My earlier try at fixing Linux only worked with particular distros. To
get around this, just install a stub charset.alias file universally on
Linux. This is the simplest thing to do for now. While here, this is
also breaking on recent Darwin releases because the build scripting
expects GNU sed.
libgcc is newer than the one about to be installed. If so, don't install
the libgcc.
Having an older libgcc appear in the lookup may result in binaries not
running, as they need symbols from the newer libgcc.
Such a case is PR pkg/54506.
Leaves SunOS unchanged, by request from jperkin.
If the pkgsrc compiler is GCC, don't install libgcc.
Having an older libgcc is problematic: it may be missing symbols from
newer libgcc. This is what happened in PR pkg/54506.
Use this on gcc-aux and gcc5-aux: the libgcc_s.so they install is going
to be older in all the operating systems these packages support.
(Other GCC packages will require a more elaborate rule)
Leaving SmartOS unchanged, by request from jperkin.
Update lang/ruby26-base and lang/ruby26 to 2.6.4.
Ruby 2.6.4 (2019-08-28)
Ruby 2.6.4 has been released.
This release includes a security fix for RDoc. Please check the topics below
for details.
* Multiple jQuery vulnerabilities in RDoc
See the commit logs for changes in detail.
Update ruby25-base/ruby25 to 2.5.6.
Ruby 2.5.6 (2019-08-28)
Ruby 2.5.6 has been released.
This release includes about 40 bug fixes after the previous release, and also includes a security fix. Please check the topics below for details.
* Multiple jQuery vulnerabilities in RDoc
See the commit log for details.
Ruby 2.4.7 (2019-08-28)
Ruby 2.4.7 has been released.
This release includes a security fix. Please check the topics below for
details.
* Multiple jQuery vulnerabilities in RDoc
Ruby 2.4 is now in the security maintenance phase, until the end of March
2020. After that date, maintenance of Ruby 2.4 will end. We recommend you
start planning the migration to newer versions of Ruby, such as 2.6 or 2.5.
3.4.0:
The main change is to add a tree-transformation phase. This simplifies the
code a little and allows us to turn if ...: raise AssertionError into
assert, and many if ..: else if ... into if ... elif ..
Use options --show=before and --show=after to see the tree before and after the tree-transformation phase.
The Mono Project is an open development initiative sponsored by Ximian
that is working to develop an open source, Unix version of the Microsoft
.NET development platform. Its objective is to enable Unix developers to
build and deploy cross-platform .NET Applications. The project will
implement various technologies developed by Microsoft that have now been
submitted to the ECMA for standardization.
4.08.1 is a bugfix release, fixing compilation failures in the presence of the
-pack option, and dynlinking failures.
Highlights in 4.08.0 are:
* Binding operators (let*, let+, and*, etc). They can be used to
streamline monadic code.
* open now applies to arbitrary module expression in structures and to
applicative paths in signatures.
* A new notion of (user-defined) "alerts" generalizes the deprecated
warning.
* New modules in the standard library: Fun, Bool, Int, Option, Result.
* A significant number of new functions in Float, including FMA support,
and a new Float.Array submodule.
* Source highlighting for errors and warnings in batch mode.
* Many error messages were improved.
* Improved AFL instrumentation for objects and lazy values.
* GUI in Java was removed in the 10.7.2 release.
* Fix build error related to readline with devel/readline. PR pkg/54484
Changelog:
10.7.2
Fixing out-of-sync file positions when mixing 'search' and 'seek'
with 'read-line' on IO-streams introduced a new error making
the newlisp-10.x.x/examples/upload.cgi script fail.
10.7.3
Suppress loading of startup init.lsp when the -h option is present. Before,
only the -n and -x options suppressed init.lsp.
Change in modules/gsl.lsp to make it work on locales using comma separator.
Ability to use 'open', 'rename-file', 'delete-file', 'make-dir' and
'remove-dir' with UTF16 filenames on Windows when using the UTF8 version of
newLISP. The functions 'file-info', 'file?', 'change-dir' and 'dir?' already
worked on UTF16 filenames when using the UTF8 version of newLISP on Windows.
Thanks to Michael Sabin who started the work a few years back writing the
win-path.c file with functions translating between UTF8 and UTF16.
When using the UTF8 version of newLISP on Windows in a command shell, that
command shell program also should be able to handle/display UTF8 (not UTF16).
On Windows and Linux the Java based frontend newLISP-GS handles UTF8.
On Mac OS the terminal program handles UTF8.
Fixed a wrong 'symbol protected' message when a protected symbol is
part of a nested expression, but is not the symbol whose content is to be
modified.
New modules/postscript.lsp changes description of ps:drawto.
Fixed flushing problem on 'print' to stdout on Mac OS and other BSDs.
'(read-key true)' with the 'true' parameter is now non-blocking.
(trim str) on some strings containing 0's would overrun memory, and 0's
were not trimmed from the left. All characters <= 32 (space) should
be trimmed from the left and right ends of the string buffer. When the
entire string is valid ASCII or UTF-8 with no 0s, 'trim' behaves
as in older versions.
10.7.4
When starting newlisp in -http-safe server mode HTTP_PUT and HTTP_DELETE
requests will not be served. This will cause 'write-file' and 'delete-file'
in url syntax, 'put-url' and 'delete-url' functions issued from a newLISP
client to return the text message "Server in safe mode".
New file qa-specific-tests/qa-share.lsp .
New guiserver.jar v 1.67 compiled with java 1.6
Still problems on macOS, some unrelated to the image/icon load change.
Added REQUEST_URI to environment variables in webserver mode.
Removed code introduced in 10.7.2 to synchronize file positions of C FILE stream
and raw file handle operations. Synchronization still seems to work in the cases
tested, but may not work in all cases mixing 'read-line' and 'seek'.
Changes for separately packaged Java Guiserver and elimination of installers.
(rotate theList -offsetOfRotation) was buggy
10.7.5
In getPutPostDeleteUrl(....) sock wasn't closed when returning with webError(..)
compareLists() in nl-math.c did not take list lengths into account. Also update
of qa-dot for relevant cases.
Version 10.16.3 'Dubnium' (LTS):
Notable changes
This is a security release.
Node.js, as well as many other implementations of HTTP/2, have been found vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information.
Vulnerabilities fixed:
CVE-2019-9511 “Data Dribble”: The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9512 “Ping Flood”: The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9513 “Resource Loop”: The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU, potentially leading to a denial of service.
CVE-2019-9514 “Reset Flood”: The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9515 “Settings Flood”: The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both, potentially leading to a denial of service.
CVE-2019-9516 “0-Length Headers Leak”: The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory, potentially leading to a denial of service.
CVE-2019-9517 “Internal Data Buffering”: The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both, potentially leading to a denial of service.
CVE-2019-9518 “Empty Frames Flood”: The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU, potentially leading to a denial of service.
net/http: Denial of Service vulnerabilities in the HTTP/2 implementation
net/http and golang.org/x/net/http2 servers that accept direct connections from
untrusted clients could be remotely made to allocate an unlimited amount of
memory, until the program crashes. Servers will now close connections if the
send queue accumulates too many control messages.
The issues are CVE-2019-9512 and CVE-2019-9514, and Go issue golang.org/issue/33606.
Thanks to Jonathan Looney from Netflix for discovering and reporting these issues.
This is also fixed in version v0.0.0-20190813141303-74dc4d7220e7 of
golang.org/x/net/http2.
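The Node.js advisory above describes the attack shapes (Ping Flood, Settings Flood, Reset Flood, Internal Data Buffering) and the Go note describes the mitigation: count the control frames the server is obliged to queue in reply and close the connection when that queue grows without draining. The following is an added example written for this page, not code from Go, Node.js or any HTTP/2 implementation. It parses the RFC 7540 9-octet frame header from a constructed byte stream and applies a model of that queue limit; the type names (frameHeader, controlGuard, runConnection, flood), the limits and the sample traffic are all assumptions made for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Frame types and the ACK flag from RFC 7540 (sections 6.2, 6.5, 6.7).
const frameHeaders, frameSettings, framePing, flagAck uint8 = 0x1, 0x4, 0x6, 0x1
const frameHeaderLen = 9

// frameHeader is the 9-octet header: 24-bit length, type, flags, 31-bit stream id.
type frameHeader struct {
	Length   uint32
	Type     uint8
	Flags    uint8
	StreamID uint32
}

// parseFrame decodes the frame at the front of buf and returns the unconsumed rest.
func parseFrame(buf []byte) (frameHeader, []byte, error) {
	if len(buf) < frameHeaderLen {
		return frameHeader{}, buf, errors.New("short frame header")
	}
	h := frameHeader{
		Length:   uint32(buf[0])<<16 | uint32(buf[1])<<8 | uint32(buf[2]),
		Type:     buf[3],
		Flags:    buf[4],
		StreamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff,
	}
	if len(buf) < frameHeaderLen+int(h.Length) {
		return frameHeader{}, buf, errors.New("truncated frame payload")
	}
	return h, buf[frameHeaderLen+int(h.Length):], nil
}

// flood serialises count identical non-ACK peer frames (constructed sample traffic).
func flood(typ uint8, streamID uint32, payload []byte, count int) []byte {
	var out []byte
	for i := 0; i < count; i++ {
		var id [4]byte
		binary.BigEndian.PutUint32(id[:], streamID&0x7fffffff)
		out = append(out, byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload)), typ, 0)
		out = append(append(out, id[:]...), payload...)
	}
	return out
}

var errControlQueue = errors.New("too many queued control frames, closing connection")

// controlGuard models the mitigation in the release note: each peer frame that
// obliges the server to queue a control frame in reply (PING -> PING ACK, SETTINGS
// -> SETTINGS ACK, a refused stream -> RST_STREAM) is counted, and the connection is
// closed once the count exceeds maxQueued. The limits are illustrative parameters,
// not any implementation's actual constants.
type controlGuard struct {
	maxQueued, maxStreams int
	queued, open          int
}

// onFrame accounts for one peer frame; a non-nil error means "close the connection".
func (g *controlGuard) onFrame(h frameHeader) error {
	switch h.Type {
	case framePing, frameSettings:
		if h.Flags&flagAck == 0 { // peer-initiated, so we owe it an ACK frame
			g.queued++
		}
	case frameHeaders:
		if g.open >= g.maxStreams { // refused with RST_STREAM: the "Reset Flood" shape
			g.queued++
		} else {
			g.open++
		}
	}
	if g.queued > g.maxQueued {
		return errControlQueue
	}
	return nil
}

// runConnection feeds peer frames through g. drainPerFrame is how many queued control
// frames the write loop flushes per frame read; 0 models a peer whose TCP window stays
// closed. It returns how many frames were accepted before the connection was closed.
func runConnection(stream []byte, g *controlGuard, drainPerFrame int) (int, error) {
	n := 0
	for len(stream) > 0 {
		h, rest, err := parseFrame(stream)
		if err != nil {
			return n, err
		}
		if err := g.onFrame(h); err != nil {
			return n, err
		}
		n++
		stream = rest
		if g.queued -= drainPerFrame; g.queued < 0 {
			g.queued = 0
		}
	}
	return n, nil
}
```

With a peer that never reads (drainPerFrame 0), a flood of 20000 PING frames is cut off after 10000 accepted frames; a peer that reads normally (drainPerFrame 1) keeps the queue at zero and is never disconnected. The same guard trips on a SETTINGS flood and on HEADERS frames beyond the stream limit, which is the point of counting replies rather than request types.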
net/url: parsing validation issue
url.Parse would accept URLs with malformed hosts, such that the Host field
could have arbitrary suffixes that would appear in neither Hostname() nor
Port(), allowing authorization bypasses in certain applications. Note that URLs
with invalid, non-numeric ports will now return an error from url.Parse.
The issue is CVE-2019-14809 and Go issue golang.org/issue/29098.
Thanks to Julian Hector and Nikolai Krein from Cure53, and Adi Cohen (adico.me)
for discovering and reporting this issue.
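The bug class above is an authorization check that trusts Hostname() while bytes of Host are discarded on the way. The practitioner-side defence is to refuse any authority that is not exactly a host plus an optional numeric port before comparing it against an allowlist, rather than relying on the parser to normalise it away. The following is an added example for this page, not code from the Go project and not the reporters' proof of concept: parseAuthority and allowedOrigin are hypothetical helpers, the RFC 1123 hostname regexp and the userinfo refusal are design choices made here, and the URLs are constructed sample inputs.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// hostnameRE is the RFC 1123 hostname shape: dot-separated labels of letters,
// digits and interior hyphens, each at most 63 octets.
var hostnameRE = regexp.MustCompile(`^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$`)

// portRE is an unsigned decimal port: digits only, no sign or whitespace.
var portRE = regexp.MustCompile(`^[0-9]{1,5}$`)

var errBadAuthority = errors.New("authority is not <hostname|ip>[:port]")

// parseAuthority returns the host and port of rawURL, accepting only an
// authority that is exactly a hostname or IP literal plus an optional numeric
// port. Any other byte in u.Host is an error, instead of being something that
// Hostname() or Port() silently drop and an allowlist check never sees.
func parseAuthority(rawURL string) (string, int, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", 0, err
	}
	port := map[string]int{"http": 80, "https": 443}[u.Scheme]
	if port == 0 {
		return "", 0, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if u.User != nil { // user:pass@host is a classic host-confusion vector; refuse it
		return "", 0, errors.New("userinfo not permitted")
	}
	host, portStr := u.Host, ""
	if strings.HasPrefix(host, "[") { // IPv6 literal: "[addr]" or "[addr]:port"
		end := strings.IndexByte(host, ']')
		if end < 0 {
			return "", 0, errBadAuthority
		}
		host, portStr = host[1:end], host[end+1:]
		if portStr != "" && portStr[0] != ':' {
			return "", 0, errBadAuthority
		}
		portStr = strings.TrimPrefix(portStr, ":")
		if net.ParseIP(host) == nil || !strings.Contains(host, ":") {
			return "", 0, errBadAuthority // brackets are only for IPv6 addresses
		}
	} else {
		if i := strings.LastIndexByte(host, ':'); i >= 0 {
			host, portStr = host[:i], host[i+1:]
		}
		if strings.Contains(host, ":") || (net.ParseIP(host) == nil && !hostnameRE.MatchString(host)) {
			return "", 0, errBadAuthority
		}
	}
	if portStr != "" {
		if !portRE.MatchString(portStr) {
			return "", 0, errBadAuthority
		}
		if port, _ = strconv.Atoi(portStr); port < 1 || port > 65535 {
			return "", 0, errBadAuthority
		}
	}
	// Cross-check the library's view: a disagreement means some part of the
	// authority was interpreted two ways, which is exactly this bug class.
	if u.Hostname() != host || (portStr != "" && u.Port() != portStr) {
		return "", 0, errBadAuthority
	}
	return host, port, nil
}

// allowedOrigin reports whether rawURL points at an allow-listed host:port,
// deciding on the strictly parsed authority rather than on url.URL.Host.
func allowedOrigin(rawURL string, allow map[string]bool) bool {
	host, port, err := parseAuthority(rawURL)
	if err != nil {
		return false
	}
	return allow[net.JoinHostPort(strings.ToLower(host), strconv.Itoa(port))]
}
```

A Host such as "api.example.com]:443" is rejected here whether or not the parser in use accepts it, because the hostname rule fails on the stray bracket; a non-numeric port fails on portRE even on a Go release that predates the fix. The final comparison with Hostname() and Port() costs nothing and catches future divergence between this check and the library.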
This should help with some people's problems with the rust builds being
excessively long, and if we ever run into compatibility problems between
rust's llvm-current and our shipped version it should be easy to switch
on the internal LLVM by default again.
I've been using this for some time with Firefox without problems.
Bump PKGREVISION.