The informative pakfire message
"No new upgrades available. You are on release ..."
does not mean that an error has happened. This patch adjusts
the log level prefix to "info" accordingly.
Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport)
[Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]
Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)
Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
Bug #5354: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
Bug #5305: cppcheck: various static analyzer "warning"s
Bug #5302: Failed assert DeStateSearchState
Bug #5301: eve: payload field randomly missing even if the packet field is present
Bug #5289: Remove unneeded stack-on-signal initialization.
Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length
Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Bug #5113: Off-by-one in flow-manager flow_hash row allocation
Bug #5055: Documentation copyright years are invalid
Bug #5021: dataset: error with space in rule language
Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
Optimization #5121: Use configurable or more dynamic @ PACKET_ALERT_MAX@ (5.0.x backport)
Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-1
"Features
Fix #704: [FR] Statistics counter for number of outgoing UDP queries
sent; introduces 'num.query.udpout' to the 'unbound-control stats'
command.
Bug Fixes
makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
Fix for edns client subnet to respect not looking in its cache when
instructed to do so (e.g., prefetch).
Merge PR #688: Rpz url notify issue.
Note in the unbound.conf text that NOTIFY is allowed from the 'url:'
addresses for auth and rpz zones.
Remove unused LDNS function check for GOST Engine unloading.
Fix for loading locally stored zones that have lines with blanks or
blanks and comments.
Fix #663: use after free issue with edns options.
Clarify -v flag manpage entry (#705)
Fix test program dohclient close to use portability routine.
Show the output of the exact .rpl run that failed with 'make test'.
Fix for cached 0 TTL records to not trigger prefetching when
serve-expired-client-timeout is set.
Add debug option to the mini_tdir.sh test code.
Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
Allow fallback to the parent side when MAX_TARGET_NX is reached. This
will also allow MAX_TARGET_NX more NXDOMAINs.
iana portlist update.
Fix detection of libz on windows compile with static option.
Fix compile warning for windows compile.
Merge PR #706: NXNS fallback.
From #706: Cached NXDOMAIN does not increase the target nx responses.
From #706: Don't generate parent side queries if we already have the
lame records in cache.
From #706: When a lame address is the best choice, don't try to
generate target queries when the missing targets are all lame.
Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS mode
on openssl3.
Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
For #660: formatting, less verbose logging, add EDE information.
Fix for correct openssl error when adding windows CA certificates to
the openssl trust store.
Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
Reintroduce documentation and more EDE support for
val_sigcrypt.c::dnskeyset_verify_rrset_sig.
Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3380500 to 3890000
- Update of rootfile not required
- Changelog
Release 3.39.0 On 2022-06-25
Add (long overdue) support for RIGHT and FULL OUTER JOIN.
Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT FROM that are
equivalent to IS and IS NOT, respective, for compatibility with PostgreSQL and SQL
standards.
Add a new return code (value "3") from the sqlite3_vtab_distinct() interface that
indicates a query that has both DISTINCT and ORDER BY clauses.
Added the sqlite3_db_name() interface.
The unix os interface resolves all symbolic links in database filenames to create a
canonical name for the database before the file is opened.
Defer materializing views until the materialization is actually needed, thus avoiding
unnecessary work if the materialization turns out to never be used.
The HAVING clause of a SELECT statement is now allowed on any aggregate query, even
queries that do not have a GROUP BY clause.
Many microoptimizations collectively reduce CPU cycles by about 2.3%.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 10 Jul 2022 13:10:56 +0000 (15:10 +0200)]
vim: Update to version 9.0
- Update from version 8.2 to 9.0
- Update of rootfile
- Remove gcc10 detection patch as this is now built into the source tarball
- Update hardening crash patch. The issue related to the gcc10 patch seems to suggest
that when that is fixed then the hardening crash patch is not required but it wasn't
100% clear. So I have left the patch in place as it only changes one line and if it
worked with the earlier versions then it should also work now. If it is decided that
it is not needed then it can always be removed at a future update.
- Changelog is massive with over 30000 lines.
vim provides fixed updates such as 8.2 and 9.0 but then issues very frequent patch
updates. For version 8.2 there are 5172 patch updates none of which have been applied
to IPFire. All of these are now built into version 9.0
https://vimhelp.org/version9.txt.html#new-9 provides the details of what is new with
version 9.0, including details of all the 5172 patches.
