- Libraries and binaries don't have the .note.GNU-stack section stripped
anymore. Previously, "make strip" would strip that section, which
would sometimes (depending on the toolchain) cause binaries to be
incorrectly tagged as needing an executable stack. This is not a
security issue in itself, but an executable stack makes it easier for
an attacker to turn bugs into exploits, so it should be avoided
whenever possible. Thanks to Xavier Stonestreet for reporting and
finding the cause of the problem.
- Link tests are now performed with a regular file as their
output, instead of /dev/null, which makes them more portable to
old/buggy linkers.
Bump default BUILDLINK_API_DEPENDS to match.
most of these simply extend matching from "aarch64" to "aarch64eb"
in various forms of code. most remaining uses in pkgsrc of
"MACHINE_ARCH == aarch64" are because of missing aarch64eb support,
such as most of the binary-bootstrap requiring languages like rust,
go, and java.
no pkg-bump because this shouldn't change packages on systems that
could already build all of these.
- Fix malformed preprocessor directive: ``#ifdef FOO && BAR''
- Use V8_OS_NETBSD instead of defined(__NetBSD__) consistently where appropriate
XXX
Unfortunately, nodejs does not work for aarch64eb yet.
We need to add big-endian support to built-in assembler.
1.3.0.1: Released 2021-02-06
* Fixed build with GHC 9.0.1 (Simon Jakobi).
* Improved test-suite; fixed memory leaks in some tests.
* Moved CI to GitHub Actions.
1.3.0: Released 2020-10-16
* Upgrade included Lua version to new bug-fix release 5.3.6. See the
upstream documentation https://www.lua.org/bugs.html#5.3.5 for the
bugs which have been fixed.
* Stop exporting c_loaded_table and c_prelad_table from module
Foreign.Lua.Raw.Auxiliary. Both values are defined only if the flag
HARDCODE_REG_KEYS is disabled, leading to compilation errors when
the flag is enabled.
* Add new function peekStringy to Peek module. It allows to peek a
value of any IsString type from an UTF-8 encoded string.
* Various improvements to the continuous integration setup, including
cleanup of the config files, version bumps to the ghc/cabal versions
used for testing, and running the linter in a dedicated GitHub
Action.
1.2.0: Released 2020-08-15
* New module Foreign.Lua.Call: the module offers an alternative method
of exposing Haskell functions to Lua. The focus is on
maintainability: types and marshaling methods are made explicit; the
possibility of adding documentation and parameter names improves
error messages and allows for automatic documentation extraction.
Work on this module is ongoing; the interface is likely to
change. Suggestions and feedback are welcome.
* New types Module, Field, and new functions registerModule,
preloadModule, pushModule, and render exported from
Foreign.Lua.Module: this builds on the new Call module and allows
the creation of documented modules as well as automatic generation
of Markdown-formatted module documentation.
* Export new items nth and top from Foreign.Lua.Core and
Foreign.Lua. They are short-hands for nthFromTop and stackTop.
* Performance improvements: Calling of Lua functions and creation of
Haskell data wrapping userdata has been sped up by about 10%. This
is mostly due to using of previously missed optimization
opportunities.
* All foreign imports have been moved to into the new Foreign.Lua.Raw
module. This module will replace the current Foreign.Lua.Core module
in the future and will be distributed as a separate package (likely
starting with the 2.0 release); the remaining parts of the current
Core module will be promoted one level in the module hierarchy.
* The Raw module can be used whenever the full power of HsLua is not
needed.
* Error-signaling of API wrapper functions has been changed: instead
of returning special integer values, functions now take an
additional pointer argument, which is set to the status result of
the computation.
* The Failable type in Core.Error is no longer needed and has been
removed.
* CI builds now include GHC 8.8 and GHC 8.10, ensuring that all GHC
8.* versions are supported.
1.1.2: Released 2020-06-27
* Revert signature of function pushList to it's proper 1.1 value. This
fixes a mistake which caused the 1.1.1 release to be in violation of
the PVP versioning policy.
* Module Foreign.Lua.Peek: add function pushKeyValuePairs (Alex
Loomis).
1.1.1: Released 2020-06-02
WARNING: This version does not conform to the PVP versioning policy,
due to a unintended signature change of function pushList. It is
recommended not to use this version.
* New module Foreign.Lua.Push: provides functions which marshal and
push Haskell values onto Lua's stack.
* Most functions in Foreign.Lua.Types.Pushable are now defined using
functions from this module.
* New module Foreign.Lua.Peek: provides functions which unmarshal and
retrieve Haskell values from Lua's stack. Contrary to peek from
Foreign.Lua.Types.Peekable, the peeker functions in this module will
never throw errors, but use an Either type to signal retrieval
failure.
* The error type PeekError should not be considered final and will
likely be subject to change in later versions.
* Module Foreign.Lua.Utf8: never throw errors when decoding UTF-8
strings. Invalid UTF-8 input bytes no longer cause exceptions, but
are replaced with the Unicode replacement character U+FFFD.
* Fixed missing and faulty Haddock documentation.
* Fixed a bug which caused unnecessary use of strings to represent
floating point numbers under certain configurations.
1.1.0: Released 2020-03-25.
WARNING: The changes in this release are experimental. It is
recommended to skip this release unless the newly introduced features
are required.
* Allow custom error handling: conversion of Lua errors to Haskell
exceptions and back is made configurable. Users can define their own
exception/error handling strategies, even opening up the option to
pass arbitrary exceptions through Lua.
- New types exported from Foreign.Lua.Types:
* ErrorConversion: defines the ways in which exceptions and errors
are handled and converted.
* LuaEnvironment: environment in which Lua computations are
evaluated. Contains the Lua interpreter state and the error
conversion strategy.
- The environment of the Lua type is changed from a plain Lua State
to the above mentioned LuaEnvironment.
- New functions run' is exported from Foreign.Lua.Util and
Foreign.Lua: it is analogous to run, but allows to run
computations with a custom error conversion strategy.
- New function runWithConverter exported from Foreign.Lua.Core.Types
and Foreign.Lua.Core; like run', but takes a custom state.
- New function unsafeRunWith exported from Foreign.Lua.Core.Types
and Foreign.Lua.Core; runs a computation without proper error
handling.
- New function errorConversion exported from Foreign.Lua.Core.Types
and Foreign.Lua.Core: extract the error conversion strategy from
the Lua type.
- New function throwErrorAsException exported from
Foreign.Lua.Core.Error and Foreign.Lua.Core: throws a Lua error as
Haskell exception, using the current error conversion strategy.
- Function runWith is moved from module Foreign.Lua.Core to
Foreign.Lua.Util.
- The module Foreign.Lua.Utf8 is now exported.
GHC has stopped requiring perl since 8.2.1 release. The last component
written in Perl was the evil splitter (-fsplit-objs), which has been
superseded by -fsplit-sections. Hooray!
Now that allocateExec() in rts/sm/Storage.c uses libffi to map executable
pages, we no longer have to disable these protections unless the RTS linker
is to be used.
Version 1.68.0
--------------
- Closed bugs and merge requests:
* 40.rc session crashes in gjs on unlocking (sometimes) [#387, !588, Marco
Trevisan]
* 40.rc: installed-tests installed despite explicitly disabled [#388, !589,
Philip Chimento]
Version 1.67.3
--------------
- Closed bugs and merge requests:
* System.exit() doesn't work inside signal handler [#19, !565, Evan Welsh]
* GdkEvent subtypes trigger assert in Gtk4 [#365, !566, Evan Welsh]
* Replace g_memdup [#375, !567, Philip Chimento]
* 1.67.2: build fails with gcc 11 [#376, !568, Philip Chimento]
* Warnings introspecting array of boxed type as signal argument. [#377, !569,
Carlos Garnacho]
* Add list command to debugger [!571, Nasah Kuma]
* Assertion failure in enqueuePromiseJob [#349, !572, Philip Chimento]
* in interpreter Ctrl-c should exit inner shell if stuck [#98, !574, Philip
Chimento]
* Compiler ambiguity in enum-utils.h on operator overloading [#368, !576,
Chun-wei Fan]
* Fix GJS_DISABLE_JIT not fully disabling JIT [!575, Ivan Molodetskikh]
* Error running gjs built with prefix: g_object_new_is_valid_property: object
class 'GjsContext' has no property named 'program-path' [#381, !577, Sonny
Piers]
* Various maintenance [!578, !586, Philip Chimento]
* Add some profiling labels [!579, Ivan Molodetskikh]
* Some installed tests (introspection) segfault when GTK isn't available
[#383, !580, Olivier Tilloy]
* Installed tests do not install the js/modules subdir [#384, !581, Olivier
Tilloy]
* Installed tests fail because expected path doesn't include project name
[#385, !582, Olivier Tilloy]
* 1.67.2: Regress test hangs / timeouts on i686 [#379, !583, Marco Trevisan]
* object: Do not call any function on disposed GObject pointers [!585, Marco
Trevisan]
Version 1.67.2
--------------
- New language features: Importing ES modules is now supported, both statically
with import statements and dynamically with the import() function. For more
information on how to use modules, see:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/import
Four built-in modules exist: cairo, gettext, gi, and system. Except for gi,
they work similarly to the old-style modules imports.cairo, imports.gettext,
and imports.system. Consult the documentation in doc/Modules.md on how to use
them.
- The debugger now has a "list" command which works very similarly to its GDB
equivalent.
