary linker arguments. Elsewhere, the build configuration does
correctly set those same arguments. On current members of the SunOS
family, this meant it would falsely think accept4() wasn't defined
when it really was, which would then lead to a signature mismatch
during compilation.
Changes:
6.22.02 - 20191204
------------------
Fix version in configure.ac
6.22.01 - 20191201
------------------
undo PR/88: Preserve empty arguments in :q, since it breaks
$ set x=""
$ alias test "echo "\""$x:q"\"" is working."
$ alias test
echo "
Changes since 19.3.14:
Invalid lines in PLIST files are now reported as errors instead of
warnings. If pkglint doesn't know about it, it must be an error.
In PLIST files, all paths are validated to be canonical. That is, no
dotdot components, no absolute paths, no extra slashes, no intermediate
dot components.
Fewer notes for unexpanded variable expressions in DESCR files. Before,
the text $@ was reported as possible Makefile variable even though it
was just a Perl expression.
README files are allowed again in pkgsrc package directories. There was
no convincing argument why these should be forbidden.
A few diagnostics have been changed from NOTE to WARNING or from WARNING
to ERROR, to match their wording.
When pkglint suggests to replace :M with ==, the wording is now "can be
made" instead of "should".
Release 2.2.2:
Incompatible changes
* For security reason of python, parallel mode is disabled on macOS and
Python3.8+
Bugs fixed
* LaTeX: 2019-10-01 LaTeX release breaks :file:`sphinxcyrillic.sty`
* i18n: French, Hindi, Chinese, Japanese and Korean translation messages
have been broken
* parallel build causes AttributeError on macOS and Python3.8
3.13.1
Fix a regression when specifying keyword arguments to the atomic() or
transaction() helper methods. Note: this only occurs if you were using Sqlite
and were explicitly setting the lock_type= parameter.
3.13.0
CockroachDB support added
This will be a notable release as it adds support for
CockroachDB, a distributed, horizontally-scalable
SQL database.
CockroachDB usage overview
CockroachDB API documentation
Other features and fixes
Allow FOR UPDATE clause to specify one or more tables (FOR UPDATE OF...).
Support for Postgres LATERAL join.
Properly wrap exceptions raised during explicit commit/rollback in the appropriate peewee-specific exception class.
Capture original exception object and expose it as exc.orig on the wrapped exception.
Properly introspect SMALLINT columns in Postgres schema reflection.
More flexible handling of passing database-specific arguments to atomic() and transaction() context-manager/decorator.
Fix non-deterministic join ordering issue when using the filter() API across several tables