bugfix release

git-svn-id: svn+ssh://svn.gna.org/svn/gnustep/libs/base/trunk@38120 72102866-910b-0410-8b05-ffd578937521

ChangeLog

@@ -1,3 +1,17 @@
+2014-10-17  Richard Frith-Macdonald <rfm@gnu.org>
+
+	* Documentation/news.texi:
+	* Documentation/ReleaseNotes.gsdoc:
+	* Version: Bump subminor version for bugfix release
+	* NSTimeZones/NSTimeZones.tar: update
+	* Source/NSProcessInfo.m: Use separate lock for globally unique
+	string rather than sharing lock intended for other purposes.
+	* Source/GSTLS.m: Change default TLS 'priority' to disable SSLv3.0
+	as it renders things open to the 'POODLE' attack.
+	Also, print warning if it is expressly requested from the code
+	(though the use of the GSTLSPriority user default will still
+	allow complete control without warnings).
+
 2014-10-11  Marcus Mueller <znek@mulle-kybernetik.com>
 
 	* Headers/GNUstepBase/GSVersionMacros.h: UNAVAILABLE_ATTRIBUTE added
@@ -9,12 +23,6 @@
 
 	* configure: Regenerated.
 
-2014-07-28  Richard Frith-Macdonald <rfm@gnu.org>
-
-	* Source/NSUserDefaults.m:
-	* Source/GSPrivate.h:
-	* Source/NSLog.m:
-
 2014-07-25  Richard Frith-Macdonald <rfm@gnu.org>
 
 	* Source/Tools/gdomap.c: Unless running on windows, allow new -j

Documentation/ReleaseNotes.gsdoc

@@ -29,6 +29,18 @@ notice and this notice are preserved.
 	migrate to using a newer version of the library.
       </p>
 
+      <section>
+	<heading>Version 1.24.7</heading>
+        <p>A new stable (bugfix) release.<br />
+        The release has various platform/portability tweaks, as
+        well as a variety of bugfixes.<br />
+        The default HTTPS connection configuration is modified to disable
+        SSLv3.0 support (to prevent the 'POODLE' security attack).<br />
+        This release also contains an update to include the most recent
+        international timezone data.
+        </p>
+      </section>
+
       <section>
 	<heading>Version 1.24.6</heading>
         <p>A new stable (bugfix) release.<br />

Documentation/news.texi

@@ -11,6 +11,16 @@ The currently released version of the library is
 See the @url{ReleaseNotes.html} document for more information.
 @end ifclear
 
+@section Noteworthy changes in version @samp{1.24.7}
+
+@itemize @bullet
+@item TLS and other security improvements
+@item Latest timezone data included
+@item Various other bugfixes
+@end itemize
+
+@ifclear ANNOUNCE-ONLY
+
 @section Noteworthy changes in version @samp{1.24.6}
 
 @itemize @bullet
@@ -21,8 +31,6 @@ See the @url{ReleaseNotes.html} document for more information.
 @item Various other bugfixes
 @end itemize
 
-@ifclear ANNOUNCE-ONLY
-
 @section Noteworthy changes in version @samp{1.24.5}
 
 @itemize @bullet

Source/GSTLS.m

@@ -1448,8 +1448,6 @@ static NSMutableDictionary      *credentialsCache = nil;
             @" these locations.");
         }
 
-      gnutls_set_default_priority(session);
-
       pri = [opts objectForKey: NSStreamSocketSecurityLevelKey];
       str = [opts objectForKey: GSTLSPriority];
       if (nil == pri && nil == str)
@@ -1467,6 +1465,15 @@ static NSMutableDictionary      *credentialsCache = nil;
           str = nil;
         }
 