- Key thing for version 9.0 is that there is a new Vim9 script language which is not
backwards compatible. However the old legacy script language will continue to be
supported so all old scripts can continue to be used.
- Version 9.0 already has 48 patches released. The releases occur virtually every day
with several days having multiple patch releases.
- Once this 9.0 version of vim has been confirmed to work successfully by people
experienced in using vim (I struggle to remember the set of characters to press to
exit from an editing session), then my plan is to periodically submit an update of the
patches, although some may be missed out as they are not relevant for IPFire - such
as deleting Travis CI config and improving the recognition of some Visual Basic files.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 10 Jul 2022 21:02:21 +0000 (23:02 +0200)]
i2c-tools: Update to version 4.3
- Update from version 3.1.2 (July 2017) to 4.3 (July 2021)
- Update of rootfile
- Changelog
4.3 (2021-07-22)
decode-dimms: Attempt to decode LPDDR3 modules
eeprom, eepromer: Removed the tools in favor of eeprog
i2cdetect: Sort the bus list by number
i2cdump: Add range support to I2C block mode
Deprecate SMBus block mode
i2cget: Add support for I2C block read
Add support for SMBus block read
i2ctransfer: Reverted check for returned length from driver
4.2 (2020-09-22)
manpages: Add BUGS section to let people know how to contact us
Makefile: Allow to preset all CFLAGS and LDFLAGS variables
tools: Consistently use snprintf instead of sprintf
Restrict addresses 0x03-0x07, too (defined by I2C standard)
decode-dimms: Print SPD revision for DDR3 too
Print primary bus width for DDR3 and DDR4
List ee1004 as a candidate driver
Display MAC for DDR3
Add MAC abbreviation for DDR4
Round DDR4 speed properly
Detect and report truncated input files
Print kernel driver used
Print DDR memory speed in MT/s
Add DDR5 memory types
Decode manufacturing data for LPDDR3
Fix the version string
Point the user to the right drivers
Update the list of vendors to Jedec JEP106BB
decode-vaio: Add support for the at24 driver
Scan more i2c buses
i2cset: Fix short writes with mask
i2ctransfer: Mention '-a' everywhere in the manpage
Support messages using I2C_M_RECV_LEN
Add check for returned length from driver
i2c-stub-from-dump: Read dumps from hexdump -C
library: Add a manual page to document the API
4.1 (2018-11-30)
Makefile: Make STRIP, DESTDIR and PREFIX overridable
tools: Fix potential buffer overflows in i2cbusses
Fix build race
Allow usage of reserved addresses with the '-a' flag
decode-dimms: Add preliminary DDR4 support
Decode size and timings of DDR4
Decode misc parameters of DDR4
Decode physical characteristics of DDR4
Documentation update for DDR4
Verify the CRC of DDR4 data block 1
Update manufacturer IDs (JEP106AX)
eeprog: Fix ambiguous parentheses
Fix build race
i2ctransfer: Rename option '-f' to '-a' for consistency
i2c-dev.h: Delete
library: Fix build race
Allow disabling the dynamic flavor
Mention the correct license in source files
py-smbus: Fix i2c_smbus_* error propagation
4.0 (2017-10-30)
tools: Fix build with recent compilers (gcc 4.6+)
Add examples to the manual pages
README: Clarify licenses
Mention the current maintainer
decode-dimms: Decode module configuration type of DDR2 SDRAM
Decode bus width extension of DDR3 SDRAM
Don't choke when no EEPROM is found
Don't make columns larger than they need to be
Make side-by-side output more robust
Print module organization of DDR SDRAM
Merge cells by default in side-by-side output
Print extra timing values of DDR SDRAM
Print DDR and DDR2 core timings for all supported CAS values
Print DDR2 equivalent speed of tCK max
Don't print undefined DDR2 SDRAM timings
Print SDR, DDR, DDR2, DDR3 core timings for all standard speeds
Update manufacturer IDs
Make DDR3 manufacturer count parity error non-fatal
Strip former manufacturer name in side-by-side output mode
Remove duplicate "ns" in SDR timings
Add section headers for SDR modules
Fix decoding of SDR SPD revision
Prevent hang on reserved DDR3 module type
