- forstdin QoL changes: now it exits 1 if it doesn't read anything,
and it only splits on newlines by default.
- forbacktickx, which is a wrapper to forstdin, gets the same changes.
- Line-processing binaries now chomp by default. Substitution
binaries do not.
- New -N option everywhere to disable chomping.
- New "default" directive to trap, replacing the irrelevant "timeout".
Add RUBYGEM_VERBOSE user-settable variable. It is useful for developers.
RUBYGEM_VERBOSE
Execute gem with verbose option.
Possible values: Yes No
Default: No
Passing LDFLAGS verbatim no longer works, prefix each of them with -ccopt,
this seems to work across more ocaml binaries than -ldopt.
Tested across a number of packages that previously failed.
New in 2020.12:
* Removals:
+ Deprecated method candidates (subbuf(Any:U) on Buf, chdir(Str(), :$!test) on IO::Path)
and indir(IO() $path, &what, :$test!) subroutine candidate that were
throwing an exception instead of a deprecation warning for a long time
were removed from CORE [9040318]
* Additions:
+ Add new method deterministic to Iterator role [87fc041][b83b1b3][
b63c0e0][c37a88e][96285af]
+ Introduce %*SUB-MAIN-OPTS<coerce-allomorphs-to> setting [bd5eba4][
49eecd6]
+ Add a new candidate to spurt routine and method.
It does not have an argument taking content to write,
making it similar to the touch utility [f2ea0a6]
+ Add :emit-on-empty and :emit-once-on-empty methods to Supply.batch
method [cb8eb68]
+ Add :emit-timed to Supply.batch method [492651e]
+ Make is DEPRECATED trait introspectable on Routine instances [0d1c8a8]
* Changes:
+ Improve output of Attribute documentation when rendered with
Pod::To::Text [a0a8a51]
+ Increase sensitivity of Supply.batch(:seconds) x 1000 [aecfc9b]
+ The cas subroutine now accepts Mu as both its target and values [
998cae5]
+ Defined List instances no longer return True when calling ACCEPT
with an undefined List (i.e. List ~~ () returns False now) [9fd79f9]
+ Mark the base native array class as Positional [d1d2546]
* Efficiency:
+ Implement metamodel transparency of nominalizables and fix handling of
definite parameters, gaining back some performance loss introduced with
the new coercion protocol in previous release
[d37906d][ed16d6c][b5465b1][e481619]
+ Fix a shaped array performance problem [f27e212]
+ Make execution of some kinds of when faster [c080e59][0006475][b3a2558]
+ Make cas subroutine ~10% faster [484f870]
+ Make @a[*-1] candidates about 60% faster [2d5d3bf]
+ Optimize some array operators [4ac0f73]
+ Make array access [$i] with $i being a native int about 2x as fast [
7c0956b]
+ Improve the performance of signature binding [b1f59a2]
+ Speed up various aspects of native 1-dim shaped arrays and
native arrays in general
[42fceb0][2c5b545][3def3ce][705e6e6][a76e2b6][60fa48e]
[6792cc4][bd944e7][2274aa8][392d8be][1c43c46]
* Fixes:
+ Fix number of issues with REPL execution. e.g. it "forgetting" previous
multi sub declarations, calling WHAT on native type
[7c0a81f][eae309a][e46a1da][f2851b9][e8ab527][0d6278f]
[6f7718c][be45507]
+ Fix roles not being auto-punned for postcifcumfix:<( )>, by
implementing an invocation protocol for roles [79d2aea]
[5a22a7c][77a7bd2][17223fc][4009f40][538ad1b][9f98595]
+ Fix concurrency issue in compilations with heredocs [147bae3]
+ Fix subsets of coercions [af43ef6]
+ Fix an issue with splitdir method of IO::Spec::Unix
leading to action at a distance bugs [3d46341][f154244]
+ Fix argument of a coercion type not having a workable default value
[44cc88b][856dfb2]
+ Fix error reporting for slurpy named parameters with type constraints [
e1f09cf]
+ Fix behavior of postcircumfix [ ] called with Iterable on
native array [4304e25]