- New API: GObject.ParamSpec.jsobject() works like the other GObject.ParamSpec
types, and allows you to have a GObject property whose value is a JavaScript
object (plain object, Date, Array, etc.)
- New API: System.programPath is the name of the JS program that GJS is running,
or null if there isn't one (for example, in the interactive interpreter.)
- New API: System.programArgs is an array of arguments given to the JS program.
It is the same as ARGV but is consistently always present. (ARGV was not
defined in the interactive interpreter or when embedding GJS in a C program.)
- Closed bugs and merge requests:
* Support Native JSObject GType for Signals and Properties [!305, Marco
Trevisan, Philip Chimento]
* Add 'system.programPath' API. [!443, Evan Welsh]
* ESM: Enable static imports. (Part 3) [!450, Evan Welsh, Philip Chimento]
* Refactor ARGV handling and add `system.programArgs` [!455, Evan Welsh,
Philip Chimento]
* Function make the object more C++ friendly [!514, Marco Trevisan]
* ESM: Enable dynamic imports. [!525, Evan Welsh, Philip Chimento]
* Remove JSClass macros from Ns, GType, and Cairo types [!549, Philip
Chimento]
* various documentation improvements [!551, Sonny Piers]
* Replace remaining mentions of window with globalThis [!552, Sonny Piers]
* add .editorconfig file [!553, Sonny Piers]
* Display current line of source code when displaying current frame in
debugger [!554, Nasah Kuma]
* doc: add Clapper and Flatseal to thirty party applications written in GJS
[!555, Sonny Piers]
* Multiline template literals are missing newlines when entered at interactive
prompt [#371, !556, Ales Huzik]
* function: Remove JSClass macros [!558, Philip Chimento, Marco Trevisan]
* Missing classes on global. [#372, !559, Philip Chimento]
* arg: fix build failure with glib main branch [!560, Michael Catanzaro]
* Update to Jasmine 2.9.1 [!561, Evan Welsh]
* Various maintenance [!562, Philip Chimento]
* Add list command to debugger [!563, Nasah Kuma]
* Upgrade to Jasmine 3.6.0 [!564, Evan Welsh]
- Various refactors in preparation for BigInt support in gobject-introspection
[Marco Trevisan]
Version 1.67.1
--------------
- The debugger now has a "backtrace full" command which works very similarly to
its GDB equivalent.
- The GObject.ParamFlags.CONSTRUCT_ONLY flag is now correctly enforced, when
using it on GObject classes defined in JavaScript. This might break code that
was incorrectly trying to set a property that it had previously defined as
construct-only. The workaround is to remove the CONSTRUCT_ONLY flag.
- Fixed exception when calling GObject.Type().
- Several performance improvements.
- Progress on ES Modules.
- Closed bugs and merge requests:
* gobject: Handle CONSTRUCT_ONLY flag [!377, Florian Müllner]
* Add native module registry to global (Part 2) [!456, Evan Welsh]
* testGIMarshalling: Expand test coverage for flags [!479, Simon McVittie]
* Private Objects: Use native allocators and structs [!494, Marco Trevisan]
* Pass-by-reference GValue arguments do not work right [#74, !496, !507, Marco
Trevisan]
* Templated-data-only GjsAutoPointer (and use it more around) [!504, Marco
Trevisan]
* Error in function "_init()" in module "modules/overrides/GObject.js" [#238,
!508, Nina Pypchenko]
* fails to build on 32-bit [#357, !511, Michael Catanzaro]
* Revert "arg-cache: Save space by not caching GType" [!512, Jonas Dreßler]
* gi/wrapperutils: Move gjs_get_string_id() into resolve() implementations
[!513, Jonas Dreßler]
* updates on eslint configuration [!517, Nasah Kuma]
* Update CONTRIBUTING.md about the runner system failure [!518, Nasah Kuma]
* Switch to eslint-plugin-jsdoc and remove lint-condo [!520, #359, Evan Welsh,
Philip Chimento]
* gi: Check property before access [!521, Florian Müllner]
* testGIMarshalling: Actually run the GPtrArray utf8 tests [!522, Marco
Trevisan]
* Add more documents for "imports" and "imports.gi" [!526, wsgalaxy]
* overrides/Gtk: Set BuilderScope in class init [!527, Florian Müllner]
* gi/arg-cache: Only skip array length parameter once [!528, Florian Müllner]
* Copyright conformance with Reuse Software spec [!529, Philip Chimento, Evan
Welsh]
* Remove JSClass macros [!530, !533, !537, Philip Chimento]
* Avoid pulling from DockerHub in CI [!531, Philip Chimento, Marco Trevisan]
* Use GNOME-specific rules with cppcheck [!532, Philip Chimento]
* Fedora 33 CI images [!535, Philip Chimento]
* Fix IWYU bugs [!536, Philip Chimento]
* Reduce bandwidth usage in CI, and pick a more accurate base for diff checks
[!538, Philip Chimento]
* debugger: Make '$$' mean the last value [!539, Philip Chimento]
* Add codespell CI job [#362, !540, !541, !547, Björn Daase]
* Various maintenance [!542, !548, Philip Chimento]
* fix readline build on certain systems [!543, Jakub Kulík]
* build: Require gobject-introspection 1.66.0 [!546, Philip Chimento]
* Add backtrace full command to debugger [#208, !550, Nasah Kuma]
- Various refactors for type safety [Marco Trevisan]
- Various maintenance [Philip Chimento]
Version 1.66.2
--------------
- Performance improvements and crash fixes backported from the development
branch.
- Bug fixes enabling use of GTK 4.
- Closed bugs and merge requests:
* Error in function "_init()" in module "modules/overrides/GObject.js" [#238,
!508, Nina Pypchenko]
* Revert "arg-cache: Save space by not caching GType" [!512, Jonas Dreßler]
* gi/wrapperutils: Move gjs_get_string_id() into resolve() implementations
[!513, Jonas Dreßler]
* overrides/Gtk: Set BuilderScope in class init [!527, Florian Müllner]
* fix readline build on certain systems [!543, Jakub Kulík]
This appears to no longer be needed.
I could swear I had done a successful re-build before the previous commit,
so not sure how that happened.
Build fix, so no revision bump.
Changelog:
* Bugfixes.
Target Specific Changes
AArch64
A bug with the Random Number intrinsics in the arm_acle.h header
that resulted in an incorrect status result being returned has
been fixed.
GCC now supports the Fujitsu A64FX. The associated -mcpu and
-mtune options are -mcpu=a64fx and -mtune=a64fx respectively.
In particular, -mcpu=a64fx generates code for Armv8.2-A with
SVE and tunes the code for the A64FX. This includes tuning the
SVE code, although by default the code is still length-agnostic
and so works for all SVE implementations. Adding -msve-vector-bits=512
makes the code specific to 512-bit SVE.
The current i386 bootstrap is built for NetBSD 8.x, and so is linked
against libstdc++.so.8. NetBSD 9.x still requires compat80 for it to
run.
This isn't a complete workaround, as builds still fail in a sandboxed
environment that doesn't have compat80 installed outside it. Dealing
with that would require another workaround somewhat like the one used
for ghc*, but a little different.
