[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
GNU Automake 1.12.2 released (fixes a SECURITY VULNERABILITY!)
From: |
Stefano Lattarini |
Subject: |
GNU Automake 1.12.2 released (fixes a SECURITY VULNERABILITY!) |
Date: |
Mon, 09 Jul 2012 18:14:15 +0200 |
We are pleased to announce the Automake 1.12.2 maintenance release.
This release FIXES A SECURITY VULNERABILITY (CVE-2012-3386; see the
NEWS excerpt below for details), so you are strongly encouraged to
upgrade your existing Automake installation ASAP.
See below for the detailed list of changes since Automake 1.12.1, as
summarized by the NEWS file.
Download here:
ftp://ftp.gnu.org/gnu/automake/automake-1.12.2.tar.gz
ftp://ftp.gnu.org/gnu/automake/automake-1.12.2.tar.xz
Please report bugs and problems to <address@hidden>, and send
general comments and feedback to <address@hidden>.
Thanks to everyone who has reported problems, contributed patches,
and helped testing Automake!
-*-*-*-
New in 1.12.2:
* Warnings and deprecations:
- Automake now issues a warning (in the 'portability' category) if
'configure.in' is used instead of 'configure.ac' as the Autoconf
input file. Such a warning will also be present in the next
Autoconf version (2.70).
* Cleaning rules:
- Recursive cleaning rules descends into the $(SUBDIRS) in the natural
order (as done by the other recursive rules), rather than in the
inverse order. They used to do that in order to work a round a
limitation in an older implementation of the automatic dependency
tracking support, but that limitation had been lifted years ago
already, when the automatic dependency tracking based on side-effects
of compilation had been introduced.
- Cleaning rules for compiled objects (both "plain" and libtool) work
better when subdir objects are involved, not triggering a distinct
'rm' invocation for each such object. They do so by removing *any*
compiled object file that is in the same directory of a subdir
object. See automake bug#10697.
* Silent rules support:
- A new predefined $(AM_V_P) make variable is provided; it expands
to a shell conditional that can be used in recipes to know whether
make is being run in silent or verbose mode.
Bugs fixed in 1.12.2:
* SECURITY VULNERABILITIES!
- The recipe of the 'distcheck' no longer grants anymore temporary
world-wide write permissions on the extracted distdir. Even if such
rights were only granted for a vanishingly small time window, the
implied race condition proved to be enough to allow a local attacker
to run arbitrary code with the privileges of the user running "make
distcheck". This is CVE-2012-3386.
* Long-standing bugs:
- The "recheck" targets behaves better in the face of build failures
related to previously failed tests. For example, if a test is a
compiled program that must be rerun by "make recheck", and its
compilation fails, it will still be rerun by further "make recheck"
invocations. See automake bug#11791.
* Bugs introduced by 1.12.1:
- Automake provides once again the '$(mkdir_p)' make variable and the
'@mkdir_p@' substitution (both as simple aliases for '$(MKDIR_P)'),
for better backward-compatibility.
-*-*-*-
* WARNING: Future backward-incompatibilities!
- Future versions of Automake will likely drop support for the
long-deprecated 'configure.in' name for the Autoconf input file.
You are advised to use the recommended name 'configure.ac' instead.
- The long-obsolete (since automake 1.10) AM_PROG_MKDIR m4 macro will
be removed in Automake 1.13. The $(mkdir_p) make variable and the
@mkdir_p@ substitution will still remain available (as aliases of
$(MKDIR_P)) for the moment, for better backward compatibility.
- Autoconf 2.65 or later will be required by the next major Automake
version (1.13). Until now, Automake has required Autoconf version
2.62 or later.
- Starting from the next major Automake version (1.13), the rules
to build pdf, ps and dvi output from Texinfo input will use the
'--build-dir' option by default. Since such an option was only
introduced in Texinfo 4.9, this means that Makefiles generated by
future Automake versions will require at least that version of
Texinfo.
- Starting from the next major Automake version (1.13), the parallel
testsuite harness (previously only enabled by the 'parallel-tests'
option) will become the default one; the older serial testsuite
harness will still be available through the use of the 'serial-tests'
option.
- The following long-obsolete m4 macros will be removed in the
next major Automake version (1.13):
AM_PROG_CC_STDC: superseded by AC_PROG_CC since October 2002
fp_PROG_CC_STDC: broken alias for AM_PROG_CC_STDC
fp_WITH_DMALLOC: old alias for AM_WITH_DMALLOC
AM_CONFIG_HEADER: superseded by AC_CONFIG_HEADERS since July 2002
ud_PATH_LISPDIR: old alias for AM_PATH_LISPDIR
jm_MAINTAINER_MODE: old alias for AM_MAINTAINER_MODE
ud_GNU_GETTEXT: old alias for AM_GNU_GETTEXT
gm_PROG_LIBTOOL: old alias for AC_PROG_LIBTOOL
fp_C_PROTOTYPES: old alias for AM_C_PROTOTYPES (which was part
of the now-removed automatic de-ANSI-fication
support of Automake)
- All the "old alias" macros in 'm4/obsolete.m4' will be removed in
the next major Automake version (1.13).
- Support for the two- and three-arguments invocation forms of the
AM_INIT_AUTOMAKE macro is deprecated, and will be removed in the
next major Automake version (1.13).
- The '--acdir' option of aclocal is deprecated, and will probably
be removed in the next major Automake release (1.13). You should
use the options '--automake-acdir' and '--system-acdir' instead
(which have been introduced in Automake 1.11.2).
- The exact order in which the directories in the aclocal macro
search path are looked up is probably going to be changed in the
next Automake release (1.13).
- The 'missing' script will not try anymore to update the timestamp
of out-of-date files that require a maintainer-specific tool to be
remade, in case the user lacks such a tool (or has a too-old version
of it). In fact, starting from Automake 1.13, all it'll do will be
giving more useful warnings than a bare "command not found" from a
make recipe would.
- GNU Automake 1.12.2 released (fixes a SECURITY VULNERABILITY!),
Stefano Lattarini <=