* Noteworthy changes in release 3.8.2 (2021-09-25) [stable]
Fixed portability issues of bison on Cygwin.
Improvements in glr2.cc: add support for custom error messages (`%define
parse.error custom`), allow linking several parsers together.
pkgsrc changes:
- Take MAINTAINERship
Changes:
(Manually filled to only highlight major changes)
1.22.x
------
- Added support for `kubectl debug' ephemeral containers
(compatible with old API)
1.21.x
------
- Update kubectl kustomize to 4.0.5
- Default Container Annotation: Pod with multiple containers can use
kubectl.kubernetes.io/default-container annotation to have a container
preselected for kubectl commands. More can be read in KEP-2227.
3.8.3
** Bug
* [MNG-7045] - Drop CDI API from Maven
* [MNG-7214] - Bad transitive dependency parent from CDI API
* [MNG-7215] - [Regression] Maven Site Plugin cannot resolve parent site descriptor without locale
* [MNG-7216] - Revert MNG-7170
* [MNG-7218] - [Regression] o.a.m.model.Build.getSourceDirectory() incorrectly returns absolute dir on 3.8.2
* [MNG-7219] - [Regression] plexus-cipher missing from transitive dependencies
* [MNG-7220] - [REGRESSION] test-classpath incorrectly resolved
* [MNG-7251] - Fix threadLocalArtifactsHolder leaking into cloned project
* [MNG-7253] - Relocation message is never shown
** New Feature
* [MNG-7164] - Add constructor MojoExecutionException(Throwable)
** Improvement
* [MNG-7235] - Speed improvements when calculating the sorted project graph
* [MNG-7236] - The DefaultPluginVersionResolver should cache results for the session
** Task
* [MNG-7252] - Fix warnings issued by dependency:analyze
* [MNG-7254] - Expand Windows native libraries for Jansi due to JDK-8195129 (workaround)
3.8.2
** Sub-task
* [MNG-6281] - ArrayIndexOutOfBoundsException caused by pom.xml with invalid/duplicate XML
** Bug
* [MNG-4706] - Multithreaded building can create bad files for downloaded artifacts in local repository
* [MNG-5307] - NPE during resolution of dependencies - parallel mode
* [MNG-5315] - Artifact resolution sporadically fails in parallel builds
* [MNG-5838] - Maven on No-File-Lock Systems
* [MNG-5868] - Adding several times the same artifact via MavenProjectHelper (attachArtifact) keep adding to the List duplicate artifacts
* [MNG-6071] - GetResource ('/) returns 'null' if build is started with -f
* [MNG-6216] - ArrayIndexOutOfBoundsException when parsing POM
* [MNG-6239] - Jansi messes up System.err and System.out
* [MNG-6380] - Option -Dstyle.color=always doesn't force color output
* [MNG-6604] - Intermittent failures while downloading GAVs from Nexus
* [MNG-6648] - 'mavenrc_pre' script does not receive arguments like mavenrc in Bourne shell does
* [MNG-6719] - mvn color output escape keys w/ "| tee xxx.log" on Win with git/bash
* [MNG-6737] - StackOverflowError when version ranges are unsolvable and graph contains a cycle
* [MNG-6767] - Plugin with ${project.groupId} resolved improperly
* [MNG-6819] - NullPointerException for DefaultArtifactDescriptorReader.loadPom
* [MNG-6828] - DependencyResolutionException breaks serialization
* [MNG-6842] - ProjectBuilderTest uses Guava, but Guava is not defined in dependencies
* [MNG-6843] - Parallel build fails due to missing JAR artifacts in compilePath
* [MNG-6850] - Prevent printing the EXEC_DIR when it's just a disk letter
* [MNG-6921] - Maven compile with properties ${artifactId} and ${project.build.finalName} occurs java.lang.NullPointerException
* [MNG-6937] - StringSearchModelInterpolatorTest fails on symlinked paths
* [MNG-6964] - Maven version sorting is internally inconsistent
* [MNG-6983] - Plugin key can get out of sync with artifactId and groupId
* [MNG-7000] - metadata.mdo contains invalid link to schema
* [MNG-7032] - Option -B still showing formatting when used with --version
* [MNG-7034] - StackOverflowError thrown if a cycle exists in BOM imports
* [MNG-7090] - mvnDebug does not work on Java 11+
* [MNG-7127] - NullPointerException in MavenCliTest.testStyleColors in JDK 16