Vala 0.52.1
===========
* Various improvements and bug fixes:
- codegen:
+ Improve handling of ellipsis parameter in get_ccode_name()
+ Fix default value of get_ccode_destroy_notify_pos()
+ Don't override valid target/destroy of previous lambda argument [#59]
+ Don't call *_instance_init() in compact class chainup
- vala: Mark tranformed static member-access as qualified [#270]
- parser: Stricter mode for chained member initializer with --keep-going [#1158]
- girwriter: namespace expects "c:symbol-prefixes" attribute [#1038]
- girwriter: Don't use instance-parameter inside callback [#1167]
- girparser,libvaladoc/girimporter: Don't guess length of xml header, iterate
forward to <repository>
- libvaladoc/girimporter: parse_constant() use "c:identifier" attribute first
* Bindings:
- gsl: Add BLAS module [#1149]
- rest-0.7: Fix OAuthProxyAuthCallback binding
- gtk+-3.0: Fix ModuleInitFunc binding
- gio-2.0: Fix TlsPassword.get_value() binding
- Fix several bindings which lead to invalid code by using them in:
javascriptcoregtk-4.0, libusb, libusb-1.0, pixman-1,
webkit2gtk-web-extension-4.0, x11, zlib,
Vala 0.52.0
===========
* Various improvements and bug fixes:
- codegen: Include "glib.h" for deprecated symbols (GOBJECT) [#1155]
- vala: Improve error for incompatible expressions in conditional expression
- vala: Check for unused attributes unconditionally
- girparser: Allow overriding of "Compact" attribute for classes
- girparser: Handle empty "<type/>" element and report an error
- girparser: Add support for NoWrapper metadata for methods
- build: Add --enable-test-asan configure option
* Bindings:
- gio-2.0: Add some missing NoWrapper and CCode.has_typedef attributes
- gnutls: Fix some binding errors
- gsl: Fix some binding errors
- gstreamer: Update from 1.19.0+ git master
- gtk4: Add Gtk.INVALID_LIST_POSITION [#1151]
- gtk4-unix-print: Switch to gir
- gtk4: Update to 4.1.2
- linux: Provide Input.Event.input_event_sec/input_event_usec fields [#1152]
- vapi: Fix a couple of attribute typos
- webkit2gtk-4.0: Update to 2.31.91
Vala 0.51.91
============
* Various improvements and bug fixes:
- codegen:
+ Error for missing type-arguments of HashTable (de)serialization [#1147]
+ Free intermediate temp-variables of postcondition expression [#80]
+ Use the one available source_reference for internal error [#436]
+ Fix access to captured generics in async method of interfaces [#537]
+ Don't ever create null-aware free macro for GenericType
+ Don't add generics arguments/parameters to async finish method
+ Drop inner casts before converting between generics and integers
- vala:
+ Add missing null-check in DataType.get_type_signature()
+ Check array type of declarations for errornous type-arguments
+ Check (optional) type-arguments of array creation expression
+ Replace all type parameter occurances in parameters for signal delegate
* Bindings:
- glib-2.0,gio-2.0: Add some missing type-arguments
- vapi: Update GIR-based bindings
Vala 0.51.90
============
* Various improvements and bug fixes:
- codegen:
+ More use of get_ccode_type_name()
+ "_first_array" parameter for params-array is variadic too
+ Inherit GType from base struct of SimpleType structs
- vala:
+ Report warning if --target-glib=auto was not evaluated successfully
+ Fix ownership inheritance of "unowned var" in foreach statement
+ Use pre-resolved symbol/type of SemanticAnalyzer if possible
- gdbus: Don't leak memory of deserialized arguments on error in wrapper method
- girparser: Reuse populated Node.gtype_struct_for instead of resolving again
- girparser: Evaluate "glib:type-struct" twice to pick up reparented structs
- testrunner: Include Gio-2.0/gio-2.0 for GIR tests too
* Bindings:
- gtk4: Update to 4.1.1+f8f90d85
Vala 0.51.3
===========
* Various improvements and bug fixes:
- codegen:
+ Don't use volatile modifier in glib API when targetting >= 2.68 [glib!1719]
+ CCodeBaseModule.get_type_id_expression () won't return null
+ Don't wrongly emit declaration for default-handler of signals
+ Include "string.h" for strcmp() (POSIX)
- vala:
+ Generics value holding struct pointer requires casting on access [#347]
+ Infer needle type for "in" expression on enum [#1138]
+ Don't allow "in" operation with different enum types [#1139]
+ Improve context check whether property is writeable on assignments
+ Include "stdlib.h" for Enum.to_string() (POSIX) [#1143]
+ Set proper source_reference for implicit "this" and "result" variables
+ Report error for invalid inner operand of unary expressions
- girwriter: Output default handler of signals
* Bindings:
- glib-2.0: Add new symbols from 2.68
- webkit2gtk-4.0: Update to 2.31.90
- vapi: Update GIR-based bindings
Vala 0.51.2
===========
* Various improvements and bug fixes:
- vala:
+ Check type-arguments in base-types/prerequisites of class/interface [#404]
+ Include type-checks in preconditions of methods for type narrowing [#894]
+ Capturing va_list parameters/variables is not allowed [#1136]
+ Properly parse and handle chained initialization of members [#1137]
- codewriter: Output valid vala syntax for LoopStatement and don't write
trailing ";" after body of WithStatement
* Bindings:
+ gstreamer: Update from 1.19.0+ git master
+ vapi: Update GIR-based bindings
Vala 0.51.1
===========
* Highlights:
- Support "binding" to bind GtkCallback to class of given property [#1093]
- Add support for type narrowing [#894]
- Support chain up to simple generics constructor [#342]
- Perform runtime version check of libvala [#88]
- girparser: Handle anonymous delegate not backed by virtual-method or signal
- Add support for 'opaque' compact classes [#1129]
- Add further support for params arrays in constructors [#128]
- Improve handling of "NoWrapper" attribute
- Improve support of SimpleType struct constructors
- Use __attribute__ instead of G_GNUC_* in POSIX profile
- Add SDL 2.x bindings [#1032] amd drop SDL 1.x
* Various improvements and bug fixes:
- codegen:
+ Improve GValueModule.visit_cast_expression()
+ Drop obsolete dedicated handling of property value-parameter
+ Apply CCodeModifiers.PRINTF to "string_printf" (POSIX)
+ Allow CCode.type_cname for classes and use get_ccode_type_name()
+ Always use G_TYPE_INSTANCE_GET_CLASS/INTERFACE for external symbols
+ Also check array type of variable argument for ref parameters
+ Don't leak array memory after it was implicitly copied
+ Use g_boxed_free in free-wrapper for heap-allocated GLib.Value
+ Don't leak GLib.Value when implicitly unboxing it
+ Don't leak memory moving heap-allocated struct to stack
+ Chain up to base struct destroy function
+ Use g_memdup2 if target glib >= 2.68 is set
+ Replace "g_memdup" with "_vala_memdup2" for target glib < 2.68
+ Correctly retrieve symbol_reference of nested cast expressions [#1134]
+ Strip all nested occurances of CCodeCastExpression [#1134]
- vala:
+ Improve detection of duplicate package source files
+ GtkChild fields/properties must be declared as unowned [#1121]
+ Don't allow assigning GtkChild fields/properties [#1121]
+ Apply stricter condition for lambda to delegate assignment
+ Don't allow disposable SimpleType structs
+ Rename Loop to LoopStatement and introduce a common base class
+ GLib.Value unboxing returns unowned value
+ Don't allow GLib.Value casting to nullable struct/simple types
+ Add Block.unreachable_exit and have it set by FlowAnalyzer [#838]
+ Convert Report.*() to real printf-like functions
+ Avoid taking extra reference of foreach collection for index iteration
+ Make sure parent_symbol for special async parameters is available
+ Require a valid DataType instance for every TargetValue
- girparser:
+ Minor improvement to field getter detection
+ Apply "delegate_target" metadata for methods and parameters
+ Apply "destroy_notify_cname" metadata for fields
+ Apply "type_get_function" metadata for classes and inferfaces
+ Set CCode.type_cname for classes if it doesn't match our default
- girwriter: Infer gir_namespace/version from target GIR filename [#606]
- girwriter: Write instance-parameter elements [#1128]
- libvaladoc/html: Don't sort struct fields to keep their original order
- libvaladoc: Correctly retrieve value for Api.Class.is_compact
- libvaladoc: Add wrapper for "agedge" of graphviz
- valadoc: Correctly set verbose flag on CodeContext
- valadoc: Replace png icons with elementary's svg version
* Bindings:
- Add enchant-2 bindings for Enchant 2.x
- Add gnu.vapi with binding for getopt_long() and some other GNU APIs
- Add libunwind-generic binding
- Fix several bindings which lead to invalid code by using them in:
cairo, gobject-2.0, pango, goocanvas-2.0, curses, alsa, bzlib, sqlite3,
libgvc, posix, gstreamer-1.0, gdk-3.0, gdk-x11-3.0, gtk+-3.0, gtk4,
fuse, libxml-2.0
- curses: Remove initial “w” from some Window method names for consistency
- gdk-pixbuf-2.0: Fix Pixbuf.save_to_streamv_async()
- gdk-pixbuf-2.0: Update to 2.42.3~
- gio-2.0: Fix binding of PollableOutputStream.write*_nonblocking()
- gio-2.0,gtk+-3.0,gtk4: Drop explicit c-type attributes of va_list parameters
- gio-2.0: Pick up missing invoker for some AppInfo/File.*() methods
- gio-2.0: Update to 2.67.3
- glib-2.0: Add GLib.[S]List.is_empty() convenience methods for non-null
- glib-2.0: Add new symbols from 2.68
- glib-2.0: Bind assert_cmp* functions [#395]
- glib-2.0: Improve type of OptionEntry.flags field
- glib-2.0: Make PtrArray a subclass of GenericArray
- gobject-2.0: Add new symbols from 2.68
- gstreamer-1.0: Set CCode.type_id of MiniObject to G_TYPE_BOXED [#1133]
- gstreamer: Update from 1.19.0+ git master
- gtk+-2.0,javascriptcoregtk-4.0: Wrong usage of CCode.type_cname attribute
- gtk+-3.0,gtk4: Fix some delegate return values and parameters
- gtk4: Update to 4.1.0+2712f536
- posix: Add POSIX, GNU and BSD Regex APIs
- webkit2gtk-4.0: Update to 2.31.1
Real changes are in devel/devel/ruby-activestorage61 only.
## Rails 6.1.3.1 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
Real changes are in devel/ruby-activestorage60 only.
## Rails 6.0.3.6 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
Real changes are in devel/ruby-activestorage52 only.
## Rails 5.2.5 (March 26, 2021) ##
* Marcel is upgraded to version 1.0.0 to avoid a dependency on GPL-licensed
mime types data.
*George Claghorn*
* The Poppler PDF previewer renders a preview image using the original
document's crop box rather than its media box, hiding print margins. This
matches the behavior of the MuPDF previewer.
*Vincent Robert*
Ruby 3.0.1 Released (2021-04-05)
Ruby 3.0.1 has been released.
This release includes security fixes. Please check the topics below
for details.
* CVE-2021-28965: XML round-trip vulnerability in REXML
* CVE-2021-28966: Path traversal in Tempfile on Windows
See the commit logs for details.
Ruby 2.7.3 Released (2021-04-05)
This release includes security fixes. Please check the topics below for
details.
* CVE-2021-28965: XML round-trip vulnerability in REXML
* CVE-2021-28966: Path traversal in Tempfile on Windows
See the commit logs for details.
Ruby 2.6.7 Released (2021-04-05)
This release includes security fixes. Please check the topics below for
details.
* CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in
WEBrick
* CVE-2021-28965: XML round-trip vulnerability in REXML
See the commit logs for details.
By this release, we end the normal maintenance phase of Ruby 2.6, and Ruby
2.6 enters the security maintenance phase. This means that we will no
longer backport any bug fixes to Ruby 2.6 except security fixes. The term
of the security maintenance phase is scheduled for a year. Ruby 2.6 reaches
EOL and its official support ends by the end of the security maintenance
phase. Therefore, we recommend that you start to plan upgrade to Ruby 2.7
or 3.0.
This release introduces fixes for better support of Erlang/OTP 24+.
1. Enhancements
Elixir
[Kernel] Update formatting when printing warnings and errors from Erlang/OTP 24+
[Kernel] Support float-16 on bitstrings
Mix
[mix local.rebar] This task will now install rebar3 version 3.14.4, compiled with Erlang/OTP 21
Version 14.16.1 'Fermium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines
Version 12.22.1 'Erbium' (LTS)
This is a security release.
Notable Changes
Vulnerabilities fixed:
CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines
Version 12.22.0 'Erbium' (LTS)
Notable changes
The legacy HTTP parser is runtime deprecated
The legacy HTTP parser, selected by the --http-parser=legacy command line option, is deprecated with the pending End-of-Life of Node.js 10.x (where it is the only HTTP parser implementation provided) at the end of April 2021. It will now warn on use but otherwise continue to function and may be removed in a future Node.js 12.x release.
The default HTTP parser based on llhttp is not affected. By default it is stricter than the now deprecated legacy HTTP parser. If interoperability with HTTP implementations that send invalid HTTP headers is required, the HTTP parser can be started in a less secure mode with the --insecure-http-parser command line option.
ES Modules
ES Modules are now considered stable.
node-api
Updated to node-api version 8 and added an experimental API to allow retrieval of the add-on file name.
New API's to control code coverage data collection
v8.stopCoverage() and v8.takeCoverage() have been added.
New API to monitor event loop utilization by Worker threads
worker.performance.eventLoopUtilization() has been added.
Version 10.24.1 'Dubnium' (LTS)
This is a security release.
Notable Changes
Vulerabilties fixed:
CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x releases lines
CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x releases lines
these were disabled in the pkgsrc infrastructure some time ago because
they cannot be built cleanly with older compilers while gcc6 can.
this all seems to be separate from the ada bits in gcc-5-aux which may
still be useful.
Python 3.9.4
Core and Builtins
bpo-43710: Reverted the fix for https://bugs.python.org/issue42500 as it changed the PyThreadState struct size and broke the 3.9.x ABI in the 3.9.3 release (visible on 32-bit platforms using binaries compiled using an earlier version of Python 3.9.x headers).
Library
bpo-26053: Fixed bug where the pdb interactive run command echoed the args from the shell command line, even if those have been overridden at the pdb prompt.
Key off BUILD_TARGET instead of whether we're cross-building,
as bootstrap kits *can* be built natively (yes, the former state
was my suggestion, but on second thought this is more correct).
Python 3.9.3 final
Security
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.
bpo-43555: Report the column offset for SyntaxError for invalid line continuation characters. Patch by Pablo Galindo.
bpo-43517: Fix misdetection of circular imports when using from pkg.mod import attr, which caused false positives in non-trivial multi-threaded code.
bpo-35883: Python no longer fails at startup with a fatal error if a command line argument contains an invalid Unicode character. The Py_DecodeLocale() function now escapes byte sequences which would be decoded as Unicode characters outside the [U+0000; U+10ffff] range.
bpo-43406: Fix a possible race condition where PyErr_CheckSignals tries to execute a non-Python signal handler.
bpo-42500: Improve handling of exceptions near recursion limit. Converts a number of Fatal Errors in RecursionErrors.
Library
bpo-43433: xmlrpc.client.ServerProxy no longer ignores query and fragment in the URL of the server.
bpo-35930: Raising an exception raised in a “future” instance will create reference cycles.
bpo-43577: Fix deadlock when using ssl.SSLContext debug callback with ssl.SSLContext.sni_callback().
bpo-43521: ast.unparse can now render NaNs and empty sets.
bpo-43423: subprocess.communicate() no longer raises an IndexError when there is an empty stdout or stderr IO buffer during a timeout on Windows.
bpo-27820: Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with initial_response_ok=False will fail.
The cause is that SMTP.auth_login _always_ returns a password if provided with a challenge string, thus non-compliant with the standard for AUTH LOGIN.
Also fixes bug with the test for smtpd.
bpo-43332: Improves the networking efficiency of http.client when using a proxy via set_tunnel(). Fewer small send calls are made during connection setup.
bpo-43399: Fix ElementTree.extend not working on iterators when using the Python implementation
bpo-43316: The python -m gzip command line application now properly fails when detecting an unsupported extension. It exits with a non-zero exit code and prints an error message to stderr.
bpo-43260: Fix TextIOWrapper can not flush internal buffer forever after very large text is written.
bpo-42782: Fail fast in shutil.move() to avoid creating destination directories on failure.
bpo-37193: Fixed memory leak in socketserver.ThreadingMixIn introduced in Python 3.7.
Documentation
bpo-43199: Answer “Why is there no goto?” in the Design and History FAQ.
bpo-43407: Clarified that a result from time.monotonic(), time.perf_counter(), time.process_time(), or time.thread_time() can be compared with the result from any following call to the same function - not just the next immediate call.
bpo-27646: Clarify that ‘yield from <expr>’ works with any iterable, not just iterators.
bpo-36346: Update some deprecated unicode APIs which are documented as “will be removed in 4.0” to “3.12”. See PEP 623 for detail.
Tests
bpo-37945: Fix test_getsetlocale_issue1813() of test_locale: skip the test if setlocale() fails. Patch by Victor Stinner.
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
bpo-43288: Fix test_importlib to correctly skip Unicode file tests if the fileystem does not support them.
Build
bpo-43631: Update macOS, Windows, and CI to OpenSSL 1.1.1k.
bpo-43617: Improve configure.ac: Check for presence of autoconf-archive package and remove our copies of M4 macros.
macOS
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j.
IDLE
bpo-42225: Document that IDLE can fail on Unix either from misconfigured IP masquerage rules or failure displaying complex colored (non-ascii) characters.
bpo-43283: Document why printing to IDLE’s Shell is often slower than printing to a system terminal and that it can be made faster by pre-formatting a single string before printing.
Python 3.8.9 final
Security
bpo-42988: CVE-2021-3426: Remove the getfile feature of the pydoc module which could be abused to read arbitrary files on the disk (directory traversal vulnerability). Moreover, even source code of Python modules can contain sensitive data like passwords. Vulnerability reported by David Schwörer.
bpo-43285: ftplib no longer trusts the IP address value returned from the server in response to the PASV command by default. This prevents a malicious FTP server from using the response to probe IPv4 address and port combinations on the client network.
Code that requires the former vulnerable behavior may set a trust_server_pasv_ipv4_address attribute on their ftplib.FTP instances to True to re-enable it.
bpo-43439: Add audit hooks for gc.get_objects(), gc.get_referrers() and gc.get_referents(). Patch by Pablo Galindo.
Core and Builtins
bpo-43660: Fix crash that happens when replacing sys.stderr with a callable that can remove the object while an exception is being printed. Patch by Pablo Galindo.
bpo-35883: Python no longer fails at startup with a fatal error if a command line argument contains an invalid Unicode character. The Py_DecodeLocale() function now escapes byte sequences which would be decoded as Unicode characters outside the [U+0000; U+10ffff] range.
bpo-43406: Fix a possible race condition where PyErr_CheckSignals tries to execute a non-Python signal handler.
Library
bpo-35930: Raising an exception raised in a “future” instance will create reference cycles.
bpo-43577: Fix deadlock when using ssl.SSLContext debug callback with ssl.SSLContext.sni_callback().
bpo-43423: subprocess.communicate() no longer raises an IndexError when there is an empty stdout or stderr IO buffer during a timeout on Windows.
bpo-27820: Fixed long-standing bug of smtplib.SMTP where doing AUTH LOGIN with initial_response_ok=False will fail.
The cause is that SMTP.auth_login _always_ returns a password if provided with a challenge string, thus non-compliant with the standard for AUTH LOGIN.
Also fixes bug with the test for smtpd.
bpo-43399: Fix ElementTree.extend not working on iterators when using the Python implementation
bpo-43316: The python -m gzip command line application now properly fails when detecting an unsupported extension. It exits with a non-zero exit code and prints an error message to stderr.
bpo-43260: Fix TextIOWrapper can not flush internal buffer forever after very large text is written.
bpo-42782: Fail fast in shutil.move() to avoid creating destination directories on failure.
bpo-37193: Fixed memory leak in socketserver.ThreadingMixIn introduced in Python 3.7.
Documentation
bpo-43199: Answer “Why is there no goto?” in the Design and History FAQ.
bpo-43407: Clarified that a result from time.monotonic(), time.perf_counter(), time.process_time(), or time.thread_time() can be compared with the result from any following call to the same function - not just the next immediate call.
bpo-27646: Clarify that ‘yield from <expr>’ works with any iterable, not just iterators.
bpo-36346: Update some deprecated unicode APIs which are documented as “will be removed in 4.0” to “3.12”. See PEP 623 for detail.
