311243 commits

Author SHA1 Message Date
ryoon
8eb464cbe7 nss: Update to 4.49.2
Changelog:
No new functionality is introduced in this release. This release fixes several
issues:

 - Bug 1606992 - Cache the most recent PBKDF1 password hash, to speed up
   repeated SDR operations when using profiles using that hash. This is
   covering additional cases not covered by NSS 3.49.1, important with the
   increased KDF iteration counts.
 - Bug 1608327 - Fix compilation problems with NEON-specific code in freebl
 - Bug 1608895 - Fix a taskcluster issue with Python 2 / Python 3

NSS 3.49.2 requires NSPR 4.24 or newer.
2020-02-05 03:31:58 +00:00
ryoon
cc9b630054 doc: Updated devel/nspr to 4.25 2020-02-05 03:27:33 +00:00
ryoon
f6ed9a5f2f nspr: Update to 4.25
* Fix runtime error by pthread_equal() misuse.

Changelog:
NSPR 4.25 contains the following changes:
- fixed reading files larger than 4 GB on Win32
- changes to NSPR test tools to allow them to run on our CI
- added support for Xtensa architecture
2020-02-05 03:26:52 +00:00
fox
0f2a73b938 chat/ircd-hybrid: Adds support for wolfSSL TLS option. 2020-02-04 20:40:18 +00:00
fox
c489fb420d options.description: Add security/wolfssl 2020-02-04 20:33:02 +00:00
rillig
5a1bf3b381 security/pscan: fix pkglint warnings 2020-02-04 17:25:59 +00:00
adam
75d6fcbce0 Updated www/py-django, www/py-django2 2020-02-04 17:25:21 +00:00
adam
ebbf5177f5 py-django2: updated to 2.2.10
Django 2.2.10 fixes a security issue:
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
2020-02-04 17:25:05 +00:00
adam
13fb86956a py-django: updated to 1.11.28
Django 1.11.28 fixes a security issue:
CVE-2020-7471: Potential SQL injection via StringAgg(delimiter)
StringAgg aggregation function was subject to SQL injection, using a suitably crafted delimiter.
2020-02-04 17:23:11 +00:00
rillig
343f595122 security/pscan: update HOMEPAGE, document MASTER_SITES 2020-02-04 17:22:06 +00:00
adam
73858ac2e7 Updated devel/py-dialog, devel/py-dialog2 2020-02-04 17:17:36 +00:00
adam
cb0877d58d py-dialog{2}: updated to 3.5.1
Main changes in version 3.5.1

The main changes in version 3.5.1 are:

The default used when the PATH environment variable is unset is now "/bin:/usr/bin" instead of ":/bin:/usr/bin". This is relevant when the dialog argument of the Dialog constructor contains no slash (/), which is the case by default. The benefit of this change is that in such a situation (PATH unset and dialog argument containing no slash), the dialog-like program will not be searched in the current directory anymore (unless of course the current directory is /bin or /usr/bin). This is a much safer behavior; fortunately, the risky behavior only ever existed on bogus setups where the PATH environment variable is unset.

Note that in this respect, we have been following what the GNU C Library (glibc) does for its execvp() function—the corresponding change in glibc happened in version 2.24, released in 2016.

When a Dialog instance is created, it now immediately stores the result of calling os.path.realpath() on the specified executable (which is searched using the PATH if the dialog argument passed to the constructor contains no slash—cf. documentation of the Dialog constructor). This way, a pythondialog-based program can change its current directory after creating a Dialog instance without fearing that this might cause subsequent Dialog method calls to fail or to invoke an executable from a different directory (additionally, os.path.realpath() resolves symbolic links).

The Python 2 backport of pythondialog has been released for this version and should be on par with pythondialog 3.5.1 (this is why version 3.5.0 of the backport has been skipped). The packaging of the backport has been switched from distutils to setuptools too, just as was done in pythondialog 3.5.0 (see below). As a consequence, it is now available in wheel format. However, as said above, Python 2 is deprecated and the Python 2 backport of pythondialog is not supported anymore. Don't expect any further updates to it.


Main changes in version 3.5.0

The main change in version 3.5.0 is:

pythondialog's packaging has been switched from distutils to setuptools (this is the modern way, see the Python Packaging User Guide). Thanks to this change, pythondialog is now available in wheel format. The normal installation method using pip didn't change (see the INSTALL file for details).

The Python 2 backport of pythondialog has not been released for this version (version 3.5.1 will be the last one).
2020-02-04 17:17:06 +00:00
adam
e71af90ad4 Updated security/py-josepy, databases/py-redis, databases/py-sqlalchemy, databases/py-sqlalchemy-utils 2020-02-04 17:04:40 +00:00
adam
154cdac957 py-sqlalchemy-utils: updated to 0.36.1
0.36.1:
- Added support for CASCADE option when dropping views
- Added `aliases` parameter to create_materialized_view function.

0.36.0:
- Removed explain and explain_analyze due to the internal changes in SQLAlchemy version 1.3.

0.35.0:
- Removed some deprecation warnings
- Added Int8RangeType
2020-02-04 17:04:15 +00:00
adam
7eee38a534 py-sqlalchemy: updated to 1.3.13
1.3.13

[orm] [bug] [engine]
Added test support and repaired a wide variety of unnecessary reference cycles created for short-lived objects, mostly in the area of ORM queries. Thanks much to Carson Ip for the help on this.

[orm] [bug]
Fixed regression in loader options introduced in 1.3.0b3 via 4468 where the ability to create a loader option using PropComparator.of_type() targeting an aliased entity that is an inheriting subclass of the entity which the preceding relationship refers to would fail to produce a matching path. See also 5082 fixed in this same release which involves a similar kind of issue.

[orm] [bug]
Fixed regression in joined eager loading introduced in 1.3.0b3 via 4468 where the ability to create a joined option across a with_polymorphic() into a polymorphic subclass using RelationshipProperty.of_type() and then further along regular mapped relationships would fail as the polymorphic subclass would not add itself to the load path in a way that could be located by the loader strategy. A tweak has been made to resolve this scenario.

[orm] [bug]
Repaired a warning in the ORM flush process that was not covered by test coverage when deleting objects that use the “version_id” feature. This warning is generally unreachable unless using a dialect that sets the “supports_sane_rowcount” flag to False, which is not typically the case however is possible for some MySQL configurations as well as older Firebird drivers, and likely some third party dialects.

[orm] [bug]
Fixed bug where usage of joined eager loading would not properly wrap the query inside of a subquery when Query.group_by() were used against the query. When any kind of result-limiting approach is used, such as DISTINCT, LIMIT, OFFSET, joined eager loading embeds the row-limited query inside of a subquery so that the collection results are not impacted. For some reason, the presence of GROUP BY was never included in this criterion, even though it has a similar effect as using DISTINCT. Additionally, the bug would prevent using GROUP BY at all for a joined eager load query for most database platforms which forbid non-aggregated, non-grouped columns from being in the query, as the additional columns for the joined eager load would not be accepted by the database.

[orm] [performance]
Identified a performance issue in the system by which a join is constructed based on a mapped relationship. The clause adaption system would be used for the majority of join expressions including in the common case where no adaptation is needed. The conditions under which this adaptation occur have been refined so that average non-aliased joins along a simple relationship without a “secondary” table use about 70% less function calls.

[engine] [bug]
Fixed issue where the collection of value processors on a Compiled object would be mutated when “expanding IN” parameters were used with a datatype that has bind value processors; in particular, this would mean that when using statement caching and/or baked queries, the same compiled._bind_processors collection would be mutated concurrently. Since these processors are the same function for a given bind parameter namespace every time, there was no actual negative effect of this issue, however, the execution of a Compiled object should never be causing any changes in its state, especially given that they are intended to be thread-safe and reusable once fully constructed.

[sql] [usecase]
A function created using GenericFunction can now specify that the name of the function should be rendered with or without quotes by assigning the quoted_name construct to the .name element of the object. Prior to 1.3.4, quoting was never applied to function names, and some quoting was introduced in 4467 but no means to force quoting for a mixed case name was available. Additionally, the quoted_name construct when used as the name will properly register its lowercase name in the function registry so that the name continues to be available via the func. registry.

[postgresql] [usecase]
Added support for prefixes to the CTE construct, to allow support for Postgresql 12 “MATERIALIZED” and “NOT MATERIALIZED” phrases. Pull request courtesy Marat Sharafutdinov.

[postgresql] [bug]
Fixed issue where the PostgreSQL dialect would fail to parse a reflected CHECK constraint that was a boolean-valued function (as opposed to a boolean-valued expression).

[postgresql] [tests]
Improved detection of two phase transactions requirement for the PostgreSQL database by testing that max_prepared_transactions is set to a value greater than 0. Pull request courtesy Federico Caselli.

[mssql] [bug]
Fixed issue where a timezone-aware datetime value being converted to string for use as a parameter value of a mssql.DATETIMEOFFSET column was omitting the fractional seconds.

[bug] [ext]
Fixed bug in sqlalchemy.ext.serializer where a unique BindParameter object could conflict with itself if it were present in the mapping itself, as well as the filter condition of the query, as one side would be used against the non-deserialized version and the other side would use the deserialized version. Logic is added to BindParameter similar to its “clone” method which will uniquify the parameter name upon deserialize so that it doesn’t conflict with its original.

[bug] [tests]
Fixed a few test failures which would occur on Windows due to SQLite file locking issues, as well as some timing issues in connection pool related tests; pull request courtesy Federico Caselli.


1.3.12

[orm] [bug]
Fixed issue involving lazy="raise" strategy where an ORM delete of an object would raise for a simple “use-get” style many-to-one relationship that had lazy="raise" configured. This is inconsistent vs. the change introduced in 1.3 as part of 4353, where it was established that a history operation that does not expect to emit SQL should bypass the lazy="raise" check, and instead effectively treat it as lazy="raise_on_sql" for this case. The fix adjusts the lazy loader strategy to not raise for the case where the lazy load was instructed that it should not emit SQL if the object were not present.

[orm] [bug]
Fixed regression introduced in 1.3.0 related to the association proxy refactor in 4351 that prevented composite() attributes from working in terms of an association proxy that references them.

[orm] [bug]
Setting persistence-related flags on relationship() while also setting viewonly=True will now emit a regular warning, as these flags do not make sense for a viewonly=True relationship. In particular, the “cascade” settings have their own warning that is generated based on the individual values, such as “delete, delete-orphan”, that should not apply to a viewonly relationship. Note however that in the case of “cascade”, these settings are still erroneously taking effect even though the relationship is set up as “viewonly”. In 1.4, all persistence-related cascade settings will be disallowed on a viewonly=True relationship in order to resolve this issue.

[orm] [bug] [py3k]
Fixed issue where when assigning a collection to itself as a slice, the mutation operation would fail as it would first erase the assigned collection inadvertently. As an assignment that does not change the contents should not generate events, the operation is now a no-op. Note that the fix only applies to Python 3; in Python 2, the __setitem__ hook isn’t called in this case; __setslice__ is used instead which recreates the list item-by-item in all cases.

[orm] [bug]
Fixed issue whereby if the “begin” of a transaction failed at the Core engine/connection level, such as due to network error or database is locked for some transactional recipes, within the context of the Session procuring that connection from the connection pool and then immediately returning it, the ORM Session would not close the connection despite this connection not being stored within the state of that Session. This would lead to the connection being cleaned out by the connection pool weakref handler within garbage collection which is an unpreferred codepath that in some special configurations can emit errors in standard error.

[sql] [bug]
Fixed bug where “distinct” keyword passed to select() would not treat a string value as a “label reference” in the same way that the select.distinct() does; it would instead raise unconditionally. This keyword argument and the others passed to select() will ultimately be deprecated for SQLAlchemy 2.0.

[sql] [bug]
Changed the text of the exception for “Can’t resolve label reference” to include other kinds of label coercions, namely that “DISTINCT” is also in this category under the PostgreSQL dialect.

[sqlite] [bug]
Fixed issue to workaround SQLite’s behavior of assigning “numeric” affinity to JSON datatypes, first described at Support for SQLite JSON Added, which returns scalar numeric JSON values as a number and not as a string that can be JSON deserialized. The SQLite-specific JSON deserializer now gracefully degrades for this case as an exception and bypasses deserialization for single numeric values, as from a JSON perspective they are already deserialized.

[mssql] [bug]
Repaired support for the mssql.DATETIMEOFFSET datatype on PyODBC, by adding PyODBC-level result handlers as it does not include native support for this datatype. This includes usage of the Python 3 “timezone” tzinfo subclass in order to set up a timezone, which on Python 2 makes use of a minimal backport of “timezone” in sqlalchemy.util.
2020-02-04 16:57:20 +00:00
adam
7550e0b05f py-redis: updated to 3.4.1
3.4.1
* Move the username argument in the Redis and Connection classes to the
  end of the argument list. This helps those poor souls that specify all
  their connection options as non-keyword arguments.
* Prior to ACL support, redis-py ignored the username component of
  Connection URLs. With ACL support, usernames are no longer ignored and
  are used to authenticate against an ACL rule. Some cloud vendors with
  managed Redis instances (like Heroku) provide connection URLs with a
  username component pre-ACL that is not intended to be used. Sending that
  username to Redis servers < 6.0.0 results in an error. Attempt to detect
  this condition and retry the AUTH command with only the password such
  that authentication continues to work for these users.
* Removed the __eq__ hooks to Redis and ConnectionPool that were added
  in 3.4.0. This ended up being a bad idea as two separate connection
  pools could be considered equal yet manage a completely separate set of
  connections.
2020-02-04 16:38:22 +00:00
adam
3088e7d397 py-josepy: updated to 1.3.0
1.3.0:
* Deprecated support for Python 3.4.
* Officially add support for Python 3.8.
2020-02-04 16:36:53 +00:00
tnn
4579ccbb44 doc: note git-lfs update 2020-02-04 13:15:17 +00:00
tnn
1ca5ce6a63 git-lfs: update to 2.10.0
## 2.10.0 (21 January 2020)
This release introduces several new features, such as support for local paths in
remotes, Kerberos support, and official binaries for S390x and little-endian
64-bit PowerPC systems.  In addition, numerous bugs have been fixed and
miscellaneous issues have been addressed.

## 2.9.2 (12 December 2019)
This release fixes a few regressions, such as a possible nil pointer
dereference, a failure to retry batch requests, and a bug where repositories
could fail to be detected on Windows.

## 2.9.1 (25 November 2019)
This release fixes a few regressions, such as the ability to use HTTP/1.1 when
required, addresses a race condition, and switches the cookie jar parser to
something that's easier for distributions to package.

## 2.9.0 (17 October 2019)
This release adds support for DragonFly BSD, adds a new `git lfs dedup` command
to save space if the file system supports it, adds support for file URLs,
improves the performance when walking the repository, contains improvements
to use HTTP/2 when available and cookies when required, and numerous other bug
fixes, features, and modifications.

## 2.8.0 (23 July 2019)
This release adds support for SOCKS proxies and Windows junctions, adds native
packages for Debian 10 and similar distributions, reduces the number of
situations in which running `git lfs fetch --all` is required, improves
compatibility with Cygwin, and numerous other bug fixes and modifications.
2020-02-04 13:14:48 +00:00
fox
513df21203 security/wolfssl: Updates the comment on mutex test failure.
Adds the version of -current where the tests have been fixed.
2020-02-04 11:47:31 +00:00
adam
e0bf22fd1f stellarium: explicitly disable gpsd support (needs patching) 2020-02-04 10:00:11 +00:00
adam
ba3cb318cf Updated security/py-cryptodome, lang/py-parso 2020-02-04 09:40:22 +00:00
adam
50b043345a py-parso: updated to 0.6.1
0.6.1:
- Add ``parso.normalizer.Issue.end_pos`` to make it possible to know where an
  issue ends
2020-02-04 09:40:01 +00:00
adam
7aea70d098 py-cryptodome: updated to 3.9.6
3.9.6:

Resolved issues
* Fix building of wheels for OSX by explicitly setting `sysroot` location.


3.9.5:

Resolved issues
* RSA OAEP decryption was not verifying that all ``PS`` bytes are zero.
* GH-372: fixed memory leak for operations that use memoryviews when `cffi` is not installed.
* Fixed wrong ASN.1 OID for HMAC-SHA512 in PBE2.

New features
* Updated Wycheproof test vectors to version 0.8r12.
2020-02-04 09:36:21 +00:00
markd
024458b3f1 rdesktop: use correct modulus and exponent in rdssl_rkey_get_exp_mod 2020-02-04 09:15:51 +00:00
taca
433f0e7746 doc: Updated www/squid4 to 4.10 2020-02-04 03:04:21 +00:00
taca
765e06107d www/squid4: update to 4.10
pkgsrc changes: clean up PKG_OPTIONS and enable several backends default.

Quote from release announce:

This release is a security release resolving several issues found in
the prior Squid releases.

The major changes to be aware of:

 * SQUID-2020:1 Improper Input Validation issues in HTTP Request
   processing
   (CVE-2020-8449, CVE-2020-8450)

This issue allows attackers to perform denial of service on the
proxy and all clients using it.

This issue potentially allows attackers to bypass security access
controls in systems between client and proxy.

This issue potentially allows remote code execution under the
proxy low-privilege level. While restricted, it does have access
to a wide range of information about the network structure and
other clients using the proxy.

This issue is limited to Squid acting as a reverse-proxy. Some
effects also require allow_direct permissions.

See the advisory for updated patches:
 <http://www.squid-cache.org/Advisories/SQUID-2020_1.txt>

Please note that NTLM is a deprecated authentication mechanism.
All users of this tool are advised to plan migration to
Negotiate/Kerberos authentication.

 * SQUID-2020:2 Information Disclosure issue in FTP Gateway.
   (CVE-2019-12528)

Certain FTP server responses can result in Squid revealing
random amounts of memory content from heap.

When Squid mempools feature is enabled the leak is limited to
lines in FTP directory listings, possibly from other clients.

When mempools is disabled the information may be anything from
the heap area including information from other processes on the
machine.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2020_2.txt>

 * SQUID-2020:3 Buffer Overflow issue in ext_lm_group_acl helper.
   (CVE-2020-8517)

This problem is limited to installations using the ext_lm_group_acl
binary (previously shipped as mswin_check_lm_group).

Due to incorrect input validation the NTLM authentication
credentials parser in ext_lm_group_acl may write to memory
outside the credentials buffer.

On systems with memory access protections this can result in
the helper process being terminated unexpectedly. Resulting
in Squid process also terminating and a denial of service for
all clients using the proxy.

See the advisory for more details:
 <http://www.squid-cache.org/Advisories/SQUID-2020_3.txt>

 * Bug 5008: SIGBUS in PagePool::level() with custom rock slot size

This shows up as SMP Squids crashing on arm64 with a SIGBUS error. The
issue was incorrect memory alignment with certain cache sizes. This
Squid release now forces alignment of the critical rock page details.

 * Bug 4735: Truncated chunked responses cached as whole

This bug shows up as clients getting the cached truncated response
objects until the cache object expires or is force removed.

In absence of partial-object caching this Squid release treats
incomplete responses as non-cacheable and prevents the chunked encoding
terminator chunk being delivered to the active client(s).

 * Fix server_cert_fingerprint on cert validator-reported errors

This bug shows up as a server_cert_fingerprint ACL mismatch when
sslproxy_cert_error directive was applied to validation errors reported
by the certificate validator, because the ACL could not find the server
certificate.

  All users of Squid are urged to upgrade as soon as possible.
2020-02-04 03:03:48 +00:00
gutteridge
ae9625fdb7 doc: KOffice has been defunct for years 2020-02-04 01:58:26 +00:00
gutteridge
b4728a1453 doc: Updated devel/geany to 1.36 2020-02-04 01:54:04 +00:00
gutteridge
16d06cfa7b geany: update to 1.36
Geany 1.36 (September 28, 2019)

    General
    * Give precedence to user-defined filetype extension mappings over default
      ones (PR#2166).
    * Give precedence to the longest matching filetype pattern (Issue#1499,
      Issue#1921, PR#2167).
    * Place the socket file in `$XDG_RUNTIME_DIR` when available
      (Thomas Martitz, PR#2222).

    Bug fixes
    * Improve path ellipsising in Go To Tag filetype popup
      (Thomas Martitz, PR#2262).

    Interface
    * Show group prefix for the Various preferences (PR#2176).
    * Show the GTK/GLib versions in about dialog (PR#2163).

    Editor
    * Update Scintilla to version 3.10.4 (PR#2138).
    * Add support for fractional font sizes (Pedro Henrique Antunes de Oliveira,
      Issue#703, PR#2250).

    Filetypes
    * Add Apple Swift filetype (Ankit Pati, PR#1323).
    * Add Nim filetype (Simon Krauter, Issue#1772, PR#2085).
    * Update NSIS keywords (PR#2181).
    * Update error matching for the CUDA filetype (Rajesh Pandian M,
      Issue#2213, PR#2218).
    * Add Kotlin custom filetype (Issue#1581, PR#2186).
    * Add Groovy custom filetype (PR#2188).
    * Add TypeScript custom filetype (Issue#1449, PR#2187).
    * Small update of Django keywords (PR#2315).
    * Don't suggest to override all settings through *Tools->Configuration
      Files* (Issue#1552, PR#2168).

    Windows
    * Migrate the installer to NSIS 3 (Issue#1302, PR#2181).
    * Fix build on recent MSYS2 (Issue#2261, PR#2263).

    Internationalization
    * New translations: ku
    * Updated translations: da, de, es, fr, it, ja, lv, pt, sk, sv, zh_CN
2020-02-04 01:53:20 +00:00
minskim
c54684f81e doc: Updated www/py-feedgen to 0.9.0 2020-02-04 00:18:05 +00:00
minskim
8ac172ac18 www/py-feedgen: Update to 0.9.0
This version fixes a DoS vulnerability (CVE-2020-5227).
2020-02-04 00:18:02 +00:00
fox
ad5979d08c doc: Added security/wolfssl version 4.3.0 2020-02-03 23:06:09 +00:00
fox
b579bbadd2 Added wolfssl to Makefile SUBDIRs 2020-02-03 23:05:10 +00:00
fox
4f0734454b Import of wolfssl v4.3.0 as security/wolfssl
WolfSSL is an embedded SSL Library for programmers building security
functionality into their applications and devices.
2020-02-03 23:04:09 +00:00
adam
8d2c9e81a4 Updated www/py-djangocms-admin-style, www/py-django-cms 2020-02-03 20:36:35 +00:00
adam
508f3e2c5b py-django-cms: updated to 3.7.1
3.7.1:
Added code of conduct reference file to the root directory
Moved contributing file to the root directory
Added better templates for new issue requests
Fixed a bug where creating a page via the cms.api.create_page ignores left/right positions.
Fixed documentation example for urls.py when using multiple languages.
Mark public static placeholder dirty when published.
Fixed a bug where request.current_page would always be the public page, regardless of the toolbar status (draft / live). This only affected custom urls from an apphook.
Fixed a bug where the menu would render draft pages even if the page on the request was a public page. This happens when a user without change permissions requests edit mode.
Fixed the 'urls.W001' warning with custom apphook urls
Prevent non-staff users to login with the django CMS toolbar
Added missing {% trans %} to toolbar shortcuts.
Fixed branch and release policy.
Improved and simplified permissions documentation.
Improved apphooks documentation.
Improved CMSPluginBase documentation.
Improved documentation related to nested plugins.
Updated installation tutorial.
Fixed a simple typo in the docstring for cms.utils.helpers.normalize_name.

3.7.0:
Introduced Django 2.2 support.
Introduced Python 3.7 support.
Fixed test suite.
Fixed override urlconf_module so that Django system checks don't crash.

3.6.0:
Removed the cms moderator command.
Dropped Django < 1.11 support.
Removed the translatable content get / set methods from CMSPlugin model.
Removed signal handlers for Page, Title, Placeholder and CMSPlugin models.
Moved Title.meta_description length restriction from model to form and increased its max length to 320 characters.
Added page_title parameter for cms.api.create_page() and cms.api.create_title().
Introduced Django 2.0 support.
Introduced Django 2.1 support.
2020-02-03 20:36:17 +00:00
adam
820eb6a68c py-djangocms-admin-style: updated to 1.5.0
1.5.0:
Added support for Django 3.0
Added support for Python 3.8

1.4.0:
Introduced support for Django 2.2 and django CMS 3.7
Removed support for Django 2.0
Extended test matrix
Fixed screenshot tests for Django 2.1 and higher
Added new classifiers
2020-02-03 20:35:09 +00:00
adam
e2da930f72 reset revision 2020-02-03 20:04:57 +00:00
schmonz
1dcd4d2564 doc: Updated net/ucspi-ssl to 0.999.11.1nb2 2020-02-03 19:56:24 +00:00
schmonz
f9ca7f428f Distfile changed; since DIST_SUBDIR had been mistakenly preserved in
previous update, unset it. Bump PKGREVISION.

The complete diffs:

diff -Naur OLD/host/superscript.com/net/ucspi-ssl-0.11.1/package/build NEW/host/superscript.com/net/ucspi-ssl-0.11.1/package/build
--- OLD/host/superscript.com/net/ucspi-ssl-0.11.1/package/build	2019-11-07 11:21:18.000000000 -0500
+++ NEW/host/superscript.com/net/ucspi-ssl-0.11.1/package/build	2019-12-28 11:31:11.000000000 -0500
@@ -1 +1 @@
-20191107172118
+20191228173111
diff -Naur OLD/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslclient.c NEW/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslclient.c
--- OLD/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslclient.c	2019-09-08 15:02:23.000000000 -0400
+++ NEW/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslclient.c	2019-12-28 06:34:03.000000000 -0500
@@ -227,6 +227,7 @@
     if (!stralloc_copys(&addresses,"")) nomem();
     byte_copy(addresses.s,12,V4mappedprefix);
     byte_copy(addresses.s + 12,4,ipremote + 12);
+    ipv4socket = 1;
   } else if (ip6_scan(hostname,ipremote))
       if (!stralloc_copyb(&addresses,ipremote,16)) nomem();

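Review bot: The added `ipv4socket = 1;` at the end of the IPv4 branch has no counterpart in the visible `else if (ip6_scan(hostname,ipremote))` branch, so the result depends on `ipv4socket` being initialised to 0 somewhere outside this hunk. Please confirm that initialisation and add a one-line comment saying why the flag has to be set when the address is stored in V4-mapped form. The unbraced `if (!stralloc_copyb(...)) nomem();` under the `else if` is also easy to misread next to the braced branch above it; bracing it would help.
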
diff -Naur OLD/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslserver.c NEW/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslserver.c
--- OLD/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslserver.c	2019-09-15 06:20:23.000000000 -0400
+++ NEW/host/superscript.com/net/ucspi-ssl-0.11.1/src/sslserver.c	2019-12-28 06:36:10.000000000 -0500
@@ -755,7 +755,7 @@
   if (!addresses.len) {
     if (!stralloc_copys(&tmp,hostname)) drop_nomem();
     if (dns_ip6_qualify(&addresses,&fqdn,&tmp) <= 0)
-      logmsg(WHO,111,FATAL,B("temporarily unable to figure out IP address for: ",(char *)hostname));
+      logmsg(WHO,111,FATAL,B("unable to figure out IP address for: ",(char *)hostname));
   }
   if (addresses.len < 16)
     logmsg(WHO,111,FATAL,B("no IP address for: ",(char *)hostname));
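Review bot: In the `dns_ip6_qualify(&addresses,&fqdn,&tmp) <= 0` branch the message drops "temporarily" while the call still passes 111, the same code as the `no IP address for: ` call two lines below. If 111 is meant to signal a temporary failure to the caller, the message and the code now disagree. Either keep the old wording, or split the `< 0` and `== 0` results so each gets its own message and a matching code.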
2020-02-03 19:56:19 +00:00
schmonz
136aba0def Specify TEST_TARGET. 2020-02-03 18:59:55 +00:00
bsiegert
351c298c24 doc: Updated devel/go-sys to 0.0.20200202 2020-02-03 15:00:42 +00:00
bsiegert
de03cbb967 Update go-sys to 20200202.
No changelog available, but there were some netbsd-related enhancements.
2020-02-03 15:00:29 +00:00
bsiegert
9b4c68115a doc: Updated security/go-crypto-acme to 0.0.20200122 2020-02-03 14:52:18 +00:00
bsiegert
d2899c876c Re-add a package for go-crypto-acme.
The acme package has a dependency on go-net but go-net depends on
go-crypto. Separate it out to prevent a circular dependency.
2020-02-03 14:51:55 +00:00
bsiegert
f5680a1dee doc: Updated net/go-net to 20200130 2020-02-03 14:48:18 +00:00
bsiegert
e7fa7466fe Update go-net to 20200130.
No changelog available, but this is needed for go-crypto-acme.
2020-02-03 14:46:07 +00:00
bsiegert
71850f41a4 doc: Updated security/go-crypto to 0.0.20200122 2020-02-03 13:14:36 +00:00
bsiegert
92eccf2d3b Update go-crypto to 0.0.20200122.
In addition to about two years of changes, this contains notably the
following security fix:

	When int is 32 bits wide (on 32-bit architectures like 386 and arm), an
	overflow could occur, causing a panic, due to malformed ASN.1 being
	passed to any of the ASN1 methods of String.

	Tested on linux/386 and darwin/amd64.

	This fixes CVE-2020-7919 and was found thanks to the Project Wycheproof
	test vectors.

pkgsrc changes:
Once again, the acme subdirectory was removed as it introduces a circular
dependency with go-net.

Prodded several times by ng0@
2020-02-03 13:14:20 +00:00