______________________________________________________________________________
Announcement ID: openSUSE-SU-2015:0042-1
Rating: moderate
References: #909474 #909475
Cross-References: CVE-2014-8137
Affected Products:
openSUSE 13.1
______________________________________________________________________________
An update that solves one vulnerability and has one errata
is now available.
Description:
The following issues were fixed with this update:
- CVE-2014-8137 double-free in jas_iccattrval_destroy() (bnc#909474)
- CVE-2014-8138 heap overflow in jas_decode() (bnc#909475)
References:
http://support.novell.com/security/cve/CVE-2014-8137.html
https://bugzilla.suse.com/show_bug.cgi?id=909474
https://bugzilla.suse.com/show_bug.cgi?id=909475
== Cppcheck-1.68 ==
General changes:
New checks:
- Multifile checking for buffer overruns and uninitialized variables
Improvements:
- Libraries are now able to contain platform specific types
- Improved handling of function overloads
- Improved handling of integer literal suffixes
- Improved stability of template parsing
- Improved accuracy of ValueFlow analysis
- Improved checking of pointer overflow
- Support noexcept(false)
- Support __attribute__((noreturn))
- A bunch of additions to several Libraries, especially posix.cfg and qt.cfg
Additionally, lots of false positives and bugs have been fixed and several existing checks have been improved.
== Cppcheck-1.67 ==
General changes:
- Library files now have a 'format' attribute. Format version 1 is assumed by default
- Cppcheck no longer aborts checking if unhandled characters (Non-ASCII) are found
New checks:
- Check for unused return values
- Detect shift by too many bits, signed integer overflow and dangerous sign conversion
- Recommend usage of expm1(), log1p(), erfc()
- Division by sizeof() as parameter to memset/memcpy/memmove/etc. as they expect a size in bytes
- Several new va_arg related checks:
-- Wrong parameter passed to va_start()
-- Reference passed to va_start()
-- Missing va_end()
-- Using va_list before it is opened
-- Subsequent calls to va_start/va_copy()
- Initialization by itself in initializer list
- Dead pointer usage when a pointer aliases a local variable that has gone out of scope
Improvements:
- Support uniform initialization syntax (C++11)
- Many improvements to value flow analysis
- Improved AST creation (support placement new, C++-style casts, templates, operator new[], ...)
- Improved lambda support
- Support GCC extension __attribute__((used)) and MSVC extension __declspec(property)
- Better support for static member variables, inherited variables and namespaces
- Improved typedef support where multiple variables are declared at once
- Avoid checking code multiple times by calculating a checksum. Duplicate preprocessor configurations are eliminated by this.
- Support C++03/C 'auto' keyword
- HTML report: display 'verbose' message using clickable expandable divs
Changes since 1.0.24:
1.1.4 - Released 26-Aug-2014
--------------------------------
- Add magic container infrastructure.
- Add magic containers for 50 recent items for each category.
- Fix bad null termination in AAC parsing.
- Fix requests for the last byte of a file, which affected MKV playback on Philips TVs.
- Support 64-bit time_t values.
1.1.3 - Released 05-June-2014
--------------------------------
- Enhance log level settings.
- Fix Samsung browsing when root_container is set.
- Add Clang compiling support.
- Fix compiling on systems without iconv.
- Add merge_media_dirs option, to revert to the old behavior.
- Add Asus O!Play client support.
- Fix Broken SSDP multicast membership addition.
- Fix crash bug with an empty filter argument.
- Accept SMI subtitles in addition to SRT.
- Add BubbleUPnP detection and enable subtitle support.
- Allow the user to specify an arbitrary root container.
- Add libavcodec > 54 / libav 10 compatibility.
- Get embedded cover art from video files with recent libavformat versions.
- Disable Samsung DCM10 capability, as it breaks compatibility with new models.
- Add subtitle support for NetFront™ Living Connect middleware-based clients.
1.1.2 - Released 06-Mar-2014
--------------------------------
- Show client status on our basic presentation page.
- Add a new force_sort_criteria option, to globally override the SortCriteria value sent by the client.
- Fix a couple resource leaks.
- Add configuration include file support.
- Support DLNA/UPnP-AV searches issued by clients using the Grilo framework.
- Fix some clients playing artwork instead of movie.
- Fix bookmarks on Samsung Series E clients.
- Add an extra folder level if there are multiple media locations.
- Fix some multicast membership issues with changing network settings.
- Make max number of children (connections) configurable.
- Fix choppy playback with some file types on Panasonic clients by increasing the max connection limit.
1.1.1 - Released 01-Nov-2013
--------------------------------
- Add network interface monitoring support on Linux.
- Don't require a configured network interface to start up.
- Fix some minor spec compliance issues.
1.1.0 - Released 04-April-2013
--------------------------------
- Add support for other operating systems.