Decode more DDR3 module types
Fix DDR3 tRAS decoding
Fix DDR3 core timings rounding
Round down PC3 numbers to comply with Jedec
Don't print the DDR3 time bases
Decode the FTB fields of DDR3 tCk, tAA, tRCD, tRP and tRC
Fix speed and PC3 number of high-speed DDR3 modules
Decode DDR3 reference card revision
Print width of all known DDR3 module types
Print physical characteristics for all DDR3 module types
Don't print raw SSTE32882 register values
Add support for Load Reduced DIMM (LRDIMM) DDR3 modules
Fully decode the DDR3 SDRAM Device Type field
Fix DDR3 extended temp range refresh rate decoding
Encode "degrees" to HTML degree symbol
Generate XHTML 1.1 compliant markup
Add a manual page
Correctly check for out-of-bounds vendor ID
Update manufacturer IDs (JEP106AQ)
decode-vaio: Add a manual page
eeprog: Add a manual page
Moved to a separate subdirectory
Increase delay after writes
eeprom: Add a manual page
Marked as deprecated
eepromer: Add a manual page
Marked as deprecated
i2cdetect: Do a best effort detection if functionality is missing
Clarify the SMBus commands used for probing by default
i2ctransfer: New tool to send user-defined I2C messages in one transfer
i2c-dev.h: Minimize differences with kernel flavor
Move SMBus helper functions to include/i2c/smbus.h
i2c-stub-from-dump: Be more tolerant on input dump format
library: New libi2c library
Properly propagate real error codes on read errors
Use I2C_SMBUS_BLOCK_MAX instead of hard-coding 32
lib/smbus.c: Add missing include which was causing a build error
py-smbus: Fix module level docs
Add support for python 3
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 9 Jul 2022 12:37:23 +0000 (12:37 +0000)]
util-linux: Do not ship broken symlink "/usr/bin/x86_64"
This file points to /usr/bin/setarch, which we do not ship on any
architecture. As it serves no obvious purpose on IPFire installations,
we may as well not ship it entirely.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Peter Müller [Sat, 9 Jul 2022 15:00:19 +0000 (15:00 +0000)]
Core Update 170: Ship screen
Apparently, screen 4.8.0 was never shipped with any Core Update. To
ensure no stale files are left, delete any /usr/bin/screen-4.* binary,
as they will be replaced by the up-to-date version immediately
afterwards.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 9 Jul 2022 13:57:31 +0000 (13:57 +0000)]
screen: Update to 4.9.0
Full changelog as per https://savannah.gnu.org/forum/forum.php?forum_id=10107:
New in this release:
* Hardstatus option for used encoding (escape string '%e')
* OpenBSD uses native openpty() from its utils.h
* Fixes:
- fix combining char handling that could lead to a segfault
- CVE-2021-26937: possible denial of service via a crafted UTF-8 character sequence (bug #60030)
- make screen exit code be 0 when checking --help
- session names limit is 80 symbols (bug #61534)
- option -X ignores specified user in multiuser env (bug #37437)
- a lot of reformations/fixes/cleanups (man page and source code)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Grant Grundler (2):
lsusb: remove unused RETRIES constant
lsusb: don't complain on EAGAIN
Greg Kroah-Hartman (10):
sysfs: add copyright notice taken from name.*
LICENSES: add symlink to handle "or-later" issue for GPL-2.0
LICENSES: put spdx headers on the license files
rename "GPL-2.0+" to "GPL-2.0-or-later"
LICENSE: rename GPL-3.0.txt -> GPL-3.0-only.txt
usbhid-dump.8.in: add copyright information
.gitignore: add copyright and SPDX info
usbhid-dump: add copyright and SPDX info
SPDX header cleanups from GPL-2.0 -> GPL-2.0-only
usbutils.spdx: update with output of latest reuse tool
Jonathan Neuschäfer (2):
lsusb: Fix spelling of bEndpointAddress in UVC
lsusb: Decode endpoint addresses in UVC
Lukas Zaoral (3):
lsusb.c: fix leak in dump_printer_device
usb-devices: do not use `local` in a POSIX shell script
desc-defs.c: fix possible out-of-bound read
Matthias Braun (1):
Fix typos in lsusb.8.in
Ruslan Kabatsayev (5):
Fix locating endpoint when it's a directory rather than a symlink
Fix formatting of interface descriptors to match /sys/kernel/debug/usb/devices
