-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update cfengine3 to 3.7.2 #307
Conversation
Cfengine 3.7 itself is an LTS line. |
I'm working on this now. |
Awesome, thanks! |
Fixing several issues with the update, but one question: where do the SMF manifests come from? |
I created them using They've been added to the CfEngine source repository (https://github.com/cfengine/core/tree/master/contrib/solaris-smf), but for some reason are not included in the source code packages. |
Patch based largely on a pull request by bahamat@: TritonDataCenter/pkgsrc#307 3.7.2: Bug fixes: - readfile() and read*list() should print an error if they fail to read file. (Redmine #7702) - Fix 'AIX_PREINSTALL_ALREADY_DONE.txt: cannot create' error message on AIX. - If there is an error saving a mustache template file it is now logged with log-level error (was inform). - Change: Clarify bootstrap/failsafe reports - Fixed several bugs which prevented CFEngine from loading libraries from the correct location. This affected several platforms. (Redmine #6708) - If file_select.file_types is set to symlink and there are regular files in the scanned directory, CFEngine no longer produces an unneccessary error message. (Redmine #6996) - Fix: Solaris packages no longer contain duplicate library files, but instead symlinks to them. (Redmine #7591) - cf-agent, cf-execd, cf-promises, cf-runagent and cf-serverd honor multiple -D, -N and -s arguments (Redmine #7191) - Fix "@endif" keyword sometimes being improperly processed by policy parser. (Redmine #7413) - It is possible to edit the same value in multiple regions of one file. (Redmine #7460) - Fix select_class not setting class when used in common bundle with slist. (Redmine #7482) - Fix broken HA policy for 3rd disaster-recovery node. - Directories should no more be changed randomly into files. (Redmine #6027) - Include latest security updates for 3.7. - Reduce malloc() thread contention on heavily loaded cf-serverd, by not exiting early in the logging function, if no message is to be printed. (Redmine #7624) - Improve cf-serverd's lock contention because of getpwnam() call. (Redmine #7643) - action_policy "warn" now correctly produces warnings instead of various other verbosity levels. (Redmine #7274) - Change: Improve efficiency and debug reports (Redmine #7527) - Change package modules permissions on hub package so that hub can execute package promises. (Redmine #7602) - No longer hang when changing permissions/ownership on fifos (Redmine #7030) - Fix exporting CSV reports through HTTPS. (Redmine #7267) - failsafe.cf will be created when needed. (Redmine #7634) - Mustache templates: Fix key when value is not a primitive. The old behavior, when iterating across a map or array of maps, was to abort if the key was requested with . The new behavior is to always replace with either the key name or the iteration position in the array. An error is printed if is used outside of a Mustache iteration section. - Legacy package promise: Result classes are now defined if the package being promised is already up to date. (Redmine #7399) - TTY detection should be more reliable. (Redmine #7606) Masterfiles: - Add: Path to svcprop in stdlib - Add: New `results` classes body [] (Redmine #7418, #7481) - Remove: Support for email settings from augments_file (Redmine #7682) 3.7.1: Bug fixes: - Fix daemons not restarting correctly on upgrade on AIX. (Redmine #7550) - Fix upgrade causing error message under systemd because of open ports. - Fix build with musl libc. (Redmine #7455) - Long promiser strings with multiple lines are now abbreviated in logs. (Redmine #3964) - Fixed a bug which could cause daemons to not to be killed correctly when upgrading or manually running "service cfengine3 stop". (Redmine #7193) - Package promise: Fix inability to install certain packages with numbers. - Fix package promise not removing dependant packages. (Redmine #7424) - Fix warning "Failed to parse csv file entry" with certain very long commands promises. (Redmine #7400) - Fix misaligned help output in cf-hub. (Redmine #7273) - Augmenting inputs from the augments_file (Redmine #7420) - Add support for failover to 3rd HA node located outside cluster. - Upgrade all dependencies for patch release. - Fix a bug which caused daemons not to be restarted on upgrade. (Redmine #7528) 3.7.0: New features: - New package promise implementation. - Full systemd support for all relevant platforms - New classes to determine whether certain features are enabled: * feature_yaml * feature_xml For the official CFEngine packages, these are always enabled, but packages from other sources may be built without the support. - New readdata() support for generic data input (CSV, YAML, JSON, or auto) - YAML support: new readyaml() function and in readdata() - CSV support: new readcsv() function and in readdata() - New string_mustache() function - New data_regextract() function - eval() can now be called with "class" as the "mode" argument, which