Add more test dependencies.
Self tests cause a Python core dump, see
https://github.com/pyca/cryptography/issues/3372
1.7.2 - 2017-01-27
~~~~~~~~~~~~~~~~~~
* Updated Windows and macOS wheels to be compiled against OpenSSL 1.0.2k.
SWIG-3.0.11 summary:
- PHP 7 support added.
- C++11 alias templates and type aliasing support added.
- Minor fixes and enhancements for C#, Go, Guile, Java, JavaScript, Octave, PHP, Python, R, Ruby, Scilab and XML.
FEATURES:
- KV Import/Export CLI: consul kv export and consul kv import can be
used to move parts of the KV tree between disconnected consul
clusters, using JSON as the intermediate representation.
- Node Metadata: Support for assigning user-defined metadata key/value
pairs to nodes has been added.
- Node Identifiers: Consul agents can now be configured with a unique
identifier, or they will generate one at startup that will persist
across agent restarts.
- Improved Blocking Queries: Consul's blocking query implementation was
improved to provide a much more fine-grained mechanism for detecting
changes.
- GCE auto-discovery: New -retry-join-gce configuration options added to
allow bootstrapping by automatically discovering Google Cloud
instances with a given tag at startup.
IMPROVEMENTS:
- build: Consul is now built with Go 1.7.4.
- cli: consul kv get now has a -base64 flag to base64-encode the value.
- cli: consul kv put now has a -base64 flag for setting values which are
base64-encoded.
- ui: Added a notice that JS is required when viewing the web UI with JS
disabled.
BUG FIXES:
- agent: Redacted the AWS access key and secret key ID from the
/v1/agent/self output so they are not disclosed.
- agent: Fixed a rare startup panic due to a Raft/Serf race condition.
- cli: Fixed a panic when an empty quoted argument was given to consul
kv put.
- tests: Fixed a race condition with check mock's map usage.
Changes for v1.8.2 (2017-01-26)
- Fix bug introduced in v0.7.1 where completers would not receive
the parser keyword argument.
- Documentation improvements.
Changes for v1.8.1 (2017-01-21)
- Fix completion after tokens with wordbreak chars (#197)
Security fixes:
- CVE-2017-5375: Excessive JIT code allocation allows bypass of ASLR and DEP
- CVE-2017-5376: Use-after-free in XSL
- CVE-2017-5378: Pointer and frame data leakage of JavaScript objects
- CVE-2017-5380: Potential use-after-free during DOM manipulations
- CVE-2017-5390: Insecure communication methods in Developer Tools JSON viewer
- CVE-2017-5396: Use-after-free with Media Decoder
- CVE-2017-5383: Location bar spoofing with unicode characters
- CVE-2017-5386: WebExtensions can use data: protocol to affect other extensions
- CVE-2017-5373: Memory safety bugs fixed in Firefox 51 and Firefox ESR 45.7
Changelog:
Fixed:
- Geolocation not working on Windows (Bug 1333516)
- Multiprocess incompatibility did not correctly register with some add-ons (Bug 1333423)
Changes from https://git.finalrewind.org/feh/plain/ChangeLog
Sun, 22 Jan 2017 19:11:32 +0100 Daniel Friesel <derf+feh@finalrewind.org>
* Release v2.18.1
* Fix image-specific format specifiers not being updated correctly
(e.g. %z not displaying the correct zoom value after zooming in / out)
Tue, 01 Nov 2016 10:55:04 +0100 Daniel Friesel <derf+feh@finalrewind.org>
* Release v2.18
* Move README to README.md
* New key binding: ! / zoom_fill (zoom to fill window, may cut off image
parts)
* Only for builds with exif=1: Disable EXIF-based auto rotation by
default, add --auto-rotate option to enable it (Patch by Elliot Wolk)
Wed, 31 Aug 2016 20:27:20 +0200 Daniel Friesel <derf+feh@finalrewind.org>
* Release v2.17.1
* Fix compilation on systems where HOST_NAME_MAX is not defined, such as
FreeBSD (patch by Niclas Zeising)
Sun, 28 Aug 2016 21:26:54 +0200 Daniel Friesel <derf+feh@finalrewind.org>
* Release v2.17
* Install feh icon (both 48x48 and scalable SVG) to /usr/share/icons
when running "make install app=1"
* Fix --sort not being respected after the first reload when used in
conjunction with --reload
* All key actions can now also be bound to a button by specifying them
in .config/feh/buttons. However, note that button actions can not be
bound to keys.
* Rename "menu" key action to "toggle_menu", "prev" to "prev_img" and
"next" to "next_img". The old names are still supported, but no longer
documented.
* feh now also sets the X11 _NET_WM_PID and WM_CLIENT_MACHINE window
properties
Sun, 31 Jul 2016 16:59:07 +0200 Daniel Friesel <derf+feh@finalrewind.org>
* Release v2.16.2
* Also support in-place editing for images loaded via libcurl or
imagemagick. Results will not be written back to disk in this case.
* -Di switch is now required for PerlIO debugging output
* Core modules and tools no longer search "." for optional modules
* Updated Modules and Pragmata
[core] TCP latency optimization
[core] provide tag to include other YAML files from the configuration file
[core] accept sequence of mappings for path-level configuration
[core] fix broken support for TCP Fast Open in OS X
[access-log] provide directive to emit request-level errors
[access-log] emit values of all set-cookie headers concatenated
[fastcgi] fix connection failure when fastcgi.spawn is used with an uid
[file] more pre-defined MIME types
[http2][proxy] recognize link rel=preload headers in interim response as a trigger to push resources
[http1][http2] validate characters used in the headers
[http1][http2] notify error downstream when an error occurred while generating a response
[http1][http2] fix resource leak upon upgrade failure to HTTP/2
[http2] add http2-push-preload directive to turn off H2 push being initiated by link rel=preload header
[http2] add support for cache-digest header
[http2] drop host header in HTTP/2 layer
[http2] don't use etag for calculating casper cookie
[http2] add support for H2 debug state
[mruby] add dos_detector mruby handler
[mruby] add DSL for access control lists (acl)
[mruby] share mruby state and constants between handlers
[mruby] add library for address-block-based access control
[proxy] add an option to connect to upstream using PROXY protocol
[proxy] don't escape : in URI path
[proxy] preserve received URLs as much as possible
[proxy] add an option to prevent emitting x-forwarded-* headers
[proxy] cache TLS session used for upstream connections
[proxy] turn on/off on-the-fly compression based on the x-compress-hint header
[ssl] set add_lock callback to prevent unnecessary lock-add-unlock
[ssl] add support for OpenSSL 1.1.0
[status] collect and report HTTP statistics
[status] report additional stats when jemalloc is used
[throttle] add new handler for throttling the response bandwidth
[libh2o] provide h2o_rand that calls the appropriate random function depending on the OS
[libh2o] do not require use of picohttpparser.h when using the HTTP/1 client
[libh2o] install library files to the correct location
[misc] provide crash-handler directive to customize crash logging
[misc] guess the default location of h2o.conf
[misc] allow disabling libuv even when it is found
[misc] add font/woff2 to the default mime-type mapping
[misc] mark JavaScript and JSON files as compressible by default
We fixed a memory leak bug which only occurs in server-side sessions. Client-side sessions are not affected. This bug was detected by LLVM libFuzzer with the HTTP/2 corpus that the h2o
project uses. Due to a bad code path which nullifies the next pointers of a linked list under a certain condition, the nghttp2_stream object is never freed. We highly encourage upgrading existing installations to this latest version.
* Renew test key pair
* Fix OpenSSL 1.1.0 deprecation warnings
* spdylay: compile against openssl-1.1.0
It fails to compile against openssl 1.1.0 due to things like
|shrpx_client_handler.cc:90:30: error: 'strerror' was not declared in this scope
|shrpx_listen_handler.cc:112:32: error: 'memset' was not declared in this scope
|shrpx_listen_handler.cc:114:43: error: 'memcpy' was not declared in this scope
This resolves it.
* spdycat: Fix leak in SpdySession.reqvec
* Compile with IRIX 6.5.22 using GCC-4.7.4
* Remove CREDENTIAL frame processing completely
We left the API as is, but the related functions now do nothing.
* Allocate stream ID when spdylay_submit_{syn_stream,request} is called
This commit allocates the stream ID when spdylay_submit_syn_stream or
spdylay_submit_request is called. It also creates the stream when
spdylay_session_predicate_syn_stream_send fails, to provide a
stream to the user callback (e.g., on_ctrl_not_send_callback).
Allocating the stream ID early ensures that we can create the stream, because
we can catch stream ID exhaustion early and fail fast. Since stream
IDs are allocated serially, we have to send SYN_STREAM frames in the order
they were queued. So now all queued SYN_STREAM frames have the same priority
(lowest). DATA frames keep the priority given by the application. This
does not work well with the CREDENTIAL frame, since a SYN_STREAM may wait
for a CREDENTIAL, which results in out-of-order transmission. Since
the CREDENTIAL frame was deprecated in SPDY/3.1, and no one uses it, we
remove its functionality in a later commit.
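The allocation policy described in this commit, modelled as an added example (not spdylay's own code): client stream IDs are odd 31-bit integers handed out serially at submit time, so exhaustion is detected before any frame is serialised, queued SYN_STREAMs leave strictly in submission order, and a stream whose send predicate fails (here, a received GOAWAY) still exists so the not-send callback gets an ID to report. The class, method and callback names are assumptions for illustration.

```python
from collections import deque

MAX_STREAM_ID = (1 << 31) - 1  # SPDY stream IDs are 31-bit; this value is odd


class StreamIdExhausted(Exception):
    """Raised at submit time, before any frame is queued (fail fast)."""


class SpdySession:
    """Toy client session modelling early, serial stream ID assignment."""

    def __init__(self, first_id=1, on_ctrl_not_send=None):
        self.next_stream_id = first_id      # client-initiated streams use odd IDs
        self.streams = {}                   # stream_id -> state string
        self.syn_queue = deque()            # SYN_STREAMs awaiting transmission
        self.goaway_received = False        # makes the send predicate fail
        self.on_ctrl_not_send = on_ctrl_not_send

    def submit_request(self, path):
        # Allocate the ID now rather than when the frame is serialised, so
        # exhaustion surfaces to the caller immediately.
        if self.next_stream_id > MAX_STREAM_ID:
            raise StreamIdExhausted("no client stream IDs left")
        stream_id = self.next_stream_id
        self.next_stream_id += 2
        if self.goaway_received:
            # Predicate failed: the stream is still created so the callback
            # has something to refer to, but no frame is queued.
            self.streams[stream_id] = "not_sent"
            if self.on_ctrl_not_send:
                self.on_ctrl_not_send(stream_id, path)
            return stream_id
        self.streams[stream_id] = "queued"
        self.syn_queue.append((stream_id, path))
        return stream_id

    def send_pending(self):
        # IDs were assigned serially, so frames must go out in queue order;
        # a later stream can never overtake an earlier one.
        sent = []
        while self.syn_queue:
            stream_id, _path = self.syn_queue.popleft()
            self.streams[stream_id] = "open"
            sent.append(stream_id)
        return sent
```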
* spdycat: --proxy-port, not --proxyport
* spdycat: Check :host header field for SNI, since Host header is not allowed
* spdycat: Update spdycat --help output for --header
* spdycat: Fix resource leak found by coverity scan
Upstream Changelog :
- Add taboopat configuration directive to exclude configuration
files based on globbing patterns.
- Allow changing the default state path at build time
(via the --with-state-file-path option of the configure script).
- Automatically determine resulting file suffix based on
the compression program in use.
- Preserve SELinux context with compress and sharedscripts properly.
- Rename already existing output files to avoid collisions.
- Import systemd service and timer for logrotate from openSUSE.
- Introduce the addextension configuration directive.
- Create CONTRIBUTING.md with instructions for logrotate contributors.
- Maintain ChangeLog.md instead of the legacy CHANGES file.
- Make createolddir configuration directive preserve sticky bit.
- Add minage configuration directive to specify minimum file age to rotate.
- Avoid using local implementation of strndup() and asprintf() if
these functions are available at build time.
- Fix parsing of su directive to accept usernames starting with
numeric symbols.
- Make sure that 64-bit file offsets are used on 32-bit systems.
Pkgsrc changes :
- due to the (not so) new build system, and recent changes to the
manpage, patch-logrotate.8 is now unnecessary and has been removed;
- fixed a compilation issue in config.c regarding libgen.h;
- updated existing patches to work with the new version.
* 921: Correct issue where the certifi fallback was not being
reached on Windows.
v33.1.0
-------
Installation via pip, as indicated in the `Python Packaging
User's Guide <https://packaging.python.org/installing/>`_,
is the officially-supported mechanism for installing
Setuptools, and this recommendation is now explicit in the
much more concise README.
Other edits and tweaks were made to the documentation. The
codebase is unchanged.
v33.0.0
-------
* 619: Removed support for the ``tag_svn_revision``
distribution option. If Subversion tagging support is
still desired, consider adding the functionality to
setuptools_svn in setuptools_svn 2.
Changes between 1.0.2j and 1.0.2k [26 Jan 2017]
*) Truncated packet could crash via OOB read
If one side of an SSL/TLS path is running on a 32-bit host and a specific
cipher is being used, then a truncated packet can cause that host to
perform an out-of-bounds read, usually resulting in a crash.
This issue was reported to OpenSSL by Robert Święcki of Google.
(CVE-2017-3731)
[Andy Polyakov]
*) BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites. Note: This issue is very
similar to CVE-2015-3193 but must be treated as a separate problem.
This issue was reported to OpenSSL by the OSS-Fuzz project.
(CVE-2017-3732)
[Andy Polyakov]
*) Montgomery multiplication may produce incorrect results
There is a carry propagating bug in the Broadwell-specific Montgomery
multiplication procedure that handles input lengths divisible by, but
longer than 256 bits. Analysis suggests that attacks against RSA, DSA
and DH private keys are impossible. This is because the subroutine in
question is not used in operations with the private key itself and an input
of the attacker's direct choice. Otherwise the bug can manifest itself as
transient authentication and key negotiation failures or reproducible
erroneous outcome of public-key operations with specially crafted input.
Among EC algorithms only Brainpool P-512 curves are affected and one
presumably can attack ECDH key negotiation. Impact was not analyzed in
detail, because pre-requisites for attack are considered unlikely. Namely
multiple clients have to choose the curve in question and the server has to
share the private key among them, neither of which is default behaviour.
Even then only clients that chose the curve will be affected.
This issue was publicly reported as transient failures and was not
initially recognized as a security issue. Thanks to Richard Morgan for
providing a reproducible case.
(CVE-2016-7055)
[Andy Polyakov]
*) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
prevent issues where no progress is being made and the peer continually
sends unrecognised record types, using up resources processing them.
[Matt Caswell]
-----------------------------------------
version 3.08 at 2017-01-20 15:44:05 +0000
Updated for v5.25.9
version 3.06 at 2017-01-14 21:32:33 +0000
Updated for v5.22.3 && v5.24.1
version 3.04 at 2017-01-02 21:21:05 +0000
Updated for v5.22.3-RC5 and v5.24.1-RC5
version 3.02 at 2016-12-20 19:26:03 +0000
Updated for v5.25.8
version 3.00 at 2016-11-20 21:30:45 +0000
Updated for v5.25.7