From 640c6dbbb0952f990f9d03f19f6188bf3c3701ae Mon Sep 17 00:00:00 2001 From: Peter Taoussanis Date: Fri, 24 Jul 2020 18:27:34 +0200 Subject: [PATCH] v2.15.0 --- CHANGELOG.md | 54 ++++++++++++++++++++++++++++++++++++++++++++-------- README.md | 13 ++++++++++--- project.clj | 2 +- 3 files changed, 57 insertions(+), 12 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d9c86a4..45c739e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,18 +1,56 @@ > This project uses [Break Versioning](https://github.com/ptaoussanis/encore/blob/master/BREAK-VERSIONING.md) as of **Aug 16, 2014**. -## v2.15.0-RC1 / 2019 Feb 16 +## v2.15.0 / 2020 Jul 24 ```clojure -[com.taoensso/nippy "2.15.0-RC1"] +[com.taoensso/nippy "2.15.0"] ``` -> This is a major feature release. It should be non-breaking but **please report any problems** - thanks! +> This is a **major** feature release. It may be **BREAKING**! -* [#113 #114] **New**: Support object arrays (@isaksky) -* [#101] **Change**: Switch default encryptor from AES-CBC to AES-GCM (faster, includes integrity check) -* [#116] **Impl**: Update lz4 lib: 1.3->1.5 (@johnmcconnell) -* **Impl**: Update a number of dependencies -* **Impl**: Refactor encryption utils for extra flexibility in future +**BREAKING CHANGES** since `v2.14.0`: + +* [#130] Add `*serialization-whitelist*`, **ENABLED BY DEFAULT**. + +See https://github.com/ptaoussanis/nippy/issues/130 for details, incl. upgrade instructions. + +Big thanks to **Timo Mihaljov** (@solita-timo-mihaljov) for an excellent report identifying this vulnerability! + +**New** since `v2.14.0`: + +* [#127] Add utils: `freeze-to-string`, `thaw-from-string` (@piotr-yuxuan) +* [#113 #114] Add support for object arrays (@isaksky) +* [#83 #112] Add support for deftype (@isaksky) +* [#83 #113] Add support for URIs (@isaksky) + +**Changes** since `v2.14.0`: + +* [#101] Switch default encryptor from `AES-CBC` to `AES-GCM` (faster, includes integrity check) +* Refactor encryption utils for extra flexibility in future +* Latest dependencies + +**Fixes** since `v2.14.0`: + +* [#120] Update `freezable?` to cover `nil` + + +## v2.14.2 / 2020 Jul 24 + +```clojure +[com.taoensso/nippy "2.14.2"] +``` + +> This is a non-breaking **hotfix security release**. PLEASE READ CAREFULLY. + +**New** since `v2.14.0`: + +* [#130] Add `*serialization-whitelist*` feature, **DISABLED BY DEFAULT**. 
+ +### *** SECURITY ADVISORY *** + +To prevent a possible **Remote Code Execution (RCE) vulnerability** (#130), you must **opt-in** to use the new `*serialization-whitelist*` feature. + +See the `nippy/*serialization-whitelist*` docstring for usage instructions. ## v2.14.0 / 2017 Dec 21 diff --git a/README.md b/README.md index 659f172..bacd7ba 100644 --- a/README.md +++ b/README.md @@ -4,10 +4,17 @@ **[CHANGELOG]** | [API] | current [Break Version]: ```clojure -[com.taoensso/nippy "2.14.0"] ; Stable -[com.taoensso/nippy "2.15.0-RC1"] ; Dev, see CHANGELOG for details +[com.taoensso/nippy "2.15.0"] ; BREAKING, see CHANGELOG for details ``` +## ** SECURITY ADVISORY ** + +Users of Nippy older than **v2.15.0 final** should **please upgrade ASAP** due to a **Remote Code Execution vulnerability** when deserializing data from an **untrusted source**. + +Please see [here](https://github.com/ptaoussanis/nippy/issues/130) for details, including upgrade instructions. + +-- + > Please consider helping to [support my continued open-source Clojure/Script work]? > > Even small contributions can add up + make a big difference to help sustain my time writing, maintaining, and supporting Nippy and other Clojure/Script libraries. **Thank you!** @@ -39,7 +46,7 @@ Nippy is an attempt to provide a reliable, high-performance **drop-in alternativ Add the necessary dependency to your project: ```clojure -[com.taoensso/nippy "2.14.0"] +[com.taoensso/nippy "2.15.0"] ``` And setup your namespace imports: diff --git a/project.clj b/project.clj index 110dc77..fa6467a 100644 --- a/project.clj +++ b/project.clj @@ -1,4 +1,4 @@ -(defproject com.taoensso/nippy "2.15.0-RC1" +(defproject com.taoensso/nippy "2.15.0" :author "Peter Taoussanis " :description "High-performance serialization library for Clojure" :url "https://github.com/ptaoussanis/nippy"
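Review bot: the v2.15.0 entry marking `*serialization-whitelist*` as **ENABLED BY DEFAULT** is the one breaking change in this release, yet it defers entirely to issue #130 for what that means in practice; since the CHANGELOG is where upgraders will look first, the entry should say in a sentence what happens when data containing a type outside the whitelist is deserialized and how to extend the whitelist for legitimate custom types (the v2.14.2 section at least points at the var's docstring; the v2.15.0 section should do the same or better). Two smaller points in the same hunk: `### *** SECURITY ADVISORY ***` renders as bold-italic text rather than literal asterisks in most Markdown renderers, so a plain `### SECURITY ADVISORY` heading is safer; and the v2.14.2 advisory could state explicitly that users who remain on 2.14.x stay exposed to the #130 RCE unless they opt in, rather than only that the opt-in now exists.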
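Review bot: the README advisory in the `@@ -4,10 +4,17 @@` hunk tells everyone on a version older than v2.15.0 to upgrade, but omits the v2.14.2 hotfix that the CHANGELOG in this same patch describes as a non-breaking, opt-in path; users who cannot absorb the breaking default right away should be told that `2.14.2` with `*serialization-whitelist*` enabled is the alternative, otherwise some will stay on an unpatched 2.14.0 rather than take a breaking release. Formatting in the same hunk: `## ** SECURITY ADVISORY **` will not render bold because Markdown requires no space after the opening `**`, so the heading shows literal asterisks, and the lone `--` line is not a horizontal rule (use `---` if a separator is intended).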