Fix formatting of endpoint direction to match /sys/kernel/debug/usb/devices
Fix formatting of endpoint type to match /sys/kernel/debug/usb/devices
Fix formatting of max endpoint packet size to match /sys/kernel/debug/usb/devices
Thomas Hebb (1):
lsusb: Fix buffer size copy/paste error
Adolf Belka [Fri, 8 Jul 2022 20:55:11 +0000 (22:55 +0200)]
iperf: Update to version 2.1.7
- Update from version 2.0.14a to 2.1.7
- Update of rootfile not required
- Changelog
2.1.7 (as of April 5th, 2022)
o Support for tcp bounceback test
o Code clean up
o Regression fixes (see git-log)
2.1.6
o Fix to major 2.1.5 regeressions
2.1.5 change set as of (December 3, 2021)
o fix some HAVE_IPV6 conditional changes
o fix SO_TIMEOUT regressiony
o ren sockets.c to socket_io.c
o fix compile breakage per abs() returning an int instead of float
o support for gettcpinfo on Mac OS X (tested on both M1 and x86 silicon)
o move setsock_blocking from sockets into PerfSocket.cpp
o don't require -V for v6, instead try v6 when v4 hostname lookup fails, client only
o add assert in writen
o add tcp RTT variance to client output
o use setsockopt to get the nagle status
o show Nagle and TOS settings on client
o more on connect-only testing
o sample and output the initial rtt and cwnd in the connect report
o fix multiple fullduplex regressions
o fix for HAVE_TCP_STATS in configure, then linux compile
o writen can have more than one write, fix accounting when this occurs
o fix tos with --reverse and --full-duplex
o add support for --tos-override <value> on server
o add support for --tcp-drain, add mmm stats, histograms - experimental feature
o multiple man page updates
o fix partial histogram print to not show (f)
o some new scripts in python flows
o fixes to incr-srcport
o fixes for --incr-dstport
o fix regression on very first UDP packet having transit latency of zero
o fix --reverse and --isochronous when --trip-times not set
o fix client_init regression, pull out tcp_shutdown
o fix reporter startup race and one second delay by setting the threads ready predicate and issuing the signal under a lock
o fix first send accounting for small -n
o fix configure.ac to use '=' instead of '=='
2.1.4 change set as of (August 12, 2021)
o fix TCP isoch regression
o fix regression in UDP header exchange for tests like --reverse
o Add support for TCP_NOTSENT_LOWAT vi --tcp-write-prefetch and select() before write()
o Add support for TCP_WINDOW_CLAMP
o Rework recvn() and writen() for when SO_SNDTIMEO and SO_RCVTIMEO are enabled
o Add support for --histograms on select with --tcp-write-prefetch
o Add support for bind to device on the listener, i.e. iperf -s -i 1 -e -B 0.0.0.0%eth0, will only accept/receive on the eth0 interface
o Add support for virtual/tap interfaces
o Add support for --hide-ips (don't show the ip addresses in the report outputs)
o Fix units of -pps with --reverse, --fullduplex, -r and -d
o Remove use of MSG_PEEK by moving the mBuf buffer from client/server object to settings context
o Use MSG_WAITALL in recvn (collided with MSG_PEEK on Windows)
2.1.3 change set as of (July 13, 2021)
o relax cli errors a bit to WARN instead of ERROR
o fix TCP read fatal error macro
o fix UDP server to not fatal error on EINTR, use macro
o handle and warn on failed read of tcp test flags
o redesign of tcp retry (2.1.2 fix was incomplete)
o thread exit signals reporter thread condition var for timely exits of the tool
2.1.2 change set (as of June 25th, 2021)
o fix TCP retry regression per interval reporting
2.1.1 change set (as of June 23rd, 2021)
o isochronous bug fix
o -P and -B src port will increment for unique quintuple
o support for port ranges, e.g. -p 6000-6008
o double free fix per memory corruption when -l is less than 244
o don't use pthread_join on the client --reverse, symptom hung client
o fixes for --trip-times and small 64 byte packets
o udp fail on reverse should exit
o support for low duty cycle bursts (--burst-period and --burst-size)
o final report fixes
o full duplex ouput fixex
o support for --incr-scrip
o multicast setsockopt fixes