will cause it to return true ("any") if the calculated result is non-zero, and false ("!any") if it is zero. - New list_ifelse() function - New mapjson() function as well as JSON support in maparray(). - filestat() function now supports "xattr" argument for extended attributes. - "ifvarclass" now has "if" as an alias, and "unless" as an inverse alias. - Ability to expand JSON variables directory in Mustache templates: Prefix the name with '%' for multiline expansion, '$' for compact expansion. - Ability to expand the iteration *key* in Mustache templates with @ - Canonical JSON output: JSON output has reliably sorted keys so the same data structure will produce the same JSON every time. - New "@if minimum_version(x.x)" syntax in order to hide future language improvements from versions that don't understand them. - compile time option (--with-statedir) to override the default state/ directory path. - Fix error messages/ handling in process signalling which no longer allowed any signals to fail silently - Also enable shortcut keyword for cf-serverd classic protocol, eg to simplify the bootstrap process for clients that have different sys.masterdir settings (Redmine #3697) - methods promises now accepts the bundle name in the promiser string, as long as it doesn't have any parameters. - In a services promise, if the service_method bundle is not specified, it defaults to the promiser string (canonified) with "service_" as a prefix. The bundle must be in the same namespace as the promise. - inline JSON in policy files: surrounding with parsejson() is now optional *when creating a new data container*. - New data_expand() function to interpolate variables in a data container. - Add configurable network bandwidth limit for all outgoing connections ("bwlimit" attribute in "body common control") . To enforce it in both directions, make sure the attribute is set on both sides of the connection. - Secure bootstrap has been facilitated by use of "cf-agent --boostrap HUB_ADDRESS --trust-server=no" - Implement new TLS-relevant options (Redmine #6883): - body common control: tls_min_version - body server control: allowtlsversion - body common control: tls_ciphers - body server control: allowciphers (preexisting) Changes: - Improved output format, less verbose, and messages are grouped. - cf-execd: agent_expireafter default was changed to 120 minutes (Redmine #7113) - All embedded databases are now rooted in the state/ directory. - TLS used as default for all outgoing connections. - process promise now reports kept status instead of repaired if a signal is not sent, even if the restart_class is set. The old behavior was to set the repaired status whenever the process was not running. (Redmine#7216). - Bootstrapping requires keys to be generated in advance using cf-key. - Disable class set on reverse lookup of interfaces IP addresses. (Redmine #3993, Redmine #6870) - Define a hard class with just the OS major version on FreeBSD. - Abort cf-agent if OpenSSL's random number generator can't be seeded securely. - Masterfiles source tarball now installs using the usual commands "./configure; make install". - Updated Emacs syntax highlighting template to support the latest syntax enhancements in 3.7. Deprecations: - Arbitrary arguments to cfruncommand (using "cf-runagent -o") are not acceptable any more. (Redmine #6978) - 3.4 is no longer supported in masterfiles. Bug fixes: - Fix server common bundles evaluation order (Redmine#7211). - Limit LMDB disk usage by preserving sparse areas in LMDB files (Redmine#7242). - Fixed LMDB corruption on HP-UX 11.23. (Redmine #6994) - Fixed insert_lines failing to converge if preserve_block was used. (Redmine #7094) - Fixed init script failing to stop/restart daemons on openvz/lxc hosts. (Redmine #3394) - rm_rf_depth now deletes base directory as advertised. (Redmine #7009) - Refactored cf-agent's connection cache to properly differentiate hosts using all needed attributes like host and port. (Redmine #4646) - Refactored lastseen database handling to avoid inconsistencies. (Redmine #6660) - cf-key --trust-key now supports new syntax to also update the lastseen database, so that clients using old protocol will trust the server correctly. - Fixed a bug which sometimes caused an agent or daemon to kill or stop itself. (Redmine #7075, #7244) - Fixed a bug which made it difficult to kill CFEngine daemons, particularly cf-execd. (Redmine #6659, #7193) - Fixed a bug causing systemd not to be detected correctly on Debian. (Redmine #7297) - "cf-promises -T" will now correctly report the checked out commit, even if you haven't checked out a Git branch. (Redmine #7332) - Reduce verbosity of harmless errors related to socket timeouts and missing thermal zone files. (Redmine #6486 and #7238) - Fix process_result logic to match the purpose of body process_select days_older_than (Redmine #3009) Masterfiles: Added: - Support for user specified overring of framework defaults without modifying policy supplied