Tests
bpo-37945: Fix test_getsetlocale_issue1813() of test_locale: skip the test if setlocale() fails. Patch by Victor Stinner.
bpo-41561: Add workaround for Ubuntu’s custom OpenSSL security level policy.
Build
bpo-43631: Update macOS, Windows, and CI to OpenSSL 1.1.1k.
bpo-43617: Improve configure.ac: Check for presence of autoconf-archive package and remove our copies of M4 macros.
macOS
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1j.
IDLE
bpo-42225: Document that IDLE can fail on Unix either from misconfigured IP masquerage rules or failure displaying complex colored (non-ascii) characters.
bpo-43283: Document why printing to IDLE’s Shell is often slower than printing to a system terminal and that it can be made faster by pre-formatting a single string before printing.
use of these packages was disabled in the pkgsrc infrastructure in
january because they were causing problems on platforms with older
compilers that can build gcc6 just fine:
glibc + FORTIFY + gcc48,gcc49,gcc5 = build failures.
gcc48 and newer require a c++98 compiler, same as all gcc versions up
to 11, so are not useful for bootstrapping.
gcc5 has additional Ada bits, someone needs to determine if they're
useful before it can go.
The final compiler will be dynamically linked with OpenSSL and curl,
but this is undesirable in the case of bootstraps where it might be
built against a version incompatible with version the user has.
Discussed with he@.
upstream changes:
-----------------
Patch Package: OTP 23.3.1
Git Tag: OTP-23.3.1
Date: 2021-03-30
Trouble Report Id: OTP-17279
Seq num:
System: OTP
Release: 23
Application: ssh-4.11.1
Predecessor: OTP 23.3
Check out the git tag OTP-23.3.1, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- ssh-4.11.1 ------------------------------------------------------
---------------------------------------------------------------------
The ssh-4.11.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17279 Application(s): ssh
The idle_time timer was not cancelled when a channel
was opened within the timeout time on an empty
connection that have had channels previously.
Full runtime dependencies of ssh-4.11.1: crypto-4.6.4, erts-9.0,
kernel-5.3, public_key-1.6.1, stdlib-3.4.1
---------------------------------------------------------------------
Changes for 23.3 are at https://erlang.org/download/OTP-23.3.README
Havard would like all rusts to be built with rust-cargo-static,
because this makes it easier to produce working bootstaps.
In order to do this, we need to handle the OpenSSL and curl
dependencies in older bootstrap kits properly.
This means, for the remaining bootstraps that do not yet have
cargo with static/vendored dependencies:
- depend on base 8.0 openssl (compat80) on i386.
- depend on pkgsrc curl on aarch64 and earmv7.
the armv7 bootstrap is built for 9.0 so does not need compat80.
the aarch64 bootstrap is built for 8.99.50 so does not need compat80.
This reduces the external dynamic dependencies, because this
bootstrap kit is built with the --enable-cargo-native-static
option, and is verified to fix the build for martin@
* Move PRINT_PLIST_AWK for ${RUBY_SUFFIX} from gem.mk to rubyversion.mk.
It was previously committed in gem.mk.
* Add support ${RUBY_SUFFIX} to online manual.
0.20.0 (released 2021-01-25)
==============================
Removals
------------------------------
* Python 3.5 is no longer supported.
New Features
------------------------------
* `let` macro now supports extended iterable unpacking syntax.
* New contrib module `pprint`, a Hy equivalent of `python.pprint`.
Bug Fixes
------------------------------
* Fixed a bug that made `hy.eval` from Python fail on `require`.
* Fixed a bug that prevented pickling of keyword objects.
* Fixed a compiler crash from `setv` with an odd number of arguments in
`defclass`.
0.19.0 (released 2020-07-16)
==============================
Breaking Changes
------------------------------
* `parse-args` is no longer implemented with `eval`; so e.g. you should
now say `:type int` instead of `:type 'int`.
New Features
------------------------------
* Python 3.9 is now supported.
Bug Fixes
------------------------------
* Improved support for nesting anaphoric macros by only applying
symbol replacement where absolutely necessary.
* Quoted f-strings are no longer evaluated prematurely.
* Fixed a regression in the production of error messages for empty
expressions.
* Fixed a scoping bug for code executed with `hy -c`.
* Fixed a bug in the compilation of multiple `require`\s.
* Fixed various bugs in command-line option parsing.
macOS on ARM has had 1.16 as the default already for a while. The next
branch should have it for all OSes. Some build breakage has been fixed
already in separate commits.
ok before freeze wiz@
go1.15.8 (released 2021/02/04) includes fixes to the compiler, linker, runtime,
the go command, and the net/http package. See the Go 1.15.8 milestone on our
issue tracker for details.
go1.15.9 (released 2021/03/10) includes security fixes to the encoding/xml
package. See the Go 1.15.9 milestone on our issue tracker for details.
go1.15.10 (released 2021/03/11) includes fixes to the compiler, the go command,
and the net/http, os, syscall, and time packages. See the Go 1.15.10 milestone
on our issue tracker for details.
## 1.15.4 - 2021-03-16
- Increase default nesting depth of pretty printing to `JANET_RECURSION_GUARD`
- Update meson.build
- Add option to automatically add shebang line in installed scripts with `jpm`.
- Add `partition-by` and `group-by` to the core.
- Sort keys in pretty printing output.
## 1.15.3 - 2021-02-28
- Fix a fiber bug that occured in deeply nested fibers
- Add `unref` combinator to pegs.
- Small docstring changes.
go1.16.2 (released 2021/03/11) includes fixes to cgo, the compiler, linker,
the go command, and the syscall and time packages. See the Go 1.16.2 milestone
on our issue tracker for details.
- encoding/xml: infinite loop when using xml.NewTokenDecoder with a
custom TokenReader
The Decode, DecodeElement, and Skip methods of an xml.Decoder provided by
xml.NewTokenDecoder may enter an infinite loop when operating on a custom
xml.TokenReader which returns an EOF in the middle of an open XML element.
Thanks to Sam Whited for reporting this issue.
This issue is CVE-2021-27918 and Go issue golang.org/issue/44913.
- archive/zip: panic when calling Reader.Open
The Reader.Open API, new in Go 1.16, will panic when used on a ZIP archive
containing files that start with "../".
This issue is CVE-2021-27919 and Go issue golang.org/issue/44916.
Add php80 package version 8.0.3 (PHP 8.0.3) with current PHP framework
of pkgsrc.
PHP is a widely-used open source general-purpose scripting language
that is especially suited for web development and can be embedded
into HTML. It is modular, and object-oriented. Much of its syntax
is borrowed from C, Java and Perl with a couple of unique PHP-specific
features thrown in. The language is designed to allow web developers
to write dynamically generated pages quickly.
PHP 8.0 comes with numerous improvements and new features such as
* Union Types
* Named Arguments
* Match Expressions
* Attributes
* Constructor Property Promotion
* Nullsafe Operator
* Weak Maps
* Just In Time Compilation
* And much much more...
Add code frament for supporting php-json.
With forthcoming php80, php-json will not separate package from php80 since
PHP 8 always build json extension in it.
Changes since last version: an option to create a version that supports
32-bit values for the X86/64 platform with a heap size of up to 16Gb.
Otherwise, minor bugfixes and changes.
The package has also been updated to remove some superfluous patches that
have been moved upstream and fix a build problem reported in PR pkg/55569
pkgsrc changes:
---------------
* Update some PLIST entries since the version of packages documented does
not always match the last patchlevel version of OTP.
* Bump revision
upstream changes:
-----------------
Patch Package: OTP 23.2.7
Git Tag: OTP-23.2.7
Date: 2021-03-03
Trouble Report Id: OTP-12960, OTP-17228
Seq num: ERIERL-598, ERIERL-614
System: OTP
Release: 23
Application: kernel-7.2.1, ssl-10.2.4
Predecessor: OTP 23.2.6
Check out the git tag OTP-23.2.7, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- kernel-7.2.1 ----------------------------------------------------
---------------------------------------------------------------------
The kernel-7.2.1 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-12960 Application(s): kernel
Related Id(s): ERIERL-598, PR-4509
When using the DNS resolver option
servfail_retry_timeout it did not honour the overall
call time-out in e.g inet_res:getbyname/3. This
misbehaviour has now been fixed. Also, the
servfail_retry_timeout behaviour has been improved to
only be enforced for servers that gives a servfail
answer.
Full runtime dependencies of kernel-7.2.1: erts-11.0, sasl-3.0,
stdlib-3.13
---------------------------------------------------------------------
--- ssl-10.2.4 ------------------------------------------------------
---------------------------------------------------------------------
The ssl-10.2.4 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17228 Application(s): ssl
Related Id(s): ERIERL-614
Enhance logging option log_level to support none and
all, also restore backwards compatibility for log_alert
option.
Full runtime dependencies of ssl-10.2.4: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.12
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
20200120
+ resync with my-autoconf.
+ fix typos found with codespell.
+ when reading input in interactive mode, provide for extending the
buffer size for very long lines (Original-Mawk #59).
20200106
+ correct line-number shown in too-many-arguments error message for
the case where the function is a forward reference (report by
"mukti").
+ fix install for manpage when configure --srcdir option is used
(report by Rajeev V Pillai).
+ use both CFLAGS/LDFLAGS when linking in makefile (report by
Rajeev V Pillai).
+ fix clang-9 warning in bi_funct.c (report by Rajeev V Pillai).
