File _patchinfo of Package patchinfo.16136

<patchinfo incident="16136">
  <issue tracker="bnc" id="1185083">VUL-0: CVE-2021-21372: nim: doCmd can be leveraged to execute arbitrary commands</issue>
  <issue tracker="bnc" id="1185084">VUL-0: CVE-2021-21373: nim: "nimble refresh" falls back to a non-TLS URL in case of error</issue>
  <issue tracker="bnc" id="1185085">VUL-0: CVE-2021-21374: nim: Improper verification of the SSL/TLS certificate</issue>
  <issue tracker="cve" id="2021-21373"/>
  <issue tracker="cve" id="2021-21372"/>
  <issue tracker="cve" id="2021-21374"/>
  <packager>glaubitz</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for nim</summary>
  <description>This update for nim fixes the following issues:

nim was updated to version 1.2.12:

* Fixed GC crash resulting from inlining of the memory allocation procs
* Fixed &#8220;incorrect raises effect for $(NimNode)&#8221; (#17454)

From version 1.2.10:

* Fixed &#8220;JS backend doesn&#8217;t handle float-&gt;int type conversion&#8221; (#8404)
* Fixed &#8220;The &#8220;try except&#8221; not work when the &#8220;OSError:
  Too many open files&#8221; error occurs!&#8221; (#15925)
* Fixed &#8220;Nim emits #line 0 C preprocessor directives with
  &#8211;debugger:native, with ICE in gcc-10&#8221; (#15942)
* Fixed &#8220;tfuturevar fails when activated&#8221; (#9695)
* Fixed &#8220;nre.escapeRe is not gcsafe&#8221; (#16103)
* Fixed &#8220;&#8220;Error: internal error: genRecordFieldAux&#8221; - in
  the &#8220;version-1-4&#8221; branch&#8221; (#16069)
* Fixed &#8220;-d:fulldebug switch does not compile with gc:arc&#8221; (#16214)
* Fixed &#8220;osLastError may randomly raise defect and crash&#8221; (#16359)
* Fixed &#8220;generic importc proc&#8217;s don&#8217;t work (breaking lots
  of vmops procs for js)&#8221; (#16428)
* Fixed &#8220;Concept: codegen ignores parameter passing&#8221; (#16897)
* Fixed &#8220;{.push exportc.} interacts with anonymous functions&#8221; (#16967)
* Fixed &#8220;memory allocation during {.global.} init breaks GC&#8221; (#17085)
* Fixed "Nimble arbitrary code execution for specially crafted package metadata"
  + https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
  + (boo#1185083, CVE-2021-21372)
* Fixed "Nimble falls back to insecure http url when fetching packages"
  + https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
  + (boo#1185084, CVE-2021-21373)
* Fixed "Nimble fails to validate certificates due to insecure httpClient defaults"
  + https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
  + (boo#1185085, CVE-2021-21374)

From version 1.2.8:

* Fixed &#8220;Defer and &#8211;gc:arc&#8221; (#15071)
* Fixed &#8220;Issue with &#8211;gc:arc at compile time&#8221; (#15129)
* Fixed &#8220;Nil check on each field fails in generic function&#8221; (#15101)
* Fixed &#8220;[strscans] scanf doesn&#8217;t match a single character with
  $+ if it&#8217;s the end of the string&#8221; (#15064)
* Fixed &#8220;Crash and incorrect return values when using
  readPasswordFromStdin on Windows.&#8221; (#15207)
* Fixed &#8220;Inconsistent unsigned -&gt; signed RangeDefect usage
  across integer sizes&#8221; (#15210)
* Fixed &#8220;toHex results in RangeDefect exception when
  used with large uint64&#8221; (#15257)
* Fixed &#8220;Mixing &#8216;return&#8217; with expressions is allowed in 1.2&#8221; (#15280)
* Fixed &#8220;proc execCmdEx doesn&#8217;t work with -d:useWinAnsi&#8221; (#14203)
* Fixed &#8220;memory corruption in tmarshall.nim&#8221; (#9754)
* Fixed &#8220;Wrong number of variables&#8221; (#15360)
* Fixed &#8220;defer doesnt work with block, break and await&#8221; (#15243)
* Fixed &#8220;Sizeof of case object is incorrect. Showstopper&#8221; (#15516)
* Fixed &#8220;regression(1.0.2 =&gt; 1.0.4) VM register messed up
  depending on unrelated context&#8221; (#15704)

From version 1.2.6:

* Fixed &#8220;The pegs module doesn&#8217;t work with generics!&#8221; (#14718)
* Fixed &#8220;[goto exceptions] {.noReturn.} pragma is not detected
  in a case expression&#8221; (#14458)
* Fixed &#8220;[exceptions:goto] C compiler error with dynlib pragma
  calling a proc&#8221; (#14240)
* Fixed &#8220;Nim source archive install: &#8216;install.sh&#8217; fails with error:
  cp: cannot stat &#8216;bin/nim-gdb&#8217;: No such file or directory&#8221; (#14748)
* Fixed &#8220;Stropped identifiers don&#8217;t work as field names in
  tuple literals&#8221; (#14911)
* Fixed &#8220;uri.decodeUrl crashes on incorrectly formatted input&#8221; (#14082)
* Fixed &#8220;odbcsql module has some wrong integer types&#8221; (#9771)
* Fixed &#8220;[ARC] Compiler crash declaring a finalizer proc
  directly in &#8216;new&#8217;&#8221; (#15044)
* Fixed &#8220;code with named arguments in proc of winim/com can
  not been compiled&#8221; (#15056)
* Fixed &#8220;javascript backend produces javascript code with syntax
  error in object syntax&#8221; (#14534)
* Fixed &#8220;[ARC] SIGSEGV when calling a closure as a tuple
  field in a seq&#8221; (#15038)
* Fixed &#8220;Compiler crashes when using string as object variant
  selector with else branch&#8221; (#14189)
* Fixed &#8220;Constructing a uint64 range on a 32-bit machine leads
  to incorrect codegen&#8221; (#14616)

Update to version 1.2.2:

* See https://nim-lang.org/blog.html for details

Update to version 1.0.2:

* See https://nim-lang.org/blog.html for details
</description>
</patchinfo>