* [MNG-7155] - make sources jar reproducible (upgrade maven-source-plugin to 3.2.1)
* [MNG-7161] - Error thrown during uninstalling of JAnsi
** New Feature
* [MNG-7149] - Introduce MAVEN_DEBUG_ADDRESS in mvnDebug scripts
** Improvement
* [MNG-2802] - Concurrent-safe access to local Maven repository
* [MNG-6471] - Parallel builder should use the module name as thread name
* [MNG-6754] - Set the same timestamp in multi module builds
* [MNG-6810] - Remove profiles in maven-model
* [MNG-6811] - Remove unnecessary filtering configuration
* [MNG-6816] - Prefer System.lineSeparator() over system properties
* [MNG-6827] - Replace deprecated StringUtils#defaultString() from Plexus Utils
* [MNG-6837] - Simplify detection of the MAVEN_HOME and make it fully qualified on Windows
* [MNG-6844] - Use StandardCharsets and remove outdated @SuppressWarnings
* [MNG-6853] - Don't box primitives where it's not needed
* [MNG-6859] - Build not easily reproducible when built from source release archive
* [MNG-6873] - Inconsistent library versions notice
* [MNG-6967] - Improve the command line output from maven-artifact
* [MNG-6987] - Reorder groupId before artifactId when writing an exclusion using maven-model
* [MNG-7010] - Omit "NB: JAVA_HOME should point to a JDK not a JRE" except when that is the problem
* [MNG-7064] - Use HTTPS for schema location in global settings.xml
* [MNG-7080] - Add a --color option
* [MNG-7170] - Allow to associate pomFile/${basedir} with DefaultProjectBuilder.build(ModelSource, ...)
* [MNG-7180] - Make --color option behave more like BSD/GNU grep's --color option
* [MNG-7181] - Make --version support -q
* [MNG-7185] - Describe explicit and recommended version for VersionRange.createFromVersionSpec()
* [MNG-7190] - Load mavenrc from /usr/local/etc also in Bourne shell script
** Task
* [MNG-6598] - Maven 3.6.0 and Surefire problem
* [MNG-6884] - Cleanup POM File after version upgrade
* [MNG-7172] - Remove expansion of Jansi native libraries
* [MNG-7184] - document .mavenrc/maven_pre.bat|cmd scripts and
MAVEN_SKIP_RC environment variable
3.8.1
This release with CVE fixes is a result based on the findings and feedback of Jonathan Leitschuh
and Olaf Flebbe.
One of the changes that might impact your builds is the way custom repositories defined in
dependency POMs will be handled.
By default external insecure repositories will now be blocked (localhost over HTTP will still
work).
Configuration can be adjusted via the conf/settings.xml.
Release Notes - Maven - Version 3.8.1
** Bug
* [MNG-7128] - improve error message when blocked repository defined in build POM
** New Feature
* [MNG-7116] - Add support for mirror selector on external:http:*
* [MNG-7117] - Add support for blocking mirrors
* [MNG-7118] - Block external HTTP repositories by default
** Dependency upgrade
* [MNG-7119] - Upgrade Maven Wagon to 3.4.3
* [MNG-7123] - Upgrade Maven Resolver to 1.6.2
This minor release includes a security fix according to the new security policy.
When invoking functions from WASM modules, built using GOARCH=wasm GOOS=js,
passing very large arguments can cause portions of the module to be overwritten
with data from the arguments.
If using wasm_exec.js to execute WASM modules, users will need to replace their
copy (as described in https://golang.org/wiki/WebAssembly#getting-started)
after rebuilding any modules.
This is issue 48797 and CVE-2021-38297. Thanks to Ben Lubar for reporting this
issue.
Security Vulnerabilities fixed in Firefox ESR 91.2
#CVE-2021-38496: Use-after-free in MessageTask
#CVE-2021-38497: Validation message could have been overlaid on another
origin
#CVE-2021-38498: Use-after-free of nsLanguageAtomService object
#CVE-2021-32810: Data race in crossbeam-deque
#CVE-2021-38500: Memory safety bugs fixed in Firefox 93, Firefox ESR 78.15,
and Firefox ESR 91.2
4.1.0 (2021-10-05)
------------------
API Changes (Backward-Compatible)
- Support for Python 3.9 has been added.