by the framework itself (see example_def.json) - Support for def.json class augmentation in update policy - Run vacuum operation on postgresql every night as a part of maintenance. - Add measure_promise_time action body to lib (3.5, 3.6, 3.7, 3.8) - New negative class guard `cfengine_internal_disable_agent_email` so that agent email can be easily disabled by augmenting def.json Changed: - Relocate def.cf to controls/VER/ - Relocate update_def to controls/VER - Relocate all controls to controls/VER - Only load cf_hub and reports.cf on CFEngine Enterprise installs - Relocate acls related to report collection from bundle server access_rules to controls/VER/reports.cf into bundle server report_access_rules - Re-organize cfe_internal splitting core from enterprise specific policies and loading the appropriate inputs only when necessary - Moved update directory into cfe_internal as it is not generally intended to be modified - services/autorun.cf moved to lib/VER/ as it is not generally intended to be modified - To improve predictibility autorun bundles are activated in lexicographical order - Relocate services/file_change.cf to cfe_internal/enterprise. This policy is most useful for a good OOTB experience with CFEngine Enterprise Mission Portal. - Relocate service_catalogue from promsies.cf to services/main.cf. It is intended to be a user entry. This name change correlates with the main bundle being activated by default if there is no bundlesequence specified. - Reduce benchmarks sample history to 1 day. - Update policy no longer generates a keypair if one is not found. (Redmine: #7167) - Relocate cfe_internal_postgresql_maintenance bundle to lib/VER/ - Set postgresql_monitoring_maintenance only for versions 3.6.0 and 3.6.1 - Move hub specific bundles from lib/VER/cfe_internal.cf into lib/VER/cfe_internal_hub.cf and load them only if policy_server policy if set. - Re-organize lib/VER/stdlib.cf from lists into classic array for use with getvalues Removed: - Diff reporting on /etc/shadow (Enterprise) - Update policy from promise.cf inputs. There is no reason to include the update policy into promsies.cf, update.cf is the entry for the update policy - _not_repaired outcome from classes_generic and scoped_classes generic (Redmine: # 7022) Fixes: - standard_services now restarts the service if it was not already running when using service_policy => restart with chkconfig (Redmine #7258)
kramdown 1.10.0 released This release brings the usual bug fixes but also support for the strikethrough syntax in the GFM parser as well as some enhancements regarding the specification of language names for syntax highlighting purposes. Changes * 4 minor changes: o Support for the math-engine MathJax-Node was updated to use the new mathjax-node package (fixes #313, pull request by Tom Thorogood) o URL query parameters can now be appended to language names specified in fenced code blocks if the syntax highlighting engine accepts them (fixes #234) o Added strikethrough syntax to the GFM parser (fixes #184 and #307; initial pull request by Diego Galeota, updated by Parker Moore) o Allow almost all characters in class names that are defined via a special syntax (fixes #318, requested by cabo) * 4 bug fixes: o Fixed a problem where Kramdown::Document.new would only accept the symbol :input but not the string ¡Æinput¡Ç as valid key (fixes #312, pull request by Sun Yaozhu) o Fixed inconsistent behavior: Empty link text is now also allowed for normal links, not just images (fixes #305, reported by cabo) o The HTML5 <mark> element is now recognized as span level element (fixes #298, reported by Niclas Darville) o Fixed problem where e-mail autolinks containing an underscore character were not correctly recognized (fixes #293, reported by erikse) * 3 other fixes: o Fixed missing package update statement for Travis (by Parker Moore) o Add some more documentation regarding MathJax (fixes #296, pull request by Christopher Jefferson) o Fixed bad link in API documentation (fixes #315, reported by Tom MacWright)
## [1.11.3][] (2016-09-16) * Fix known_hosts caching to match on the entire hostlist [PR #364](capistrano/sshkit#364) @byroot ## [1.11.2][] (2016-07-29) ### Bug fixes * Fixed a crash occurring when `Host@keys` was set to a non-Enumerable. @xavierholt [PR #360](capistrano/sshkit#360) ## [1.11.1][] (2016-06-17) ### Bug fixes * Fixed a regression in 1.11.0 that would cause `ArgumentError: invalid option(s): known_hosts` in some older versions of net-ssh. @byroot [#357](capistrano/sshkit#357) ## [1.11.0][] (2016-06-14) ### Bug fixes * Fixed colorized output alignment in Logger::Pretty. @xavierholt [PR #349](capistrano/sshkit#349) * Fixed a bug that prevented nested `with` calls [#43](capistrano/sshkit#43) ### Other changes * Known hosts lookup optimization is now enabled by default. @byroot ## 1.10.0 (2016-04-22) * You can now opt-in to caching of SSH's known_hosts file for a speed boost when deploying to a large fleet of servers. Refer to the [README](https://github.com/capistrano/sshkit/tree/v1.10.0#known-hosts-caching) for details. We plan to turn this on by default in a future version of SSHKit. [PR #330](capistrano/sshkit#330) @byroot * SSHKit now explicitly closes its pooled SSH connections when Ruby exits; this fixes `zlib(finalizer): the stream was freed prematurely` warnings [PR #343](capistrano/sshkit#343) @mattbrictson * Allow command map entries (`SSHKit::CommandMap#[]`) to be Procs [PR #310](capistrano/sshkit#310) @mikz ## 1.9.0 **Refer to the 1.9.0.rc1 release notes for a full list of new features, fixes, and potentially breaking changes since SSHKit 1.8.1.