ChangeLog:
## 1.4.3 - 2020-08-06
* On Windows, always call `CreateFileW` instead of `CreateFile`.
`CreateFile` could be mapped to `CreateFileA` and not work as expected.
Pull request by Sandu Liviu Catalin. GitHub #228.
* Fixed use of uninitialized memory in `dump_entry_data_list()` that could
cause a heap buffer flow in `mmdblookup`. As part of this fix, most uses
of `malloc` were replaced with `calloc`. Reported by azhou. GitHub #236.
## 1.4.2 - 2019-11-02
* The 1.4.0 release introduced a change that increased the size of `MMDB_s`,
unintentionally causing an ABI break. This release reverts the relevant
commit.
## 1.4.1 - 2019-11-01
* The man page links for function calls were not generated correctly in
1.4.0. This has been corrected.
## 1.4.0 - 2019-11-01
* A negative array index may now be used with `MMDB_get_value`,
`MMDB_vget_value`, and `MMDB_aget_value`. This specifies the element
from the end of the array. For instance, `-1` would refer to the
last element of the array. PR by Kyle Box. GitHub #205.
* On Windows, the file name passed to `MMDB_open` is now expected to be
UTF-8 encoded. This allows Unicode characters to be used in file names.
As part of this change, `mmdblookup` on Windows now converts its
arguments to UTF-8. PR by Gerald Combs. GitHub #189 & #191.
* Fix a memory leak that occurred when freeing an `MMDB_s` where the
database had no languages defined in the metadata. If you are using an
official MaxMind database, this leak does not affect you. Pull request
by Kókai Péter. GitHub #180.
* Add `--disable-binaries` option to `configure`. Pull request by Fabrice
Fontaine. GitHub #166.
* Previous releases incorrectly included `*.Po` files in the `t` directory.
This has been corrected. Reported by Daniel Macks. GitHub #168.
* The internal use of the `MMDB_s` now has the `const` modifier. Public
functions that accepted an `MMDB_s` as an argument now also declare it as
`const`. Pull request by Kurt Johnson. GitHub #199.
* `mmdblookup` now displays the prefix length for the record when using
the verbose flag. GitHub #172.
Overview of Changes in GTK+ 3.24.22
===================================
* GtkTextView:
- Fix some corner cases of pixelcache invalidation
- Make select-all work on touch
* Fix print portal support
* Adwaita:
- Tweak title style class
- Add a public color for text view background
* Windows:
- Limit the size of the corner mask cache
- Use native API for keycode conversion
- Use GLES on arm64
* Wayland: Add a way to change the application id
* Quartz: Add axes to master devices
* Add --enable-tracker3 option to configure
* Translation updates:
Catalan
German
Indonesian
Italian
Kazakh
Spanish
Turkish
Version 4.9.2
* mkdir: fixed exit code with -f option.
* ftp: made ftp:use-pret setting tri-boolean.
* get/mget/put/mput: don't try next files after error if cmd:fail-exit is true.
* get/mget: fixed -O option with remote URL and xfer:use-temp-file being true.
* mirror: disallow empty patterns; don't delete "..".
* mirror: fixed --on-change with --reverse.
* sftp: fixed a bug with truncated files when packets are reordered (finally).
The intent of "--frozen --locked" was to not use the network, but the new
"--offline" option is better suited for this purpose.
It for example allows us to patch Cargo.toml if necessary without having
to regen checksums.
PostgreSQL 12.4, 11.9, 10.14, 9.6.19, 9.5.23
Security Issues
CVE-2020-14349: Uncontrolled search path element in logical replication.
Versions Affected: 10 - 12.
The PostgreSQL search_path setting determines schemas searched for tables, functions, operators, etc. The CVE-2018-1058 fix caused most PostgreSQL-provided client applications to sanitize search_path, but logical replication continued to leave search_path unchanged. Users of a replication publisher or subscriber database can create objects in the public schema and harness them to execute arbitrary SQL functions under the identity running replication, often a superuser. Installations having adopted a documented secure schema usage pattern are not vulnerable.