+ minor improvement to gcc warning options, from vile
20191231
+ updated configure macros
+ update config.guess and config.sub
20190203
+ improve manpage formatting, e.g., for man2html
+ improve debug-traces
20190129
+ eliminate non-portable tdestroy() from zmalloc no-leaks code.
+ updated configure macros
+ update config.guess and config.sub
20181114
+ revert a change for memory-leaks which made the forced-exit via a
user function inconsistent with earlier versions (report by Sihera
Andre).
+ amend a change for memory-leaks to avoid a double-free (Original-Mawk
#56).
Changelog:
Bugfixes since 1.4.2
Fixed "-d:fulldebug switch does not compile with gc:arc" (#16214)
Fixed "Strange behavior when calling into Nim" (#16249)
Fixed "VC++ winnt.h fatal error "No Target Architecture" in stdlib_io." (#14259)
Fixed "osLastError may randomly raise defect and crash" (#16359)
Fixed "& shows as & in docs" (#16364)
Fixed "gc:arc - SIGSEGV for rawAlloc on windows" (#16365)
Fixed "generic importc proc's don't work (breaking lots of vmops procs for js)" (#16428)
Fixed "[ARC] Compiler error with a closure proc in a macro " (#15043)
Fixed "genericAssignAux runtime error" (#16706)
Fixed "Concept: codegen ignores parameter passing" (#16897)
Fixed "{.push exportc.} interacts with anonymous functions" (#16967)
Fixed "ARC exports a dangerous 'dispose' proc" (#17003)
Fixed "Cursor inference leading to corrupt memory with a tuple" (#17033)
Fixed "toOpenArray doesn't work in VM; toOpenArray with var openArray doesn't work in nim js" (#15952)
Fixed "memory allocation during {.global.} init breaks GC" (#17085)
this has been broken in all platforms' bulk builds for quite some time.
there is a much newer version being worked on in wip, but for now it is
probably best to start by installing lang/rakudo.
pkgsrc changes:
---------------
* Update some PLIST entries since the version of packages documented does
not always match the last patchlevel version of OTP.
* Bump revision
upstream changes:
-----------------
Patch Package: OTP 23.2.6
Git Tag: OTP-23.2.6
Date: 2021-02-25
Trouble Report Id: OTP-17173, OTP-17205, OTP-17220
Seq num: ERIERL-581, ERIERL-608
System: OTP
Release: 23
Application: inets-7.3.2, ssh-4.10.8
Predecessor: OTP 23.2.5
Check out the git tag OTP-23.2.6, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- inets-7.3.2 -----------------------------------------------------
---------------------------------------------------------------------
The inets-7.3.2 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17205 Application(s): inets
Related Id(s): ERIERL-608
Solves CVE-2021-27563, that is make sure no form of
relative path can be used to go outside webservers
directory.
OTP-17220 Application(s): inets
Make sure HEAD requests rejects directory links
Full runtime dependencies of inets-7.3.2: erts-6.0, kernel-3.0,
mnesia-4.12, runtime_tools-1.8.14, ssl-5.3.4, stdlib-3.5
---------------------------------------------------------------------
--- ssh-4.10.8 ------------------------------------------------------
---------------------------------------------------------------------
The ssh-4.10.8 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17173 Application(s): ssh
Related Id(s): ERIERL-581
Don't timeout slow connection setups and tear-downs. A
rare crash risk for the controller is also removed.
Full runtime dependencies of ssh-4.10.8: crypto-4.6.4, erts-9.0,
kernel-5.3, public_key-1.6.1, stdlib-3.4.1
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
Patch Package: OTP 23.2.5
Git Tag: OTP-23.2.5
Date: 2021-02-16
Trouble Report Id: OTP-17185, OTP-17190, OTP-17191
Seq num: ERIERL-606, ERL-1476, GH-4192
System: OTP
Release: 23
Application: erts-11.1.8, ssl-10.2.3, tools-3.4.3
Predecessor: OTP 23.2.4
Check out the git tag OTP-23.2.5, and build a full OTP system
including documentation. Apply one or more applications from this
build as patches to your installation using the 'otp_patch_apply'
tool. For information on install requirements, see descriptions for
each application version below.
---------------------------------------------------------------------
--- erts-11.1.8 -----------------------------------------------------
---------------------------------------------------------------------
The erts-11.1.8 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17185 Application(s): erts
Fixed a bug that could cause some work scheduled for
execution on scheduler threads to be delayed until
other similar work appeared. Beside delaying various
cleanup of internal data structures also the following
could be delayed:
-- Termination of a distribution controller process
-- Disabling of the distribution on a node
-- Gathering of memory allocator information using the
instrument module
-- Enabling, disabling, and gathering of msacc
information
-- Delivery of 'CHANGE' messages when time offset is
monitored
-- A call to erlang:cancel_timer()
-- A call to erlang:read_timer()
-- A call to erlang:statistics(io | garbage_collection
| scheduler_wall_time)
-- A call to ets:all()
-- A call to erlang:memory()
-- A call to erlang:system_info({allocator |
allocator_sizes, _})
-- A call to erlang:trace_delivered()
The bug existed on runtime systems running on all types
of hardware except for x86/x86_64.
Full runtime dependencies of erts-11.1.8: kernel-7.0, sasl-3.3,
stdlib-3.13
---------------------------------------------------------------------
--- ssl-10.2.3 ------------------------------------------------------
---------------------------------------------------------------------
The ssl-10.2.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17190 Application(s): ssl
Related Id(s): ERIERL-606
Avoid race when the first two upgrade server handshakes
(that is servers that use a gen_tcp socket as input to
ssl:handshake/2,3) start close to each other. Could
lead to that one of the handshakes would fail.
Full runtime dependencies of ssl-10.2.3: crypto-4.2, erts-10.0,
inets-5.10.7, kernel-6.0, public_key-1.8, stdlib-3.12
---------------------------------------------------------------------
--- tools-3.4.3 -----------------------------------------------------
---------------------------------------------------------------------
The tools-3.4.3 application can be applied independently of other
applications on a full OTP 23 installation.
--- Fixed Bugs and Malfunctions ---
OTP-17191 Application(s): tools
Related Id(s): ERL-1476, GH-4192, OTP-16922
Correct the Xref analysis undefined_functions to not
report internally generated behaviour_info/1.
Full runtime dependencies of tools-3.4.3: compiler-5.0, erts-11.0,
erts-9.1, kernel-5.4, runtime_tools-1.8.14, stdlib-3.4
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
Version 14.16.0 'Fermium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
Version 12.21.0 'Erbium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
Version 10.24.0 'Dubnium' (LTS)
This is a security release.
Notable changes
Vulnerabilities fixed:
CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.
CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
Python 3.9.2 final
Release date: 2021-02-19
Windows
bpo-43155: PyCMethod_New() is now present in python3.lib.
Python 3.9.2 release candidate 1
Release date: 2021-02-16
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
Core and Builtins
bpo-42819: readline: Explicitly disable bracketed paste in the interactive interpreter, even if it’s set in the inputrc, is enabled by default (eg GNU Readline 8.1), or a user calls readline.read_init_file(). The Python REPL has not implemented bracketed paste support. Also, bracketed mode writes the "\x1b[?2004h" escape sequence into stdout which causes test failures in applications that don’t support it. It can still be explicitly enabled by calling readline.parse_and_bind("set enable-bracketed-paste on"). Patch by Dustin Rodrigues.
bpo-42806: Fix the column offsets for f-strings ast nodes surrounded by parentheses and for nodes that spawn multiple lines. Patch by Pablo Galindo.
bpo-40631: Fix regression where a single parenthesized starred expression was a valid assignment target.
bpo-32381: Fix encoding name when running a .pyc file on Windows: PyRun_SimpleFileExFlags() now uses the correct encoding to decode the filename.
bpo-42536: Several built-in and standard library types now ensure that their internal result tuples are always tracked by the garbage collector:
collections.OrderedDict.items()
dict.items()
enumerate()
functools.reduce()
itertools.combinations()
itertools.combinations_with_replacement()
itertools.permutations()
itertools.product()
itertools.zip_longest()
zip()
Previously, they could have become untracked by a prior garbage collection. Patch by Brandt Bucher.
bpo-42195: The __args__ of the parameterized generics for typing.Callable and collections.abc.Callable are now consistent. The __args__ for collections.abc.Callable are now flattened while typing.Callable’s have not changed. To allow this change, types.GenericAlias can now be subclassed and collections.abc.Callable’s __class_getitem__ will now return a subclass of types.GenericAlias. Tests for typing were also updated to not subclass things like Callable[..., T] as that is not a valid base class. Finally, both types no longer validate their argtypes, in Callable[[argtypes], resulttype] to prepare for PEP 612. Patch by Ken Jin.
