Release 2.4.1 Sun May 23 2021
Bug fixes:
#488 #490 Autotools: Fix installed header expat_config.h for multilib
systems; regression introduced in 2.4.0 by pull request #486
Other changes:
#491 #492 Version info bumped from 9:0:8 to 9:1:8;
see https://verbump.de/ for what these numbers do
Special thanks to:
Gentoo's QA check "multilib_check_headers"
Release 2.4.0 Sun May 23 2021
Security fixes:
#34 #466 #484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
(denial-of-service; flavors targeting CPU time or RAM or both,
leveraging general entities or parameter entities or both)
by tracking and limiting the input amplification factor
(<amplification> := (<direct> + <indirect>) / <direct>).
By conservative default, amplification up to a factor of 100.0
is tolerated and rejection only starts after 8 MiB of output bytes
(=<direct> + <indirect>) have been processed.
The fix adds the following to the API:
- A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
signal this specific condition.
- Two new API functions ..
- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold
.. to further tighten billion laughs protection parameters
when desired. Please see file "doc/reference.html" for details.
If you ever need to increase the defaults for non-attack XML
payload, please file a bug report with libexpat.
- Two new XML_FEATURE_* constants ..
- that can be queried using the XML_GetFeatureList function, and
- that are shown in "xmlwf -v" output.
- Two new environment variable switches ..
- EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
- EXPAT_ENTITY_DEBUG=(0|1)
.. for runtime debugging of accounting and entity processing.
Specific behavior of these values may change in the future.
- Two new command line arguments "-a FACTOR" and "-b BYTES"
for xmlwf to further tighten billion laughs protection
parameters when desired.
If you ever need to increase the defaults for non-attack XML
payload, please file a bug report with libexpat.
Bug fixes:
#332 #470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
for UTF-16 payloads containing CDATA sections.
#485 #486 Autotools: Fix generated CMake files for non-64bit and
non-Linux platforms (e.g. macOS and MinGW in particular)
that were introduced with release 2.3.0
Other changes:
#468 #469 xmlwf: Improve help output and the xmlwf man page
#463 xmlwf: Improve maintainability through some refactoring
#477 xmlwf: Fix man page DocBook validity
#458 #459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
and CMAKE_INSTALL_INCLUDEDIR
#471 #481 CMake: Add support for standard variable BUILD_SHARED_LIBS
#457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
#467 Resolve macro HAVE_EXPAT_CONFIG_H
#472 Delete unused legacy helper file "conftools/PrintPath"
#473 #483 Improve attribution
#464 #465 #477 doc/reference.html: Fix XHTML validity
#475 #478 doc/reference.html: Replace the 90s look by OK.css
#479 Version info bumped from 8:0:7 to 9:0:8
due to addition of new symbols and error codes;
see https://verbump.de/ for what these numbers do
Infrastructure:
#456 CI: Enable periodic runs
#457 CI: Start covering the list of exported symbols
#474 CI: Isolate coverage task
#476 #482 CI: Adapt to breaking changes in image "ubuntu-18.04"
#477 CI: Cover well-formedness and DocBook/XHTML validity
of doc/reference.html and doc/xmlwf.xml
Special thanks to:
Dimitry Andric
Eero Helenius
Nick Wellnhofer
Rhodri James
Tomas Korbar
Yury Gribov
and
Clang LeakSan
JetBrains
OSS-Fuzz
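A simplified model of the accounting rule from the 2.4.0 notes above, added here as an example; it is not libexpat's code. The entity family (e0 to e9), the way replacement bytes are counted, and the names accounting, expand and parse_model are assumptions made for illustration.

```c
#include <stdio.h>
/* Defaults quoted in the 2.4.0 release notes above. */
#define MAX_AMPLIFICATION 100.0
#define ACTIVATION_THRESHOLD (8ULL * 1024 * 1024) /* 8 MiB */

typedef struct {
    unsigned long long direct;   /* bytes read from the document itself */
    unsigned long long indirect; /* bytes that came from entity expansion */
} accounting;

/* 1 only when both hold: more than 8 MiB processed AND factor above 100. */
static int limit_breached(const accounting *a) {
    unsigned long long total = a->direct + a->indirect;
    if (a->direct == 0 || total <= ACTIVATION_THRESHOLD) return 0;
    return (double)total / (double)a->direct > MAX_AMPLIFICATION;
}

/* Constructed entity family (assumption): e0 is the text "lol", e<n> is
 * `fanout` references to e<n-1>. Returns 0 if expanded, -1 if rejected. */
static int expand(accounting *a, int level, int fanout) {
    char ref[32];
    size_t repl_len = 3; /* strlen("lol") */
    if (level > 0)
        repl_len = (size_t)fanout
                 * (size_t)snprintf(ref, sizeof ref, "&e%d;", level - 1);
    a->indirect += repl_len; /* replacement text counts as indirect input */
    if (limit_breached(a)) return -1;
    for (int i = 0; level > 0 && i < fanout; i++)
        if (expand(a, level - 1, fanout) != 0) return -1;
    return 0;
}

/* Model a document of doc_bytes bytes that references e<depth> once. */
int parse_model(unsigned long long doc_bytes, int depth, int fanout,
                accounting *out) {
    out->direct = doc_bytes;
    out->indirect = 0;
    return expand(out, depth, fanout);
}

int main(void) {
    accounting a;
    int rc = parse_model(1024, 9, 10, &a); /* classic 10^9 "lol" payload */
    printf("depth 9: rc=%d indirect=%llu\n", rc, a.indirect);
    rc = parse_model(1024, 3, 10, &a);     /* small, benign expansion */
    printf("depth 3: rc=%d indirect=%llu\n", rc, a.indirect);
    return 0;
}
```

The depth-9 case is cut off just past 8 MiB of processed bytes instead of running to gigabytes, while a 16 MiB document with the same small expansion passes because its factor stays near 1.0.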
v2.1.0
Changed
- Allow claims validation without making JWT signature validation mandatory.
Fixed
- Remove padding from JWK test data.
- Make `kty` mandatory in JWK to be compliant with RFC7517.
- Allow JWK without `alg` to be compliant with RFC7517.
- Allow to verify with private key on ECAlgorithm, as well as on Ed25519Algorithm.
Added
- Add caching by default to PyJWKClient
- Add missing exceptions.InvalidKeyError to jwt module __init__ imports
- Add support for ES256K algorithm
- Add `from_jwk()` to Ed25519Algorithm
- Add `to_jwk()` to Ed25519Algorithm
- Export `PyJWK` and `PyJWKSet`
xml2-config from libxml2 >= 2.9.11 now exits with non-zero status
for invalid arguments. libxslt called xml2-config with the invalid
`print` option to probe for its existence, so with new libxml2 it
now skipped detection via xml2-config entirely causing a build
failure.
Apply upstream patch to correct this invalid xml2-config usage.
2.9.12:
"Brown paper bag release, some recently added sources were missing from
the 2.9.11 tarball."
2.9.11:
"Prompted by CVE-2021-3541, but this includes an awful lot of serious bug
fixes by Nick and others."
upstream changes:
-----------------
Version 1.0.11
o Updating fast_yaml to version 1.0.31.
o Fix unused variable warning
o Update copyright year to 2021
o Export include_files/3 to fix several Dialyzer warnings
Version 1.0.10
o Updating fast_yaml to version 1.0.30.
Changelog:
version 2.35
* Release
version 2.34+02
* Some petty optimisation in text output (replace ' '+ '\n' by '\n').
version 2.34+01
* Correct bug in text mode (012 by Florian Angeletti).
On bad combination of indentation and underlining.
version 2.34
* Add command \formatlinks for greater control over navigation links.
version 2.33
* Compatibility from 4.02.3 to 4.10.0
version 2.32
* Introduce SVG arrows, contribution by Florian Angeletti
version 2.31
* Correct doc typos.
version 2.30
* Better error message when several \documentclass are present.
version 2.29+5
version 2.29+4
version 2.29+3
version 2.29+2
* mathjax 'automatic' support
version 2.29+1
* mathjax support
version 2.29
* Correct bug around double quotes. Notice that the "plain" status
of double quotes is no expansion, by contrast with all other special
characters.
version 2.28
* lstlisting: find files lstlang?.sty in path (as latex does).
version 2.27
* info: Add initial capitals for some words
(workaround against (reported) info reader v 6.0 bug)
version 2.26
* add a warning in case of missing \end{document}
* cleveref.hva patch (removes extra white space), credit: Tim Bourke.
version 2.25
* Oups !! Forgot to add svg.hva, corrected.
version 2.24
* Add svg.hva style file, to produce svg images.
* More robust build.
- Removes patches to sys-info crate, since the latest release adds
NetBSD Support.
Changes since 0.18.0:
v0.18.1
Bugfixes
* Mouse support and screen clearing broken for less versions with minor
version number (581.2), see #1629 and #1639 (@aswild)
Other
* Input::ordinary_file and Input::with_name now accept Path rather than
OsStr see #1571 (@matklad)
* The LESS environment variable is now included in bat --diagnostic,
see #1589 (@Enselic)
* Increased min. required Rust version to 1.45
Syntaxes
* Improved the Syslog syntax highlighting, see #1606 (@keith-hall)
* Replaced "Advanced CSV" with a custom CSV syntax definition written
especially for bat; see #1574 (@keith-hall)
* Added SystemVerilog file syntax, see #1580 (@SeanMcLoughlin)
* Added Solidity and Vyper syntax, see #1602 (@Ersikan)
New themes
* Dark+ VS Code theme, see #1588 and #1598 (@PatriotRossii)
Version 5.9.1 (28 April 2021)
* Fix build break when SQLite3 is not installed. #1195
Version 5.9.0 (25 April 2021)
* Use #define for custom configuration in dictionaries. #1128
* Panic-mode fixes and extensions. In link-parser see !help panic_variables.
* English dict: fix silly mistake with "I love cats and dogs".
* Disable maintainer-mode in `configure.ac`.
* Fix very rare crash/corruption introduced in v.5.8.1 #1142
* English dict: fix problems with "just/only".
* English dict: work on hesitation markers.
* Fix multi-threading mem-leak. #1149
* Provide emscripten javascript wrapper for the command-line parser.
* Public API shared library entry points exported automatically. #1182
* Provide bindings for the Vala programming language.
* Increase number of allowed idiom expressions. #1187
* Replace O(n^2) idiom loading algo by an O(n log n) algo. #1194
* Disable SAT solver by default.
* New tool: Sentence generator! This is an experimental prototype.
All changes for pthai.el module
- in pthai-play-thaiword, fix logic when sox/play not found
- display duplicate word counts in pthai-unique-word-count
- fix splitting when last character is punctuation and last word is english
- add pthai-say-*-thai-only function to say thai words only buffer/line/region
- add pthai-find-word-regexp to search for words in dictionary/wordlist
Release 1.4.3 - May 12 2021
---------------------------
* Added support for background images in worksheets. See
:func:`set_background` and :ref:`ex_background`.
A high performance csv viewer with cjk/emoji support.
Features:
- Small and fast (see benchmarks below).
- Correctly handles CJK characters and emoji.
- Support different styles.
- Support tsv and custom delimiters.
- Able to generate markdown table (with --style markdown option).
Release 2.3.0 Thu March 25 2021
Bug fixes:
#438 When calling XML_ParseBuffer without a prior successful call to
XML_GetBuffer as a user, no longer trigger undefined behavior
(by adding an integer to a NULL pointer) but rather return
XML_STATUS_ERROR and set the error code to (new) code
XML_ERROR_NO_BUFFER. Found by UBSan (UndefinedBehaviorSanitizer)
of Clang 11 (but not Clang 9).
#444 xmlwf: Exit status 2 was used for both:
- malformed input files (documented) and
- invalid command-line arguments (undocumented).
The case of invalid command-line arguments now
has its own exit status 4, resolving the ambiguity.
Other changes:
#439 xmlwf: Add argument -k to allow continuing after
non-fatal errors
#439 xmlwf: Add section about exit status to the -h help output
#422 #426 #447 Windows: Drop support for Visual Studio <=14.0/2015
#434 Windows: CMake: Detect unsupported Visual Studio at
configure time (rather than at compile time)
#382 #428 testrunner: Make verbose mode (argument "-v") report
about passed tests, and make default mode report about
failures, as well.
#442 CMake: Call "enable_language(CXX)" prior to tinkering
with CMAKE_CXX_* variables
#448 Document use of libexpat from a CMake-based project
#451 Autotools: Install CMake files as generated by CMake 3.19.6
so that users with "find_package(expat [..] CONFIG [..])"
are served on distributions that are *not* using the CMake
build system inside for libexpat packaging
#436 #437 Autotools: Drop obsolescent macro AC_HEADER_STDC
#450 #452 Autotools: Resolve use of obsolete macro AC_CONFIG_HEADER
#441 Address compiler warnings
#443 Version info bumped from 7:12:6 to 8:0:7
due to addition of error code XML_ERROR_NO_BUFFER
(see https://verbump.de/ for what these numbers do)
Infrastructure:
#435 #446 Replace Travis CI by GitHub Actions
Special thanks to:
Alexander Richardson
Oleksandr Popovych
Thomas Beutlich
Tim Bray
and
Clang LeakSan, Clang 11 UBSan and the Clang team
RQRCode
RQRCode is a library for creating and rendering QR codes into various
formats. It has a simple interface with all the standard QR code options.
It was adapted from the Javascript library by Kazuhiko Arase.
* QR code is trademarked by Denso Wave inc
* Minimum Ruby version is `>= 2.3`
RQRCodeCore
rqrcode_core is a Ruby library for encoding QR Codes. The simple interface
(with no runtime dependencies) allows you to create QR Code data structures.
It was originally adapted in 2008 from a Javascript library by Kazuhiko
Arase: https://github.com/kazuhikoarase.
Features
* rqrcode_core is a ruby only library. It requires no native libraries. Just
Ruby!
* It is an encoding library. You can't decode QR codes with it.
* The interface is simple and assumes you just want to encode a string into
a QR code.
* QR code is trademarked by Denso Wave inc.
rqrcode_core is the basis of the popular rqrcode gem:
https://github.com/whomwah/rqrcode. This gem allows you to generate
different renderings of your QR code, including png, svg and ansi.
Upstream changes:
2.100 2021-02-04
- Declare vars with our instead of use vars (GH #7, thanks to Grinnz)
- Quote $VERSION to preserve formatting (GH #6, thanks to Grinnz)
2.000 2020-11-09
- Switch to XSLoader rather than DynaLoader (GH #5, thanks to atoomic)
Real changes are in www/ruby-actionpack61 only.
## Rails 6.1.3.2 (May 05, 2021) ##
* Prevent open redirects by correctly escaping the host allow list
CVE-2021-22903
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*
Real changes are in www/ruby-actionpack60 only.
## Rails 6.0.3.7 (May 05, 2021) ##
* Prevent catastrophic backtracking during mime parsing
CVE-2021-22902
* Prevent regex DoS in HTTP token authentication
CVE-2021-22904
* Prevent string polymorphic route arguments.
`url_for` supports building polymorphic URLs via an array
of arguments (usually symbols and records). If a developer passes a
user input array, strings can result in unwanted route helper calls.
CVE-2021-22885
*Gannon McGibbon*