Michael Tremer [Tue, 12 Jan 2021 10:55:57 +0000 (10:55 +0000)]
kernel: Trust the randomness from the CPU
This will allow the kernel to seed its CRNG using RDSEED or RDRAND.
During the boot process, it is required that the CRNG is being
initialised, but it may take some long time on systems that do not have
a random number generator.
This is the default for various other distributions like Debian.
Signed-off-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 12 Jan 2021 10:52:30 +0000 (10:52 +0000)]
kernel: Compile RNG drivers into the kernel
The kernel will try to gather entropy really early in the boot process
where those device drivers might not have been loaded yet. They are
small and can therefore be compiled into the kernel like we already do
on ARM.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 1 Jul 2021 10:10:17 +0000 (10:10 +0000)]
core158: Fully terminate apache before restarting it
Asking apache to restart itself fails when the binary is changed and
some symbols cannot be resolved. We therefore terminate all processes
and start them again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 20 Jun 2021 12:15:20 +0000 (14:15 +0200)]
knot: Update to 3.0.7
For details see:
https://www.knot-dns.cz/2021-06-16-version-307.html
Features:
knotd: new configuration policy option for CDS digest algorithm setting #738
keymgr: new command for primary SOA serial manipulation in on-secondary signing mode
Improvements:
knotd: improved algorithm rollover to shorten the last step of old RRSIG publication
Bugfixes:
knotd: zone is flushed upon server start, despite DNSSEC signing is up-to-date
knotd: wildcard nonexistence is proved on empty-non-terminal query
knotd: redundant wildcard proof for non-authoritative data in a reply
knotd: missing wildcard proofs in a wildcard-cname loop reply
knotd: incorrectly synthesized CNAME owner from a wildcard record #715
knotd: zone-in-journal changeset ignores journal-max-usage limit #736
knotd: incorrect processing of zone-in-journal changeset with SOA serial 0
knotd: broken initialization of processing workers if SO_REUSEPORT(_LB) not available
kjournalprint: reported journal usage is incorrect #736
keymgr: cannot parse algorithm name ed448 #739
keymgr: default key size not set properly
kdig: failed to process huge DoH responses
libknot/probe: some corner-case bugs
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 18 Jun 2021 07:07:21 +0000 (09:07 +0200)]
proxy.cgi: Suppress Squid version by default
While hiding version information does not come with any _actual_
security improvements, it is generally a good thing to do so by default:
Attackers will still be able to reasonably guess or enumerate the
software version running, but need to conduct additional effort to do
so, hence more likely raising alerts and drawing attention on their
operation.
In addition, we suppress version details somewhere else in IPFire 2.x by
default, too (e. g. Unbound and Apache), so we can justify this patch by
aiming to stay consistent, I guess. :-)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 17 Jun 2021 09:47:00 +0000 (11:47 +0200)]
cups-filters: Update to 1.28.9
- Update from 1.28.8 to 1.28.9
- Update of rootfile not required
- Changelog
CHANGES IN V1.28.9
- libcupsfilters: Silenced compiler warnings
- libcupsfilters: Removed duplicate code in the
apply_filters() function.
- driverless: If there are no driverless IPP printers
available let "driverless" terminate with exit code 0 and
not 1, to follow CUPS' standard of backends in discovery
mode terminating with 0 if there are no appropriate printers
found (Issue #375).
- gstoraster, foomatic-rip: Fixed Ghostscript command line for
counting pages as it took too long on PDFs from evince when
printing DjVu files (Issue #354, Pull request #371, Ubuntu
bug #1920730).
- cups-browsed: Renamed ldap_connect() due to conflict in
new openldap (Issue #367, Pull request #370).
- pdftoraster: Free color data after processing of each page
(Pull request #363).
- cups-browsed: Always save "...-default" option entries
from printers.conf, regardless of presence or absense
of PPD file (Pull request #359).
- cups-browsed: Start after network-online.target (Pull
request #360).
- texttopdf: Set default margins when no PPD file is used
(Pull request #356).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 15 Jun 2021 20:29:34 +0000 (22:29 +0200)]
proxy.cgi: drop options for faking Referer and User-Agent HTTP headers
While maintaining privacy when accessing web sites probably has never
been more important than it is today, faking Referer and User-Agent
headers is both obsolete and counterproductive:
(a) Most web sites require HTTPS, thwarting manipulation attempts to
HTTP headers in transit. Given todays' internet landscape, faking
these headers is unlikely to work for the vast majority of web
sites.
(b) It is trivial to detect faked HTTP User-Agent headers by obtaining
corresponding browser information via JavaScript. Any difference
most likely indicates (trivial) header manipulation attempts, hence
rendering this feature useless if browsers do not behave in the same
manner, which we cannot control on IPFire.
(c) Especially static Referer headers make users stick out like a sore
thumb, as nobody else in the world is likely to have the same
Referer set _all the time_.
Modern browsers attempt to strip sensitive information from Referer
headers, or ditch them completely, particularly to 3rd party sites.
Given the state of the web ecosystem as we know it today, enforcing
privacy in a centralised manner does not even come close to being
sufficient. Without gaining control over users' browsers, their
settings, and their infrastructure (such as setting up terminal
environments for accessing the web, preventing hardware
fingerprinting), a centralised attempt will at best fail, if not making
things worse, as highlighted in (c).
Therefore, removing these features from the Squid GUI is the least worse
option we have. We should not give our users a false sense of privacy.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 15 Jun 2021 17:42:11 +0000 (19:42 +0200)]
smartmontools: update to 7.2
Release announcement of this version as per
https://www.smartmontools.org/browser/tags/RELEASE_7_2/smartmontools/NEWS:
Date 2020-12-30
Summary: smartmontools release 7.2
-----------------------------------------------------------
- smartctl: New option '--json=y[c]' selects YAML output.