** There are no changes since 1.9.0.rc1. ## 1.9.0.rc1 ### Potentially breaking changes * The SSHKit DSL is no longer automatically included when you `require` it. **This means you must now explicitly `include SSHKit::DSL`.** See [PR #219](capistrano/sshkit#219) for details. @beatrichartz * `SSHKit::Backend::Printer#test` now always returns true [PR #312](capistrano/sshkit#312) @mikz ### New features * `SSHKit::Formatter::Abstract` now accepts an optional Hash of options [PR #308](capistrano/sshkit#308) @mattbrictson * Add `SSHKit::Backend.current` so that Capistrano plugin authors can refactor helper methods and still have easy access to the currently-executing Backend without having to use global variables. * Add `SSHKit.config.default_runner` options that allows to override default command runner. This option also accepts a name of the custom runner class. * The ConnectionPool has been rewritten in this release to be more efficient and have a cleaner internal API. You can still completely disable the pool by setting `SSHKit::Backend::Netssh.pool.idle_timeout = 0`. @mattbrictson @byroot [PR #328](capistrano/sshkit#328) ### Bug fixes * make sure working directory for commands is properly cleared after `within` blocks [PR #307](capistrano/sshkit#307) @steved * display more accurate string for commands with spaces being output in `Formatter::Pretty` [PR #304](capistrano/sshkit#304) @steved [PR #319](capistrano/sshkit#319) @mattbrictson * Fix a race condition experienced in JRuby that could cause multi-server deploys to fail. [PR #322](capistrano/sshkit#322) @mattbrictson
Changes in 2.8.2 Aug 15, 2016 - version 2.8.2 * Bug o 2.8.1 introduced JRuby + SSL connection problem; in some cases it cannot connect to trusted TLS server. 2.8.1 failed to load multiple CA certificates in a file. #327. Aug 16, 2016 - version 2.8.2.1 * Bug o 2.8.1 introduced another bug that causes NPE from JRuby when JRuby program loads httpclient and uses OpenSSL::X509::Store outside of httpclient. 2.8.3 fixed this problem. #325 Aug 28, 2016 - version 2.8.2.3 * Bug o 2.8.2 fixed VERIFY_NONE at JRuby but the fix was not enough. Sep 11, 2016 - version 2.8.2.4 * Bug o 2.8.2 caused unexpected resulting value change of OpenSSL::X509::Store#add_cert method. Fixed. Changes in 2.8.1 Aug 8, 2016 - version 2.8.1 * Changes o Use TLSv1.2 always on JRuby #320 o Do not reset keep-alive connection by configuration change #315 o Add strict_response_size_check option #316 false by default, meaning it behavies like browsers by default. o Add MIME type for XML #308 * Bug o Direct access to SSLConfig#cert_store in JRuby was broken from 2.7 #276 #317 o OpenSSL::SSL::VERIFY_NONE does not work in JRuby #319 o Allow receiving response body in block when follow_redirects => true. #304 o Fix blocking issue with request_async when Encoding.default_internal is set. #307 o Apply timeouts for chunked transfer encoding #309 Changes in 2.8.0 Apr 24, 2016 - version 2.8.0 * Changes o Force using RSA 2048bit CA cert set Use RSA 2048bit CA cert set every time if it runs with OpenSSL (== except JRuby.) Old openssl (<1.0.1p or <1.0.2d) cannot handle this CA set and causes SSL connection failure against some SSL servers including AWS S3 API. For such case you can manually specify RSA 1024bit CA cert set as a workaround. c = HTTPClient.new { |c| c.ssl_config.add_trust_ca("cacert1024.pem") } c.get("https://www.ruby-lang.org/") RSA 1024bit CA cert set is not maintained over years so you should consider updating OpenSSL version so that HTTPClient uses RSA 2048 bit CA cert set. Changes in 2.7.2 Apr 22, 2016 - version 2.7.2 * Changes o Use RSA 1024bit CA cert when linked to old openssl Based on comments to #297 this commit silently (without warning) accepts RSA 1024bit certificate set when runtime ruby is liked with old OpenSSL (<1.0.1p or <1.0.2d.) If you're unsure that your OpenSSL is patched or not, and want to make sure to use RSA 2048bit certificate set, please call HTTPClient::SSLConfig#add_trust_ca("cacert.pem"). c = HTTPClient.new { |c| c.ssl_config.add_trust_ca("cacert.pem") } c.get("https://www.ruby-lang.org/") I'm going to remove RSA 1024bit certificate set and bump httpclient version to 2.8.0 soon after I release this as 2.7.2. I believe almost all OpenSSL installation is patched quickly these days so it should not cause SSL connectivity problem.
