From upstream ITS #8885
Add a configure test for hdb_generate_key_set_password() prototype
contrib/slapd-modules/smbk5pwd uses hdb_generate_key_set_password() from
Heimdal, which was shortly turned from a 5 arguments function to a 7 arguments
function before the prototype change was rolled back to address API
incompatibility.
Unfortunately, the 7 arguments hdb_generate_key_set_password() made it into
released NetBSD 8.0, causing a build break in contrib/slapd-modules/smbk5pwd.
This change adds a configure test for 7 arguments prototype so that
contrib/slapd-modules/smbk5pwd build again on NetBSD 8.0, and other OS that
would include the 7 arguments hdb_generate_key_set_password().
## 1.2.2 (July 30, 2018)
SECURITY:
- acl: Fixed an issue where writes operations on the Keyring and
Operator were being allowed with a default allow policy even when
explicitly denied in the policy.
FEATURES:
- **Alias Checks:** Alias checks allow a service or node to alias the
health status of another service or node in the cluster.
- agent: New Cloud Auto-join providers: vSphere and Packet.net.
- cli: Added `-serf-wan-port`, `-serf-lan-port`, and `-server-port`
flags to CLI for cases where these can't be specified in config
files and `-hcl` is too cumbersome.
- connect: The TTL of leaf (service) certificates in Connect is now
configurable.
IMPROVEMENTS:
- proxy: With `-register` flag, heartbeat failures will only log once
service registration succeeds.
- http: 1.0.3 introduced rejection of non-printable chars in HTTP URLs
due to a security vulnerability. Some users who had keys written
with an older version which are now dissallowed were unable to delete
them. A new config option disable_http_unprintable_char_filter is
added to allow those users to remove the offending keys. Leaving this
new option set long term is strongly discouraged as it bypasses
filtering necessary to prevent some known vulnerabilities.
- agent: Allow for advanced configuration of some gossip related
parameters.
- agent: Make some Gossip tuneables configurable via the config file
- ui: Included searching on `.Tags` when using the freetext search
field.
- ui: Service.ID's are now shown in the Service detail page and (only
if it is different from the service name) the Node Detail >
[Services] tab.
BUG FIXES:
- acl/connect: Fix an issue that was causing managed proxies not to
work when ACLs were enabled.
- connect: Fix issue with managed proxies and watches attempting to
use a client addr that is 0.0.0.0 or ::
- connect: Allow Native and Unmanaged proxy configurations via config
file
- connect: Fix bug causing 100% CPU on agent when Connect is disabled
but a proxy is still running
- proxy: Don't restart proxies setup in a config file when Consul
restarts
- ui: Display the Service.IP address instead of the Node.IP address in
the Service detail view.
- ui: Watch for trailing slash stripping 301 redirects and forward the
user to the correct location.
- connect: Fixed an issue in the connect native HTTP client where it
failed to resolve service names.
## 1.2.1 (July 12, 2018)
IMPROVEMENTS:
- acl: Prevented multiple ACL token refresh operations from occurring
simultaneously.
- acl: Add async-cache down policy mode to always do ACL token
refreshes in the background to reduce latency.
- proxy: Pass through HTTP client env vars to managed proxies so that
they can connect back to Consul over HTTPs when not serving HTTP.
- connect: Persist intermediate CAs on leader change.
BUG FIXES:
- api: Intention APIs parse error response body for error message.
- agent: Intention read endpoint returns a 400 on invalid UUID
- agent: Service registration with "services" does not error on
Connect upstream configuration.
- dns: Ensure that TXT RRs dont get put in the Answer section for
A/AAAA queries.
- dns: Ensure that only 1 CNAME is returned when querying for services
that have non-IP service addresses.
- api: Fixed issue where `Lock` and `Semaphore` would return earlier
than their requested timeout when unable to acquire the lock.