The PostgreSQL project thanks Noah Misch for reporting this problem.
CVE-2020-14350: Uncontrolled search path element in CREATE EXTENSION.
Versions Affected: 9.5 - 12. The security team typically does not test unsupported versions, but this problem is quite old.
When a superuser runs certain CREATE EXTENSION statements, users may be able to execute arbitrary SQL functions under the identity of that superuser. The attacker must have permission to create objects in the new extension's schema or a schema of a prerequisite extension. Not all extensions are vulnerable.
In addition to correcting the extensions provided with PostgreSQL, the PostgreSQL Global Development Group is issuing guidance for third-party extension authors to secure their own work.
Bug Fixes and Improvements
This update also fixes over 50 bugs that were reported in the last several months. Some of these issues affect only version 12, but many affect all supported versions.
Some of these fixes include:
Fix edge cases in partition pruning involving multiple partition key columns with multiple or no constraining WHERE clauses.
Several fixes for query planning and execution involving partitions.
Fix for determining when to execute a column-specific UPDATE trigger on a logical replication subscriber.
pg_replication_slot_advance() now updates the oldest xmin and LSN values, as the failure to do this could prevent resources (e.g. WAL files) from being cleaned up.
Fix a performance regression in ts_headline().
Ensure that pg_read_file() and related functions read until EOF is reached, which fixes compatibility with pipes and other virtual files.
Forbid numeric NaN values in jsonpath computations, which do not exist in SQL nor JSON.
Several fixes for NaN inputs with aggregate functions. This fixes a change in PostgreSQL 12 where NaN values caused the following aggregates to emit values of 0 instead of NaN: corr(), covar_pop(), regr_intercept(), regr_r2(), regr_slope(), regr_sxx(), regr_sxy(), regr_syy(), stddev_pop(), and var_pop().
time and timetz values fractionally greater than 24:00:00 are now rejected.
Several fixes for EXPLAIN, including a fix for reporting resource usage when a plan uses parallel workers with "Gather Merge" nodes.
Fix timing of constraint revalidation in ALTER TABLE that could lead to odd errors.
Fix for REINDEX CONCURRENTLY that could prevent old values from being included in future logical decoding output.
Fix for LATERAL references that could potentially cause crashes during query execution.
Use the collation specified for a query when estimating operator costs
Fix conflict-checking anomalies in SERIALIZABLE transaction isolation mode.
Ensure checkpointer process discards file sync requests when fsync is off
Fix issue where pg_control could be written out with an inconsistent checksum, which could lead to the inability to restart the database if it crashed before the next pg_control update.
Ensure that libpq continues to try to read from the database connection socket after a write failure, as this allows the connection to collect any final error messages from the server.
Report out-of-disk-space errors properly in pg_dump and pg_basebackup
Several fixes for pg_restore, including a fix for parallel restore on tables that have both table-level and column-level privileges.
Fix for pg_upgrade to ensure it runs with vacuum_defer_cleanup_age set to 0.
Fix how pg_rewind handles just-deleted files in the source data directory
Fix failure to initialize local state correctly in contrib/dblink, which could lead to dblink_close() issuing an unexpected COMMIT on the remote server.
Change contrib/amcheck to not report about deleted index pages that are empty, as this is normal during WAL replay.
Some translation files are installed or not installed depending on the
visibility of qt5-qttranslations in the build environment. For now,
simply explictly require this as a dependency. (It looks like there may
be more translation components to consider, but that's TBD separate
from basic build consistency.) Thanks to wiz@ for mentioning this.
Also, they've bumped the minimum GCC accepted from 4.7 to 4.8.