2.1.0 change set (as of January 5th, 2021)
o scaling improvements for -P, i.e. improved support for large numbers of traffic threads
o major code refactoring (see doc/DESIGN_NOTES) for maintainability, extensibilty, performance, scaling, memory usage
o support for full duplex traffic using --full-duplex
o support for reverse traffic using --reverse
o support for role-reversal character of asterisk in the transfer id
o transfer id now an incrementing integer and no longer the socket id
o support for TCP connect only tests with --connect-only
o isochronous support compiled in by default, must use config to disable
o support --isochronous for both UDP or TCP traffic to simulate video streams
o support for low duty cycle traffic patterns via --burst-period and --burst-size
o use of clock_nanosleep when supported to schedule isochronous burst starts, otherwise use nanosleep delay
o support for --trip-times indicating the client and server clocks are synchronized to an accuracy sufficient, note: consider the use of precision time protocol as well as ask your data center to provide access to a GPS disciplined reference time source
o support for --trip-times with -d and -r bidirectional tests
o output TCP connect times (3WHS) in connect reports
o support for application level tcp connect retries via --connect-retries n
o rate-limited options of -b and --fq-rate supported for unidirectional, full duplex and reverse traffic
o reporter thread designed to automatically cause packet reports to aggregate - mitigating and hopefully removing thread thrashing
o support for frame or burst based reporting or sampling vs time based via -i [f|F] (experimental)
o support for UDP traffic only from client to server with --no-udp-fin
o support for write to read latencies (UDP and TCP) with --trip-times
o support for sum only outputs with --sum-only
o support for little's law calculations in --trip-time outputs
o support for --txstart-time <epoch-time> to schedule client traffic start, timestamp support microseconds, e.g. unix $(expr $(date +%s) + 1).$(date +%N)
o support for --txdelay-time to insert delay between TCP three way handshake (3WHS) and data transfer
o support for --no-connect-sync which disables transmit traffic start synchronization when -P is used, defaults to synchronized
o option of --full-duplex implementation uses a barrier on the client side to synchronize full duplex traffic
o no limits to group sum reports, i.e. all clients will get its own sum report per a server
o improved report timestamps, e.g. end to end or client and server based timestamps with --trip-times
o improved settings messaging
o improved messaging for --tcp-congestion or -Z
o re-implemented -U for single UDP server with minimal threading interactions
o re-implemented -1 or --singleclient where server will serialize traffic runs
o warning message if the test were likely CPU bound instead of network i/o bound
o fix the case when -P <value> is set on the server such that summing output is displayed
o multicast listener will autoset -U (single server), e.g -P > 1 not supported for multicast
o multicast listener no longer busy drops multicast packets during traffic test, i.e. only server thread receives them
o immediate bail out on mutually exclusive command line options
o getaddrinfo bug with -static linkage workaround and DNS lookup one time in setttings context vs twice in Settings and client traffic thread
o fix -o or --output using freopen to redirect stdout and stderr to a file
o support for --local-only which sets SO_DONTROUTE on a socket to limit traffic to local hosts (default is off)
o support compile time option of --local-only to set on by default via ./configure --enable-default-localonly
o support for date and time of in connect messages,
e.g. [ 0] local 192.168.1.108%eth0 port 5001 connected with 192.168.1.62 port 36724 (MSS=453) (sock=5) on 2020-12-22 19:43:42 (PST)
o support for feature of --permit-key and permit-key-timeout (defaults to 20 seconds.) The permit-key must match for the server to accpet the client's traffic. It also sets the transfer id. TCP only.