+ Disallow calling of postcircumfix [ ] with type objects [6c7044e]
+ Fix a bug in set symmetric difference logic [7b6de5c]
+ Make Num coercer demand definite invocant [a75b3fa]
+ Add missing handling of adverbs :kv, :p, :k, :v for
1-dim shaped native arrays, also support many adverbs at once
(e.g. :exists:(kv|p) [0f4970d][02e48d8]
+ Give stub packages created by package_at_key a proper longname [aab4f55
]
+ Fix raku method called on CompUnit::Repository::Distribution instance [
7d0813c]
+ Fix proper reporting of the X::Parameter::RW exception message [1732054
]
+ Fix RAKUDO_MODULE_DEBUG output when the message contains meta
characters [b58510f]
+ The Test module now correctly handles RAKU_TEST_TIMES environment
variable,
previously called PERL6_TEST_TIMES [d84ed4e]
* Internal:
+ Remove deprecated functionality to core epilogue [7406f8c]
+ Introduce Rakudo::Iterator.TailWith [f6c7ddb][9dbb52f]
+ Add sink-all method to a number of PredictiveIterators [cf0f2f2]
+ Make Iterator.sink-all default to using skip-one [f0ebdd0]
+ Add raku method to Rakudo::Internals::IterationSet for easier debugging
[0d301fa]
+ Remove all easily removable nqp::stmts from Rakudo code [f2f2cf8]
+ Another round of nqp::if -> ternaries [aba90b0]
+ Fix unwanted references to other compilations by CompilerServices [
d0de766]
+ Type IO::Socket::INET family/type/protocol values [534cc54]
+ Add missing debug type names for easier debugging [a68b8ab]
+ Move "is test-assertion" to candidates [15ec4fe]
+ Adapt filenames in binary release scripts [3748884]
+ Various cleanup and micro-optimization changes [1801a5a]
[eabdee4][45246ae][6852f40][dce6804][c663cc3][1712f03]
[b525c4d][6ee47f0][912381b][2ce5260][80f9283][161325e]
[65f24a8][c02c9cd][46e9468][82d31e0][137d49b][53ad24a]
[1331ffd][c4c4ba9]
Version 10.23.1 'Dubnium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits
CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
Version 12.20.1 'Erbium' (LTS)
Notable changes
This is a security release.
Vulnerabilities fixed:
CVE-2020-8265: use-after-free in TLSWrap (High) Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits
CVE-2020-8287: HTTP Request Smuggling in nodejs Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High) This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
Version 14.15.4 'Fermium' (LTS)
Notable Changes
Vulnerabilities fixed:
CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.
CVE-2020-8287: HTTP Request Smuggling in nodejs (Low)
Affected versions of Node.js allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).
Other OS bundle the necessary libraries with the bootstrap kits, and enabling
this option would mean having to carry additional patches for the bundled zlib
etc.
Camlp5 Version 7.13:
--------------------
* [03 Sep 20] Support for Ocaml 4.11.1.
Camlp5 Version 7.12:
--------------------
* [29 Apr 20] upgrade to minimal support for Ocaml 4.11.0
(specifically 4.11.0+dev2-2020-04-22). This does not provide
support for any new stuff in 4.11.0; indeed, stuff may break. This
is just minimal "build and bootstrap" support.
Python 3.8.7
Core and Builtins
bpo-32381: Fix encoding name when running a .pyc file on Windows: PyRun_SimpleFileExFlags() now uses the correct encoding to decode the filename.
bpo-42536: Several built-in and standard library types now ensure that their internal result tuples are always tracked by the garbage collector:
collections.OrderedDict.items()
dict.items()
enumerate()
functools.reduce()
itertools.combinations()
itertools.combinations_with_replacement()
itertools.permutations()
itertools.product()
itertools.zip_longest()
zip()
Previously, they could have become untracked by a prior garbage collection. Patch by Brandt Bucher.