== 1.7.0 Dunder Mifflin * Rack 2 support * Ensure Response body.close is called in the same thread Fixes issues with ActiveRecord connection management [#307] * Fix TCP/IP Backend reports incorrect port when asked to bind to 0 [meschbach] * Work with ruby 2.3's --enable-frozen-string-literal [jeremyevans]
Version 0.34 ------------ Released on 2016-12-21. Bug fixes: * `#398 <https://github.com/Kozea/WeasyPrint/issues/398>`_: Honor the presentational_hints option for PDFs. * `#399 <https://github.com/Kozea/WeasyPrint/pull/399>`_: Avoid CairoSVG-2.0.0rc* on Python 2. * `#396 <https://github.com/Kozea/WeasyPrint/issues/396>`_: Correctly close files open by mkstemp. * `#403 <https://github.com/Kozea/WeasyPrint/issues/403>`_: Cast the number of columns into int. * Fix multi-page multi-columns and add related tests. Version 0.33 ------------ Released on 2016-11-28. New features: * `#393 <https://github.com/Kozea/WeasyPrint/issues/393>`_: Add tests on MacOS. * `#370 <https://github.com/Kozea/WeasyPrint/issues/370>`_: Enable @font-face on MacOS. Bug fixes: * `#389 <https://github.com/Kozea/WeasyPrint/issues/389>`_: Always update resume_at when splitting lines. * `#394 <https://github.com/Kozea/WeasyPrint/issues/394>`_: Don't build universal wheels. * `#388 <https://github.com/Kozea/WeasyPrint/issues/388>`_: Fix logic when finishing block formatting context. Version 0.32 ------------ Released on 2016-11-17. New features: * `#28 <https://github.com/Kozea/WeasyPrint/issues/28>`_: Support @font-face on Linux. * Support CSS fonts level 3 almost entirely, including OpenType features. * `#253 <https://github.com/Kozea/WeasyPrint/issues/253>`_: Support presentational hints (optional). * Support break-after, break-before and break-inside for pages and columns. * `#384 <https://github.com/Kozea/WeasyPrint/issues/384>`_: Major performance boost. Bux fixes: * `#368 <https://github.com/Kozea/WeasyPrint/issues/368>`_: Respect white-space for shrink-to-fit. * `#382 <https://github.com/Kozea/WeasyPrint/issues/382>`_: Fix the preferred width for column groups. * Handle relative boxes in column-layout boxes. Documentation: * Add more and more documentation about Windows installation. * `#355 <https://github.com/Kozea/WeasyPrint/issues/355>`_: Add fonts requirements for tests. Version 0.31 ------------ Released on 2016-08-28. New features: * `#124 <https://github.com/Kozea/WeasyPrint/issues/124>`_: Add MIME sniffing for images. * `#60 <https://github.com/Kozea/WeasyPrint/issues/60>`_: CSS Multi-column Layout. * `#197 <https://github.com/Kozea/WeasyPrint/pull/197>`_: Add hyphens at line breaks activated by a soft hyphen. Bux fixes: * `#132 <https://github.com/Kozea/WeasyPrint/pull/132>`_: Fix Python 3 compatibility on Windows. Documentation: * `#329 <https://github.com/Kozea/WeasyPrint/issues/329>`_: Add documentation about installation on Windows. Version 0.30 ------------ Released on 2016-07-18. WeasyPrint now depends on html5lib-0.999999999. Bux fixes: * Fix Acid2 * `#325 <https://github.com/Kozea/WeasyPrint/issues/325>`_: Cutting lines is broken in page margin boxes. * `#334 <https://github.com/Kozea/WeasyPrint/issues/334>`_: Newest html5lib 0.999999999 breaks rendering. Version 0.29 ------------ Released on 2016-06-17. Bug fixes: * `#263 <https://github.com/Kozea/WeasyPrint/pull/263>`_: Don't crash with floats with percents in positions. * `#323 <https://github.com/Kozea/WeasyPrint/pull/323>`_: Fix CairoSVG 2.0 pre-release dependency in Python 2.x. Version 0.28 ------------ Released on 2016-05-16. Bug fixes: * `#189 <https://github.com/Kozea/WeasyPrint/issues/189>`_: ``white-space: nowrap`` still wraps on hyphens * `#305 <https://github.com/Kozea/WeasyPrint/issues/305>`_: Fix crashes on some tables * Don't crash when transform matrix isn't invertible * Don't crash when rendering ratio-only SVG images * Fix margins and borders on some tables Version 0.27 ------------ Released on 2016-04-08. New features: * `#295 <https://github.com/Kozea/WeasyPrint/pull/295>`_: Support the 'rem' unit. * `#299 <https://github.com/Kozea/WeasyPrint/pull/299>`_: Enhance the support of SVG images. Bug fixes: * `#307 <https://github.com/Kozea/WeasyPrint/issues/307>`_: Fix the layout of cells larger than their tables. Documentation: * The website is now on GitHub Pages, the documentation is on Read the Docs. * `#297 <https://github.com/Kozea/WeasyPrint/issues/297>`_: Rewrite the CSS chapter of the documentation.