Changelog:
Development Fixes
Bump RuboCop to v0.85.x (#8223)
Expect drive letter only on vanilla windows (#8227)
Bug Fixes
Disable page excerpts by default (#8222)
Revert introduction of PageDrop (#8221)
Don't generate excerpts for non-html pages (#8234)
Make page excerpts consistent with doc excerpts (#8236)
Documentation
Replace deprecated 'show' command with 'info' (#8235)
Change name to Vercel (#8247)
Add language and examples to describe how to use the configuration op... (#8249)
Fix missing yaml front matter colon and adjust/add clarifying language. (#8250)
correct typo (#8261)
Allow hyperlinks to specific filter documentation (#8231)
Update link to Netlify step-by-step guide (#8264)
Site Enhancements
Including correct Sketch website (#8241)
Release post for v4.1.1 (#8243)
Changelog:
kramdown 2.3.0 released
Although this is a minor version bump there is one breaking change:
Parsing of XML processing instructions was removed because they
are invalid for HTML5 documents.
This change should only affect a negligible amount of existing
kramdown documents since XML processing instructions were never
something a normal user would use.
Additionally, CVE-2020-14001 is addressed to avoid problems when
using the {::options /} extension together with the ‘template’
option. This means updating is highly recommended!
Changes
2 major changes:
New option ‘forbidden_inline_options’ to restrict the
options allowed with the {::options /} extension. This also
addresses the security issue described in CVE-2020-14001.
Parsing of XML processing instructions is not done anymore
for kramdown documents because they are invalid for HTML5
(fixes issue #660 by Samuel Williams)
1 minor change:
Several internal changes with respect to memory usage and
performance (PRs #654, #655, #665 by Ashwin Maroli)
2 bug fixes:
Extend allowed characters in IDs set with headers to all
characters allowed by XML (fixes#658 by Samuel Williams)
Fix thread safety issue by moving global state into an
instance variable (fixes#663 by Samuel Williams)
1 other change:
Documentation fixes and updates (issue #662 by Samuel
Williams, PR #656 by Noah Doersing)
(It loops during the build, at least on amd64 netbsd. It hasn't
apparently been compilable at all in some time, so this should not
make it any less available.)
ChangeLog:
This is a small release with just one update: a major rewrite of the PHP
lexer. Hopefully the improved level of detail makes your PHP code look
prettier but do report any issues you find with it!
This package is cursed and creates links to base. So if you already have
the libraries in base and remove the package, it will remove critical parts
of base.
For example, if installing compat80 on NetBSD 9.0, libterminfo.s.1 already
exists, but this package will *replace* it, and removing the package will
break the base installation.
Distfile changes.
1. Official annoucne says "The only change here is that the configure.ac
file has correctly formatted version number."
2. Name of distfile is changed to match previous file naming scheme.
Old distfile is still available.
3. automake 1.15.1 is used instead of previous 1.15. So, generated files
by it are changed.
4. Other files are not changed, so there is no functional change.
Bump PKGREVISION.
Changelog:
Bugs fixed in this release:
-----------------------------------
[ASTERISK-28878] -
chan_pjsip: PJSIP_MEDIA_OFFER Broken asterisk 16
(Reported by Joseph Ades)
[ASTERISK-28965] -
res_pjsip: Apply outbound proxy to static contacts on AOR
(Reported by Joshua C. Colp)
[ASTERISK-28930] -
./configure --without-ssl build failure
(Reported by Jaco Kroon)
[ASTERISK-28886] -
chan_pjsip: PJSIP_SC_NULL does not exist in pjproject 2.7.2
(Reported by Jared Smith)
[ASTERISK-28957] -
chan_sip: chan_sip does not process 400 response to an INVITE.
(Reported by Frederic LE FOLL)
[ASTERISK-28888] -
res_corosync: causes asterisk crash in huge distributed environment.