Library
bpo-42630: tkinter functions and constructors which need a default root window raise now RuntimeError with descriptive message instead of obscure AttributeError or NameError if it is not created yet or cannot be created automatically.
bpo-42644: logging.disable will now validate the types and value of its parameter. It also now accepts strings representing the levels (as does loging.setLevel) instead of only the numerical values.
bpo-36541: Fixed lib2to3.pgen2 to be able to parse PEP-570 positional only argument syntax.
bpo-42375: subprocess module update for DragonFlyBSD support.
bpo-39825: Windows: Change sysconfig.get_config_var('EXT_SUFFIX') to the expected full platform_tag.extension format. Previously it was hard-coded to .pyd, now it is compatible with distutils.sysconfig and will result in something like .cp38-win_amd64.pyd. This brings windows into conformance with the other platforms.
bpo-39101: Fixed tests using IsolatedAsyncioTestCase from hanging on BaseExceptions.
bpo-41907: fix format() behavior for IntFlag
bpo-41889: Enum: fix regression involving inheriting a multiply-inherited enum
bpo-41891: Ensure asyncio.wait_for waits for task completion
bpo-40219: Lowered tkinter.ttk.LabeledScale dummy widget to prevent hiding part of the content label.
bpo-40084: Fix Enum.__dir__: dir(Enum.member) now includes attributes as well as methods.
Documentation
bpo-17140: Add documentation for the multiprocessing.pool.ThreadPool class.
Build
bpo-42604: Now all platforms use a value for the “EXT_SUFFIX” build variable derived from SOABI (for instance in freeBSD, “EXT_SUFFIX” is now “.cpython-310d.so” instead of “.so”). Previosuly only Linux, Mac and VxWorks were using a value for “EXT_SUFFIX” that included “SOABI”.
bpo-42598: Fix implicit function declarations in configure which could have resulted in incorrect configuration checks. Patch contributed by Joshua Root.
Tools/Demos
bpo-42613: Fix freeze.py tool to use the prope config and library directories. Patch by Victor Stinner.
Python 3.8.7 release candidate 1
Security
bpo-42103: Prevented potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.
bpo-42051: The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. This should not affect users as entity declarations are not used in regular plist files.
bpo-40791: Add volatile to the accumulator variable in hmac.compare_digest, making constant-time-defeating optimizations less likely.
Core and Builtins
bpo-41686: On Windows, the SIGINT event, _PyOS_SigintEvent(), is now created even if Python is configured to not install signal handlers (if PyConfig.install_signal_handlers equals to 0, or Py_InitializeEx(0)).
bpo-42143: Fix handling of errors during creation of PyFunctionObject, which resulted in operations on uninitialized memory. Patch by Yonatan Goldschmidt.
bpo-41984: The garbage collector now tracks all user-defined classes. Patch by Brandt Bucher.
bpo-41909: Fixed stack overflow in issubclass() and isinstance() when getting the __bases__ attribute leads to infinite recursion.
bpo-41894: When loading a native module and a load failure occurs, prevent a possible UnicodeDecodeError when not running in a UTF-8 locale by decoding the load error message using the current locale’s encoding.
Library
bpo-17735: inspect.findsource() now raises OSError instead of IndexError when co_lineno of a code object is greater than the file length. This can happen, for example, when a file is edited after it was imported. PR by Irit Katriel.
bpo-42116: Fix handling of trailing comments by inspect.getsource().
bpo-42482: TracebackException no longer holds a reference to the exception’s traceback object. Consequently, instances of TracebackException for equivalent but non-equal exceptions now compare as equal.
bpo-42406: We fixed an issue in pickle.whichmodule in which importing multiprocessing could change the how pickle identifies which module an object belongs to, potentially breaking the unpickling of those objects.
