diff --git a/NEWS b/NEWS index 7181ea3ad..e15951b27 100644 --- a/NEWS +++ b/NEWS 
@@ -1,6 +1,101 @@ Noteworthy changes in release a.b ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +* NEW. Contribution guidelines, Including sections on complexity, completeness, + signing and our AI policy. + (PR #2003) + +Updates +------- + +* Remove CRAM v4.0 support. The experimental CRAM v4 code was large, complex + and insufficiently tested. With no real move toward v4 adoption we have + removed the code in order to reduce the likelihood of security issues. + (PR #2020 and PR #2031) + +* Ensure indirect function calls have the correct type. Some HTSlib interfaces + have function callbacks that are intended to be generic, so the function + signatures include a void * for data to be passed in. While this mostly works + it is strictly undefined behaviour. Some new wrapper functions and interfaces + are added to address this. + (PR #1994) + +* Add wrappers for malloc, realloc with a calloc-like interface. This helps + avoid bugs due to integer wrap-around when calculating memory sizes. + (PR #2006) + +* Make faidx work with very long (>4 Gbyte!) lines. Although faidx should + support very long references, writing one longer than 4Gbases on a single line + broke it because it used a uint32_t field to store the line length. + (PR #2008. fixes samtools/samtools#2331. Reported by Ying Chen) + +* Parallel cram2bam. Add more of the work into worker threads to speed + everything up. + (PR #2015) + +* Improve synced reader error checking. Ensure memory failures are caught and + that error are propagated to callers. + (PR #2024) + +* Add tbx and bcf multi-region iterators. + (PR #2030, fixes #1930. Requested by Adam Novak. + Replaces the alternative PRs #1997 and #2022) + +* Remove references to the non-existant FAI_CACHE. + (PR #2033, fixes #2032. Reported by John Marshall) + +* Improve hfile_s3.c error handling. + (PR #2036. Thanks to John Marshall) + +* In VCF, improve the "not defined in the header" messages. 
+ (PR #2007) + + +Build Changes +------------- + +* Add Github actions builds for Linux and Mac OS. This replaces the Cirrus CI + tests that were discontinued. + (PR #2000) + +* Ensure PACKAGE_VERSION is set in the Makefile. + (PR #2038. See also samtools/samtools#2337) + +Bug fixes +--------- + +* Fix a read buffer overflow and improve SQ LN field checking. + (PR #1999 fixes oss-fuzz issue 499447432) + +* A number of small fixes, often removing unused code or correcting misplaced + checks. + (PR #1992, PR #1993, PR #2004, PR #2010) + +* Fix s3_seek returning wrong offset on cache-hit. + (PR #2012. Thanks to Nick Edwards) + +* Remove a signed overflow bug in bgzf_read_small. + (PR #2013) + +* Protect against uninitialised variable read with X_NOSZ codecs. + (PR #2023, fixes #2021. Reported by Jiami Lin) + +* Several fixes co-authored by Team Atlanta. Fix divide-by-zeros in + cram_xpack_decode_char and cram_xdelta_decode. Also protect against oversized + shift (ubsan) in cram_subexp_decode. + (PR #2025. Thanks to Team Atlanta) + +* Bounds-check refid when loading a CRAM .crai index. + (PR #2029. Thanks to Sidhartha Kumar) + + +Documentation updates +--------------------- + +* Clarify how defaults work when building an index with tabix. + (PR #2002, addresses #1995. Query made by dariober) + + Noteworthy changes in release 1.23.1 (18th March 2026) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
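Review bot: several wording slips in the added NEWS text should be fixed before release. In the Updates section, "that error are propagated to callers" should read "that errors are propagated to callers", "non-existant FAI_CACHE" should be "non-existent", and the first entry's "Contribution guidelines, Including sections" has a stray capital; in Build Changes, "Github actions" should be "GitHub Actions". The faidx entry mixes units (">4 Gbyte!" in its first sentence, "4Gbases" in the second); pick one so it is clear what the old uint32_t line-length field limited. The issue-reference punctuation is inconsistent as well: "(PR #2008. fixes samtools/samtools#2331." versus "(PR #2030, fixes #1930.". Finally, the Bug fixes entry "Fix a read buffer overflow and improve SQ LN field checking" does not say which code path or file format is affected, unlike the CRAM entries that name the functions involved (cram_xpack_decode_char, cram_xdelta_decode, cram_subexp_decode); naming it would help users deciding how urgently to upgrade.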