(Reported by Università di Bologna - CESIA VoIP)
[ASTERISK-28955] -
"setvar" doesn't work properly in dahdi-channels.conf
(Reported by Marin Odrljin)
[ASTERISK-28954] -
StreamEcho() only returns 1 active stream
(Reported by Bill Kervaski)
[ASTERISK-28942] -
res_sorcery_memory_cache: Individual object expiration behaves unexpectedly with full backend caching
(Reported by Joshua C. Colp)
[ASTERISK-28953] -
res_pjsip_session: Preserve stream label
(Reported by Joshua C. Colp)
[ASTERISK-28952] -
Queue wrapuptime sometimes not respected (based on stale lastcall time)
(Reported by Walter Doekes)
[ASTERISK-28950] -
Stale code in app_queue to check untouched channel
(Reported by Walter Doekes)
[ASTERISK-28644] -
Stale comment in app_queue about ring_entry exception
(Reported by Walter Doekes)
[ASTERISK-28948] -
ARI channel create doesn't referencing the channel_id parameter
(Reported by sungtae kim)
[ASTERISK-28938] -
core_unreal / core_local: Add support for multistream and re-negotiation
(Reported by Joshua C. Colp)
[ASTERISK-28939] -
res_rtp_asterisk: Don't have send/receive buffers on non-WebRTC
(Reported by Joshua C. Colp)
[ASTERISK-28944] -
bridge_softmix: Transitioning a stream from inactive -> sendrecv/sendonly doesn't re-negotiation
(Reported by Joshua C. Colp)
[ASTERISK-28923] -
T.38 Segfaults in chan_pjsip_queryoption
(Reported by Yury Kirsanov)
[ASTERISK-28940] -
/channels/create doesn't get any parameters from the body
(Reported by sungtae kim)
[ASTERISK-28936] -
res_pjsip: crash when dialing non-sip uri
(Reported by Walter Doekes)
[ASTERISK-28900] -
res_fax: Double frame free when gateway in use with off-nominal format usage
(Reported by Gregory Massel)
[ASTERISK-28929] -
pjproject_bundled: Honor --without-pjproject.
(Reported by Alexander Traud)
[ASTERISK-28932] -
res_pjsip_logger writing too big packets
(Reported by nappsoft)
[ASTERISK-28921] -
Wrong return value check for fwrite when writing to pcap file
(Reported by nappsoft)
Improvements made in this release:
-----------------------------------
[ASTERISK-28959] -
res_pjsip: Added option for disable rport parameter set
(Reported by sungtae kim)
[ASTERISK-28958] -
Continue reading string when ping received by websocket
(Reported by Nickolay V. Shmyrev)
[ASTERISK-28945] -
AMI SendText - add Content-Type parameter
(Reported by Kevin Harwell)
[ASTERISK-28949] -
res_http_websocket: Add masking to websocket client
(Reported by Moises Silva)
[ASTERISK-28899] -
Upgrade Asterisk to bundled pjproject 2.10
(Reported by Kevin Harwell)
Wireshark 3.2.6 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2020-10[1] Kafka dissector crash. Bug 16672[2].
CVE-2020-17498[3].
The following bugs have been fixed:
• Kafka dissector fails parsing FETCH responses. Bug 16623[4].
• Dissector for ASTERIX Category 001 / 210 does not recognize bit 1
as extension. Bug 16662[5].
• "invalid timestamp" for Systemd Journal Export Block. Bug
16664[6].
• Decoding Extended Emergency number list IE length. Bug 16668[7].
• Some macOS Bluetooth PacketLogger capture files aren’t recognized
as PacketLogger files (regression, bisected). Bug 16670[8].
• Short IMSIs (5 digits) lead to wrong decoding+warning. Bug
16676[9].
• Decoding of PFCP IE 'PFD Contents' results in "malformed packet".
Bug 16704[10].
• RFH2 Header with 32 or less bytes of NameValue will not parse out
that info. Bug 16733[11].
• CDP: Port ID TLV followed by Type 1009 TLV triggers [Malformed
Packet]. Bug 16742[12].
• tshark crashed when processing opcda. Bug 16746[13].
• tshark with --export-dicom gives “Segmentation fault (core
dumped)”. Bug 16748[14].
New and Updated Features
There are no new features in this release.
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASTERIX, BSSAP, CDP, CoAP, DCERPC SPOOLSS, DCOM, DICOM, DVB-S2,
E.212, GBCS, GSM RR, GSM SMS, IEEE 802.11, Kafka, MQ, Nano, NAS 5GS,
NIS+, NR RRC, PacketLogger, PFCP, RTPS, systemd Journal, TDS, TN3270,
and TN5250
New and Updated Capture File Support
PacketLogger and pcapng