bpo-42328: Fixed tkinter.ttk.Style.map(). The function accepts now the representation of the default state as empty sequence (as returned by Style.map()). The structure of the result is now the same on all platform and does not depend on the value of wantobjects.
bpo-42014: The onerror callback from shutil.rmtree now receives correct function when os.open fails.
bpo-42237: Fix os.sendfile() on illumos.
bpo-42249: Fixed writing binary Plist files larger than 4 GiB.
bpo-35455: On Solaris, thread_time() is now implemented with gethrvtime() because clock_gettime(CLOCK_THREAD_CPUTIME_ID) is not always available. Patch by Jakub Kulik.
bpo-41754: webbrowser: Ignore NotADirectoryError when calling xdg-settings.
bpo-29566: binhex.binhex() consisently writes macOS 9 line endings.
bpo-42183: Fix a stack overflow error for asyncio Task or Future repr().
The overflow occurs under some circumstances when a Task or Future recursively returns itself.
bpo-42103: InvalidFileException and RecursionError are now the only errors caused by loading malformed binary Plist file (previously ValueError and TypeError could be raised in some specific cases).
bpo-41491: plistlib: fix parsing XML plists with hexadecimal integer values
bpo-32498: Clearer exception message when passing an argument of type bytes to urllib.parse.unquote(). This is only for 3.8; in 3.9 and later this function accepts bytes inputs as well. PR by Irit Katriel.
bpo-42065: Fix an incorrectly formatted error from _codecs.charmap_decode() when called with a mapped value outside the range of valid Unicode code points. PR by Max Bernstein.
bpo-41966: Fix pickling pure Python datetime.time subclasses. Patch by Dean Inwood.
bpo-41976: Fixed a bug that was causing ctypes.util.find_library() to return None when triying to locate a library in an environment when gcc>=9 is available and ldconfig is not. Patch by Pablo Galindo
bpo-41900: C14N 2.0 serialisation in xml.etree.ElementTree failed for unprefixed attributes when a default namespace was defined.
bpo-41855: In importlib.metadata, fix issue where multiple children can be returned from FastPath.zip_children(). Backport of python-devs/importlib_metadata#117.
bpo-41840: Fix a bug in the symtable module that was causing module-scope global variables to not be reported as both local and global. Patch by Pablo Galindo.
bpo-41831: str() for the type attribute of the tkinter.Event object always returns now the numeric code returned by Tk instead of the name of the event type.
bpo-41662: No longer override exceptions raised in __len__() of a sequence of parameters in sqlite3 with ProgrammingError.
bpo-41662: Fixed crash when mutate list of parameters during iteration in sqlite3.
bpo-34215: Clarify the error message for asyncio.IncompleteReadError when expected is None.
bpo-41316: Fix the tarfile module to write only basename of TAR file to GZIP compression header.
bpo-12800: Extracting a symlink from a tarball should succeed and overwrite the symlink if it already exists. The fix is to remove the existing file or symlink before extraction. Based on patch by Chris AtLee, Jeffrey Kintscher, and Senthil Kumaran.
bpo-16936: Allow ctypes.wintypes to be imported on non-Windows systems.
bpo-40592: shutil.which() now ignores empty entries in PATHEXT instead of treating them as a match.
bpo-40492: Fix --outfile for cProfile / profile not writing the output file in the original directory when the program being profiled changes the working directory. PR by Anthony Sottile.
bpo-40105: ZipFile truncates files to avoid corruption when a shorter comment is provided in append (“a”) mode. Patch by Jan Mazur.
bpo-27321: Fixed KeyError exception when flattening an email to a string attempts to replace a non-existent Content-Transfer-Encoding header.
bpo-32793: Fix a duplicated debug message when smtplib.SMTP.connect() is called.