Library
bpo-43102: The namedtuple __new__ method had its __builtins__ set to None instead of an actual dictionary. This created problems for introspection tools.
bpo-43108: Fixed a reference leak in the curses module. Patch by Pablo Galindo
bpo-42944: Fix random.Random.sample when counts argument is not None.
bpo-42931: Add randbytes() to random.__all__.
bpo-42780: Fix os.set_inheritable() for O_PATH file descriptors on Linux.
bpo-42851: remove __init_subclass__ support for Enum members
bpo-41748: Fix HTMLParser parsing rules for element attributes containing commas with spaces. Patch by Karl Dubost.
bpo-42759: Fixed equality comparison of tkinter.Variable and tkinter.font.Font. Objects which belong to different Tcl interpreters are now always different, even if they have the same name.
bpo-42756: Configure LMTP Unix-domain socket to use socket global default timeout when a timeout is not explicitly provided.
bpo-23328: Allow / character in username, password fields on _PROXY envars.
bpo-42655: subprocess extra_groups is now correctly passed into setgroups() system call.
bpo-42727: EnumMeta.__prepare__ now accepts **kwds to properly support __init_subclass__
bpo-42681: Fixed range checks for color and pair numbers in curses.
bpo-37961: Fix crash in tracemalloc.Traceback.__repr__() (regressed in Python 3.9).
bpo-42630: tkinter functions and constructors which need a default root window raise now RuntimeError with descriptive message instead of obscure AttributeError or NameError if it is not created yet or cannot be created automatically.
bpo-42644: logging.disable will now validate the types and value of its parameter. It also now accepts strings representing the levels (as does loging.setLevel) instead of only the numerical values.
bpo-36541: Fixed lib2to3.pgen2 to be able to parse PEP-570 positional only argument syntax.
bpo-42517: Enum: private names will raise a DeprecationWarning; in 3.10 they will become normal attributes
bpo-42678: Enum: call __init_subclass__ after members have been added
bpo-42532: Remove unexpected call of __bool__ when passing a spec_arg argument to a Mock.
bpo-42388: Fix subprocess.check_output(…, input=None) behavior when text=True to be consistent with that of the documentation and universal_newlines=True.
bpo-34463: Fixed discrepancy between traceback and the interpreter in formatting of SyntaxError with lineno not set (traceback was changed to match interpreter).
bpo-42375: subprocess module update for DragonFlyBSD support.
bpo-42384: Make pdb populate sys.path[0] exactly the same as regular python execution.
bpo-42383: Fix pdb: previously pdb would fail to restart the debugging target if it was specified using a relative path and the current directory changed.
bpo-42318: Fixed support of non-BMP characters in tkinter on macOS.
bpo-42163: Restore compatibility for uname_result around deepcopy and _replace.
bpo-39825: Windows: Change sysconfig.get_config_var('EXT_SUFFIX') to the expected full platform_tag.extension format. Previously it was hard-coded to .pyd, now it is compatible with distutils.sysconfig and will result in something like .cp38-win_amd64.pyd. This brings windows into conformance with the other platforms.
bpo-42059: typing.TypedDict types created using the alternative call-style syntax now correctly respect the total keyword argument when setting their __required_keys__ and __optional_keys__ class attributes.
bpo-39101: Fixed tests using IsolatedAsyncioTestCase from hanging on BaseExceptions.
bpo-42005: Fix CLI of cProfile and profile to catch BrokenPipeError.
bpo-41907: fix format() behavior for IntFlag
bpo-41889: Enum: fix regression involving inheriting a multiply-inherited enum
bpo-41891: Ensure asyncio.wait_for waits for task completion
bpo-41604: Don’t decrement the reference count of the previous user_ptr when set_panel_userptr fails.
bpo-40219: Lowered tkinter.ttk.LabeledScale dummy widget to prevent hiding part of the content label.
bpo-40084: Fix Enum.__dir__: dir(Enum.member) now includes attributes as well as methods.
bpo-39068: Fix initialization race condition in a85encode() and b85encode() in base64. Patch by Brandon Stansbury.
bpo-33289: Correct call to tkinter.colorchooser to return RGB triplet of ints instead of floats. Patch by Cheryl Sabella.
Documentation
bpo-40304: Fix doc for type(name, bases, dict). Patch by Boris Verkhovskiy and Éric Araujo.
bpo-42811: Updated importlib.utils.resolve_name() doc to use __spec__.parent instead of __package__. (Thanks Yair Frid.)
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Tests
bpo-42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-40810: In sqlite3, fix CheckTraceCallbackContent for SQLite pre 3.7.15.
Build
bpo-43174: Windows build now uses /utf-8 compiler option.
bpo-42692: Fix __builtin_available check on older compilers. Patch by Joshua Root.
bpo-42604: Now all platforms use a value for the “EXT_SUFFIX” build variable derived from SOABI (for instance in freeBSD, “EXT_SUFFIX” is now “.cpython-310d.so” instead of “.so”). Previosuly only Linux, Mac and VxWorks were using a value for “EXT_SUFFIX” that included “SOABI”.
bpo-42598: Fix implicit function declarations in configure which could have resulted in incorrect configuration checks. Patch contributed by Joshua Root.
bpo-29076: Add fish shell support to macOS installer.
Windows
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i
bpo-42584: Upgrade Windows installer to use SQLite 3.34.0.
macOS
bpo-42504: Ensure that the value of sysconfig.get_config_var(‘MACOSX_DEPLOYMENT_TARGET’) is always a string, even in when the value is parsable as an integer.
bpo-42361: Update macOS installer build to use Tcl/Tk 8.6.11 (rc2, expected to be final release).
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i.
bpo-42584: Update macOS installer to use SQLite 3.34.0.
IDLE
bpo-43008: Make IDLE invoke sys.excepthook() in normal, 2-process mode. Patch by Ken Hilton.
bpo-33065: Fix problem debugging user classes with __repr__ method.
bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash. Patch by Zackery Spytz.
bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage.
Tools/Demos
bpo-42726: Fixed Python 3 compatibility issue with gdb/libpython.py handling of attribute dictionaries.
bpo-42613: Fix freeze.py tool to use the prope config and library directories. Patch by Victor Stinner.
C API
bpo-43030: Fixed a compiler warning in Py_UNICODE_ISSPACE() on platforms with signed wchar_t.
bpo-42591: Export the Py_FrozenMain() function: fix a Python 3.9.0 regression. Python 3.9 uses -fvisibility=hidden and the function was not exported explicitly and so not exported.
bpo-40052: Fix an alignment build warning/error in function PyVectorcall_Function(). Patch by Andreas Schneider, Antoine Pitrou and Petr Viktorin.
Python 3.8.8
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
Core and Builtins
bpo-42819: readline: Explicitly disable bracketed paste in the interactive interpreter, even if it’s set in the inputrc, is enabled by default (eg GNU Readline 8.1), or a user calls readline.read_init_file(). The Python REPL has not implemented bracketed paste support. Also, bracketed mode writes the "\x1b[?2004h" escape sequence into stdout which causes test failures in applications that don’t support it. It can still be explicitly enabled by calling readline.parse_and_bind("set enable-bracketed-paste on"). Patch by Dustin Rodrigues.
Library
bpo-43108: Fixed a reference leak in the curses module. Patch by Pablo Galindo
bpo-42780: Fix os.set_inheritable() for O_PATH file descriptors on Linux.
bpo-41748: Fix HTMLParser parsing rules for element attributes containing commas with spaces. Patch by Karl Dubost.
bpo-42759: Fixed equality comparison of tkinter.Variable and tkinter.font.Font. Objects which belong to different Tcl interpreters are now always different, even if they have the same name.
bpo-23328: Allow / character in username, password fields on _PROXY envars.
bpo-42681: Fixed range checks for color and pair numbers in curses.
bpo-42531: importlib.resources.path() now works for packages missing the optional __file__ attribute (more specifically, packages whose __spec__.origin is None).
bpo-42388: Fix subprocess.check_output(…, input=None) behavior when text=True to be consistent with that of the documentation and universal_newlines=True.
bpo-42384: Make pdb populate sys.path[0] exactly the same as regular python execution.
bpo-42383: Fix pdb: previously pdb would fail to restart the debugging target if it was specified using a relative path and the current directory changed.
bpo-42318: Fixed support of non-BMP characters in tkinter on macOS.
bpo-42005: Fix CLI of cProfile and profile to catch BrokenPipeError.
bpo-41604: Don’t decrement the reference count of the previous user_ptr when set_panel_userptr fails.
bpo-26407: Unexpected errors in calling the __iter__ method are no longer masked by TypeError in csv.reader(), csv.writer.writerow() and csv.writer.writerows().
bpo-39068: Fix initialization race condition in a85encode() and b85encode() in base64. Patch by Brandon Stansbury.
bpo-36589: The curses.update_lines_cols() function now returns None instead of 1 on success.
bpo-33289: Correct call to tkinter.colorchooser to return RGB triplet of ints instead of floats. Patch by Cheryl Sabella.
Documentation
bpo-40304: Fix doc for type(name, bases, dict). Patch by Boris Verkhovskiy and Éric Araujo.
bpo-42811: Updated importlib.utils.resolve_name() doc to use __spec__.parent instead of __package__. (Thanks Yair Frid.)
Tests
bpo-42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-40810: In sqlite3, fix CheckTraceCallbackContent for SQLite pre 3.7.15.
Build
bpo-29076: Add fish shell support to macOS installer.
Windows
bpo-41837: Updated Windows installer to include OpenSSL 1.1.1i
bpo-42584: Upgrade Windows installer to use SQLite 3.34.0.
macOS
bpo-41837: Update macOS installer build to use OpenSSL 1.1.1i.
bpo-42584: Update macOS installer to use SQLite 3.34.0.
IDLE
bpo-43008: Make IDLE invoke sys.excepthook() in normal, 2-process mode. Patch by Ken Hilton.
bpo-33065: Fix problem debugging user classes with __repr__ method.
bpo-42508: Keep IDLE running on macOS. Remove obsolete workaround that prevented running files with shortcuts when using new universal2 installers built on macOS 11.
bpo-23544: Disable Debug=>Stack Viewer when user code is running or Debugger is active, to prevent hang or crash. Patch by Zackery Spytz.
bpo-32631: Finish zzdummy example extension module: make menu entries work; add docstrings and tests with 100% coverage.