+#if GNUTLS_VERSION_NUMBER < 0x020C00
+      gnutls_set_default_priority(session);
+#else
+      /* By default we disable SSL3.0 as the 'POODLE' attack (Oct 2014)
+       * renders it insecure.
+       */
+      gnutls_priority_set_direct(session, "NORMAL:-VERS-SSL3.0", NULL);
+#endif
+
       if (nil == str)
         {
           if ([pri isEqual: NSStreamSocketSecurityLevelNone] == YES)
@@ -1480,13 +1487,15 @@ static NSMutableDictionary      *credentialsCache = nil;
           else if ([pri isEqual: NSStreamSocketSecurityLevelSSLv2] == YES)
             {
               // pri = NSStreamSocketSecurityLevelSSLv2;
-              GSOnceMLog(@"NSStreamSocketSecurityLevelTLSv2 is insecure ..."
+              GSOnceMLog(@"NSStreamSocketSecurityLevelSSLv2 is insecure ..."
                 @" not implemented");
               DESTROY(self);
               return nil;
             }
           else if ([pri isEqual: NSStreamSocketSecurityLevelSSLv3] == YES)
             {
+              GSOnceMLog(@"NSStreamSocketSecurityLevelSSLv3 is insecure ..."
+                @" please change your code to stop using it");
 #if GNUTLS_VERSION_NUMBER < 0x020C00
               const int proto_prio[2] = {
                 GNUTLS_SSL3,

Source/NSProcessInfo.m

@@ -200,6 +200,10 @@ For more detailed assistance, please report the error to bug-gnustep@gnu.org.\n\
 /*************************************************************************
  *** Static global vars
  *************************************************************************/
+
+// The lock to protect shared process resources.
+static NSRecursiveLock  *procLock = nil;
+
 // The shared NSProcessInfo instance
 static NSProcessInfo	*_gnu_sharedProcessInfoObject = nil;
 
@@ -577,23 +581,23 @@ static char	**_gnu_noobjc_env = NULL;
   
   ifp = fopen(proc_file_name, "r");
   if (ifp == NULL)
-  {
+    {
-    fprintf(stderr, "Error: Failed to open the process info file:%s\n", 
+      fprintf(stderr, "Error: Failed to open the process info file:%s\n", 
-	    proc_file_name);
+              proc_file_name);
-    abort();
+      abort();
-  }
+    }
   
   fread(&pinfo, sizeof(pinfo), 1, ifp);
   fclose(ifp);
   
   vectors = (char **)pinfo.pr_envp;
   if (!vectors)
-  {
+    {
-    fprintf(stderr, "Error: for some reason, environ == NULL "
+      fprintf(stderr, "Error: for some reason, environ == NULL "
-      "during GNUstep base initialization\n"
+        "during GNUstep base initialization\n"
-      "Please check the linking process\n");
+        "Please check the linking process\n");
-    abort();
+      abort();
-  }
+    }
   
   /* copy the environment strings */
   for (count = 0; vectors[count]; count++)
@@ -602,11 +606,11 @@ static char	**_gnu_noobjc_env = NULL;
   if (!_gnu_noobjc_env)
     goto malloc_error;
   for (i = 0; i < count; i++)
-  {
+    {
-  	_gnu_noobjc_env[i] = (char *)strdup(vectors[i]);
+      _gnu_noobjc_env[i] = (char *)strdup(vectors[i]);
-    if (!_gnu_noobjc_env[i])
+      if (!_gnu_noobjc_env[i])
-      goto malloc_error;
+        goto malloc_error;
-  }
+    }
   _gnu_noobjc_env[i] = NULL;
 
   /* get the argument vectors */
@@ -899,6 +903,7 @@ _gnu_noobjc_free_vars(void)
 
