{"id":"openSUSE-SU-2022:10095-1","summary":"Security update for nim","details":"This update for nim fixes the following issues:\n\nIncludes upstream security fixes for:\n\n* (boo#1175333, CVE-2020-15693) httpClient is vulnerable to a \n  CR-LF injection\n* (boo#1175334, CVE-2020-15692) mishandle of argument to \n  browsers.openDefaultBrowser\n* (boo#1175332, CVE-2020-15694) httpClient.get().contentLength()\n  fails to properly validate the server response\n* (boo#1192712, CVE-2021-41259) null byte accepted in getContent\n  function, leading to URI validation bypass\n* (boo#1185948, CVE-2021-29495) stdlib httpClient does not\n  validate peer certificates by default\n* (boo#1185085, CVE-2021-21374) Improper verification of the \n  SSL/TLS certificate\n* (boo#1185084, CVE-2021-21373) 'nimble refresh' falls back to a \n  non-TLS URL in case of error\n* (boo#1185083, CVE-2021-21372) doCmd can be leveraged to execute\n  arbitrary commands\n* (boo#1181705, CVE-2020-15690) Standard library asyncftpclient \n  lacks a check for newline character\n\nFollowing nim tools now work as expected:\n\n* nim_dbg is now installed.\n* nim-gdb can be successfully launched as it finds and loads\n  nim-gdb.py correctly under gdb.\n* nimble package manager stores package information per user.\n* compiler package can be found and used, as it may be required\n  by other packages.\n  \nUpdate to 1.6.6\n\n* standard library use consistent styles for variable names so it\n  can be used in projects which force a consistent style with \n  --styleCheck:usages option. \n* ARC/ORC are now considerably faster at method dispatching, \n  bringing its performance back on the level of the refc memory \n  management.\n* Full changelog:\n  https://nim-lang.org/blog/2022/05/05/version-166-released.html\n- Previous updates and changelogs:\n* 1.6.4: \n  https://nim-lang.org/blog/2022/02/08/version-164-released.html\n* 1.6.2: \n  https://nim-lang.org/blog/2021/12/17/version-162-released.html\n* 1.6.0: \n  https://nim-lang.org/blog/2021/10/19/version-160-released.html\n* 1.4.8: \n  https://nim-lang.org/blog/2021/05/25/version-148-released.html\n* 1.4.6: \n  https://nim-lang.org/blog/2021/04/15/versions-146-and-1212-released.html\n* 1.4.4: \n  https://nim-lang.org/blog/2021/02/23/versions-144-and-1210-released.html\n* 1.4.2: \n  https://nim-lang.org/blog/2020/12/01/version-142-released.html\n* 1.4.0: \n  https://nim-lang.org/blog/2020/10/16/version-140-released.html\n\nUpdate to 1.2.16\n\n* oids: switch from PRNG to random module\n* nimc.rst: fix table markup\n* nimRawSetjmp: support Windows\n* correctly enable chronos\n* bigints are not supposed to work on 1.2.x\n* disable nimpy\n* misc bugfixes\n* fixes a 'mixin' statement handling regression [backport:1.2 \n\nUpdate to version 1.2.12  \n\n* Fixed GC crash resulting from inlining of the memory\n  allocation procs\n* Fixed “incorrect raises effect for $(NimNode)” (#17454)\n- from version 1.2.10\n* Fixed “JS backend doesn’t handle float-\u003eint type conversion “ (#8404)\n* Fixed “The “try except” not work when the “OSError:\n  Too many open files” error occurs!” (#15925)\n* Fixed “Nim emits #line 0 C preprocessor directives with\n  –debugger:native, with ICE in gcc-10” (#15942)\n* Fixed “tfuturevar fails when activated” (#9695)\n* Fixed “nre.escapeRe is not gcsafe” (#16103)\n* Fixed ““Error: internal error: genRecordFieldAux” - in\n  the “version-1-4” branch” (#16069)\n* Fixed “-d:fulldebug switch does not compile with gc:arc” (#16214)\n* Fixed “osLastError may randomly raise defect and crash” (#16359)\n* Fixed “generic importc proc’s don’t work (breaking lots\n  of vmops procs for js)” (#16428)\n* Fixed “Concept: codegen ignores parameter passing” (#16897)\n* Fixed “{.push exportc.} interacts with anonymous functions” (#16967)\n* Fixed “memory allocation during {.global.} init breaks GC” (#17085)\n* Fixed 'Nimble arbitrary code execution for specially crafted package metadata'\n  + https://github.com/nim-lang/security/security/advisories/GHSA-rg9f-w24h-962p\n  + (boo#1185083, CVE-2021-21372)\n* Fixed 'Nimble falls back to insecure http url when fetching packages'\n  + https://github.com/nim-lang/security/security/advisories/GHSA-8w52-r35x-rgp8\n  + (boo#1185084, CVE-2021-21373)\n* Fixed 'Nimble fails to validate certificates due to insecure httpClient defaults'\n  + https://github.com/nim-lang/security/security/advisories/GHSA-c2wm-v66h-xhxx\n  + (boo#1185085, CVE-2021-21374)\n- from version 1.2.8\n* Fixed “Defer and –gc:arc” (#15071)\n* Fixed “Issue with –gc:arc at compile time” (#15129)\n* Fixed “Nil check on each field fails in generic function” (#15101)\n* Fixed “[strscans] scanf doesn’t match a single character with\n  $+ if it’s the end of the string” (#15064)\n* Fixed “Crash and incorrect return values when using\n  readPasswordFromStdin on Windows.” (#15207)\n* Fixed “Inconsistent unsigned -\u003e signed RangeDefect usage\n  across integer sizes” (#15210)\n* Fixed “toHex results in RangeDefect exception when\n  used with large uint64” (#15257)\n* Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)\n* Fixed “proc execCmdEx doesn’t work with -d:useWinAnsi” (#14203)\n* Fixed “memory corruption in tmarshall.nim” (#9754)\n* Fixed “Wrong number of variables” (#15360)\n* Fixed “defer doesnt work with block, break and await” (#15243)\n* Fixed “Sizeof of case object is incorrect. Showstopper” (#15516)\n* Fixed “Mixing ‘return’ with expressions is allowed in 1.2” (#15280)\n* Fixed “regression(1.0.2 =\u003e 1.0.4) VM register messed up\n  depending on unrelated context” (#15704)\n- from version 1.2.6\n* Fixed “The pegs module doesn’t work with generics!” (#14718)\n* Fixed “[goto exceptions] {.noReturn.} pragma is not detected\n  in a case expression” (#14458)\n* Fixed “[exceptions:goto] C compiler error with dynlib pragma\n  calling a proc” (#14240)\n* Fixed “Nim source archive install: ‘install.sh’ fails with error:\n  cp: cannot stat ‘bin/nim-gdb’: No such file or directory” (#14748)\n* Fixed “Stropped identifiers don’t work as field names in\n  tuple literals” (#14911)\n* Fixed “uri.decodeUrl crashes on incorrectly formatted input” (#14082)\n* Fixed “odbcsql module has some wrong integer types” (#9771)\n* Fixed “[ARC] Compiler crash declaring a finalizer proc\n  directly in ‘new’” (#15044)\n* Fixed “code with named arguments in proc of winim/com can\n  not been compiled” (#15056)\n* Fixed “javascript backend produces javascript code with syntax\n  error in object syntax” (#14534)\n* Fixed “[ARC] SIGSEGV when calling a closure as a tuple\n  field in a seq” (#15038)\n* Fixed “Compiler crashes when using string as object variant\n  selector with else branch” (#14189)\n* Fixed “Constructing a uint64 range on a 32-bit machine leads\n  to incorrect codegen” (#14616)\n\nUpdate to version 1.2.2:\n\n* See https://nim-lang.org/blog.html for details\n- Enable the full testsuite in the %check section\n* Add build dependencies to run the testsuite\n* Whitelists a few tests that are not passing yet\n\nUpdate to version 1.0.2:\n\n* See https://nim-lang.org/blog.html for details\n- Update dependencies (based on changes by Federico Ceratto\n\n","modified":"2026-02-04T03:30:30.340996Z","published":"2022-08-24T02:33:29Z","related":["CVE-2020-15690","CVE-2020-15692","CVE-2020-15693","CVE-2020-15694","CVE-2021-21372","CVE-2021-21373","CVE-2021-21374","CVE-2021-29495","CVE-2021-41259"],"upstream":["CVE-2020-15690","CVE-2020-15692","CVE-2020-15693","CVE-2020-15694","CVE-2021-21372","CVE-2021-21373","CVE-2021-21374","CVE-2021-29495","CVE-2021-41259"],"references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/HM5F2H5AWO4WRQSTOWMODGKMXAHHBVRH/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1175332"},{"type":"REPORT","url":"https://bugzilla.suse.com/1175333"},{"type":"REPORT","url":"https://bugzilla.suse.com/1175334"},{"type":"REPORT","url":"https://bugzilla.suse.com/1181705"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185083"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185084"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185085"},{"type":"REPORT","url":"https://bugzilla.suse.com/1185948"},{"type":"REPORT","url":"https://bugzilla.suse.com/1192712"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-15690"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-15692"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-15693"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2020-15694"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-21372"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-21373"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-21374"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-29495"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-41259"}],"affected":[{"package":{"name":"nim","ecosystem":"SUSE:Package Hub 15 SP3","purl":"pkg:rpm/suse/nim&distro=SUSE%20Package%20Hub%2015%20SP3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.6-bp153.2.3.1"}]}],"ecosystem_specific":{"binaries":[{"nim":"1.6.6-bp153.2.3.1"}]},"database_specific":{"source":"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2022:10095-1.json"}},{"package":{"name":"nim","ecosystem":"openSUSE:Leap 15.3","purl":"pkg:rpm/opensuse/nim&distro=openSUSE%20Leap%2015.3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.6-bp153.2.3.1"}]}],"ecosystem_specific":{"binaries":[{"nim":"1.6.6-bp153.2.3.1"}]},"database_specific":{"source":"https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2022:10095-1.json"}}],"schema_version":"1.7.3"}