Tools/Demos
bpo-42726: Fixed Python 3 compatibility issue with gdb/libpython.py handling of attribute dictionaries.
C API
bpo-43030: Fixed a compiler warning in Py_UNICODE_ISSPACE() on platforms with signed wchar_t.
bpo-40052: Fix an alignment build warning/error in function PyVectorcall_Function(). Patch by Andreas Schneider, Antoine Pitrou and Petr Viktorin.
This touches all compiled std library files after installation, to avoid
extra recompilations when a dependent package (most likely a newer Go
release) is being built.
Patch from mlelstv@ in PR pkg/55900.
Restore some PLIST content state from prior to the 23.2.4 update,
which mistakenly moved some hipe-related files that get built
universally to the PLIST.hipe list. The "--disable-hipe" option does
not impact everything. Build tested with the hipe option both enabled
and disabled. This should fix build breakages, e.g., NetBSD/aarch64.
(Separately, it's kind of unfortunate that this package uses both PLIST
variables and separate PLIST files to segment content driven by options.
It should really use one approach or the other consistently, but I
haven't touched that here.)
## 1.15.2 - 2021-02-15
- Fix bug in windows version of `os/spawn` and `os/execute` with setting environment variables.
- Fix documentation typos.
- Fix peg integer reading combinators when used with capture tags.
## 1.15.0 - 2021-02-08
- Fix `gtim` and `ltim` bytecode instructions on non-integer values.
- Clean up output of flychecking to be the same as the repl.
- Change behavior of `debug/stacktrace` with a nil error value.
- Add optional argument to `parser/produce`.
- Add `no-core` option to creating standalone binaries to make execution faster.
- Fix bug where a buffer overflow could be confused with an out of memory error.
- Change error output to `file:line:column: message`. Column is in bytes - tabs
are considered to have width 1 (instead of 8).
Python 3.7.10
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
Library
bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
bpo-41976: Fixed a bug that was causing ctypes.util.find_library() to return None when triying to locate a library in an environment when gcc>=9 is available and ldconfig is not. Patch by Pablo Galindo
Documentation
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Tests
bpo-42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
Python 3.6.13 final
Security
bpo-42967: Fix web cache poisoning vulnerability by defaulting the query args separator to &, and allowing the user to choose a custom separator.
bpo-42938: Avoid static buffers when computing the repr of ctypes.c_double and ctypes.c_longdouble values.
bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
Core and Builtins
bpo-35560: Fix an assertion error in format() in debug build for floating point formatting with “n” format, zero padding and small width. Release build is not impacted. Patch by Karthikeyan Singaravelan.
Library
bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
Tests
bpo-42794: Update test_nntplib to use offical group name of news.aioe.org for testing. Patch by Dong-hee Na.
bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
- By default, if now propagates its child exit code when it exits.
- backtick now propagates failure by default; its options have slightly
different semantics (-i becomes default, new -x introduced).
pkgsrc changes:
- Add manual pages by flexibeast.
Version 10.23.3 'Dubnium' (LTS)
Notable changes
The update to npm 6.14.11 has been relanded so that npm correctly reports its version.
Version 10.23.2 'Dubnium'
Notable changes
Release keys have been synchronized with the main branch.
deps:
upgrade npm to 6.14.11
v1.3
Compatibility:
Tested with Python 3.9.0
Additions:
To help avoid compiler warning about uninitialized members, extra members are added to the PyModuleDef structure for Python 2: m_slots, m_traverse, m_clear and m_free. Under Python 2, they must be set to NULL (usually by continuing to leave them out).
This a meta package including Ruby 3.0 full release.
It includes ruby30-base, ruby30-gdbm, ruby30-fiddle and ruby30-readline
package.
No package should depend on this package directly.
Ruby is the interpreted scripting language for quick and easy Object
Oriented Programming. It has many features to process text files and to do
system management tasks (as in Perl). It is simple, straight-forward, and
extensible.
Features of Ruby are shown below.
+ Simple Syntax
+ *Normal* Object-Oriented features (ex. class, method calls)
+ *Advanced* Object-Oriented features (ex. Mix-in, Singleton-method)
+ Operator Overloading
+ Exception Handling
+ Iterators and Closures
+ Garbage Collection
+ Dynamic Loading of Object files (on some architecture)
+ Highly Portable (works on many UNIX machines, and on DOS, Windows,
Mac, etc.)
Ruby 3.0 introduces a number of new features and performance
improvements, most notably:
* Performance
- MJIT
* Concurrency
- Ractor
- Fiber Scheduler
* Typing (Static Analysis)
- RBS
- TypeProf
This package is Ruby 3.0 release minimum base package.
While here point out that the aarch64 equivalent patch was sent upstream.
Bump PKGREVISION. fix gcc*-libs PKGREVISION accordingly.
Fixes PR pkg/55992: math/blas fails on NetBSD/sparc64
Fixes report by Connor McLaughlan on pkgsrc-users
Version 14.15.5 'Fermium' (LTS)
Notable Changes
deps:
upgrade npm to 6.14.11
V8: backport dfcf1e86fac0
Note: Node.js is not believed to be vulnerable to CVE-2021-21148.
stream,zlib: do not use _stream_* anymore
databases/ruby-activerecord60:
## Rails 6.0.3.5 (February 10, 2021) ##
* Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
*Aaron Patterson*
www/ruby-actionpack60
## Rails 6.0.3.5 (February 10, 2021) ##
* Prevent open redirect when allowed host starts with a dot
[CVE-2021-22881]
Thanks to @tktech (https://hackerone.com/tktech) for reporting this
issue and the patch!
*Aaron Patterson*
## Rails 5.2.4.5 (February 10, 2021) ##
* Fix possible DoS vector in PostgreSQL money type
Carefully crafted input can cause a DoS via the regular expressions used
for validating the money format in the PostgreSQL adapter. This patch
fixes the regexp.
Thanks to @dee-see from Hackerone for this patch!
[CVE-2021-22880]
*Aaron Patterson*
Fixes build with current ocaml.
Note: this update includes the import semantics fixes from 8.11 that
break a lot of developments.
pkgsrc change: docs build now works.
Summary of changes in 8.12:
Coq version 8.12 integrates many usability improvements, in particular
with respect to notations, scopes and implicit arguments, along with
many bug fixes and major improvements to the reference manual. The
main changes include:
New binder notation for non-maximal implicit arguments using [ ]
allowing to set and see the implicit status of arguments
immediately.
New notation Inductive I A | x : s := ... to distinguish the
uniform from the non-uniform parameters in inductive definitions.
More robust and expressive treatment of implicit inductive
parameters in inductive declarations.
Improvements in the treatment of implicit arguments and partially
applied constants in notations, parsing of hexadecimal number
notation and better handling of scopes and coercions for printing.
A correct and efficient coercion coherence checking algorithm,
avoiding spurious or duplicate warnings.
An improved Search command which accepts complex queries. Note
that this takes precedence over the now deprecated ssreflect
search.
Many additions and improvements of the standard library.
Improvements to the reference manual include a more logical
organization of chapters along with updated syntax descriptions
that match Coq's grammar in most but not all chapters.
Additionally, the omega tactic is deprecated in this version of Coq,
and we recommend users to switch to lia in new proof scripts (see also
the warning message in the corresponding chapter).
Summary of changes in 8.11:
The main changes brought by Coq version 8.11 are:
Ltac2, a new tactic language for writing more robust larger scale
tactics, with built-in support for datatypes and the multi-goal
tactic monad.
Primitive floats are integrated in terms and follow the binary64
format of the IEEE 754 standard, as specified in the
Coq.Float.Floats library.
Cleanups of the section mechanism, delayed proofs and further
restrictions of template polymorphism to fix soundness issues
related to universes.
New unsafe flags to disable locally guard, positivity and universe
checking. Reliance on these flags is always printed by Print
Assumptions.
Fixed bugs of Export and Import that can have a significant impact
on user developments (common source of incompatibility!).
New interactive development method based on vos interface files,
allowing to work on a file without recompiling the proof parts of
their dependencies.
New Arguments annotation for bidirectional type inference
configuration for reference (e.g. constants, inductive)
applications.
New refine attribute for Instance can be used instead of the
removed Refine Instance Mode.
Generalization of the under and over tactics of SSReflect to
arbitrary relations.
Revision of the Coq.Reals library, its axiomatisation and
instances of the constructive and classical real numbers.
Additionally, while the omega tactic is not yet deprecated in this
version of Coq, it should soon be the case and we already recommend
users to switch to lia in new proof scripts (see also the warning
message in the corresponding chapter).
The full (huge) changelog is here:
https://coq.inria.fr/distrib/V8.12.2/refman/changes.html
GHC: The Glasgow Haskell Compiler.
The Glasgow Haskell Compiler is a robust, fully-featured, optimising
compiler for the functional programming language Haskell 98
(http://www.haskell.org). GHC compiles Haskell to either native code
or C. It implements numerous experimental language extensions to
Haskell, including concurrency, a foreign language interface, several
type-system extensions, exceptions, and so on. GHC comes with a
generational garbage collector, a space and time profiler, and a
comprehensive set of libraries.
This package provides the 9.0.x release series.