- watch: Fix issue with HTTPs only agents not executing watches
properly
- agent: Managed proxies that bind to 0.0.0.0 now get a health check
on a sane IP
- server: (Consul Enterprise) Fixed an issue causing Consul to panic
when network areas were used
- license: (Consul Enterprise) Fixed an issue causing the snapshot
agent to log erroneous licensing errors
1.7.8: 12 Jul 2018
- [Feature] Add more extended statistics about fuzzy updates
- [Feature] Add more non-conformant Received headers support
- [Feature] Add preliminary function to get fuzzy hashes from text in
Lua
- [Feature] Allow to configure AV module rejection message
- [Feature] Implement fuzzy hashes extraction in mime tool
- [Feature] Improve WHITE_ON_WHITE rule
- [Feature] Improve integer -> string conversion
- [Feature] Reuse maps in multimap module more aggressively
- [Fix] Avoid race condition in skip map as pool lifetime is not
enough
- [Fix] Eliminate all specific C plugins pools
- [Fix] Fix DKIM check rule if DNS is unavailable
- [Fix] Fix build where ucontext is defined in ucontext.h
- [Fix] Fix crash in base url handling
- [Fix] Fix descriptors leak in sqlite3 locking code
- [Fix] Fix messages quarantine
- [Fix] Fix padded numbers printing
- [Fix] Fix race condition on maps reinit
- [Fix] Fix regexp functions when no data is passed
- [Fix] Fix specific urls extraction
- [Fix] Fix styles propagation
- [Fix] Improve resetting of the limit buckets
- [Fix] Initialize sqlite3 properly
- [Fix] Work with broken resolvers in resolv.conf
- [Project] Implement HTTP maps caching
- [Project] Refresh fuzzy hashes when matched
- [Project] Add logic to deduplicate fuzzy updates queue
- [WebUI] Add missed declarations
- [WebUI] Avoid using "undefined" property
- [WebUI] Do not accept passwords containing control characters
- [WebUI] Do not redeclare variables
- [WebUI] Enable strict mode,
- [WebUI] Fix variable assignment
- [WebUI] Initialize variables at declaration
- [WebUI] Remove duplicated path from RequireJS config
- [WebUI] Remove unused block
- [WebUI] Remove unused variable
- [WebUI] Remove unused variables
- [WebUI] Use self-explanatory notation
- [WebUI] Use type-safe equality operators
1.7.7: 02 Jul 2018
- [CritFix] Check NM part of pubkey to match it with rotating keypairs
- [CritFix] Do not overwrite PID of the main process
- [CritFix] Fix maps after reload
- [CritFix] Fix maps race conditions on reload
- [CritFix] Fix shmem leak in encrypting proxy mode
- [Feature] Add a concept of ignored symbols to avoid race conditions
- [Feature] Add ability to print bayes tokens in rspamadm mime
- [Feature] Add method to get statistical tokens in Lua API
- [Feature] Add preliminary mime stat command
- [Feature] Add rspamadm mime tool
- [Feature] Add urls extraction tool
- [Feature] Address ZeroFont exploit
- [Feature] Allow rspamadm mime to process multiple files
- [Feature] Allow to extract words in `rspamadm mime`
- [Feature] Allow to print mime part data
- [Feature] Allow to show HTML structure on extraction
- [Feature] Distinguish IP failures from connection failures
- [Feature] Improve output for mime command
- [Feature] Improve styles propagation
- [Feature] Main process crash will now cleanup all children
- [Feature] Preload file and static maps in main process
- [Feature] Print stack trace on crash
- [Feature] Process font size in HTML parser
- [Feature] Propagate content length of invisible tags
- [Feature] Read ordinary file maps in chunks to be more safe on
rewrites
- [Feature] Support base tag in HTML
- [Feature] Support more size suffixes when parsing HTML styles
- [Feature] Support opacity style
- [Fix] Another fix for nested composites
- [Fix] Fill nm id in keypairs cache code
- [Fix] Fix colors alpha channel handling
- [Fix] Fix destruction logic
- [Fix] Fix double free
- [Fix] Fix maps preload logic
- [Fix] Fix nested composites process
- [Fix] Fix proxying of Exim connections
- [Fix] Fix reload crash
- [Fix] Fix rspamadm -l command
- [Fix] Update ed25519 signing schema
- [WebUI] Stop using "const" declaration
- [WebUI] Update RequireJS to 2.3.5
1.7.6: 15 Jun 2018
- [CritFix] Fix multiple neural networks support
- [Feature] Add decryption function to keypair command
- [Feature] Add gzip compression for HTTP requests in elastic module
- [Feature] Add gzip methods to lua util
- [Feature] Add maps based on Top Level Domains
- [Feature] Add pubkey checks for dkim_signing
- [Feature] Add support of fake DNS records
- [Feature] Add tool to encrypt files
- [Feature] Allow to add symbols using settings directly
- [Feature] Allow to match private and public keys for DKIM signatures
- [Feature] Allow to set task flags via settings
- [Feature] Allow to specify fake DNS address from the config
- [Feature] Implement signatures verification using rspamadm keypair
- [Feature] Implement signing using `rspamadm keypair`
- [Feature] Improve error reporting for DKIM key access issues
- [Feature] Provide $HOSTNAME variable in UCL
- [Feature] Rework levenshtein distance computation
- [Feature] Split message parsing and processing
- [Feature] Support ED25519 DKIM signatures
- [Feature] Support encrypted configs in UCL
- [Feature] Suppress duplicate warning on very large radix tries
- [Feature] Use OSB to combine header names
- [Fix] Cleanup maps data on shutdown
- [Fix] Fix '~' behaviour in composites
- [Fix] Fix HTTP maps updates
- [Fix] Fix NIST signatures
- [Fix] Fix RFC822 comments when processing a mime address
- [Fix] Fix double free
- [Fix] Fix dynamic settings application
- [Fix] Fix for CommuniGate Pro maillist
- [Fix] Fix keypair creation method to actually create keypair...
