The signal trampoline detection for NetBSD 7 and later is still broken.
Support for NetBSD 6.99 has been removed along with support for
32-bit DragonFly. The modifications to the testsuite were misguided and
have also been removed.
Notable changes
- build: zlib symbols and additional OpenSSL symbols are now
exposed on Windows platforms.
- child_process, cluster: Forked child processes and cluster
workers now support stdio configuration.
- child_process: argv[0] can now be set to arbitrary values in
spawned processes.
- fs: fs.ReadStream now exposes the number of bytes it has read so
far.
- repl: The REPL now supports editor mode.
- util: inspect() can now be configured globally using
util.inspect.defaultOptions.
The latest Go release, version 1.7, arrives six months after 1.6. Most of its
changes are in the implementation of the toolchain, runtime, and libraries.
There is one minor change to the language specification. As always, the release
maintains the Go 1 promise of compatibility. We expect almost all Go programs
to continue to compile and run as before.
There is one tiny language change in this release. The section on terminating
statements clarifies that to determine whether a statement list ends in a
terminating statement, the “final non-empty statement” is considered the end,
matching the existing behavior of the gc and gccgo compiler toolchains. In
earlier releases the definition referred only to the “final statement,” leaving
the effect of trailing empty statements at the least unclear. The go/types
package has been updated to match the gc and gccgo compiler toolchains in this
respect. This change has no effect on the correctness of existing programs.
Go 1.7 adds support for macOS 10.12 Sierra. This support was backported to Go
1.6.3. Binaries built with versions of Go before 1.6.3 will not work correctly
on Sierra.
Changelog:
IANA Data 2016d
JDK 8u102 contains IANA time zone data version 2016d. For more
information, refer to Timezone Data Versions in the JRE Software.
See JDK-8151876
Enhancements
core-libs/java.lang.invoke
Internal package sun.invoke.anon has been removed
The internal package sun.invoke.anon has been removed. The
functionality it used to provide, namely anonymous class loading
with possible constant pool patches, is available via the
Unsafe.defineAnonymousClass() method.
See JDK-8081512
hotspot/runtime
New property jdk.lang.processReaperUseDefaultStackSize
When a large TLS (Thread local storage) size is set for Threads,
the JVM results in a stack overflow exception. The reason for this
behavior is that the reaper thread was created with a low stack
size of 32768k. When a large TLS size is set, it steals space from
the thread's stack, which eventually results in a stack overflow.
This is a known glibc bug. To overcome this issue, we have introduced
a workaround (jdk.lang.processReaperUseDefaultStackSize) in which
the user can set the reaper thread's stack size to a default instead
of to 32768. This gives the reaper thread a bigger stack size, so
for a large TLS size, such as 32k, the process will not fail.
Users can set this flag in one of two ways:
1. -Djdk.lang.processReaperUseDefaultStackSize=true
2. System.setProperty("jdk.lang.processReaperUseDefaultStackSize",
"true")
The problem has been observed only when JVM is started from JNI
code in which TLS is declared using "__thread"
See JDK-8130425
hotspot/compiler
Implemented performance improvements for BigInteger.montgomeryMultiply
We have implemented improvements that will improve performance of
several security algorithms, especially when using ciphers with
key lengths of 2048-bit or greater. To turn on these improvements,
use the options -XX:+UseMontgomeryMultiplyIntrinsic and
-XX:+UseMontgomerySquareIntrinsic. This improvement is only for
Linux and Solaris on x86_64 architecture.
See JDK-8130150
Changes
security-libs/javax.crypto
MSCAPI KeyStore can handle same-named certificates
Java SE KeyStore does not allow certificates that have the same
aliases
(http://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html).
However, on Windows, multiple certificates stored in one keystore
are allowed to have non-unique friendly names. The fix for JDK-6483657
makes it possible to operate on such non-uniquely named certificates
through the Java API by artificially making the visible aliases
unique.
Please note, this fix does not enable creating same-named certificates
with the Java API. It only allows you to deal with same-named
certificates that were added to the keystore by 3rd party tools.
It is still recommended that your design not use multiple certificates
with the same name. In particular, the following sentence will not
be removed from the Java documentation: "In order to avoid problems,
it is recommended not to use aliases in a KeyStore that only differ
in case."
(http://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html)
See JDK-6483657
security-libs/javax.net.ssl
Modify requirements on Authority Key Identifier extension field
during X509 certificate chain building
The requirement to have the Authority Key Identifier (AKID) and
Subject Key Identifier (SKID) fields matching when building X509
certificate chains has been modified for some cases.
See JDK-8072463
hotspot/gc
Providing more granular levels for GC verification
This enhancement provides a way to specify more granular levels
for the GC verification enabled using the VerifyBeforeGC, VerifyAfterGC,
and VerifyDuringGC diagnostic options. It introduces a new diagnostic
option VerifySubSet with which one can specify the subset of the
memory system that should be verified.
With this new option, one or more sub-systems can be specified in
a comma separated string. Valid memory sub-systems are: threads,
heap, symbol_table, string_table, codecache, dictionary,
classloader_data_graph, metaspace, jni_handles, c-heap, and
codecache_oops.
During the GC verification, only the sub-systems specified using
VerifySubSet get verified:
D:\\tests>java -XX:+UnlockDiagnosticVMOptions -XX:+VerifyBeforeGC
-XX:VerifySubSet="threads,c-heap" -Xlog:gc+verify=debug Test
[0.095s][debug ][gc,verify] Threads
[0.099s][debug ][gc,verify] C-heap
[0.105s][info ][gc,verify] Verifying Before GC (0.095s, 0.105s) 10.751ms
[0.120s][debug ][gc,verify] Threads
[0.124s][debug ][gc,verify] C-heap
[0.130s][info ][gc,verify] Verifying Before GC (0.120s, 0.130s) 9.951ms
[0.148s][debug ][gc,verify] Threads
[0.152s][debug ][gc,verify] C-heap
If any invalid memory sub-systems are specified with VerifySubSet,
the Java process exits with the following error message:
D:\\tests>java -XX:+UnlockDiagnosticVMOptions -XX:+VerifyBeforeGC
-XX:VerifySubSet="threads,c-heap,hello" -Xlog:gc+verify=debug oom
Error occurred during initialization of VM VerifySubSet: 'hello'
memory sub-system is unknown, please correct it
See JDK-8072725
hotspot/compiler
Removed PICL warning message
In 8u40 and 7u80, a new feature was introduced to use the PICL
library on Solaris to get some system information. If this library
was not found, we printed an error message:
Java HotSpot(TM) Server VM warning: PICL (libpicl.so.1) is missing.
Performance will not be optimal.
This warning was misleading. Not finding the PICL library is a very
minor issue, and the warnings mostly lead to confusion. In this
release, the warning was removed.
See JDK-8144957
core-libs/javax.naming
Improved exception handling for bad LDAP referral replies
The JDK was throwing a NullPointerException when a non-compliant
REFERRAL status result was sent but no referral values were included.
With this change, a NamingException with message value of "Illegal
encoding: referral is empty" will be thrown in such circumstances.
See JDK-8149450 and JDK-8154304
Bug Fixes
The following are some of the notable bug fixes included in this
release:
security-libs/javax.net.ssl
Fix to resolve "Unable to process PreMasterSecret, may be too big"
issue
Recent JDK updates introduced an issue for applications that depend
on having a delayed provider selection mechanism. The issue was
introduced in JDK 8u71, JDK 7u95 and JDK 6u111. The main error seen
corresponded to an exception like the following:
handling exception: javax.net.ssl.SSLProtocolException: Unable to
process PreMasterSecret, may be too big
See JDK-8149017
This release also contains fixes for security vulnerabilities
described in the Oracle Java SE Critical Patch Update Advisory.
For a more complete list of the bug fixes included in this release,
see the JDK 8u102 Bug Fixes page.
-----------------------------
* 0.30: 2015-04-02
Mostly minor build and test fixes. This release was actually forced by the
impending doom of gitorious.org; the project hosting had to change and the
metadata with it.
(pkgsrc changes)
- Set LICENSE as gnu-gpl-v2
- compiler, stdlib:
- New preprocessor macros ?FUNCTION_NAME, ?FUNCTION_ARITY
- New preprocessor directives -error(Term) and -warning(Term) to
cause a compilation error or warning, respectively.
- gen_statem a new state machine behavior
- mnesia_ext: plugin of external storage solutions to mnesia
- crypto: uses EVP interface in OpenSSL resulting in generally
better performance and support for HW acceleration
- ssh: performance improvements, uses the new gen_statem behavior
- ssl: enhanced error log messages
- dialyzer: the support for maps is very much extended both the
type specification syntax and the type analysis.
- erts:
- erlang:open_port(spawn, ...) 3-5 times faster
- tracing, extensive improvements (scalability, speed, match
specifications on send/receive, support for lttng, ...)
- dirty schedulers improved
- per process configurable handling of message_queue
- fast loading of multiple modules
- max_heap_size process flag
- erts/kernel: Experimental support for Unix Domain Sockets
Full changelog:
http://erlang.org/download/otp_src_19.0.readme
6.3.1.
Notable changes
- buffer:
- Improve performance of Buffer.from(str, 'hex') and
Buffer#write(str, 'hex').
- Fix creating from zero-length ArrayBuffer.
- deps:
- Upgrade to V8 5.0.71.57.
- Backport V8 instanceof bugfix
- repl: Fix issue with function redeclaration.
- util: Fix inspecting of boxed symbols.
6.3.0
Notable changes
- buffer: Added buffer.swap64() to complement swap16() & swap32().
- build: New configure options have been added for building
Node.js as a shared library.
- crypto: Root certificates have been updated.
- debugger: The server address is now configurable via
--debug=<address>:<port>.
- npm: Upgraded npm to v3.10.3
- readline: Added the prompt option to the readline constructor.
- repl / vm: sigint/ctrl+c will now break out of infinite loops
without stopping the Node.js instance.
- src:
- Added a node::FreeEnvironment public C++ API.
- Refactored require('constants'), constants are now available
directly from their respective modules.
- stream: Improved readable.read() performance by up to 70%.
- timers: setImmediate() is now up to 150% faster in some
situations.
- util: Added a breakLength option to util.inspect() to control
how objects are formatted across lines.
- v8-inspector: Experimental support has been added for debugging
Node.js over the inspector protocol.
PHP 7.1.x builds upon 7.0.x, adding new features (so far)
* Iterable type.
* HTTP/2 Server Push Support in ext/curl & other ext/curl improvements
* Fix inconsistent behavior in $this variable
* Square bracket syntax for array destructuring assignment
* Create closure from callable
* More precise float values
* Asynchronous Signal Handling (without ticks) in ext/pcntl.
* Additional Context in pcntl_signal Handler
NOTE: this is BETA, not suitable for production environment
Fix build on systems with disabled X11
Reported by <schmonz>, Andreas Kusalananda Kahari
Tested by Andreas Kusalananda Kahari
Possible direction is to make this switch by default disabled on Darwin.
Byterun is a pure-Python implementation of a Python bytecode execution
virtual machine. It was started to get a better understanding of
bytecodes to fix branch coverage bugs in coverage.py.
Quote from release note:
Note that according to our release schedule, PHP 5.5.38 is the last release
of the PHP 5.5 branch. There may be additional release if we discover
important security issues that warrant it, otherwise this release will be
the final one in the PHP 5.5 branch. If your PHP installation is based on
PHP 5.5, it may be a good time to start making the plans for the upgrade to
PHP 5.6 or PHP 7.0.
21 Jul 2016, PHP 5.5.38
- BZip2:
. Fixed bug #72613 (Inadequate error handling in bzread()). (Stas)
- Core:
. Fixed bug #70480 (php_url_parse_ex() buffer overflow read). (Stas)
. Fixed bug #72513 (Stack-based buffer overflow vulnerability in
virtual_file_ex). (loianhtuan at gmail dot com)
. Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
Deserialization). (taoguangchen at icloud dot com)
. Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and
applications). (CVE-2016-5385) (Stas)
- EXIF:
. Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
(Stas)
. Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
(Stas)
- GD:
. Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
access). (Pierre)
. Fixed bug #72519 (imagegif/output out-of-bounds access). (Pierre)
. Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
(CVE-2016-6207) (Pierre)
- Intl:
. Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)
- ODBC:
. Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)
- SNMP:
. Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
unserialize()). (taoguangchen at icloud dot com)
- Xmlrpc:
. Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
(Stas)
- Zip:
. Fixed bug #72520 (Stack-based buffer overflow vulnerability in
php_stream_zip_opener). (loianhtuan at gmail dot com)
A Python code can dynamically load shared libraries and it's wrapped with
a plain dlopen(3) call. The holder of this interface (_ctypes module)
without rpath set to X11BASE cannot detect libs like 'GL'.
This might be the last step to fix issues with running GUI Python
applications on NetBSD.
Bump PKGREVISION.
This isn't addressing Python's wrapper for dlopen(3).
This possibly addresses mostly NetBSD as other popular OSes have ldconfig.
Testing commands:
- before applying the patch
>>> from ctypes.util import find_library
>>> find_library("m")
'libm.so.0'
>>> find_library("crypto")
'libcrypto.so.11'
>>> find_library("GL")
>>> find_library("curl")
- after applying the patch
>>> from ctypes.util import find_library
>>> find_library("m")
'libm.so.0'
>>> find_library("crypto")
'libcrypto.so.11'
>>> find_library("GL")
'libGL.so.2'
>>> find_library("curl")
'libcurl.so.4'
This patch doesn't solve the case of custom dirs like $PREFIX/qt5/lib.
However it's solving most common cases of using this call.
A possible solution is to parse the output "pkg_info -La"... however it's
very slow. In other words a cache with libraries might be needed to handle
it efficiently.
Bump PKGREVISION.
Qore 0.8.12 is a major new release with many new features and hundreds of bug
fixes as well as packaging fixes. Highlights include:
* The most significant innovation in this release comes in the form of support
for Prompt Collection
* Support for Bulk DML (large volume SQL operations in one server round-trip)
in the Mapper, TableMapper, SqlUtil and the new BulkSqlUtil modules
* Standardized function naming convention, many significant design and
implementation fixes and improvements
* Numerous new functions, methods, constants, operators, and user modules
* Hundreds of bug fixes
A security-related issue was recently reported in Go's net/http/cgi package and
net/http package when used in a CGI environment. Go 1.6.3 and Go 1.7rc2 contain
a fix for this issue.
Go versions 1.0-1.6.2 and 1.7rc1 are vulnerable to an input validation flaw in
the CGI components resulting in the HTTP_PROXY environment variable being set
by the incoming Proxy header. This environment variable was also used to set
the outgoing proxy, enabling an attacker to insert a proxy into outgoing
requests of a CGI program.
This is CVE-2016-5386 and was addressed by this change:
https://golang.org/cl/25010, tracked in this issue:
https://golang.org/issue/16405
The Go team would like to thank Dominic Scheirlinck for coordinating disclosure
of this issue across multiple languages and CGI environments. Read more about
"httpoxy" here: https://httpoxy.org/
Go 1.6.3 also adds support for macOS Sierra. See https://golang.org/issue/16354
for details.
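
Added example (not part of the Go announcement and not Go's own source): a small Go model of the header-to-environment mapping described above, together with two checks that break it, dropping the Proxy header when the CGI environment is built and refusing HTTP_PROXY when REQUEST_METHOD is set. The function names and the sample header values are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"sort"
	"strings"
)

// cgiEnv builds the HTTP_* part of a CGI child's environment from request
// headers using the CGI convention: upper-case the header name, replace '-'
// with '_' and prefix it with "HTTP_". A request header named "Proxy"
// therefore becomes HTTP_PROXY. With dropProxy set, that header is skipped.
func cgiEnv(h http.Header, dropProxy bool) []string {
	var env []string
	for name, values := range h {
		key := strings.ToUpper(strings.Replace(name, "-", "_", -1))
		if dropProxy && key == "PROXY" {
			continue // never let a client-supplied header become HTTP_PROXY
		}
		env = append(env, "HTTP_"+key+"="+strings.Join(values, ", "))
	}
	sort.Strings(env)
	return env
}

// lookup returns the value of key in a KEY=VALUE environment list.
func lookup(env []string, key string) (string, bool) {
	for _, kv := range env {
		if strings.HasPrefix(kv, key+"=") {
			return kv[len(key)+1:], true
		}
	}
	return "", false
}

// proxyFromEnv models an HTTP client that takes its outgoing proxy from
// HTTP_PROXY. REQUEST_METHOD is always set for a CGI program, so its
// presence means HTTP_PROXY may have come from a request header and the
// value is refused.
func proxyFromEnv(env []string) (string, error) {
	proxy, ok := lookup(env, "HTTP_PROXY")
	if !ok {
		return "", nil
	}
	if _, inCGI := lookup(env, "REQUEST_METHOD"); inCGI {
		return "", errors.New("refusing HTTP_PROXY in a CGI environment")
	}
	return proxy, nil
}

func main() {
	// Constructed sample request headers.
	h := http.Header{}
	h.Set("Proxy", "http://proxy.invalid:8080")
	h.Set("Accept", "*/*")

	for _, drop := range []bool{false, true} {
		env := append([]string{"REQUEST_METHOD=GET"}, cgiEnv(h, drop)...)
		proxy, err := proxyFromEnv(env)
		fmt.Printf("dropProxy=%v env=%v proxy=%q err=%v\n", drop, env, proxy, err)
	}
}
```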
Changes in 2.0.12 (since 2.0.11):
* Notable changes
** FFI: Add support for functions that set 'errno'
When accessing POSIX functions from a system's libc via Guile's dynamic
FFI, you commonly want to access the 'errno' variable to be able to
produce useful diagnostic messages.
This is now possible using 'pointer->procedure' or
'scm_pointer_to_procedure_with_errno'. See "Dynamic FFI" in the manual.
** The #!r6rs directive now influences read syntax
The #!r6rs directive now changes the per-port reader options to make
Guile's reader conform more closely to the R6RS syntax. In particular:
- It makes the reader case sensitive.
- It disables the recognition of keyword syntax in conflict with the
R6RS (and R5RS).
- It enables the `square-brackets', `hungry-eol-escapes' and
`r6rs-hex-escapes' reader options.
** 'read' now accepts "\(" as equivalent to "("
This is intended for use at the beginning of lines in multi-line strings
to avoid confusing Emacs' lisp modes. Previously "\(" was an error.
** SRFI-14 character data set upgraded to Unicode 8.0.0
** SRFI-19 table of leap seconds updated
** 'string-hash', 'read-string', and 'write' have been optimized
** GOOPS bug fix for inherited accessor methods
In the port of GOOPS to Guile 2.0, we introduced a bug related to
accessor methods. The bug resulted in GOOPS assuming that a slot S in
an object whose class is C would always be present in instances of all
subclasses of C, and allocated to the same struct index. This is not the
case for multiple inheritance. This behavior has been fixed to be as it
was in 1.8.
One aspect of this change may cause confusion among users. Previously
if you defined a class C:
(use-modules (oop goops))
(define-class C ()
(a #:getter get-a))
And now you define a subclass, intending to provide an #:init-value for
the slot A:
(define-class D (C)
(a #:init-value 42))
Really what you have done is define in D a new slot with the same name,
overriding the existing slot. The problem comes in that before fixing
this bug (but not in 1.8), the getter 'get-a' would succeed for
instances of D, even though 'get-a' should only work for the slot 'a'
that is defined on class C, not any other slot that happens to have the
same name and be in a class with C as a superclass.
It would be possible to "merge" the slot definitions on C and D, but
that part of the meta-object protocol (`compute-slots' et al) is not
fully implemented.
Somewhat relatedly, GOOPS also had a fix around #:init-value on
class-allocated slots. GOOPS was re-initializing the value of slots
with #:class or #:each-subclass allocation every time an instance of that
class was allocated. This has been fixed.
* New interfaces
** New SRFI-28 string formatting implementation
See "SRFI-28" in the manual.
** New (ice-9 unicode) module
See "Characters" in the manual.
** Web server
The (web server) module now exports 'make-server-impl', 'server-impl?',
and related procedures. Likewise, (web server http) exports 'http'.
** New procedures: 'string-utf8-length' and 'scm_c_string_utf8_length'
See "Bytevectors as Strings" in the manual, for more.
** New 'EXIT_SUCCESS' and 'EXIT_FAILURE' Scheme variables
See "Processes" in the manual.
** New C functions to disable automatic SMOB finalization
The new 'scm_set_automatic_finalization_enabled' C function allows you
to choose whether automatic object finalization should be enabled (as
was the case until now, and still is by default.) This is meant for
applications that are not thread-safe nor async-safe; such applications
can disable automatic finalization and call the new 'scm_run_finalizers'
function when appropriate.
See the "Garbage Collecting Smobs" and "Smobs" sections in the manual.
** Cross-compilation to ARM
More ARM cross-compilation targets are supported: "arm.*eb",
"^aarch64.*be", and "aarch64".
* New deprecation
** The undocumented and unused C function 'scm_string_hash' is now deprecated
* Bugs fixed
** Compiler
*** 'call-with-prompt' does not truncate multiple-value returns
(<http://bugs.gnu.org/14347>)
*** Use permissions of source file for compiled file
(<http://bugs.gnu.org/18477>)
*** Fix bug when inlining some functions with optional arguments
(<http://bugs.gnu.org/17634>)
*** Avoid quadratic expansion time in 'and' and 'or' macros
(<http://bugs.gnu.org/17147>)
*** Fix expander bug introduced when adding support for tail patterns
(<http://lists.gnu.org/archive/html/guile-user/2015-09/msg00017.html>)
*** Handle ~p in 'format' warnings (<http://bugs.gnu.org/18299>)
*** Fix bug that exposed `list' invocations to CSE
(<http://bugs.gnu.org/21899>)
*** Reduce eq? and eqv? over constants using equal?
(<http://bugs.gnu.org/21855>)
*** Skip invalid .go files found in GUILE_LOAD_COMPILED_PATH
** Threads
*** Fix data races leading to corruption (<http://bugs.gnu.org/22152>)
** Memory management
*** Fix race between SMOB marking and finalization
(<http://bugs.gnu.org/19883>)
** Ports
*** Setting GUILE_INSTALL_LOCALE=1 sets port default charset from locale
*** Fix port position handling on binary input ports
(<http://bugs.gnu.org/20302>)
*** Bytevector and custom binary ports to use ISO-8859-1
(<http://bugs.gnu.org/20200>)
*** Fix buffer overrun with unbuffered custom binary input ports
(<http://bugs.gnu.org/19621>)
*** Fix memory corruption that arose when using 'get-bytevector-n'
(<http://bugs.gnu.org/17466>)
** System
*** {get,set}sockopt now expect type 'int' for SO_SNDBUF/SO_RCVBUF
*** 'system*' now available on MS-Windows
*** 'open-pipe' now available on MS-Windows
*** Better support for file names containing backslashes on Windows
** Web
*** 'split-and-decode-uri-path' no longer decodes "+" to space
*** HTTP: Support date strings with a leading space for hours
(<http://bugs.gnu.org/23421>)
*** HTTP: Accept empty reason phrases (<http://bugs.gnu.org/22273>)
*** HTTP: 'Location' header can now contain URI references, not just
absolute URIs
*** HTTP: Improve chunked-mode support (<http://bugs.gnu.org/19939>)
*** HTTP: 'open-socket-for-uri' now sets better OS buffering parameters
(<http://bugs.gnu.org/15368>)
** Miscellaneous
*** Fix 'atan' procedure when applied to complex numbers
*** Fix Texinfo to HTML conversion for @itemize and @acronym
(<http://bugs.gnu.org/21772>)
*** 'bytevector-fill!' accepts fill arguments greater than 127
(<http://bugs.gnu.org/19027>)
*** 'bytevector-copy' correctly copies SRFI-4 homogeneous vectors
(<http://bugs.gnu.org/18866>)
*** 'strerror' no longer hangs when passed a non-integer argument
(<http://bugs.gnu.org/18065>)
*** 'scm_boot_guile' now gracefully handles argc == 0
(<http://bugs.gnu.org/18680>)
*** Fix 'SCM_SMOB_OBJECT_LOC' definition (<http://bugs.gnu.org/18495>)
*** Fix bug where 'bit-count*' was not using its second argument
*** SRFI-1 'length+' raises an error for non-lists and dotted lists
(<http://bugs.gnu.org/17296>)
*** Add documentation for SXPath (<http://bugs.gnu.org/19478>)
pkgsrc changes:
- Update MASTER_SITES (again!) similar to the one also used by py35-html-docs
(unlike previous MASTER_SITES this one also contains distfiles for later
Python 3.4 versions)
Changes:
No changelog was available. Sync with lang/python34 version.
pkgsrc changes:
- Use a MASTER_SITES similar to other lang/py*-html-docs
- Add a LICENSE
Changes:
No changelog was available, just the latest python34 documentation, more in sync
with lang/python34 (although the latest Python 3.4 stable release is 3.4.5, the
latest documentation published is 3.4.3).