File _patchinfo of Package patchinfo.17612
<patchinfo incident="17612"> <issue tracker="bnc" id="1192712">VUL-1: CVE-2021-41259: nim: null byte accepted in getContent function, leading to URI validation bypass</issue> <issue tracker="bnc" id="1181705">VUL-0: CVE-2020-15690: nim: Standard library asyncftpclient lacks a check for newline character</issue> <issue tracker="bnc" id="1185083">VUL-0: CVE-2021-21372: nim: doCmd can be leveraged to execute arbitrary commands</issue> <issue tracker="bnc" id="1175332">VUL-0: CVE-2020-15694: nim: httpClient.get().contentLength() fails to properly validate the server response</issue> <issue tracker="bnc" id="1185084">VUL-0: CVE-2021-21373: nim: "nimble refresh" falls back to a non-TLS URL in case of error</issue> <issue tracker="bnc" id="1185085">VUL-0: CVE-2021-21374: nim: Improper verification of the SSL/TLS certificate</issue> <issue tracker="bnc" id="1175333">VUL-0: CVE-2020-15693: nim: httpClient is vulnerable to a CR-LF injection</issue> <issue tracker="bnc" id="1185948">VUL-0: CVE-2021-29495: nim: stdlib httpClient does not validate peer certificates by default</issue> <issue tracker="bnc" id="1175334">VUL-0: CVE-2020-15692: nim: mishandle of argument to browsers.openDefaultBrowser</issue> <issue tracker="cve" id="2021-21372"/> <issue tracker="cve" id="2020-15690"/> <issue tracker="cve" id="2020-15693"/> <issue tracker="cve" id="2021-21373"/> <issue tracker="cve" id="2021-21374"/> <issue tracker="cve" id="2020-15692"/> <issue tracker="cve" id="2020-15694"/> <issue tracker="cve" id="2021-41259"/> <issue tracker="cve" id="2021-29495"/> <packager>david.anes</packager> <rating>important</rating> <category>security</category> <summary>Security update for nim</summary> <description>This update for nim fixes the following issues: Includes upstream security fixes for: * (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a CR-LF injection * (boo#1175334, CVE-2020-15692) mishandle of argument to browsers.openDefaultBrowser * (boo#1175332, CVE-2020-15694) httpClient.get().contentLength() fails to properly validate the server response * (boo#1192712, CVE-2021-41259) null byte accepted in getContent function, leading to URI validation bypass * (boo#1185948, CVE-2021-29495) stdlib httpClient does not validate peer certificates by default * (boo#1185085, CVE-2021-21374) Improper verification of the SSL/TLS certificate * (boo#1185084, CVE-2021-21373) "nimble refresh" falls back to a non-TLS URL in case of error * (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute arbitrary commands * (boo#1181705, CVE-2020-15690) Standard library asyncftpclient lacks a check for newline character Update to 1.6.6 * standard library use consistent styles for variable names so it can be used in projects which force a consistent style with --styleCheck:usages option. * ARC/ORC are now considerably faster at method dispatching, bringing its performance back on the level of the refc memory management. * Full changelog: https://nim-lang.org/blog/2022/05/05/version-166-released.html - Previous updates and changelogs: * 1.6.4: https://nim-lang.org/blog/2022/02/08/version-164-released.html * 1.6.2: https://nim-lang.org/blog/2021/12/17/version-162-released.html * 1.6.0: https://nim-lang.org/blog/2021/10/19/version-160-released.html * 1.4.8: https://nim-lang.org/blog/2021/05/25/version-148-released.html * 1.4.6: https://nim-lang.org/blog/2021/04/15/versions-146-and-1212-released.html * 1.4.4: https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html * 1.4.2: https://nim-lang.org/blog/2020/12/01/version-142-released.html * 1.4.0: https://nim-lang.org/blog/2020/10/16/version-140-released.html update to 1.2.16 * oids: switch from PRNG to random module * nimc.rst: fix table markup * nimRawSetjmp: support Windows * correctly enable chronos * bigints are not supposed to work on 1.2.x * disable nimpy * misc bugfixes * fixes a 'mixin' statement handling regression [backport:1.2 </description> </patchinfo>