Upstream Changelog: Security gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317) double-free in gdImageWebPtr() (CVE-2016-6912) potential unsigned underflow in gd_interpolation.c DOS vulnerability in gdImageCreateFromGd2Ctx() Fixed Fix #354: Signed Integer Overflow gd_io.c Fix #340: System frozen Fix OOB reads of the TGA decompression buffer Fix DOS vulnerability in gdImageCreateFromGd2Ctx() Fix potential unsigned underflow Fix double-free in gdImageWebPtr() Fix invalid read in gdImageCreateFromTiffPtr() Fix OOB reads of the TGA decompression buffer Fix #68: gif: buffer underflow reported by AddressSanitizer Avoid potentially dangerous signed to unsigned conversion Fix #304: test suite failure in gif/bug00006 [2.2.3] Fix #329: GD_BILINEAR_FIXED gdImageScale() can cause black border Fix #330: Integer overflow in gdImageScaleBilinearPalette() Fix 321: Null pointer dereferences in gdImageRotateInterpolated Fix whitespace and add missing comment block Fix #319: gdImageRotateInterpolated can have wrong background color Fix color quantization documentation Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries Fix #307: GD_QUANT_NEUQUANT fails to unset trueColor flag Fix #300: gdImageClone() assigns res_y = res_x Fix #299: Regression regarding gdImageRectangle() with gdImageSetThickness() Replace GNU old-style field designators with C89 compatible initializers Fix #297: gdImageCrop() converts palette image to truecolor image Fix #290: TGA RLE decoding is broken Fix unnecessary non NULL checks Fix #289: Passing unrecognized formats to gdImageGd2 results in corrupted files Fix #280: gdImageWebpEx() quantization parameter is a misnomer Publish all gdImageCreateFromWebp*() functions and gdImageWebpCtx() Fix issue #276: Sometimes pixels are missing when storing images as BMPs Fix issue #275: gdImageBmpCtx() may segfault for non-seekable contexts Fix copy&paste error in gdImageScaleBicubicFixed() Added More documentation Documentation on GD and GD2 formats More tests
Patch from spz@. Thank you. Changelog: - 1/26/2017: version 0.6.0 * lossless performance and compression improvements * miscellaneous performance improvements (SSE2, NEON, MSA) * webpmux gained a -duration option allowing for frame timing modification * new img2webp utility allowing a sequence of images to be converted to animated webp * API changes: - libwebp: WebPPictureSharpARGBToYUVA WebPPlaneDistortion - libwebpmux / gif2webp: WebPAnimEncoderOptions: kmax <= 0 now disables keyframes, kmax == 1 forces all keyframes. See mux.h and the gif2webp manpage for details. - 12/13/2016: version 0.5.2 This is a binary compatible release. This release covers CVE-2016-8888 and CVE-2016-9085. * further security related hardening in the tools; fixes to gif2webp/AnimEncoder (issues #310, #314, #316, #322), cwebp/libwebp (issue #312) * full libwebp (encoder & decoder) iOS framework; libwebpdecoder WebP.framework renamed to WebPDecoder.framework (issue #307) * CMake support for Android Studio (2.2) * miscellaneous build related fixes (issue #306, #313) * miscellaneous documentation improvements (issue #225) * minor lossy encoder fixes and improvements
graphics/gd: security fix Revisions pulled up: - graphics/gd/Makefile 1.113 - graphics/gd/distinfo 1.43 - graphics/gd/patches/patch-src_gd__webp.c deleted --- Module Name: pkgsrc Committed By: spz Date: Sat Feb 4 23:05:52 UTC 2017 Modified Files: pkgsrc/graphics/gd: Makefile distinfo Removed Files: pkgsrc/graphics/gd/patches: patch-src_gd__webp.c Log Message: update of gd to 2.2.4. Upstream Changelog: Security gdImageCreate() doesn't check for oversized images and as such is prone to DoS vulnerabilities. (CVE-2016-9317) double-free in gdImageWebPtr() (CVE-2016-6912) potential unsigned underflow in gd_interpolation.c DOS vulnerability in