NetBSD (8.99.2)'s "/bin/tar" fails to handle the extented headers
and extracts files into the wrong directory. This in turn least
to package list problems during the installation phase.
The latest Go release, version 1.9, arrives six months after Go 1.8 and
is the tenth release in the Go 1.x series. There are two changes to the
language: adding support for type aliases and defining when
implementations may fuse floating point operations. Most of the changes
are in the implementation of the toolchain, runtime, and libraries. As
always, the release maintains the Go 1 promise of compatibility. We
expect almost all Go programs to continue to compile and run as before.
The release adds transparent monotonic time support, parallelizes
compilation of functions within a package, better supports test helper
functions, includes a new bit manipulation package, and has a new
concurrent map type.
There are some instabilities on FreeBSD that are known but not
understood. These can lead to program crashes in rare cases. See issue
15658. Any help in solving this FreeBSD-specific issue would be
appreciated.
Go stopped running NetBSD builders during the Go 1.9 development cycle
due to NetBSD kernel crashes, up to and including NetBSD 7.1. As Go 1.9
is being released, NetBSD 7.1.1 is being released with a fix. However,
at this time we have no NetBSD builders passing our test suite. Any help
investigating the various NetBSD issues would be appreciated.
"The bitrot will continue until morale improves."
Go 1.4 is only used as a bootstrap helper to compile a more recent Go.
However, cgo in 1.4 no longer works with current binutils.
Prodded by Thomas Orgis on the mailing list.
correct order of the include files, and use this also for i386 and
amd64 as well. For alpha, move the Linux-specific settings into the
alpha/linux.h file.
Verified that this package now builds on powerpc.
This is largely the patches posted by maya@ on Jul 23, I just mirrored
the changes to include order to NetBSD/powerpc as well. Thanks!
Bump PKGREVISION, bump to gcc5-libs to follow shortly.
These changes aren't necessary, but on the day when guile-2.0.x is
no longer the primary, then the switch to using a non-default
installation prefix should be seamless.
If Guile installs into a non-default installation prefix, then
use ${GUILE_PREFIX}/info and ${GUILE_PREFIX}/man as the locations
for the installed GNU info files and manpages. This avoids needing
to do a lot of fixes to the PLISTs.
Update lang/nodejs to 8.4.0.
## 2017-08-15, Version 8.4.0 (Current), @addaleax
- HTTP2
- Experimental support for the built-in `http2` has been added via the
`--expose-http2` flag.
- Inspector
- `require()` is available in the inspector console now.
- Multiple contexts, as created by the `vm` module, are supported now.
- N-API
- New APIs for creating number values have been introduced.
- Stream
- For `Duplex` streams, the high water mark option can now be set
independently for the readable and the writable side.
- Util
- `util.format` now supports the `%o` and `%O` specifiers for printing
objects.
## 2017-08-09, Version 8.3.0 (Current), @addaleax
The V8 engine has been upgraded to version 6.0, which has a significantly
changed performance profile.
- DNS
- Independent DNS resolver instances are supported now, with support for
cancelling the corresponding requests.
- N-API
- Multiple N-API functions for error handling have been changed to support
assigning error codes.
- REPL
- Autocompletion support for `require()` has been improved.
- Utilities
- The WHATWG Encoding Standard (`TextDecoder` and `TextEncoder`) has
been implemented as an experimental feature.
Security
* bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more information.
* bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including: CVE-2017-9233 (External entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718) and CVE-2012-0876 (Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os- specific entropy sources like getrandom) doesn’t impact Python, since Python already gets entropy from the OS to set the expat secret using XML_SetHashSalt().
* bpo-26657: Fix directory traversal vulnerability with http.server on Windows. This fixes a regression that was introduced in 3.3.4rc1 and 3.4.0rc1. Based on patch by Philipp Hagemeister.
* bpo-30500: Fix urllib.parse.splithost() to correctly parse fragments. For example, splithost('//127.0.0.1#@evil.com/') now correctly returns the 127.0.0.1 host, instead of treating @evil.com as the host in an authentification (login@host).