- Support for Python 3.10 has been added.
- New example for a Python socket HTTP/2 client.
- New `OutputLogger` for use with ``h2.config.logger``. This is only provided
for convenience and not part of the stable API.
Bugfixes
- Header validation now rejects empty header names with a ProtocolError. While
hpack decodes such header blocks without issues, they violate the
HTTP semantics.
- Fix TE header name in error message.
Changes since 4.13.11
---------------------
* BUG 14806: Address a significant performance regression in database access
in the AD DC since Samba 4.12.
* BUG 14807: Fix performance regression in lsa_LookupSids3/LookupNames4 since
Samba 4.9 by using an explicit database handle cache.
* BUG 14817: An unauthenticated user can crash the AD DC KDC by omitting the
server name in a TGS-REQ.
* BUG 14818: Address flapping samba_tool_drs_showrepl test.
* BUG 14819: Address flapping dsdb_schema_attributes test.
* BUG 14784: Fix CTDB flag/status update race conditions.
PostgreSQL 14 contains many new features and enhancements, including:
Stored procedures can now return data via OUT parameters.
The SQL-standard SEARCH and CYCLE options for common table expressions have been implemented.
Subscripting can now be applied to any data type for which it is a useful notation, not only arrays. In this release, the jsonb and hstore types have gained subscripting operators.
Range types have been extended by adding multiranges, allowing representation of noncontiguous data ranges.
Numerous performance improvements have been made for parallel queries, heavily-concurrent workloads, partitioned tables, logical replication, and vacuuming.
B-tree index updates are managed more efficiently, reducing index bloat.
VACUUM automatically becomes more aggressive, and skips inessential cleanup, if the database starts to approach a transaction ID wraparound condition.
Extended statistics can now be collected on expressions, allowing better planning results for complex queries.
libpq now has the ability to pipeline multiple queries, which can boost throughput over high-latency connections.
adjust chio-changer script:
- subtract 1 from slot provided by bacula as bacula starts counting
from 1 and chio(4) starts counting from 0
- adjust list output to what bacula expects when barcodes aren't
present
Changes from 1.21.0 to 1.21.1
=============================
* Fix pthread flag when linking on ppc64le.
* Updates in codecs (some bring important performance improvements):
* BloscLZ updated to 2.5.1.
* Zlib updated to 1.2.11
* Zstd updated to 1.5.0
Release 1.1.0
Fix byte order inconsistency issue during deserialization using joblib.load in cross-endian environment: the numpy arrays are now always loaded to use the system byte order, independently of the byte order of the system that serialized the pickle. https://github.com/joblib/joblib/pull/1181
Fix joblib.Memory bug with the ignore parameter when the cached function is a decorated function. https://github.com/joblib/joblib/pull/1165
Fix joblib.Memory to properly handle caching for functions defined interactively in a IPython session or in Jupyter notebook cell. https://github.com/joblib/joblib/pull/1214
Update vendored loky (from version 2.9 to 3.0) and cloudpickle (from version 1.6 to 2.0) https://github.com/joblib/joblib/pull/1218
3.8.0 - 04/10/2021
Modified
transip provider is deprecated and not maintained anymore, it will be replaced soon by a new transip provider build on top of the TransIP v6 REST API
Deleted
transip provider is not part of the full dns-lexicon extra, you need to install explicitly the transip extra instead
3.7.1 - 04/10/2021
Modified
Allow to use newer versions of cryptography
Fix doc about unit tests
Changes with Apache 2.4.51
*) SECURITY: CVE-2021-42013: Path Traversal and Remote Code
Execution in Apache HTTP Server 2.4.49 and 2.4.50 (incomplete
fix of CVE-2021-41773) (cve.mitre.org)
It was found that the fix for CVE-2021-41773 in Apache HTTP
Server 2.4.50 was insufficient. An attacker could use a path
traversal attack to map URLs to files outside the directories
configured by Alias-like directives.
If files outside of these directories are not protected by the
usual default configuration "require all denied", these requests
can succeed. If CGI scripts are also enabled for these aliased
paths, this could allow for remote code execution.
This issue only affects Apache 2.4.49 and Apache 2.4.50 and not
earlier versions.
*) core: Add ap_unescape_url_ex() for better decoding control, and deprecate
unused AP_NORMALIZE_DROP_PARAMETERS flag.