openSUSE:Backports:SLE-15-SP3:Update
File _patchinfo of Package patchinfo.17613
<patchinfo incident="17613">
  <issue tracker="bnc" id="1175333">VUL-0: CVE-2020-15693: nim: httpClient is vulnerable to a CR-LF injection</issue>
  <issue tracker="bnc" id="1185084">VUL-0: CVE-2021-21373: nim: "nimble refresh" falls back to a non-TLS URL in case of error</issue>
  <issue tracker="bnc" id="1181705">VUL-0: CVE-2020-15690: nim: Standard library asyncftpclient lacks a check for newline character</issue>
  <issue tracker="bnc" id="1185083">VUL-0: CVE-2021-21372: nim: doCmd can be leveraged to execute arbitrary commands</issue>
  <issue tracker="bnc" id="1185085">VUL-0: CVE-2021-21374: nim: Improper verification of the SSL/TLS certificate</issue>
  <issue tracker="bnc" id="1175334">VUL-0: CVE-2020-15692: nim: mishandle of argument to browsers.openDefaultBrowser</issue>
  <issue tracker="bnc" id="1192712">VUL-1: CVE-2021-41259: nim: null byte accepted in getContent function, leading to URI validation bypass</issue>
  <issue tracker="bnc" id="1175332">VUL-0: CVE-2020-15694: nim: httpClient.get().contentLength() fails to properly validate the server response</issue>
  <issue tracker="bnc" id="1185948">VUL-0: CVE-2021-29495: nim: stdlib httpClient does not validate peer certificates by default</issue>
  <issue tracker="cve" id="2020-15690"/>
  <issue tracker="cve" id="2021-21373"/>
  <issue tracker="cve" id="2020-15692"/>
  <issue tracker="cve" id="2021-21374"/>
  <issue tracker="cve" id="2021-21372"/>
  <issue tracker="cve" id="2020-15694"/>
  <issue tracker="cve" id="2020-15693"/>
  <issue tracker="cve" id="2021-41259"/>
  <issue tracker="cve" id="2021-29495"/>
  <packager>david.anes</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for nim</summary>
  <description>This update for nim fixes the following issues:

Includes upstream security fixes for:

* (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a CR-LF injection
* (boo#1175334, CVE-2020-15692) mishandle of argument to browsers.openDefaultBrowser
* (boo#1175332, CVE-2020-15694) httpClient.get().contentLength() fails to properly validate the server response
* (boo#1192712, CVE-2021-41259) null byte accepted in getContent function, leading to URI validation bypass
* (boo#1185948, CVE-2021-29495) stdlib httpClient does not validate peer certificates by default
* (boo#1185085, CVE-2021-21374) Improper verification of the SSL/TLS certificate
* (boo#1185084, CVE-2021-21373) "nimble refresh" falls back to a non-TLS URL in case of error
* (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute arbitrary commands
* (boo#1181705, CVE-2020-15690) Standard library asyncftpclient lacks a check for newline character

Following nim tools now work as expected:

* nim_dbg is now installed.
* nim-gdb can be successfully launched as it finds and loads nim-gdb.py correctly under gdb.
* nimble package manager stores package information per user.
* compiler package can be found and used, as it may be required by other packages.

Update to 1.6.6

* standard library use consistent styles for variable names so it can be used in projects which force a consistent style with --styleCheck:usages option.
* ARC/ORC are now considerably faster at method dispatching, bringing its performance back on the level of the refc memory management.
* Full changelog: https://nim-lang.org/blog/2022/05/05/version-166-released.html

- Previous updates and changelogs:
  * 1.6.4: https://nim-lang.org/blog/2022/02/08/version-164-released.html
  * 1.6.2: https://nim-lang.org/blog/2021/12/17/version-162-released.html
  * 1.6.0: https://nim-lang.org/blog/2021/10/19/version-160-released.html
  * 1.4.8: https://nim-lang.org/blog/2021/05/25/version-148-released.html
  * 1.4.6: https://nim-lang.org/blog/2021/04/15/versions-146-and-1212-released.html
  * 1.4.4: https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html
  * 1.4.2: https://nim-lang.org/blog/2020/12/01/version-142-released.html
  * 1.4.0: https://nim-lang.org/blog/2020/10/16/version-140-released.html

Update to 1.2.16

* oids: switch from PRNG to random module
* nimc.rst: fix table markup
* nimRawSetjmp: support Windows
* correctly enable chronos
* bigints are not supposed to work on 1.2.x
* disable nimpy
* misc bugfixes
* fixes a 'mixin' statement handling regression [backport:1.2