 + (void) initialize
 {
+  if (nil == procLock) procLock = [NSRecursiveLock new];
   if (self == [NSProcessInfo class]
     && !_gnu_processName && !_gnu_arguments && !_gnu_environment)
     {
@@ -917,6 +922,7 @@ _gnu_noobjc_free_vars(void)
 /* For WindowsAPI Library, we know the global variables (argc, etc) */
 + (void) initialize
 {
+  if (nil == procLock) procLock = [NSRecursiveLock new];
   if (self == [NSProcessInfo class]
     && !_gnu_processName && !_gnu_arguments && !_gnu_environment)
     {
@@ -929,6 +935,7 @@ extern int __libc_argc;
 extern char **__libc_argv;
 + (void) initialize
 {
+  if (nil == procLock) procLock = [NSRecursiveLock new];
   if (self == [NSProcessInfo class]
     && !_gnu_processName && !_gnu_arguments && !_gnu_environment)
     {
@@ -938,6 +945,10 @@ extern char **__libc_argv;
 
 
 #else
++ (void) initialize
+{
+  if (nil == procLock) procLock = [NSRecursiveLock new];
+}
 #ifndef GS_PASS_ARGUMENTS
 #undef main
 /* The gnustep_base_user_main function is declared 'weak' so that the linker
@@ -1008,7 +1019,7 @@ int main(int argc, char *argv[], char *env[])
   if (!_gnu_sharedProcessInfoObject)
     {
       _gnu_sharedProcessInfoObject = [[_NSConcreteProcessInfo alloc] init];
-      [gnustep_global_lock lock];
+      [procLock lock];
       if (mySet != nil)
 	{
 	  NSEnumerator	*e = [mySet objectEnumerator];
@@ -1022,7 +1033,7 @@ int main(int argc, char *argv[], char *env[])
 	  [mySet release];
 	  mySet = nil;
         }
-      [gnustep_global_lock unlock];
+      [procLock unlock];
     }
 
   return _gnu_sharedProcessInfoObject;
@@ -1065,19 +1076,30 @@ int main(int argc, char *argv[], char *env[])
   static unsigned long	counter = 0;
   unsigned long		count;
   static NSString	*host = nil;
+  NSString              *thost = nil;
   static int		pid;
+  int                   tpid;
   static unsigned long	start;
 
-  [gnustep_global_lock lock];
+  /* We obtain the host name and pid outside the locked region in case
-  if (host == nil)
+   * the lookup is slow or indirectly calls this method fromm another
+   * thread (as unlikely as that is ... some subclass/category could
+   * do it).
+   */
+  if (nil == host)
+    {
+      thost = [[self hostName] stringByReplacingString: @"." withString: @"_"];
+      tpid = [self processIdentifier];
+    }
+  [procLock lock];
+  if (nil == host)
     {
-      pid = [self processIdentifier];
       start = (unsigned long)GSPrivateTimeNow();
-      host = [[self hostName] stringByReplacingString: @"." withString: @"_"];
+      ASSIGN(host, thost);
-      IF_NO_GC(RETAIN(host);)
+      pid = tpid;
     }
   count = counter++;
-  [gnustep_global_lock unlock];
+  [procLock unlock];
 
   // $$$ The format of the string is not specified by the OpenStep
   // specification.
@@ -1449,10 +1471,10 @@ void
 GSInitializeProcess(int argc, char **argv, char **envp)
 {
   [NSProcessInfo class];
-  [gnustep_global_lock lock];
+  [procLock lock];
   fallbackInitialisation = YES;
   _gnu_process_args(argc, argv, envp);
-  [gnustep_global_lock unlock];
+  [procLock unlock];
 }
 
 @implementation	NSProcessInfo (GNUstep)

Version

@@ -7,9 +7,9 @@ GCC_VERSION=4.0.0
 # The version number of this release.
 MAJOR_VERSION=1
 MINOR_VERSION=24
-SUBMINOR_VERSION=6
+SUBMINOR_VERSION=7
 # numeric value should match above
-VERSION_NUMBER=124.6
+VERSION_NUMBER=124.7
 GNUSTEP_BASE_VERSION=${MAJOR_VERSION}.${MINOR_VERSION}.${SUBMINOR_VERSION}
 VERSION=${GNUSTEP_BASE_VERSION}