Overview of changes leading to 2.1.3
Friday, November 16, 2018
====================================
- Fix AAT 'mort' shaping, which was broken in 2.1.2
Overview of changes leading to 2.1.2
Friday, November 16, 2018
====================================
- Various internal changes.
- AAT shaping improvements:
  o Implement kern table Format 1 state-machine-based kerning.
  o Implement cross-stream kerning (cursive positioning, etc).
  o Ignore emptyish GSUB tables (zero scripts) if morx present.
  o Don't apply GPOS if morx is being applied. Matches Apple.
2018-11-21 meld 3.19.1
======================
Features:
* Support comparing remote files (Kai Willadsen; initial work by Chris Mayo)
* Significantly improve folder comparison performance when comparing large
trees (Hugo Sena Ribeiro)
* Improve folder comparison IO and memory use (Hugo Sena Ribeiro)
* Add recursive collapse/expand actions to folder comparisons (Jesus Arroyo)
* Add OARS metadata for software management (Nick Richards)
* Support file drag-and-drop directly on to textviews (Kai Willadsen)
* Refresh the application icon and add a processing pipeline (Kai Willadsen)
* Windows build improvements:
* Build using msys2 on GNOME Gitlab infrastructure and update to using
current GTK+ (Vasily Galkin)
* Add simple zip-based Windows build output to pipeline (Vasily Galkin)
* Improve Windows logging behaviour (Vasily Galkin)
* Help launching now works (Vasily Galkin)
* Shortcuts now work in non-English keyboard layouts (via GTK+)
* Windows paths are shortened correctly (Kai Willadsen)
Fixes:
* Next/Previous Change actions correctly account for text filters (Heikki
Ketoharju)
* Fix blank line ignoring in folder comparisons (Hugo Sena Ribeiro)
* Miscellaneous performance improvements (Hugo Sena Ribeiro)
* Fix initial focus pane for two-pane comparison (Kai Willadsen)
* Handle encoding failures on file load (Kai Willadsen)
* Fix surrogate problems in on-save encoding check (Kai Willadsen)
* Fix display of some encoding errors in folder comparisons (Kai Willadsen)
* Fix Git unpushed commit check for ambiguous filenames (Kai Willadsen)
* Fix committing a folder in Git (Kai Willadsen)
* Show errors for critical unhandled application failures, such as failed
saves (Kai Willadsen)
* Work around GTK+ shortcut activation issues; see GNOME/gtk#140 (Kai
Willadsen)
* Update Up/Down/Delete shortcuts to support numpad (Kai Willadsen)
* Fix copy-paste of GtkSourceView-highlighted text into Meld (Kai Willadsen)
* Don't open additional blank comparison tabs when using the --diff CLI
argument (Kai Willadsen)
* Fix installation on Mint (Kai Willadsen)
Internal changes:
* File comparisons and CLI argument handling now use Gio.File and support
URIs (Kai Willadsen; initial work by Chris Mayo)
* Many Python 3 deprecation cleanups (Claude Paroz)
* Rename icon/desktop/appdata for consistency with appid (Mathieu Bridon)
* Flatpak build updates (Mathieu Bridon, Kai Willadsen)
* Make XDG application ID match other application IDs (Kai Willadsen)
* Multiple pygobject/GTK+ deprecation cleanups (Kai Willadsen)
* Python 3.7 support (Kai Willadsen)
* PEP8 and style compliance (Jesus Arroyo, Stefan Erichsen)
* Bugs fixed: 152, 175, 177, 179, 193, 196, 197, 197, 203, 217, 225, 233,
235, 239
0.31 (2018/10/24)
* add commands "queued", "seekthrough", "mount", "unmount"
* support "search" with filter expression (MPD 0.21)
* support "load" with range
* allow only tag names after "list"
* fix the Windows build (no strndup())
* make documentation build optional with -Ddocumentation={true|false|auto}
* build: require Meson 0.47
NEW IN WAF 2.0.12
-----------------
* Fix broken inheritance task trees #2194
NEW IN WAF 2.0.11
-----------------
* Do not raise an exception on check_cfg/mandatory=False/-vv #2193
* Post past task generators in lazy sub-folder builds #2191
* Disable warnings on versioned library installation
* Fix cpplint concurrent execution problems
2.0.5
=====
* Allow preserveSpace on XML attributes (Álvaro Muñoz)
* Fixed issue with writing files under macOS (Álvaro Muñoz)
* Fixed various differences between Python 2 and 3
* Fixed issues with libxml2 memory management
Changes:
---------------------------------------------------------------------
--- kernel-6.1.1 ----------------------------------------------------
---------------------------------------------------------------------
Note! The kernel-6.1.1 application can *not* be applied independently
of other applications on an arbitrary OTP 21 installation.
On a full OTP 21 installation, also the following runtime
dependency has to be satisfied:
-- erts-10.1 (first satisfied in OTP 21.1)
--- Fixed Bugs and Malfunctions ---
OTP-15438 Application(s): kernel
Related Id(s): ERL-781
Fix bug causing net_kernel process crash on connection
attempt from node with name identical to local node.
Full runtime dependencies of kernel-6.1.1: erts-10.1, sasl-3.0,
stdlib-3.5
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
Recursor 4.1.8
Crafted query can cause a denial of service (CVE-2018-16855)
Recursor 4.1.7
Revert ‘Keep the EDNS status of a server on FormErr with EDNS’
Refuse queries for all meta-types
Recursor 4.1.6
Revert “rec: Authority records in AA=1 CNAME answer are authoritative”.
Recursor 4.1.5
PowerDNS Security Advisory 2018-04 (CVE-2018-10851)
PowerDNS Security Advisory 2018-06 (CVE-2018-14626)
PowerDNS Security Advisory 2018-07 (CVE-2018-14644)
Improvements
Add pdnslog to lua configuration scripts (Chris Hofstaedtler)
Fix compilation with libressl 2.7.0+
Export outgoing ECS value and server ID in protobuf (if any)
Switch to devtoolset 7 for el6
Allow the signature inception to be off by a number of seconds (Kees Monshouwer)
Bug Fixes
Crafted answer can cause a denial of service (CVE-2018-10851)
Packet cache pollution via crafted query (CVE-2018-14626)
Crafted query for meta-types can cause a denial of service (CVE-2018-14644)
Delay the creation of rpz threads until we have dropped privileges
Cleanup the netmask trees used for the ecs index on removals
Make sure that the ecs scope from the auth is < to the source
Authority records in aa=1 cname answer are authoritative
Avoid a memory leak in catch-all exception handler
Don’t require authoritative answers for forward-recurse zones
Release memory in case of error in the openssl ecdsa constructor
Convert a few uses to toLogString to print DNSName’s that may be empty in a safer manner
Avoid a crash on DEC Alpha systems
Clear all caches on (N)TA changes
4.1.5:
This release fixes the following security advisories:
* PowerDNS Security Advisory 2018-03 (CVE-2018-10851)
* PowerDNS Security Advisory 2018-05 (CVE-2018-14626)
Improvements
* Apply alias scopemask after chasing
* Release memory in case of error in the openssl ecdsa constructor
* Switch to devtoolset 7 for el6
Bug Fixes
* Fix compilation with libressl 2.7.0+
* Actually truncate truncated responses
* Crafted zone record can cause a denial of service (CVE-2018-10851, PowerDNS Security Advisory 2018-03)
* Packet cache pollution via crafted query (CVE-2018-14626, PowerDNS Security Advisory 2018-05)
Release 0.13.0:
Fix nested backend in SequentialBackend to avoid changing the default
backend to Sequential.
Fix nested_backend behavior to avoid setting the default number of
workers to -1 when the backend is not dask.
Release 0.12.5
Include loky 2.3.1 with better error reporting when a worker is
abruptly terminated. Also fixes spurious debug output.
Include cloudpickle 0.5.6. Fix a bug with the handling of global
variables by locally defined functions.
Release 0.12.4
Include loky 2.3.0 with many bugfixes, notably w.r.t. when setting
non-default multiprocessing contexts. Also include improvement on
memory management of long running worker processes and fixed issues
when using the loky backend under PyPy.
Raises a more explicit exception when a corrupted MemorizedResult is loaded.
Loading a corrupted cached file with mmap mode enabled would
recompute the results and return them without memory mapping.
Release 0.12.3
Fix joblib import setting the global start_method for multiprocessing.
Fix MemorizedResult not picklable.
Fix Memory, MemorizedFunc and MemorizedResult round-trip pickling +
unpickling.
Fixed a regression in Memory when positional arguments are called as
kwargs several times with different values.
Integration of loky 2.2.2 that fixes issues with the selection of the
default start method and improve the reporting when calling functions
with arguments that raise an exception when unpickling.
Prevent MemorizedFunc.call_and_shelve from loading cached results to
RAM when not necessary. Results in big performance improvements
2.2:
This release is the result of 8 months of work with over 149 commits by
58 contributors. Highlights include:
- Add support for Python 3.7. This is the last release to support Python 2.
- Uniform random number generator (RNG) handling which defaults to global
RNGs but allows specification of a single RNG for all random numbers in NX.
- Improved GraphViews to ease subclassing and remove cyclic references
which caused trouble with deepcopy and pickle.
- New Graph method `G.update(H)`
IPython 7.2.0 brings minor bugfixes, improvements, and new configuration options:
- Fix a bug preventing PySide2 GUI integration from working
- Run CI on Mac OS !
- Fix IPython "Demo" mode.
- Fix ``%run`` magic with path in name
- Fix: add CWD to sys.path *after* stdlib
- Better rendering of signatures, especially long ones.
- Re-enable jedi by default if it's installed
- Add New ``minimal`` exception reporting mode (useful for educational purpose).
Version 2.3.3
- Bring back old deprecated dependency syntax to ensure compatibility
with older systems
- Drop Python 3.3 support, as scandir no longer supports it.
- Add Python 3.7 support.
2.5.12:
Bugfixes
* Overwriting default font in Normal style affects library default
* Images not added to anchors.
* Cannot read pivot table formats without dxId
* Repeated registration of simple filter could lead to memory leaks
5.7.2
5.7.2 contains a security fix preventing malicious directory names
from being able to execute javascript. CVE request pending.
5.7.1
5.7.1 contains a security fix preventing nbconvert endpoints from executing javascript with access to the server API. CVE request pending.
5.7.0
New features:
- Update to CodeMirror to 5.37, which includes f-string syntax for Python 3.6
- Update jquery-ui to 1.12
- Check Host header to more securely protect localhost deployments from DNS rebinding.
  This is a pre-emptive measure, not fixing a known vulnerability.
  Use .NotebookApp.allow_remote_access and .NotebookApp.local_hostnames to configure
  access.
- Allow access-control-allow-headers to be overridden
- Allow configuring max_body_size and max_buffer_size
- Allow configuring get_secure_cookie keyword-args
- Respect nbconvert entrypoints as sources for exporters
- Include translation sources in source distributions
- Various improvements to documentation
Fixing problems:
- Fix breadcrumb link when running with a base url
- Fix possible type error when closing activity stream
- Disable metadata editing for non-editable cells
- Fix some styling and alignment of prompts caused by regressions in 5.6.0.
- Enter causing page reload in shortcuts editor
- Fix uploading to the same file twice
5.4.0:
New Features
- No input flag (--no-input)
- Add alias --to ipynb for notebook exporter
- Add export_from_notebook
- If set, use nb.metadata.authors for LaTeX author line
- Populate language_info metadata when executing
- Support for \mathscr
- Allow the execute preprocessor to make use of an existing kernel
- Refactor ExecutePreprocessor
- Update widgets CDN for ipywidgets 7 w/fallback
- Add support for adding custom exporters to the "Download as" menu.
- Enable ANSI underline and inverse
- Update notebook css to 5.4.0
- Change default for slides to direct to the reveal cdn rather than locally
- Use "title" instead of "name" for metadata to match the notebook format
- Img filename metadata
- Added MathJax compatibility definitions
- Per cell exception
- Simple API for in-memory templates
- Set BIBINPUTS and BSTINPUTS environment variables when making PDF
- If nb.metadata.title is set, default to that for notebook
Deprecations
- Drop support for python 3.3
Fixing Problems
- Fix api break
- Don't remove empty cells by default
- Handle attached images in html converter
- No need to check for the channels already running
- Update font-awesome version for slides
- Properly treat JSON data
- Skip executing empty code cells
- Update log.warn (deprecated) to log.warning
- Cleanup notebook.tex during PDF generation
- Windows unicode error fixed, nosetest added to setup.py
- Better content hiding; template & testing improvements
- Fix Jinja syntax in custom template example.
- Fix for an issue with empty math block
- Add parser for Multiline math for LaTeX blocks
- Use defusedxml to parse potentially untrusted XML
- Fixes for traitlets 4.1 deprecation warnings
Testing, Docs, and Builds
- A couple of typos
- Add python_requires metadata.
- Document --inplace command line flag.
- Fix minor typo in usage.rst
- Add note about local reveal_url_prefix
- Move onlyif_cmds_exist decorator to test-specific utils
- Include LICENSE file in wheels
- Added Ubuntu Linux Instructions
- Check for too recent of pandoc version
- Removing more nose remnants via dependencies.
- Remove offline statement and add some clarifications in slides docs
- Linkify PR number
- Added shebang for python
- Upgrade mistune dependency
- add feature to improve docs by having links to prs
- Update notebook CSS from version 4.3.0 to 5.1.0
- Explicitly exclude or include all files in Manifest.
5.1.0
- Fix message-ordering bug that could result in out-of-order executions,
especially on Windows
- Fix classifiers to indicate dropped Python 2 support
- Remove some dead code
- Support rich-media responses in inspect_requests (tooltips)
5.0.0
- Drop support for Python 2. ipykernel 5.0 requires Python >= 3.4
- Add support for IPython's asynchronous code execution
- Update release process in CONTRIBUTING.md
---------------------------------------------------------------------
--- erts-10.1.3 -----------------------------------------------------
---------------------------------------------------------------------
Note! The erts-10.1.3 application can *not* be applied independently
of other applications on an arbitrary OTP 21 installation.
On a full OTP 21 installation, also the following runtime
dependency has to be satisfied:
-- kernel-6.1 (first satisfied in OTP 21.1)
--- Improvements and New Features ---
OTP-15430 Application(s): erts
Related Id(s): ERIERL-237
Added an optional ./configure flag to compile the
emulator with spectre mitigation:
--with-spectre-mitigation
Note that this requires a recent version of GCC with
support for spectre mitigation and the
--mindirect-branch=thunk flag, such as 8.1.
Full runtime dependencies of erts-10.1.3: kernel-6.1, sasl-3.0.1,
stdlib-3.5
---------------------------------------------------------------------
--- compiler-7.2.7 --------------------------------------------------
---------------------------------------------------------------------
The compiler-7.2.7 application can be applied independently of other
applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15353 Application(s): compiler
Related Id(s): ERL-753
Fixed a bug where incorrect code was generated
following a binary match guard.
Full runtime dependencies of compiler-7.2.7: crypto-3.6, erts-9.0,
hipe-3.12, kernel-4.0, stdlib-2.5
---------------------------------------------------------------------
--- erts-10.1.2 -----------------------------------------------------
---------------------------------------------------------------------
Note! The erts-10.1.2 application can *not* be applied independently
of other applications on an arbitrary OTP 21 installation.
On a full OTP 21 installation, also the following runtime
dependency has to be satisfied:
-- kernel-6.1 (first satisfied in OTP 21.1)
--- Fixed Bugs and Malfunctions ---
OTP-15421 Application(s): erts
Fixed a rare bug where files could be closed on a
normal instead of an IO scheduler, resulting in system
instability if the operation blocked.
Full runtime dependencies of erts-10.1.2: kernel-6.1, sasl-3.0.1,
stdlib-3.5
---------------------------------------------------------------------
--- public_key-1.6.3 ------------------------------------------------
---------------------------------------------------------------------
The public_key-1.6.3 application can be applied independently of
other applications on a full OTP 21 installation.
--- Fixed Bugs and Malfunctions ---
OTP-15367 Application(s): public_key
Add DSA SHA2 oids in public_keys ASN1-spec and
public_key:pkix_sign_types/1
Full runtime dependencies of public_key-1.6.3: asn1-3.0, crypto-3.8,
erts-6.0, kernel-3.0, stdlib-3.5
---------------------------------------------------------------------
---------------------------------------------------------------------
---------------------------------------------------------------------
=============================
Release Notes for Samba 4.9.3
November 27, 2018
=============================
This is a security release in order to address the following defects:
o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
Internal DNS server)
o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
configuration (unsupported))
o CVE-2018-16857 (Bad password count in AD DC not always effective)
=======
Details
=======
o CVE-2018-14629:
All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.
o CVE-2018-16841:
When configured to accept smart-card authentication, Samba's KDC will call
talloc_free() twice on the same memory if the principal in a validly signed
certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16851:
During the processing of an LDAP search before Samba's AD DC returns
the LDAP entries to the client, the entries are cached in a single
memory object with a maximum size of 256MB. When this size is
reached, the Samba process providing the LDAP service will follow the
NULL pointer, terminating the process.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16852:
During the processing of a DNS zone in the DNS management DCE/RPC server,
the internal DNS server or the Samba DLZ plugin for BIND9, if the
DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
property is set, the server will follow a NULL pointer and terminate.
There is no further vulnerability associated with this issue, merely a
denial of service.
o CVE-2018-16853:
A user in a Samba AD domain can crash the KDC when Samba is built in the
non-default MIT Kerberos configuration.
With this advisory we clarify that the MIT Kerberos build of the Samba
AD DC is considered experimental. Therefore the Samba Team will not
issue security patches for this configuration.
o CVE-2018-16857:
AD DC Configurations watching for bad passwords (to restrict brute forcing
of passwords) in a window of more than 3 minutes may not watch for bad
passwords at all.
For more details and workarounds, please refer to the security advisories.
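
An added illustration of the CNAME-loop problem described under CVE-2018-14629 (not Samba's code): a resolver that follows CNAME records has to bound the chain and detect revisits, and stored records can be audited for loops. The zone data, the hop limit and all function names are assumptions made for this example.

```python
"""Added example: bounded CNAME following plus a loop audit over stored records."""

MAX_CNAME_HOPS = 8  # assumed limit for this example, not a Samba constant

# Constructed zone data: owner name -> (record type, value)
ZONE = {
    "www.example.test.": ("CNAME", "web.example.test."),
    "web.example.test.": ("A", "192.0.2.10"),
    # Two records that point at each other
    "a.example.test.": ("CNAME", "b.example.test."),
    "b.example.test.": ("CNAME", "a.example.test."),
    # A record that points at itself
    "self.example.test.": ("CNAME", "self.example.test."),
}


class CnameLoopError(Exception):
    """The chain returned to a name it had already visited."""


class CnameChainTooLong(Exception):
    """The chain exceeded the configured hop limit."""


def normalize(name):
    """DNS names compare case-insensitively; use lower case, fully qualified."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def resolve(name, zone=ZONE, max_hops=MAX_CNAME_HOPS):
    """Follow CNAMEs from `name`; return the final value, or None if absent."""
    seen = []
    current = normalize(name)
    hops = 0
    while True:
        if current in seen:
            # Without this check (or the hop limit) the walk never ends.
            raise CnameLoopError(" -> ".join(seen + [current]))
        seen.append(current)
        record = zone.get(current)
        if record is None:
            return None
        rtype, value = record
        if rtype != "CNAME":
            return value
        hops += 1
        if hops > max_hops:
            raise CnameChainTooLong(" -> ".join(seen))
        current = normalize(value)


def find_looping_names(zone):
    """Audit helper: list CNAME owners whose chain ends in a loop."""
    looping = []
    for name, (rtype, _value) in zone.items():
        if rtype != "CNAME":
            continue
        try:
            # len(zone) hops always suffice to reach a repeat if one exists.
            resolve(name, zone, max_hops=len(zone))
        except CnameLoopError:
            looping.append(name)
    return sorted(looping)
```
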