- smartctl '-i': Prints ATA TRIM and Zoned Device capabilities.
- smartctl '-j': Fixed 'scsi_grown_defect_list' value.
- smartctl '-a': Prints SCSI 'Accumulated power on time'.
- smartctl '-n POWERMODE': SCSI support.
- smartctl '-s standby,now' and '-s standby,off': SCSI support.
- smartctl '-c': NVMe 1.4 additions.
- smartd: Support for staggered self-tests.
- smartd: No longer writes attribute log if no attributes were read
due to standby mode or other error.
- smartd: Now resolves symlinks before device names are checked for
duplicates.
- smartd: Fixed SMARTD_DEVICETYPE environment variable if DEVICESCAN is
used without '-d TYPE'.
- ATA: Device type '-d jmb39x-q,N' for JMB39x protocol variant used by
some QNAP NAS devices.
- ATA: Device type '-d jms56x,N' for JMS562 USB to SATA RAID bridges.
- SCSI: Improved heuristics for log subpages of new and very old disks.
- NVMe: Log transfer size limited to avoid device or kernel crashes.
- NVMe/USB: Device type '-d sntrealtek' for Realtek RTL9210 USB to
NVMe bridges.
- update-smart-drivedb: New option '--branch X.Y'.
- HDD, SSD and USB additions to drive database.
- Dropped support for pre-C99 snprintf().
- configure: Dropped option '--without-working-snprintf'.
- configure: Fixed '-fstack-protector*' detection.
- Linux: Various fixes of smartd.service file.
- Darwin: NVMe log support.
- FreeBSD: Device scan does no longer include T_ENCLOSURE devices.
- NetBSD: Fixed timeout handling.
- NetBSD big endian: Fixed ATA register handling.
- OpenBSD: Fixed timeout handling.
- Windows: Dropped backward compatibility fixes for very old compilers.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 15 Jun 2021 17:15:44 +0000 (19:15 +0200)]
glib: Update to 2.68.3
- Update from 2.68.2 to 2.68.3
- Update rootfile
- Changelog
Overview of changes in GLib 2.68.3
* Bugs fixed:
- #2311 testfilemonitor test leaks ip_watched_file_t struct
- #2417 GFile: `g_file_replace_contents()` reports `G_IO_ERROR_WRONG_ETAG` when saving from a symlink
- !2133 Backport !2128 “inotify: Fix a memory leak” to glib-2-68
- !2137 Backport !2136 “tlscertificate: Avoid possible invalid read” to glib-2-68
- !2141 Backport !2138 “glocalfileoutputstream: Fix ETag check when replacing through a symlink” to glib-2-68
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 15 Jun 2021 17:15:26 +0000 (19:15 +0200)]
fuse: Update to 3.10.4
- Update from 3.10.3 to 3.10.4
- Update of rootfile
- Changelog
* Building of unit tests is now optional.
* Fixed a test failure when running tests under XFS.
* Fixed memory leaks in examples.
* Minor documentation fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 15 Jun 2021 17:15:11 +0000 (19:15 +0200)]
cmake: Update to 3.20.4
- Update from 3.20.3 to 3.20.4
- Update of rootfile not required.
- Changelog
Changes in 3.20.4 since 3.20.3:
Ben Boeckel (1):
ci: use consistent sccache builds
Brad King (8):
VS: Add special case for '-T version=14.29.16.10' under VS 16.10
VS: Add flag table entries for '/external:W*' flags in VS 16.10
gitlab-ci: Update Windows builds to MSVC 19.29-16.10 toolset
Makefiles: Fix CMAKE_EXPORT_COMPILE_COMMANDS crash with custom compile rule
presets: Fix buildPreset "jobs" field test case
IRSL: Add Intel oneAPI redist location on Windows
fileapi: Fix codemodel-v2 link command fragment relative paths
John Drouhard (1):
FindBoost: Add check for json component header in Boost 1.75+
Marc Chevrier (1):
Help: cmake_path: fix erroneous example for IS_PREFIX
Raul Tambre (2):
MSVC: C++20 final flag, C++23 support
Clang/MSVC: C++20 final flag, C++23 support
Sam Freed (2):
presets: Fix buildPreset "jobs"
presets: Fix buildPreset "targets" not allowing a single string
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 12 Jun 2021 13:23:25 +0000 (15:23 +0200)]
sudo: Update to 1.9.7p1
- Update from 1.9.7 to 1.9.7p1
- Update of rootfile not required.
- Changelog
Major changes between sudo 1.9.7p1 and 1.9.7
* Fixed an SELinux sudoedit bug when the edited temporary file
could not be opened. The sesh helper would still be run even
when there are no temporary files available to install.
* Fixed a compilation problem on FreeBSD.
* The sudo_noexec.so file is now built as a module on all systems
other than macOS. This makes it possible to use other libtool
implementations such as slibtool. On macOS shared libraries and
modules are not interchangeable and the version of libtool shipped
with sudo must be used.
* Fixed a few bugs in the getgrouplist() emulation on Solaris when
reading from the local group file.
* Fixed a bug in sudo_logsrvd that prevented periodic relay server
connection retries from occurring in "store_first" mode.
* Disabled the nss_search()-based getgrouplist() emulation on HP-UX
due to a crash when the group source is set to "compat" in
/etc/nsswitch.conf. This is probably due to a mismatch between
include/compat/nss_dbdefs.h and what HP-UX uses internally. On
HP-UX we now just cycle through groups the slow way using
getgrent(). Bug #978.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 11 Jun 2021 11:33:15 +0000 (13:33 +0200)]
Postfix: update to 3.6.0
Please refer to http://www.postfix.org/announcements/postfix-3.6.0.html
for this versions' release announcements.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
