2018-08-01: Avoid OOB read on invalid entry point length
Don't let the entry point checksum verification run beyond the end
of the buffer holding it (32 bytes). This bug was discovered by
Lionel Debroux using the AFL fuzzer and AddressSanitizer.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
2018-08-01: Validate structure completeness before decoding
Ensure that the whole DMI structure fits in the announced table
length before performing any action on it. Otherwise we might end
up reading beyond the end of our memory buffer. This bug was
discovered by Lionel Debroux using the AFL fuzzer and
AddressSanitizer. Its probability is very low, as it requires a DMI
table corrupted in one of two very specific ways to trigger. This
bug exists since dmidecode version 2.9, although it is hard to
test because option --from-dump was only introduced in version
2.10.
Signed-off-by: Jean Delvare <jdelvare@suse.de>
When updating a package, some package authors use local time for the
entries in doc/CHANGES, and my system clock was off by several days. To
detect and fix these problems early, pkglint now checks that the dates
are properly ordered.
this works well enough to browse javascript websites with otter-browser,
which needed paxctl +m, although I didn't try it without these changes.
XXX this package might be crashing from feeding bogus values to
posix_memalign.
Additionally, this fixes the build.
Mark paxctl +m, I probably needed this because I locally
enabled qt-webkit's JIT.
0.9.99.1:
added importer for OPML files;
added support for abp: protocol for adding new content filtering profiles;
added ability to open selection as link if it macthes URL format;
various fixes and minor improvements for Feeds reader.
0.9.99:
initial version of Feeds Reader:
Atom and RSS 2.0 parsers;
support for categories;
ability to preview feeds before subscribing using view-feed: protocol;
added action to take page screenshot;
some minor optimizations.
0.9.98:
several enhancements in experimental backend for QtWebEngine (Blink):
initial work on global history support;
added support for alternative stylesheets;
added support for fetching lists of search engines, feeds and links;
initial work on Feeds Reader;
several bug fixes and some minor optimizations.
0.9.97:
added initial version of Tab History panel;
some minor optimizations.
0.9.96:
added initial version of Tab History panel;
some minor optimizations
0.9.95:
added initial version of toolbar widget for viewing downloads from current session;
added some new keyboard shortcuts;
some minor fixes.
0.9.94:
added new default style for Start Page by Kamil Nęcek;
added interface allowing to manage list of hosts using customized website overrides;
several bug fixes and some optimizations.
0.9.93:
added Page Information panel;
added support for external icons for User Scripts;
some minor fixes and optimizations.
0.9.92:
improved support for styling tab bar text;
added support for deleting User Scripts in Addons Manager;
restored inline URLs completion;
added action for peeking tab contents;
multiple bug fixes and stability improvements.
0.9.91:
reworked toolbars:
added support for visibility toggle button (collapsing contents);
fixed unified toolbar and titlebar style under macOS;
toolbar visibility and location is now stored per main window;
improved sidebar(s):
added ability to add new sidebars;
allow to change their location by drag and drop;
vastly improved error pages:
special error pages are now used instead of SSL warning dialogs;
blocked content triggers dedicated error pages;
improved User Agents configuration;
added support for managing multiple proxy configurations and setting them per page or host;
reworked internal actions handling system allows to specify parameters for actions trigerred by keyboard shortcuts and mouse gestures;
vastly decreased import time for large bookmark files;
added module for listing opened windows and tabs;
improved styling under Windows, Unity and macOS;
added new default icon theme by Kamil Nęcek;
item views can now allocate extra space to predefined column other than last one;
added action to set, reset or toggle an option;
global editing actions now apply to focused single and multi line text edit widgets too;
added ability to drop URLs onto bookmark bars;
spell checking is now available in other multi line text edit widgets;
added action to control multimedia playback rate;
keyboard shortcuts are now validated while editing;
added support for customizing F12 menu;
implemented "Validate Using" menu;
added support for configurable Fast Forward rules;
0.9.12:
greatly improved tab bar:
allow to detach tabs by dragging them away;
allow to drop URLs and tabs from other windows;
added option to show embedded tab thumbnails;
improved handling of visibility of close button;
tabs demanding attention are drawn using bold font;
improved RTL support;
decreased default tab padding;
tab text is no longer centered horizontally;
fixed status tip messages while rearranging tabs;
improved KDE5 and Unity integration:
added support for progress information;
added support for desktop actions;
several MacOS X specific fixes and improvements:
improved rendering of platform style;
added dock icon menu;
added support for listing applications associated with given MIME type;
added support for Windows jump list;
added fullscreen support for QtWebKit backend;
open file path is saved;
improved RTL support in address and search fields;
many other fixes and improvements.
0.9.11:
added initial support for storing passwords:
support for multiple credential sets per host;
basic passwords management;
disabled by default (no encryption yet);
added crash reporter;
added support for muting tab media;
F12 menu now exposes all modes for Images visibility (including new option to show cached images only) and Plugins;
QtWebEngine backend is now capable of saving pages in MIME HTML format and as complete set of files;
added new toolbar visibility settings for full screen mode;
added new widget for showing content blocking details;
added ability to customize progress bar;
added ability to add loading progress information widgets to any toolbar;
various improvements in handling of content blocking profiles:
added new definitions and updated existing;
added option to add custom blocking rules;
profiles are now grouped by type;
various minor fixes and improvements.
on finding "nbcheckpassword" (which, at present, might be either
checkpassword-pam or DJB's original).
