This release addresses a series of locally exploitable security problems
discovered since PHP 4.4.3. All PHP users are encouraged to upgrade to this
release as soon as possible.
This release provides the following security fixes:
* Added missing safe_mode/open_basedir checks inside the error_log(),
file_exists(), imap_open() and imap_reopen() functions.
* Fixed overflows inside str_repeat() and wordwrap() functions on 64-bit systems.
* Fixed possible open_basedir/safe_mode bypass in cURL extension.
* Fixed overflow in GD extension on invalid GIF images.
* Fixed a buffer overflow inside sscanf() function.
* Fixed memory_limit restriction on 64-bit systems.
${EXTRACT_SUFX}, so one can directly use EXTRACT_ONLY instead.
EXTRACT_ONLY defaults to ${DISTFILES} which in turn defaults to
${DISTNAME}${EXTRACT_SUFX}. So if EXTRACT_SUFX is relevant for determining
which tools are needed, this can only happen if neither DISTFILES nor
EXTRACT_ONLY has been set by the package, in which case the relevant
variable EXTRACT_ONLY would contain EXTRACT_SUFX.
shntool is a multi-purpose WAVE data processing and reporting utility.
File formats are abstracted from its core, so it can process any file
that contains WAVE data, compressed or not - provided there exists a
format module to handle that particular file type.
* Number of bug fixes
* New option to help to avoid a potential denial of service in IAX2 channel driver
* Support for TE407P and TE412P quad T1/E1 interface cards
> Can everyone now agree that there are no more hangs? :)
>
> * Require that Dovecot master process's version number matches the
> child process's, unless version_ignore=yes. Usually it's an
> accidental installation problem if the version numbers don't match.
> * Maildir: Create maildirfolder file when creating new maildirs.
>
> + ldap+prefetch: Use global uid/gid settings if LDAP query doesn't
> return them
> + %variables: Negative offsets count from the end of the string.
> Patch by Johannes Berg.
> - kqueue ioloop code rewrite
> - notify=kqueue might have caused connection hangs sometimes
> - deliver: If message body contained a valid mbox From_ line, it
> and the rest of the message was skipped.
> - mbox: We got into infinite loops if trying to open a 2 byte sized
> file as mbox.
> - Don't crash with ssl_disable=yes
> - quota plugin caused compiling problems with some OSes
> - mbox: After saving a mail to a synced mbox, we lost the sync which
> caused worse performance
>
> I think my v1.0 TODO list is:
>
> - avoid duplicate flag change notifications, or in case the message is
> also expunged don't bother notifying its flag changes at all
> (shouldn't be hard)
> - HFS+ avoid-hardlinks patch?
> - 32bit -> 64bit upgrade still doesn't work without assert-crashing:
> mail-cache-transaction.c: line 709 (mail_cache_add): assertion failed:
> (fixed_size == (unsigned int)-1 || fixed_size == data_size)
> - Courier-compatible INBOX. namespace gives "invalid namespace" errors
>
> I'm still not sure about the last one though. Could someone give me
> specific commands that clients send that cause it?
>
> As for the 32bit -> 64bit upgrade fix, could someone give me access to an
> x86-64 machine for a while to test it out?
Overview of Changes from GLib 2.12.1 to GLib 2.12.2
===================================================
* Unicode updates:
- Normalization is following Unicode TR #29
- g_unichar_isxdigit() only accepts characters
for which g_unichar_xdigit_value() returns a value
- g_unichar_toupper and g_unichar_tolower leave
unconvertible characters in place instead of
replacing them by NUL
* Bugs fixed
348491 g_utf8_strup() and g_utf8_strdown() return
strings with NUL bytes
349825 GKeyFile always inserts a newline before a group
347842 g_unichar_isxdigit() is too general about what
it considers a digit
348694 g_utf8_normalize() hasn't been updated to PR #29
348785 Hint about G_DEBUG in Message Logging docs
349792 Wrong english string (UI)
349952 gparamspecs.c uses gcc feature
* Translation updates (ca,cs,de,dz,es,eu,fi,gu,ko,
nl,pl,tr,uk,zh_HK,zh_TW)
Major changes compared to the IMP H3 (4.1.2) version are:
* Added server configuration option to limit number of login tries.
* Added link to view attached S/MIME key details.
* Fixed escaping of folder names.
* Updated Catalan, German and Slovenian translations.
* Several small bugfixes and improvements.
The full list of changes (from version H3 (4.1.2)) can be viewed here:
http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.699.2.194&r2=1.699.2.206&ty=h
Major changes compared to Horde 3.1.2 are:
* Security Fixes
- Closed an XSS problem in index.php and improved protection against
phishing attempts.
* Bugfixes and improvements
- Added Kolab group ACL support.
- Improved import of date and time fields.
- Fixed synchronization support.
- Updated Catalan, German and Slovenian translations.
The full list of changes (from version 3.1.2) can be viewed here:
http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.252&r2=1.515.2.261&ty=h
=== SMP Support ===
The major news is the support for SMP (Symmetric MultiProcessing).
SMP is supported by most modern operating systems such as Linux, Windows, Mac OS X
and Solaris, and is becoming more important now that dual-processor,
hyper-threading and multi-core systems are a reality.
With Erlang, most of the problems which occur in multi-threaded programs have
been solved once and for all in the Erlang VM and do not have to be handled by
the application programmers.
In the SMP version of the Erlang virtual machine, there can be many process
schedulers running in separate OS threads. By default there will be as many
schedulers as there are processors or processor cores on the system.
The SMP support is totally transparent to Erlang programs. That is, there
is no need to change or recompile existing programs. Programs with built-in
assumptions about sequential execution must be rewritten in order to take
advantage of the SMP support, however.
In this release, the Erlang VM supports SMP with a focus on stability. A number
of subsequent steps will follow with the necessary optimizations and support
for more platforms.
=== Erlang Language and Related Issues ===
* The andalso and orelse operators are now allowed to be used in guards.
That also applies to match specifications.
* The BIF is_record/3 can now be used in guards. Also, is_record/3 can now
be called without an erlang: module prefix for consistency with the other
is_* functions.
* The compiler options ignore_try and ignore_cond, which allowed code that
used unquoted try or cond as atoms or record tags, have been removed. Old
code that depended on the options needs to be revised so that occurrences
of try or cond as atoms or record tags are single-quoted. (Note: Although cond
is a reserved keyword, there is no cond statement. It might be introduced
in a future release.)
* (ERTS 5.4.8) The new fun M:F/A construct creates a fun that refers to the
latest version of M:F/A. This syntax is meant to replace tuple funs {M,F}
which have many problems.
* (ERTS 5.4.8) The new type test is_function(Fun, Arity) -- which may be
used in guards -- tests whether Fun is a fun that can be applied to Arity
arguments.
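The following module is an added example, not code from the Erlang/OTP release notes, that exercises the four language changes listed above in one place: andalso/orelse in guards, is_record/3 in a guard without the erlang: prefix, the fun M:F/A construct, and is_function/2 as a guard test. The module name, record and function names are chosen for the illustration; the use of is_function/2 to refuse a fun of the wrong arity before calling apply/2 is the kind of input check a service that accepts callbacks would want.

```erlang
%% guard_demo.erl -- added example (hypothetical module, not from the release notes).
-module(guard_demo).
-export([classify/1, check_record/1, apply_to/3, newest_fun/0, run/0]).

%% A two-field record: the tuple representation is {user, Name, Role}, size 3.
-record(user, {name, role}).

%% andalso/orelse may now appear in guards, so related tests can be
%% combined in one clause without nesting or a helper function.
classify(X) when is_integer(X) andalso X >= 0 andalso X < 256 -> byte;
classify(X) when is_integer(X) orelse is_float(X) -> number;
classify(_) -> other.

%% is_record/3 in a guard, without the erlang: prefix. The explicit size
%% rejects a tuple that merely starts with the atom 'user'.
check_record(R) when is_record(R, user, 3) -> {ok, R#user.name};
check_record(_) -> {error, not_a_user}.

%% is_function/2 in a guard: apply Fun only if it really takes Arity
%% arguments and the argument list matches, otherwise report the problem
%% instead of letting apply/2 raise badarity deep inside the caller.
apply_to(Fun, Args, Arity) when is_function(Fun, Arity), length(Args) =:= Arity ->
    {ok, apply(Fun, Args)};
apply_to(_Fun, _Args, _Arity) ->
    {error, bad_arity}.

%% fun M:F/A refers to the latest loaded version of lists:reverse/1,
%% replacing the older {lists, reverse} tuple-fun style.
newest_fun() ->
    fun lists:reverse/1.

%% Smoke test: each match below fails with badmatch if a feature misbehaves.
run() ->
    [byte, number, other] = [classify(7), classify(2.5), classify(foo)],
    {ok, "alice"} = check_record(#user{name = "alice", role = admin}),
    {error, not_a_user} = check_record({user, "bob"}),   % size 2, not a #user{}
    {ok, [3, 2, 1]} = apply_to(newest_fun(), [[1, 2, 3]], 1),
    {error, bad_arity} = apply_to(newest_fun(), [[1, 2, 3], extra], 2),
    ok.
```

Compile with `erlc guard_demo.erl` and call `guard_demo:run()` from the shell; it returns `ok` when every clause behaves as the notes describe. Because is_function/2 and is_record/3 are guard tests, a bad value simply makes the clause fail and falls through to the error clause, which is what makes them suitable for validating untrusted terms.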
=== New Applications ===
Dialyzer
Dialyzer is a static analysis tool that identifies software discrepancies such
as type errors, unreachable code, unnecessary tests, etc., in single Erlang
modules or entire (sets of) applications.
Inviso
The Inviso application, together with some new extensions to Runtime_Tools, is
aimed at providing features for efficient tracing of production Erlang/OTP
systems:
* Distributed tracing - tracing on any number of Erlang nodes.
* Autostart - tracing during system start-up.
* Overload protection - mechanisms for suspending and later reactivating
tracing, should an overload situation occur.
* Enhanced use of meta tracing.
* Trace cases - predefined specifications of what to trace.
* Off-line merging and formatting of log files.
Inviso is still under development. An easier-to-use trace tool, using the
features listed above, is planned to be released as an R11B patch in Q3/Q4
2006.
SSH
The SSH application is an Erlang implementation of the secure shell protocol.
It is considered to be a beta release, meaning there can be changes made to the
API before it reaches 1.0.
=== Existing Applications ===
Compiler
(Compiler 4.3.6) It is now possible to encrypt the debug information in Beam
files.
Debugger
(Debugger 2.0) The debugger can now handle the try/catch language construct.
Inets
The Erlang implementation of the TFTP protocol, tftp, is now documented.
Kernel
In Kernel 2.10.X, several bug fixes and improvements have been made in global,
the global name registration facility.
OS_Mon
(OS_Mon 2.0) The entire OS_Mon application (code and documentation) has been
reviewed and consequently updated with the goal to make the application more
robust, homogeneous and easier to configure.
STDLIB
Added the zip module with functions for reading and creating zip archives.