- [Fix] Fix matching patterns with no paths
- [Fix] Fix memory leak in parsing comments
- [Fix] Fix parsing of urls with numeric password
- [Fix] Fix plugins intialisation in configwizard
- [Fix] Fix potential crash on reload
- [Fix] Fix potential race condition for a finished HTTP connections
- [Fix] Fix race-condition leak on processes reload
- [Fix] Fix signing in openssl mode
- [Fix] Free language detector structures
- [Fix] Relax alignment requirements
- [Fix] Send DMARC reports compressed
- [Fix] Try to fix leak in dmarc module
- [Fix] Try to plug memory leak in metric exporter
- [Project] Convert rspamadm subcommands to Lua
- [WebUI] Display smtp sender/recipient in history
- [WebUI] Fix elements disabling in "Symbols" tab
- [WebUI] Limit recipients list in history column to 3
- [WebUI] Match envelope and mime addresses following in arbitrary
order
- [WebUI] Update column header
- [WebUI] Wrap addresses in history
1.7.5: 18 May 2018
- [Conf] Add MSBL proposed return codes
- [Conf] Add additional groups for policies
- [CritFix] Do not use volatile Lua strings as UCL keys
- [Feature] Add ability to add fuzzy hashes to headers
- [Feature] Add function to extract most meaningful urls
- [Feature] Add rule to block mixed text and encrypted parts
- [Feature] Allow multiple groups for symbols
- [Feature] Allow to disable lua squeezing logic
- [Feature] Allow to get multipart children in Lua
- [Feature] Allow to insert multiple headers from milter headers
- [Feature] Allow to print scores in subject and further extensions
- [Feature] Be more error-prone in squeezed rules
- [Feature] Support multiple return codes in emails module
- [Feature] Use EMA for calculating averages
- [Feature] Use common jit cache for all regexps
- [Feature] support for CommuniGate Pro self-generated messages
- [Fix] Allow to have multiple values for headers as arrays
- [Fix] Do not open sockets for disabled workers
- [Fix] Fix AuthservId
- [Fix] Fix base64 folding in Lua API
- [Fix] Fix build on non-x86 platforms
- [Fix] Fix cached maps logic
- [Fix] Fix compatibility with old maps query logic
- [Fix] Fix crash if skip_map is used
- [Fix] Fix importing static maps from UCL
- [Fix] Fix parsing of unix sockets
- [Fix] Fix raw_mime regexp on HTML part with no text content
- [Fix] Fix tables logging
- [Fix] Fix vertical tab handling in libucl
- [Fix] Try to fix frequency counters
- [Fix] Use better sharding for ip_score
- [Fix] Use multiple results from SURBL DNS reply
- [Fix] When doing AV scan select a different server for retransmit
Upstream changes:
version 1.22 at 2018-07-15 12:24:13 +0000
-----------------------------------------
Change: f3770138dd1fe7948ee2f7633a14dd661daa1267
Author: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
Date : 2018-07-15 13:24:13 +0000
Fixed problem when specifying ssl options
-----------------------------------------
version 1.20 at 2018-07-13 18:06:30 +0000
-----------------------------------------
Change: dedc0de6a3a6513ac32355393443ae5bee756ec8
Author: Chris 'BinGOs' Williams <chris@bingosnet.co.uk>
Date : 2018-07-13 19:06:30 +0000
Added sslctx, sslcert and sslkey options
These allow manipulation of the SSL/TLS connection and to specify
client-side certificate, respectively.
