Version 10.21.0 'Dubnium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
CVE-2020-10531: ICU-20958 Prevent SEGV_MAPERR in append (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
Commits
- deps: fix OPENSSLDIR on Windows
- deps: backport ICU-20958 to fix CVE-2020-10531
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
Version 12.18.0 'Erbium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Commits
- crypto: update root certificates
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
- tls: emit session after verifying certificate
- tools: update certdata.txt
Version 14.4.0 (Current)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Commits
- crypto: update root certificates
- (SEMVER-MINOR) deps: update nghttp2 to 1.41.0
- (SEMVER-MINOR) http2: implement support for max settings entries
- napi: fix memory corruption vulnerability
- tls: emit session after verifying certificate
- tools: update certdata.txt
perl v5.30.3
Security
[CVE-2020-10543] Buffer overflow caused by a crafted regular expression
A signed "size_t" integer overflow in the storage space calculations for nested regular expression
quantifiers could cause a heap buffer overflow in Perl's regular expression compiler that overwrites memory
allocated after the regular expression storage space with attacker supplied data.
The target system needs a sufficient amount of memory to allocate partial expansions of the nested
quantifiers prior to the overflow occurring. This requirement is unlikely to be met on 64-bit systems.
[CVE-2020-10878] Integer overflow via malformed bytecode produced by a crafted regular expression
Integer overflows in the calculation of offsets between instructions for the regular expression engine could
cause corruption of the intermediate language state of a compiled regular expression. An attacker could
abuse this behaviour to insert instructions into the compiled form of a Perl regular expression.
[CVE-2020-12723] Buffer overflow caused by a crafted regular expression
Recursive calls to "S_study_chunk()" by Perl's regular expression compiler to optimize the intermediate
language representation of a regular expression could cause corruption of the intermediate language state of
a compiled regular expression.
Additional Note
An application written in Perl would only be vulnerable to any of the above flaws if it evaluates regular
expressions supplied by the attacker. Evaluating regular expressions in this fashion is known to be
dangerous since the regular expression engine does not protect against denial of service attacks in this
usage scenario.
Incompatible Changes
There are no changes intentionally incompatible with Perl 5.30.2.
Modules and Pragmata
Updated Modules and Pragmata
o Module::CoreList has been upgraded from version 5.20200314 to 5.20200601_30.
Since do-configure-pre-hook already depends on replace-interpreter, there
is no point in making any other stage depend on that as well. At best,
it has no effect. At worst it creates a hard-to-find difference between
builds that run "bmake install" directly and builds that split the build
into "bmake configure && bmake build && bmake install", as bulk builds
do.
## 1.9.1 - 2020-05-12
- Add :prefix option to declare-source
- Re-enable minimal builds with the debugger.
- Add several flags for configuring Janet on different platforms.
- Fix broken meson build from 1.9.0 and add meson to CI.
- Fix compilation issue when nanboxing is disabled.
## 1.9.0 - 2020-05-10
- Add `:ldflags` option to many jpm declare functions.
- Add `errorf` to core.
- Add `lenprefix` combinator to PEGs.
- Add `%M`, `%m`, `%N`, and `%n` formatters to formatting functions. These are the
same as `%Q`, `%q`, `%P`, and `%p`, but will not truncate long values.
- Add `fiber/root`.
- Add beta `net/` module to core for socket based networking.
- Add the `parse` function to parse strings of source code more conveniently.
- Add `jpm rule-tree` subcommand.
- Add `--offline` flag to jpm to force use of the cache.
- Allow sending pointers and C functions across threads via `thread/send`.
- Fix bug in `getline`.
- Add `sh-rule` and `sh-phony` to jpm's dialect of Janet.
- Change C api's `janet_formatb` -> `janet_formatbv`, and add new function `janet_formatb` to C api.
- Add `edefer` macro to core.
- A struct/table literal/constructor with duplicate keys will use the last value given.
Previously, this was inconsistent between tables and structs, literals and constructor functions.
- Add debugger to core. The debugger functions are only available
in a debug repl, and are prefixed by a `.`.
- Add `sort-by` and `sorted-by` to core.
- Support UTF-8 escapes in strings via `\uXXXX` or `\UXXXXXX`.
- Add `math/erf`
- Add `math/erfc`
- Add `math/log1p`
- Add `math/next`
- Add os/umask
- Add os/perm-int
- Add os/perm-string
- Add :int-permissions option for os/stat.
- Add `jpm repl` subcommand, as well as `post-deps` macro in project.janet files.
- Various bug fixes.
Version 14.3.0 (Current)
Notable Changes
REPL previews improvements with autocompletion
The output preview is changed to generate previews for autocompleted input instead of the actual input.
Pressing <enter> during a preview is now going to evaluate the whole string including the autocompleted part. Pressing <escape> cancels that behavior.
Support for Top-Level Await
It's now possible to use the await keyword outside of async functions.
These packages are susceptible to bugs when confronted with non-ASCII
characters.
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=94182.
It takes some time to analyze and fix these individually, therefore they
are only marked as "needs work".