gdImageCreateFromGd2Ctx() Fixed Fix #354: Signed Integer Overflow gd_io.c Fix #340: System frozen Fix OOB reads of the TGA decompression buffer Fix DOS vulnerability in gdImageCreateFromGd2Ctx() Fix potential unsigned underflow Fix double-free in gdImageWebPtr() Fix invalid read in gdImageCreateFromTiffPtr() Fix OOB reads of the TGA decompression buffer Fix #68: gif: buffer underflow reported by AddressSanitizer Avoid potentially dangerous signed to unsigned conversion Fix #304: test suite failure in gif/bug00006 [2.2.3] Fix #329: GD_BILINEAR_FIXED gdImageScale() can cause black border Fix #330: Integer overflow in gdImageScaleBilinearPalette() Fix 321: Null pointer dereferences in gdImageRotateInterpolated Fix whitespace and add missing comment block Fix #319: gdImageRotateInterpolated can have wrong background color Fix color quantization documentation Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries Fix #307: GD_QUANT_NEUQUANT fails to unset trueColor flag Fix #300: gdImageClone() assigns res_y = res_x Fix #299: Regression regarding gdImageRectangle() with gdImageSetThickness() Replace GNU old-style field designators with C89 compatible initializers Fix #297: gdImageCrop() converts palette image to truecolor image Fix #290: TGA RLE decoding is broken Fix unnecessary non NULL checks Fix #289: Passing unrecognized formats to gdImageGd2 results in corrupted files Fix #280: gdImageWebpEx() quantization parameter is a misnomer Publish all gdImageCreateFromWebp*() functions and gdImageWebpCtx() Fix issue #276: Sometimes pixels are missing when storing images as BMPs Fix issue #275: gdImageBmpCtx() may segfault for non-seekable contexts Fix copy&paste error in gdImageScaleBicubicFixed() Added More documentation Documentation on GD and GD2 formats More tests
## 2.0.7 (2017-03-19) * Do not modify BasicObject during template compilation on ruby 2.0+ (#309, jeremyevans) ## 2.0.6 (2017-01-26) * Add support for LiveScript (#286, @Announcement Jacob Francis Powers) * Add support for Sigil (#302, winebarrel) * Add support for Erubi (#308, jeremyevans) * Add support for options in Liquid (#298, #299, laCour) * Always sort locals by strings (#307, jeremyevans) * Fix test warnings (#305, amatsuda) * Fix indentation (#293, yui-knk) * Use SVG badges in README (#294, vasinov) * Fix typo and trailing space (#295, #296, karloescota) ## 2.0.5 (2016-06-02) * Add support for reST using Pandoc (#284, mfenner) * Make lazy loading thread-safe; remove warning (judofyr) ## 2.0.4 (2016-05-16) * Fix regression in BuilderTemplate (#283, judofyr) ## 2.0.3 (2016-05-12) * Add Pandoc support (#276, jmuheim) * Add CommonMark support (#282, raphink) * Add TypeScript support (#278, nghitran) * Work with frozen string literal (#274, jeremyevans) * Add MIME type for Babel (#273, SaitoWu) ## 2.0.2 (2016-01-06) * Pass options to Redcarpet (#250, hughbien) * Haml: Improve error message on frozen self (judofyr) * Add basic support for Babel (judofyr) * Add support for .litcoffee (#243, judofyr, mr-vinn) * Document Tilt::Cache (#266, tommay) * Sort local keys for better caching (#257, jeremyevans) * Add more CSV options (#256, Juanmcuello) * Add Prawn template (kematzy) * Improve cache-miss performance in Tilt::Cache (#251, tommay) * Add man page (#241, josephholsten) * Support YAML/JSON data in bin/tilt (#241, josephholsten) ## 2.0.1 (2014-03-21) * Fix Tilt::Mapping bug in Ruby 2.1.0 (9589652c569760298f2647f7a0f9ed4f85129f20) * Fix `tilt --list` (#223, Achrome) * Fix circular require (#221, amarshall) ## 2.0.0 (2013-11-30) * Support Pathname in Template#new (#219, kabturek) * Add Mapping#templates_for (judofyr) * Support old-style #register (judofyr) * Add Handlebars as external template engine (#204, judofyr, jimothyGator) * Add org-ruby as external template engine (#207, judofyr, minad) * Documentation typo (#208, elgalu) ## 2.0.0.beta1 (2013-07-16) * Documentation typo (#202, chip) * Use YARD for documentation (#189, judofyr) * Add Slim as an external template engine (judofyr) * Add Tilt.templates_for (#121, judofyr) * Add Tilt.current_template (#151, judofyr) * Avoid loading all files in tilt.rb (#160, #187, judofyr) * Implement lazily required templates classes (#178, #187, judofyr) * Move #allows_script and default_mime_type to metadata (#187, judofyr) * Introduce Tilt::Mapping (#187, judofyr) * Make template compilation thread-safe (#191, judofyr)
Patch #329 - 2017/06/12 * add control sequences for reading the Sixel and ReGIS graphics sizes (suggested by Ben Wong). * add a workaround for wcwidth returning -1 for characters which should have been printable (FreeBSD #219800). * fix a bug in font initialization from patch #328 (FreeBSD #219800). * fix a special case in HideCursor which assigned a bold font to the slot used for normal font in changes for italics in patch #307 (Debian #858304). * updates for ReGIS (Ross Combs): + Strings specified with no command are used as "comments". Print these in the log when tracing. + Catch attempts to use "alternate display" mode (AKA "blink") from the GIGI, but do not implement it. + The T(M) command should only multiply the height by 10, not 20. + Make the S(E) command reset more state than just the screen contents. + Remove two rotation variables which were only being printed. + Numerous minor fixes and comment updates in the R command. + Unknown R command option names trigger an empty response. + Fix the output position after printing rotated text (it was missing the the sign before). + Fix the position change with pixelvectors and rotated text (the rotation transform was not being applied). + Update the TODO list and remove a verification FIXME (slanted text positioning is correct as is). + Emulate the approximately 1.4x enlargement for text which isn't rotated at right angles. + Only update the color planes specified in the plane mask (the W command's F option). * fix a bug introduced by the changes to font information in patch #328. When processing the "checkfont" option of the locale resource, the program referred to the request data, to an array which was only allocated in the new/result widget (report by H Merijn Brand). * fix a missing assignment initialization to make the utf8 resource control whether escape sequences to enable/disable UTF-8 mode are allowed.
Patch #329 - 2017/06/12 * add control sequences for reading the Sixel and ReGIS graphics sizes (suggested by Ben Wong). * add a workaround for wcwidth returning -1 for characters which should have been printable (FreeBSD #219800). * fix a bug in font initialization from patch #328 (FreeBSD #219800). * fix a special case in HideCursor which assigned a bold font to the slot used for normal font in changes for italics in patch #307 (Debian #858304). * updates for ReGIS (Ross Combs): + Strings specified with no command are used as "comments". Print these in the log when tracing. + Catch attempts to use "alternate display" mode (AKA "blink") from the GIGI, but do not implement it. + The T(M) command should only multiply the height by 10, not 20. + Make the S(E) command reset more state than just the screen contents. + Remove two rotation variables which were only being printed. + Numerous minor fixes and comment updates in the R command. + Unknown R command option names trigger an empty response. + Fix the output position after printing rotated text (it was missing the the sign before). + Fix the position change with pixelvectors and rotated text (the rotation transform was not being applied). + Update the TODO list and remove a verification FIXME (slanted text positioning is correct as is). + Emulate the approximately 1.4x enlargement for text which isn't rotated at right angles. + Only update the color planes specified in the plane mask (the W command's F option). * fix a bug introduced by the changes to font information in patch #328. When processing the "checkfont" option of the locale resource, the program referred to the request data, to an array which was only allocated in the new/result widget (report by H Merijn Brand). * fix a missing assignment initialization to make the utf8 resource control whether escape sequences to enable/disable UTF-8 mode are allowed.
This is the latest stable. I'm hoping to get this in for the upcoming 2015Q4 LTS.