Documentation
bpo-42153: Fix the URL for the IMAP protocol documents.
bpo-41910: Document the default implementation of object.__eq__.
bpo-41774: In Programming FAQ “Sequences (Tuples/Lists)” section, add “How do you remove multiple items from a list”.
bpo-39416: Document some restrictions on the default string representations of numeric classes.
Tests
bpo-41473: Reenable test_gdb on gdb 9.2 and newer: https://bugzilla.redhat.com/show_bug.cgi?id=1866884 bug is fixed in gdb 10.1.
bpo-42553: Fix test_asyncio.test_call_later() race condition: don’t measure asyncio performance in the call_later() unit test. The test failed randomly on the CI.
bpo-40754: Include _testinternalcapi module in Windows installer for test suite
bpo-41739: Fix test_logging.test_race_between_set_target_and_flush(): the test now waits until all threads complete to avoid leaking running threads.
bpo-41944: Tests for CJK codecs no longer call eval() on content received via HTTP.
bpo-41939: Fix test_site.test_license_exists_at_url(): call urllib.request.urlcleanup() to reset the global urllib.request._opener. Patch by Victor Stinner.
bpo-41561: test_ssl: skip test_min_max_version_mismatch when TLS 1.0 is not available
bpo-41602: Add tests for SIGINT handling in the runpy module.
bpo-41306: Fixed a failure in test_tk.test_widgets.ScaleTest happening when executing the test with Tk 8.6.10.
Build
bpo-42398: Fix a race condition in “make regen-all” when make -jN option is used to run jobs in parallel. The clinic.py script now only use atomic write to write files. Moveover, generated files are now left unchanged if the content does not change, to not change the file modification time.
Windows
bpo-42120: Remove macro definition of copysign (to _copysign) in headers.
bpo-38439: Updates the icons for IDLE in the Windows Store package.
bpo-41557: Update Windows installer to use SQLite 3.33.0.
bpo-38324: Avoid Unicode errors when accessing certain locale data on Windows.
macOS
bpo-38443: The --enable-universalsdk and --with-universal-archs options for the configure script now check that the specified architectures can be used.
bpo-41471: Ignore invalid prefix lengths in system proxy excludes.
bpo-41557: Update macOS installer to use SQLite 3.33.0.
IDLE
bpo-42426: Fix reporting offset of the RE error in searchengine.
bpo-42415: Get docstrings for IDLE calltips more often by using inspect.getdoc.
bpo-33987: Mostly finish using ttk widgets, mainly for editor, settings, and searches. Some patches by Mark Roseman.
bpo-41775: Use ‘IDLE Shell’ as shell title
bpo-40511: Typing opening and closing parentheses inside the parentheses of a function call will no longer cause unnecessary “flashing” off and on of an existing open call-tip, e.g. when typed in a string literal.
bpo-38439: Add a 256×256 pixel IDLE icon to the Windows .ico file. Created by Andrew Clover. Remove the low-color gif variations from the .ico file.
C API
bpo-41986: Py_FileSystemDefaultEncodeErrors and Py_UTF8Mode are available again in limited API.
Provides a header only, C++11 interface to R's C interface. Compared
to other approaches 'cpp11' strives to be safe against long jumps from
the C API as well as C++ exceptions, conform to normal R function
semantics and supports interaction with 'ALTREP' vectors.
ChangeLog:
2020-12-23 Simon Sobisch <simonsobisch@gnu.org>
* configure.ac: version 3.1.2
2020-12-15 Simon Sobisch <simonsobisch@gnu.org>
* configure.ac: fixed use of MPIR_LIBS
This results in a successful build and a js78 executable that runs in
my test environment (the most recent OmniOS release). However, test
suite execution yields an immediate failure with the message "too much
recursion", so it seems more work is still required here.
Version 14.15.3 'Fermium' (LTS)
Notable Changes
Node.js v14.15.2 included a commit that has caused reported breakages when cloning request objects. This release reverts the commit that introduced the behaviour change. See https://github.com/nodejs/node/issues/36550 for more details.