- Switch to autoconf from our handcrafted genconfig.sh.
- Add configuration option for UUID.
- Add configuration option to specify the user to run as.
- Add support for limiting a media dir to multiple media types.
- Force a rescan if we detect a new or missing media_dir entry.
- Fix crash caused by certain TiVo clients.
- Fix crash bug on video files with some ffmpeg library versions.
- Add support for TiVo MPEG-TS files.
- Add some logging and forking tweaks to work better with systemd.
- Validate or escape user input to prevent SQL injection.
- Add forced sorting support for Panasonic devices.
1.0.25 - Released 13-July-2012
--------------------------------
- Fix a couple crash bugs on malformed WAV files.
- Forcibly tweak the model number for Xbox360 clients, or they might ignore us.
- Enable all network interfaces by default if none were specified.
- Add flag to force downscaled thumbnails rather than using embedded ones.
- Add DirecTV client detection, and fix image resolution issue.
- Add support for the latest ffmpeg/libav library versions.
- Fix a potential crash on requests for a resize of a non-existent image.
- Make DeviceID checking more permissive for Sagem Radio.
This release adds many new features which enhance PostgreSQL's flexibility, scalability and performance for many different types of database users, including improvements to JSON support, replication and index performance.
----------------
Version 3.2:
I made some changes to the Strlcat() function and its usage in
the xnec2c code, to improve safe handling of string
concatenation operations. Hopefully this has not broken the
handling of various strings in xnec2c! ;-)
## 2015-01-12 Release 1.04
Ed J (5):
* Actually include all the tests in the MANIFEST
* use Test::More and warnings
* Tidy t/alias.t
* t/arg.t TODO some actual ARGV testing
* Use Win32::GetConsoleCP/GetConsoleOutputCP if available
Gisle Aas (3):
* Documentation spell fix
* SEE ALSO Term::Encoding [RT#98138]
David Steinbrunner (1):
* typo fix
2.009 2014/01/12
- remove util/analyze.pl. This tool is now together with other SSL tools in
https://github.com/noxxi/p5-ssl-tools
- added ALPN support (needs OpenSSL1.02, Net::SSLeay 1.56+) thanks to TEAM,
RT#101452
2015-01-12 Gisle Aas <gisle@ActiveState.com>
Release 2.54
David Mitchell: silence some compiler warnings
Jonathan Hall: Add ->context() feature
Steve Hay: Sync with blead
bulk88: const the vtable
zefram: 5.6 threads test fix
Changes in DBI 1.633 - 11th Jan 2015
Fixed selectrow_*ref to return undef on error in list context
instead of an empty list.
Changed t/42prof_data.t to be more informative
Changed $sth->{TYPE} to be NUMERIC in DBD::File drivers as per the
DBI docs. Note TYPE_NAME is now also available. [H.Merijn Brand]
Fixed compilation error on bleadperl due to DEFSV no longer being an lvalue
[Dagfinn Ilmari Mannsåker]
Added docs for escaping placeholders using a backslash.
Added docs for get_info(9000) indicating ability to escape placeholders.
Added multi_ prefix for DBD::Multi (Dan Wright) and ad2_ prefix for
DBD::AnyData2
0.35 Wed Jan 07 12:00:00 CT 2014
- Specify a version of JSON::MaybeXS in the Makefile to close a test
failure (test case requires version '1.003000' so we made that the
required version).
5.72 2015-01-11
- Added EXPERIMENTAL support for case-insensitive attribute selectors like
[foo="bar" i] to Mojo::DOM::CSS.
- Added max_lines attribute to Mojo::Headers.
- Improved Mojo::Reactor::EV to update the current time before starting a
timer.
- Improved error messages for start-line and header limits.
- Fixed bug in Mojo::Headers where max_line_size was not checked correctly.
- Fixed whitespace bug in Mojo::DOM::CSS.
- Add ${PERL5_LICENSE}
- Add post-patch: target to remove garbage
(upstream)
Update 2.28 to 2.29
2.29 2005-12-10
- Fixed the setCookie() domain checking to be domain agnostic.
- Fixed the print(css => []) issue where entries were not being displayed
one to a line, unless you had postfixed them with \n.
- If you don't specify a -Options hashref for a select box, it now creates
an empty one for you instead of blowing an error since this is a useful
and valid case.
- Added #VALUE=x# for Feature Request 1398696.
- Worked on fixing Bug#1453214 by making the formSubmittedVariable only be
required when we have form items that depend on it to know what state they
are in. checkbox, select, multi-select, select-picker all depend on it.
- Worked on fixing Bug#1284264 by making the required string only be displayed
when there are user visible required items. Improved the createTemplate()
output to take this into account and to only display the table elements when
there are user visible form items defined.
- Fixing bug #1454087.