Update Info

openSUSE-2022-10095


Security update for nim


Type: security
Severity: important
Issued: 2022-08-24
Description:
This update for nim fixes the following issues:

Includes upstream security fixes for:

* (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a 
  CR-LF injection
* (boo#1175334, CVE-2020-15692) mishandle of argument to 
  browsers.openDefaultBrowser
* (boo#1175332, CVE-2020-15694) httpClient.get().contentLength()
  fails to properly validate the server response
* (boo#1192712, CVE-2021-41259) null byte accepted in getContent
  function, leading to URI validation bypass
* (boo#1185948, CVE-2021-29495) stdlib httpClient does not
  validate peer certificates by default
* (boo#1185085, CVE-2021-21374) Improper verification of the 
  SSL/TLS certificate
* (boo#1185084, CVE-2021-21373) "nimble refresh" falls back to a 
  non-TLS URL in case of error
* (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute
  arbitrary commands
* (boo#1181705, CVE-2020-15690) Standard library asyncftpclient 
  lacks a check for newline character

Following nim tools now work as expected:

* nim_dbg is now installed.
* nim-gdb can be successfully launched as it finds and loads
  nim-gdb.py correctly under gdb.
* nimble package manager stores package information per user.
* compiler package can be found and used, as it may be required
  by other packages.
  
Update to 1.6.6

* standard library use consistent styles for variable names so it
  can be used in projects which force a consistent style with 
  --styleCheck:usages option. 
* ARC/ORC are now considerably faster at method dispatching, 
  bringing its performance back on the level of the refc memory 
  management.
* Full changelog:
  https://nim-lang.org/blog/2022/05/05/version-166-released.html
- Previous updates and changelogs:
* 1.6.4: 
  https://nim-lang.org/blog/2022/02/08/version-164-released.html
* 1.6.2: 
  https://nim-lang.org/blog/2021/12/17/version-162-released.html
* 1.6.0: 
  https://nim-lang.org/blog/2021/10/19/version-160-released.html
* 1.4.8: 
  https://nim-lang.org/blog/2021/05/25/version-148-released.html
* 1.4.6: 
  https://nim-lang.org/blog/2021/04/15/versions-146-and-1212-released.html
* 1.4.4: 
  https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html
* 1.4.2: 
  https://nim-lang.org/blog/2020/12/01/version-142-released.html
* 1.4.0: 
  https://nim-lang.org/blog/2020/10/16/version-140-released.html

Update to 1.2.16

* oids: switch from PRNG to random module
* nimc.rst: fix table markup
* nimRawSetjmp: support Windows
* correctly enable chronos
* bigints are not supposed to work on 1.2.x
* disable nimpy
* misc bugfixes
* fixes a 'mixin' statement handling regression [backport:1.2 

Update to version 1.2.12  

* Fixed GC crash resulting from inlining of the memory
  allocation procs
* Fixed “incorrect raises effect for $(NimNode)” (#17454)
- from version 1.2.10
* Fixed “JS backend doesn’t handle float->int type conversion “ (#8404)
* Fixed “The “try except” not work when the “OSError:
  Too many open files” error occurs!” (#15925)
* Fixed “Nim emits #line 0 C preprocessor directives with
  –debugger:native, with ICE in gcc-10” (#15942)
* Fixed “tfuturevar fails when activated” (#9695)
* Fixed “nre.escapeRe is not gcsafe” (#16103)
* Fixed ““Error: internal error: genRecordFieldAux” - in
  the “version-1-4” branch” (#16069)
* Fixed “-d:fulldebug switch does not compile with gc:arc” (#16214)
* Fixed “osLastError may randomly raise defect and crash” (#16359)
* Fixed “generic importc proc’s don’t work (breaking lots
  of vmops procs for js)” (#16428)
* Fixed “Concept: codegen ignores parameter passing” (#16897)
* Fixed “{.push exportc.} interacts with anonymous functions” (#16967)
* Fixed “memory allocation during {.global.} init breaks GC” (#17085)
* Fixed "Nimble arbitrary code execution for specially crafted package metadata"
  + https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p
  + (boo#1185083, CVE-2021-21372)
* Fixed "Nimble falls back to insecure http url when fetching packages"
  + https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8
  + (boo#1185084, CVE-2021-21373)
* Fixed "Nimble fails to validate certificates due to insecure httpClient defaults"
  + https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx
  + (boo#1185085, CVE-2021-21374)
- from version 1.2.8
* Fixed “Defer and –gc:arc” (#15071)
* Fixed “Issue with –gc:arc at compile time” (#15129)
* Fixed “Nil check on each field fails in generic function” (#15101)
* Fixed “[strscans] scanf doesn’t match a single character with
  $+ if it’s the end of the string” (#15064)
* Fixed “Crash and incorrect return values when using
  readPasswordFromStdin on Windows.” (#15207)
* Fixed “Inconsistent unsigned -> signed RangeDefect usage
  across integer sizes” (#15210)
* Fixed “toHex results in RangeDefect exception when
  used with large uint64” (#15257)
* Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)
* Fixed “proc execCmdEx doesn’t work with -d:useWinAnsi” (#14203)
* Fixed “memory corruption in tmarshall.nim” (#9754)
* Fixed “Wrong number of variables” (#15360)
* Fixed “defer doesnt work with block, break and await” (#15243)
* Fixed “Sizeof of case object is incorrect. Showstopper” (#15516)
* Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)
* Fixed “regression(1.0.2 => 1.0.4) VM register messed up
  depending on unrelated context” (#15704)
- from version 1.2.6
* Fixed “The pegs module doesn’t work with generics!” (#14718)
* Fixed “[goto exceptions] {.noReturn.} pragma is not detected
  in a case expression” (#14458)
* Fixed “[exceptions:goto] C compiler error with dynlib pragma
  calling a proc” (#14240)
* Fixed “Nim source archive install: ‘install.sh’ fails with error:
  cp: cannot stat ‘bin/nim-gdb’: No such file or directory” (#14748)
* Fixed “Stropped identifiers don’t work as field names in
  tuple literals” (#14911)
* Fixed “uri.decodeUrl crashes on incorrectly formatted input” (#14082)
* Fixed “odbcsql module has some wrong integer types” (#9771)
* Fixed “[ARC] Compiler crash declaring a finalizer proc
  directly in ‘new’” (#15044)
* Fixed “code with named arguments in proc of winim/com can
  not been compiled” (#15056)
* Fixed “javascript backend produces javascript code with syntax
  error in object syntax” (#14534)
* Fixed “[ARC] SIGSEGV when calling a closure as a tuple
  field in a seq” (#15038)
* Fixed “Compiler crashes when using string as object variant
  selector with else branch” (#14189)
* Fixed “Constructing a uint64 range on a 32-bit machine leads
  to incorrect codegen” (#14616)

Update to version 1.2.2:

* See https://nim-lang.org/blog.html for details
- Enable the full testsuite in the %check section
* Add build dependencies to run the testsuite
* Whitelists a few tests that are not passing yet

Update to version 1.0.2:

* See https://nim-lang.org/blog.html for details
- Update dependencies (based on changes by Federico Ceratto



              

Packages


  • nim-1.6.6-bp153.2.3.1