Update to version 1.2.12

* Fixed GC crash resulting from inlining of the memory allocation procs
* Fixed “incorrect raises effect for $(NimNode)” (#17454)

- from version 1.2.10
  * Fixed “JS backend doesn’t handle float->int type conversion “ (#8404)
  * Fixed “The “try except” not work when the “OSError: Too many open files” error occurs!” (#15925)
  * Fixed “Nim emits #line 0 C preprocessor directives with –debugger:native, with ICE in gcc-10” (#15942)
  * Fixed “tfuturevar fails when activated” (#9695)
  * Fixed “nre.escapeRe is not gcsafe” (#16103)
  * Fixed ““Error: internal error: genRecordFieldAux” - in the “version-1-4” branch” (#16069)
  * Fixed “-d:fulldebug switch does not compile with gc:arc” (#16214)
  * Fixed “osLastError may randomly raise defect and crash” (#16359)
  * Fixed “generic importc proc’s don’t work (breaking lots of vmops procs for js)” (#16428)
  * Fixed “Concept: codegen ignores parameter passing” (#16897)
  * Fixed “{.push exportc.} interacts with anonymous functions” (#16967)
  * Fixed “memory allocation during {.global.} init breaks GC” (#17085)
  * Fixed "Nimble arbitrary code execution for specially crafted package metadata"
    + https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
    + (boo#1185083, CVE-2021-21372)
  * Fixed "Nimble falls back to insecure http url when fetching packages"
    + https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
    + (boo#1185084, CVE-2021-21373)
  * Fixed "Nimble fails to validate certificates due to insecure httpClient defaults"
    + https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
    + (boo#1185085, CVE-2021-21374)

- from version 1.2.8
  * Fixed “Defer and –gc:arc” (#15071)
  * Fixed “Issue with –gc:arc at compile time” (#15129)
  * Fixed “Nil check on each field fails in generic function” (#15101)
  * Fixed “[strscans] scanf doesn’t match a single character with $+ if it’s the end of the string” (#15064)
  * Fixed “Crash and incorrect return values when using readPasswordFromStdin on Windows.” (#15207)
  * Fixed “Inconsistent unsigned -> signed RangeDefect usage across integer sizes” (#15210)
  * Fixed “toHex results in RangeDefect exception when used with large uint64” (#15257)
  * Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)
  * Fixed “proc execCmdEx doesn’t work with -d:useWinAnsi” (#14203)
  * Fixed “memory corruption in tmarshall.nim” (#9754)
  * Fixed “Wrong number of variables” (#15360)
  * Fixed “defer doesnt work with block, break and await” (#15243)
  * Fixed “Sizeof of case object is incorrect. Showstopper” (#15516)
  * Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)
  * Fixed “regression(1.0.2 => 1.0.4) VM register messed up depending on unrelated context” (#15704)

- from version 1.2.6
  * Fixed “The pegs module doesn’t work with generics!” (#14718)
  * Fixed “[goto exceptions] {.noReturn.} pragma is not detected in a case expression” (#14458)
  * Fixed “[exceptions:goto] C compiler error with dynlib pragma calling a proc” (#14240)
  * Fixed “Nim source archive install: ‘install.sh’ fails with error: cp: cannot stat ‘bin/nim-gdb’: No such file or directory” (#14748)
  * Fixed “Stropped identifiers don’t work as field names in tuple literals” (#14911)
  * Fixed “uri.decodeUrl crashes on incorrectly formatted input” (#14082)
  * Fixed “odbcsql module has some wrong integer types” (#9771)
  * Fixed “[ARC] Compiler crash declaring a finalizer proc directly in ‘new’” (#15044)
  * Fixed “code with named arguments in proc of winim/com can not been compiled” (#15056)
  * Fixed “javascript backend produces javascript code with syntax error in object syntax” (#14534)
  * Fixed “[ARC] SIGSEGV when calling a closure as a tuple field in a seq” (#15038)
  * Fixed “Compiler crashes when using string as object variant selector with else branch” (#14189)
  * Fixed “Constructing a uint64 range on a 32-bit machine leads to incorrect codegen” (#14616)

Update to version 1.2.2:

* See https://nim-lang.org/blog.html for details

- Enable the full testsuite in the %check section
  * Add build dependencies to run the testsuite
  * Whitelists a few tests that are not passing yet

Update to version 1.0.2:

* See https://nim-lang.org/blog.html for details

- Update dependencies (based on changes by Federico Ceratto
</description>
</patchinfo>