openSUSE Security Update: Security update for nim ______________________________________________________________________________ Announcement ID: openSUSE-SU-2021:0628-1 Rating: moderate References: #1185083 #1185084 #1185085 Cross-References: CVE-2021-21372 CVE-2021-21373 CVE-2021-21374 CVSS scores: CVE-2021-21374 (NVD) : 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Affected Products: openSUSE Backports SLE-15-SP2 ______________________________________________________________________________ An update that fixes three vulnerabilities is now available. Description: This update for nim fixes the following issues: num was updated to version 1.2.12: * Fixed GC crash resulting from inlining of the memory allocation procs * Fixed ���incorrect raises effect for $(NimNode)��� (#17454) From version 1.2.10: * Fixed ���JS backend doesn���t handle float->int type conversion ��� (#8404) * Fixed ���The ���try except��� not work when the ���OSError: Too many open files��� error occurs!��� (#15925) * Fixed ���Nim emits #line 0 C preprocessor directives with ���debugger:native, with ICE in gcc-10��� (#15942) * Fixed ���tfuturevar fails when activated��� (#9695) * Fixed ���nre.escapeRe is not gcsafe��� (#16103) * Fixed ������Error: internal error: genRecordFieldAux��� - in the ���version-1-4��� branch��� (#16069) * Fixed ���-d:fulldebug switch does not compile with gc:arc��� (#16214) * Fixed ���osLastError may randomly raise defect and crash��� (#16359) * Fixed ���generic importc proc���s don���t work (breaking lots of vmops procs for js)��� (#16428) * Fixed ���Concept: codegen ignores parameter passing��� (#16897) * Fixed ���{.push exportc.} interacts with anonymous functions��� (#16967) * Fixed ���memory allocation during {.global.} init breaks GC��� (#17085) * Fixed "Nimble arbitrary code execution for specially crafted package metadata" + https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962 p + (boo#1185083, CVE-2021-21372) * Fixed "Nimble falls back to insecure http url when fetching packages" + https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp 8 + (boo#1185084, CVE-2021-21373) * Fixed "Nimble fails to validate certificates due to insecure httpClient defaults" + https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhx x + (boo#1185085, CVE-2021-21374) from version 1.2.8 * Fixed ���Defer and ���gc:arc��� (#15071) * Fixed ���Issue with ���gc:arc at compile time��� (#15129) * Fixed ���Nil check on each field fails in generic function��� (#15101) * Fixed ���[strscans] scanf doesn���t match a single character with $+ if it���s the end of the string��� (#15064) * Fixed ���Crash and incorrect return values when using readPasswordFromStdin on Windows.��� (#15207) * Fixed ���Inconsistent unsigned -> signed RangeDefect usage across integer sizes��� (#15210) * Fixed ���toHex results in RangeDefect exception when used with large uint64��� (#15257) * Fixed ���Mixing ���return��� with expressions is allowed in 1.2��� (#15280) * Fixed ���proc execCmdEx doesn���t work with -d:useWinAnsi��� (#14203) * Fixed ���memory corruption in tmarshall.nim��� (#9754) * Fixed ���Wrong number of variables��� (#15360) * Fixed ���defer doesnt work with block, break and await��� (#15243) * Fixed ���Sizeof of case object is incorrect. Showstopper��� (#15516) * Fixed ���Mixing ���return��� with expressions is allowed in 1.2��� (#15280) * Fixed ���regression(1.0.2 => 1.0.4) VM register messed up depending on unrelated context��� (#15704) from version 1.2.6 * Fixed ���The pegs module doesn���t work with generics!��� (#14718) * Fixed ���[goto exceptions] {.noReturn.} pragma is not detected in a case expression��� (#14458) * Fixed ���[exceptions:goto] C compiler error with dynlib pragma calling a proc��� (#14240) * Fixed ���Nim source archive install: ���install.sh��� fails with error: cp: cannot stat ���bin/nim-gdb���: No such file or directory��� (#14748) * Fixed ���Stropped identifiers don���t work as field names in tuple literals��� (#14911) * Fixed ���uri.decodeUrl crashes on incorrectly formatted input��� (#14082) * Fixed ���odbcsql module has some wrong integer types��� (#9771) * Fixed ���[ARC] Compiler crash declaring a finalizer proc directly in ���new������ (#15044) * Fixed ���code with named arguments in proc of winim/com can not been compiled��� (#15056) * Fixed ���javascript backend produces javascript code with syntax error in object syntax��� (#14534) * Fixed ���[ARC] SIGSEGV when calling a closure as a tuple field in a seq��� (#15038) * Fixed ���Compiler crashes when using string as object variant selector with else branch��� (#14189) * Fixed ���Constructing a uint64 range on a 32-bit machine leads to incorrect codegen��� (#14616) Update to version 1.2.2: * See https://nim-lang.org/blog.html for details Update to version 1.0.2: * See https://nim-lang.org/blog.html for details This update was imported from the openSUSE:Leap:15.2:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP2: zypper in -t patch openSUSE-2021-628=1 Package List: - openSUSE Backports SLE-15-SP2 (aarch64 x86_64): nim-1.2.12-bp152.4.3.1 References: https://www.suse.com/security/cve/CVE-2021-21372.html https://www.suse.com/security/cve/CVE-2021-21373.html https://www.suse.com/security/cve/CVE-2021-21374.html https://bugzilla.suse.com/1185083 https://bugzilla.suse.com/1185084 https://bugzilla.suse.com/1185085