Depend (unconditionally) on mail/qmail-rejectutils, instead of having it
as an option on mail/qmail.
Bump version.
can (by itself depending on pkgtools/pkg_alternatives) expect to find
"nbcheckpassword".
Remove 'qmail-rejectutils' option, which will become an unconditional
dependency in qmail-run.
Bump PKGREVISION.
Upstream changes:
2.10 2018-07-26
- Add no_separators option (RJBS)
- Fix "Negative repeat count does nothing" warning (thanks to Stefan
Bühler)
- Fix Makefile.PL for perl 5.26 where "." is not in @INC by default
(thanks to Petr Písař)
From upstream ITS #8885
Add a configure test for hdb_generate_key_set_password() prototype
contrib/slapd-modules/smbk5pwd uses hdb_generate_key_set_password() from
Heimdal, which was shortly turned from a 5 arguments function to a 7 arguments
function before the prototype change was rolled back to address API
incompatibility.
Unfortunately, the 7 arguments hdb_generate_key_set_password() made it into
released NetBSD 8.0, causing a build break in contrib/slapd-modules/smbk5pwd.
This change adds a configure test for 7 arguments prototype so that
contrib/slapd-modules/smbk5pwd build again on NetBSD 8.0, and other OS that
would include the 7 arguments hdb_generate_key_set_password().
## 1.2.2 (July 30, 2018)
SECURITY:
- acl: Fixed an issue where writes operations on the Keyring and
Operator were being allowed with a default allow policy even when
explicitly denied in the policy.
FEATURES:
- **Alias Checks:** Alias checks allow a service or node to alias the
health status of another service or node in the cluster.
- agent: New Cloud Auto-join providers: vSphere and Packet.net.
- cli: Added `-serf-wan-port`, `-serf-lan-port`, and `-server-port`
flags to CLI for cases where these can't be specified in config
files and `-hcl` is too cumbersome.
- connect: The TTL of leaf (service) certificates in Connect is now
configurable.
IMPROVEMENTS:
- proxy: With `-register` flag, heartbeat failures will only log once
service registration succeeds.
- http: 1.0.3 introduced rejection of non-printable chars in HTTP URLs
due to a security vulnerability. Some users who had keys written
with an older version which are now dissallowed were unable to delete
them. A new config option disable_http_unprintable_char_filter is
added to allow those users to remove the offending keys. Leaving this
new option set long term is strongly discouraged as it bypasses
filtering necessary to prevent some known vulnerabilities.
- agent: Allow for advanced configuration of some gossip related
parameters.
- agent: Make some Gossip tuneables configurable via the config file
- ui: Included searching on `.Tags` when using the freetext search
field.
- ui: Service.ID's are now shown in the Service detail page and (only
if it is different from the service name) the Node Detail >
[Services] tab.
BUG FIXES:
- acl/connect: Fix an issue that was causing managed proxies not to
work when ACLs were enabled.
- connect: Fix issue with managed proxies and watches attempting to
use a client addr that is 0.0.0.0 or ::
- connect: Allow Native and Unmanaged proxy configurations via config
file
- connect: Fix bug causing 100% CPU on agent when Connect is disabled
but a proxy is still running
- proxy: Don't restart proxies setup in a config file when Consul
restarts
- ui: Display the Service.IP address instead of the Node.IP address in
the Service detail view.
- ui: Watch for trailing slash stripping 301 redirects and forward the
user to the correct location.
- connect: Fixed an issue in the connect native HTTP client where it
failed to resolve service names.
## 1.2.1 (July 12, 2018)
IMPROVEMENTS:
- acl: Prevented multiple ACL token refresh operations from occurring
simultaneously.
- acl: Add async-cache down policy mode to always do ACL token
refreshes in the background to reduce latency.
- proxy: Pass through HTTP client env vars to managed proxies so that
they can connect back to Consul over HTTPs when not serving HTTP.
- connect: Persist intermediate CAs on leader change.
BUG FIXES:
- api: Intention APIs parse error response body for error message.
- agent: Intention read endpoint returns a 400 on invalid UUID
- agent: Service registration with "services" does not error on
Connect upstream configuration.
- dns: Ensure that TXT RRs dont get put in the Answer section for
A/AAAA queries.
- dns: Ensure that only 1 CNAME is returned when querying for services
that have non-IP service addresses.
- api: Fixed issue where `Lock` and `Semaphore` would return earlier
than their requested timeout when unable to acquire the lock.
- watch: Fix issue with HTTPs only agents not executing watches
properly
- agent: Managed proxies that bind to 0.0.0.0 now get a health check
on a sane IP
- server: (Consul Enterprise) Fixed an issue causing Consul to panic
when network areas were used
- license: (Consul Enterprise) Fixed an issue causing the snapshot
agent to log erroneous licensing errors