Upstream changes:
1.302138 2018-07-11 09:29:51-07:00 America/Los_Angeles
- No changes since trial
1.302137 2018-05-25 08:45:13-07:00 America/Los_Angeles (TRIAL RELEASE)
- Make it safe to fork before events in IPC
Note that this used to be part of py-scipy.
Imageio is a Python library that provides an easy interface to read
and write a wide range of image data, including animated images,
video, volumetric data, and scientific formats. It is cross-platform,
runs on Python 2.7 and 3.4+, and is easy to install.
Upstream changes:
1.004002 2018-07-29
[ Bug Fixes ]
- Skip one particular test on old versions of Moo because it relies on a
feature introduced in Moo 1.004000.
Fixes RT#125948.
<https://rt.cpan.org/Ticket/Display.html?id=125948>
Changes:
3.6.6
-----
Documentation
- bpo-33503: Fix broken pypi link
- bpo-33421: Add missing documentation for typing.AsyncContextManager.
- bpo-33378: Add Korean language switcher for https://docs.python.org/3/
- bpo-33276: Clarify that the __path__ attribute on modules cannot be just
any value.
- bpo-33201: Modernize documentation for writing C extension types.
- bpo-33195: Deprecate Py_UNICODE usage in c-api/arg document.
Py_UNICODE related APIs are deprecated since Python 3.3, but it
is missed in the document.
- bpo-33126: Document PyBuffer_ToContiguous().
- bpo-27212: Modify documentation for the islice() recipe to consume initial
values up to the start index.
- bpo-28247: Update zipapp documentation to describe how to make standalone
applications.
- bpo-18802: Documentation changes for ipaddress. Patch by Jon Foster and
Berker Peksag.
- bpo-27428: Update documentation to clarify that WindowsRegistryFinder
implements MetaPathFinder. (Patch by Himanshu Lakhara)
- bpo-8243: Add a note about curses.addch and curses.addstr exception
behavior when writing outside a window, or pad.
- bpo-31432: Clarify meaning of CERT_NONE, CERT_OPTIONAL, and CERT_REQUIRED
flags for ssl.SSLContext.verify_mode.
Algorithm
Rewrite of the core int32/avx2 implementation for (1) higher speed and
(2) reduced memory consumption. Stack allocation is now at most a few
kilobytes, even for gigantic arrays.
Internally, the sorting algorithm is now mostly bitonic to simplify
indexing, although odd-even speedups are still applied when
convenient. Lanes are complemented to take the down-up decision out of
the inner loops.
As in previous djbsort versions, data is sorted first in vector lanes
and then transposed for final merges, reducing the overall number of
vector permutations. Unlike previous versions, transposition is done
in-place. The transposition in this version is bit-reversal on the outer
6 bits (bottom 3 bits and the top 3 bits), but leaves intermediate bits
alone. Non-power-of-2 array sizes are handled by an extra, more
traditional, merge step.
Sizes 2, 3, 4, 5, 6, 7, 8, 16, 32 are now special-cased. Non-power-of-2
sizes below 256 are padded to the next power of 2.
Portable implementations: The out-of-place int32/portable1 and
int32/portable2 implementations are now gone; the in-place
int32/portable3 and int32/portable4 implementations remain.
C API
float32_sort is now supported. The arithmetic in the reduction from
float32 to int32 is int32 31-bit right shift, uint32 1-bit right shift,
xor; this is slightly more efficient than the reduction from float32 to
uint32 from 2001 Herf.
Compiling
Tests now have more variation (without much slowdown): the uint32 test
cases now deviate from int32 in more than the sign; float32 uses
floating-point numbers that aren't integers; int32 does more loops for
small cases, and some larger cases.
Internals
API for 2-input sorting is now MINMAX macro operating on two
inputs in place.