o support for experimental feature of --near-congestion (tcp only)
o man page updates with examples
o tested with 1000's of traffic streams, WiFi, 10G and 100G
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 8 Jul 2022 20:54:59 +0000 (22:54 +0200)]
htop: Update to version 3.2.1
- Update from version 3.1.2 to 3.2.1
- Update of rootfile not required
- Changelog
What's new in version 3.2.1
* Fix setting to show all branches collapsed by default
* Restore functionality of stripExeFromCmdline setting
* Fix some command line display settings not being honored without restart
* Display single digit precision for CPU% greater than 99.9%
* On Linux, FreeBSD and PCP consider only shrinkable ZFS ARC as cache
* On Linux, increase field width of CPUD% and SWAPD% columns
* Colorize process state characters in help screen
* Use mousemask(3X) to enable and disable mouse control
* Fix heap buffer overflow in Vector_compact
* On Solaris, fix a process time scaling error
* On Solaris, fix the build
* On NetBSD, OpenBSD and Solaris ensure env buffer size is sufficient
* On Linux, resolve processes exiting interfering with sampling
* Fix ProcessList quadratic removal when scanning processes
* Under LXC, limit CPU count to that given by /proc/cpuinfo
* Improve container detection for LXC
* Some minor documentation fixes
What's new in version 3.2.0
* Support for displaying multiple tabs in the user interface
* Allow multiple filter and search terms (logical OR, separate by "|")
* Set correct default sorting direction (defaultSortDesc)
* Improve performance for process lookup and update
* Rework the IOMeters initial display
* Removed duplicate sections on COMM and EXE
* Highlight process UNINTERRUPTIBLE_WAIT state (D)
* Show only integer value when CPU% more than 99.9%
* Handle rounding ambiguity between 99.9 and 100.0%
* No longer leaves empty the last column in header
* Fix header layout and meters reset if a header column is empty
* Fix PID and UID column widths off-by-one error
* On Linux, read generic sysfs batteries
* On Linux, do not collect LRS per thread (it is process-wide)
* On Linux, dynamically adjust the SECATTR and CGROUP column widths
* On Linux, fix a crash in LXD
* On FreeBSD, add support for showing process emulation
* On Darwin, lazily set process TTY name
* Always set SIGCHLD to default handling
* Avoid zombie processes on signal races
* Ensure last line is cleared when SIGINT is received
* Instead of SIGTERM, pre-select the last sent signal
* Internal Hashtable performance and sizing improvements
* Add heuristics for guessing LXC or Docker from /proc/1/mounts
* Force elapsed time display to zero if process started in the future
* Avoid extremely large year values when printing time
* Fix division by zero when calculating IO rates
* Fix out of boundary writes in XUtils
* Fix custom thread name display issue
* Use AC_CANONICAL_HOST, not AC_CANONICAL_TARGET in configure.ac
* Support libunwind of LLVM
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 8 Jul 2022 20:54:42 +0000 (22:54 +0200)]
harfbuzz: Update to version 4.4.1
- Update from version 4.2.0 to 4.4.1
- Update of rootfile
- Changelog
Overview of changes leading to 4.4.1
- Fix test failure with some compilers.
- Fix Telugu and Kannada kerning regression.
Overview of changes leading to 4.4.0
- Caching of variable fonts shaping, in particular when using HarfBuzz’s own
font loading functions (ot). Bringing performance of variable shaping in par
with non-variable fonts shaping. (Behdad Esfahbod)
- Caching of format 2 “Contextual Substitution” and “Chained Contexts
Substitution” lookups. Resulting in up to 20% speedup of lookup-heavy fonts
like Gulzar or Noto Nastaliq Urdu. (Behdad Esfahbod)
- Improved ANSI output from hb-view. (Behdad Esfahbod)
- Support for shaping legacy, pre-OpenType Windows 3.1-era, Arabic fonts that
relied on a fixed PUA encoding. (Khaled Hosny, Behdad Esfahbod)
- Sinhala script is now shaped by the USE shaper instead of “indic” one.
(Behdad Esfahbod, David Corbett)
- Thai shaper improvements. (David Corbett)
- hb-ot-name API supports approximate BCP-47 language matching, for example
asking for “en_US” in a font that has only “en” names will return them.
(Behdad Esfahbod)
- Optimized TrueType glyph shape loading. (Behdad Esfahbod)
- Fix subsetting of HarfBuzz faces created via hb_face_create_for_tables().
(Garret Rieger)
- Add 32 bit var store support to the subsetter. (Garret Rieger)
- New API
+HB_BUFFER_FLAG_DEFINED
+HB_BUFFER_SERIALIZE_FLAG_DEFINED
+hb_font_changed()
+hb_font_get_serial()
+hb_ft_hb_font_changed()
+hb_set_hash()
+hb_map_copy()
+hb_map_hash()
Overview of changes leading to 4.3.0
- Major speed up in loading and subsetting fonts, especially in
handling CFF table. Subsetting some fonts is now 3 times faster.