* bpo-30730: Prevent environment variables injection in subprocess on Windows. Prevent passing other invalid environment variables and command arguments.
Security
* bpo-30730: Prevent environment variables injection in subprocess on Windows. Prevent passing other environment variables and command arguments.
* bpo-30694: Upgrade expat copy from 2.2.0 to 2.2.1 to get fixes of multiple security vulnerabilities including: CVE-2017-9233 (External entity infinite loop DoS), CVE-2016-9063 (Integer overflow, re-fix), CVE-2016-0718 (Fix regression bugs from 2.2.0’s fix to CVE-2016-0718) and CVE-2012-0876 (Counter hash flooding with SipHash). Note: the CVE-2016-5300 (Use os- specific entropy sources like getrandom) doesn’t impact Python, since Python already gets entropy from the OS to set the expat secret using XML_SetHashSalt().
* bpo-30500: Fix urllib.parse.splithost() to correctly parse fragments. For example, splithost('//127.0.0.1#@evil.com/') now correctly returns the 127.0.0.1 host, instead of treating @evil.com as the host in an authentification (login@host).
* bpo-29591: Update expat copy from 2.1.1 to 2.2.0 to get fixes of CVE-2016-0718 and CVE-2016-4472. See https://sourceforge.net/p/expat/bugs/537/ for more information.
8.2.1
- configure:
- add mips64el to valid_arch
- crypto:
- Updated root certificates based on NSS 3.30
- deps:
- upgrade OpenSSL to version 1.0.2.l
- http:
- parse errors are now reported when NODE_DEBUG=http
- Agent construction can now be envoked without `new`
- zlib:
- node will now throw an Error when zlib rejects the value of
windowBits, instead of crashing
8.2.0
- Async Hooks
- Multiple improvements to Promise support in `async_hooks` have
been made.
- Build
- The compiler version requirement to build Node with GCC has been
raised to GCC 4.9.4.
- Cluster
- Users now have more fine-grained control over the inspector port
used by individual cluster workers. Previously, cluster workers were
restricted to incrementing from the master's debug port.
- DNS
- The server used for DNS queries can now use a custom port.
- Support for `dns.resolveAny()` has been added.
- npm
- The `npm` CLI has been updated to version 5.3.0. In particular, it
now comes with the `npx` binary, which is also shipped with Node.
### Notable Changes
- configure:
- add mips64el to valid_arch
- crypto:
- Updated root certificates based on NSS 3.30
- deps:
- upgrade OpenSSL to version 1.0.2.l
- http:
- parse errors are now reported when NODE_DEBUG=http
- Agent construction can now be envoked without `new`
- zlib:
- node will now throw an Error when zlib rejects the value of
windowBits, instead of crashing
This is a bugfix release so no buildlink change.
ChangeLog:
New Features in Qore
* added broken-logic-precedence warning.
Bug Fixes in Qore
* fixed documentation regarding escaping of characters in
strings and added a parse exception in case of trying
to escape octal values in range 400-777 (issue 50)
* fixed a crashing bug where Datasource::getConfigString()
was called without a connection, also could crash in an
implicit internal call to this method with the
DatasourcePool class when connections were lost and the
warning callback should be called (issue 1992)
* fixed a bug where Datasource::getConfigHash() returned
different values depending on if the object was
connected or not (issue 1994)
We should not expand call arguments in between flags reg setting and
flags reg using instructions, as it may expand with flags reg
clobbering insn (ADD in this case).
Attached patch moves expansion out of the link. Also, change
zero-extension to non-flags reg clobbering sequence in case we perform
zero-extension with and.
2017-03-25 Uros Bizjak
Incorrect codegen from rdseed intrinsic use (CVE-2017-11671)
We should not expand call arguments in between flags reg setting and
flags reg using instructions, as it may expand with flags reg
clobbering insn (ADD in this case).
Attached patch moves expansion out of the link. Also, change
zero-extension to non-flags reg clobbering sequence in case we perform
zero-extension with and.
2017-03-25 Uros Bizjak