Better inline assembly from Jason Donenfeld for 2-input sorting: more
flexibility in compiler's register allocation.
The package version number is now automatically copied to version.c as
the implementation version number for implementations that don't provide
version.c.
Verification
minmax now supports more peephole optimizations for complemented bitonic
sorting and for padding: xor(s,xor(s,t)) ⇒ t; xor(-1,s) ⇒ invert(s);
Reverse(Reverse(s)) ⇒ s; signedmin(invert(s),invert(t)) ⇒
invert(signedmax(s,t)); signedmax(invert(s),invert(t)) ⇒
invert(signedmin(s,t)); invert(s)[high:low] ⇒ invert(s[high:low]);
s[bits-1:0] ⇒ s; s[high:low][high2:low2] ⇒ s[high2+low:low2+low];
Concat(...)[high:low] ⇒ ...[high-pos:low-pos] when possible;
Reverse(s)[high:low] ⇒ Reverse(s[...]) when possible; eliminate
signedmin/signedmax when one input is the minimum or maximum constant.
verifymany now includes the implementation version number on
verified lines.
machine, not on the machine preparing a binary package." (Also: "The
issues are explained in Section 8 of
https://pqcrypto.eu.org/deliverables/d2.4.pdf.")
For this to work, we install the source tree (with built objects) to
${PREFIX}/share/djbsort. Then we run tests, install to ${PREFIX}/include
and ${PREFIX}/lib, and check the installed files against pseudo-PLIST.
This means pkg_add(1) will fail if no C compiler is present, which is
unusual behavior for pkg_add but perhaps not entirely unreasonable for a
C library.
Bump PKGREVISION.
Seems to make a previously segfaulting netbsd-8/i386's build not segfault.
ap-php runs PHP's configure and builds some of its code, so it needs the
same flag.
Now we can stop requiring an arbitrary GCC version. The test case in the
GCC bugzilla fails on all GCC versions I tested, but magically some
versions of GCC manage to build a working PHP.
Changelog:
changed
Thunderbird will now prompt to compact IMAP folders even if the account is online. Note: Under certain circumstances an incorrect estimate of the expected gain is shown.
fixed
Complete fix of the EFAIL vulnerability: 1) Removing some HTML crafted to carry out an attack. 2) Optionally: Not decrypting subordinate message parts that otherwise might reveal decrypted content to the attacker. Preference mailnews.p7m_subparts_external needs to be set to true for added security.
fixed
Various problems when forwarding messages inline when using "simple" HTML view
fixed
Deleting or detaching attachments corrupted messages under certain circumstances (not working only in Thunderbird version 52.9.0)
fixed
Various security fixes
Security fixes:
#CVE-2018-12359: Buffer overflow using computed size of canvas element
#CVE-2018-12360: Use-after-free when using focus()
#CVE-2018-12372: S/MIME and PGP decryption oracles can be built with HTML emails
#CVE-2018-12373: S/MIME plaintext can be leaked through HTML reply/forward
#CVE-2018-12362: Integer overflow in SSSE3 scaler
#CVE-2018-12363: Use-after-free when appending DOM nodes
#CVE-2018-12364: CSRF attacks through 307 redirects and NPAPI plugins
#CVE-2018-12365: Compromised IPC child process can list local filenames
#CVE-2018-12366: Invalid data handling during QCMS transformations
#CVE-2018-12368: No warning when opening executable SettingContent-ms files
#CVE-2018-12374: Using form to exfiltrate encrypted mail part by pressing enter in form field
#CVE-2018-5188: Memory safety bugs fixed in Firefox 60, Firefox ESR 60.1, Firefox ESR 52.9, and Thunderbird 52.9
Changelog:
General Improvements
Fixed LTO link-time performance problems caused by an overflow in the
partitioning algorithm while building large binaries.
Language Specific Changes
C++
GCC 8.2 fixed a bug introduced in GCC 8.1 affecting passing or returning of
classes with a deleted copy constructor and defaulted trivial move constructor
(bug c++/86094). GCC 8.2 introduces -fabi-version=13 and makes it the default,
ABI incompatibilities between GCC 8.1 and 8.2 can be reported with -Wabi=12.
See C++ changes for more details.
Target Specific Changes
IA-32/x86-64
-mtune=native performance regression PR84413 on Intel Skylake processors
has been fixed.