(Behdad Esfahbod, Garret Rieger)
- Speed up blending CFF2 table. (Behdad Esfahbod)
- Speed up hb_ot_tags_from_language(). (Behdad Esfahbod, David Corbett)
- Fix USE classification of U+10A38 to fix multiple marks on single Kharoshthi
base. (David Corbett)
- Fix parsing of empty CFF Index. (Behdad Esfahbod)
- Fix subsetting CPAL table with partial palette overlaps. (Garret Rieger)
- New API
+hb_map_is_equal() (Behdad Esfahbod)
Overview of changes leading to 4.2.1
- Make sure hb_blob_create_from_file_or_fail() always returns nullptr in case
of failure and not empty blob sometimes. (Khaled Hosny)
- Add --passthrough-tables option to hb-subset. (Cosimo Lupo)
- Reinstate a pause after basic features in Khmer shaper, fixing a regression
introduced in previous release. (Behdad Esfahbod)
- Better handling of Regional_Indicator when shaped with RTL-native scripts,
reverting earlier fix that caused regressions in AAT shaping. (Behdad Esfahbod)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 8 Jul 2022 20:54:31 +0000 (22:54 +0200)]
haproxy: Update to version 2.6.0
- Update to version 2.6.0 from 2.5.5
- Update of rootfile not required
- Changelog is too large to include here (approx 1700 lines). For details see the ChangeLog
file in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 8 Jul 2022 20:54:16 +0000 (22:54 +0200)]
gutenprint: Update to version 5.3.4
- Update frpm version 5.2.9 (2012) to 5.3.4
- Update of rootfile
- find-dependencies run on sobumped libs. No dependencies found on old sobumped versions
only on the new versions.
- Changelog is too large to include here (approx 1700 lines). For details of changes see
the ChangeLog file in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 8 Jul 2022 20:54:03 +0000 (22:54 +0200)]
gptfdisk: Update to version 1.0.9
- Update from version 1.0.8 to 1.0.9
- No rootfile required
- Changelog
1.0.9 (4/14/2022):
- Removed stray debugging code that caused "partNum is {x}" to be printed
when changing a partition's name with sgdisk (-c/--change-name).
- Added support for aligning partitions' end points, as well as their start
points. This support affects the default partition size when using 'n' in
gdisk; it affects the default partition size in cgdisk; and it's activated
by the new '-I' option in sgdisk. See the programs' respective man pages
for details. This feature is intended to help with LUKS2 encryption, which
reacts badly to partitions that are not sized as exact multiples of the
encryption block size.
- Added check for too-small disks (most likely to be an issue when trying
to use a too-small disk image); program now aborts if this happens.
- Added the ability to build sgdisk and cgdisk for Windows.
- Added new type codes:
* FreeBSD nandfs (0xa506)
* Apple APFS Pre-Boot (0xaf0b)
* Apple APFS Recovery (0xaf0c)
* ChromeOS firmware (0x7f03)
* ChromeOS mini-OS (0x7f04)
* ChromeOS hibernate (0x7f05)
* U-Boot boot loader (0xb000)
* 27 (!) codes for Fuchsia (0xf100 to 0xf11a)
- Fixed build problems with recent versions of ncurses.
- Fixed bug that caused cgdisk to report incorrect partition attributes.
- Consolidated Makefiles for Linux, FreeBSD, Solaris, macOS, and Windows
(32- and 64-bit). The old OS-specific Makefiles remain in case the new
consolidated Makefile has problems, but the old ones are deprecated.
(The Solaris support in the new Makefile is untested.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 8 Jul 2022 20:53:43 +0000 (22:53 +0200)]
gnutls: Update to version 3.7.6
- Update from version 3.6.16 to 3.7.6
- Update of rootfile
- find-dependencies run on sobump libs. No dependencies flagged for the old or new libs
- Changelog
* Version 3.7.6 (released 2022-05-27)
** libgnutls: Fixed invalid write when gnutls_realloc_zero()
is called with new_size < old_size. This bug caused heap
corruption when gnutls_realloc_zero() has been set as gmp
reallocfunc (!1592, #1367, #1368, #1369).
** API and ABI modifications:
No changes since last version.
* Version 3.7.5 (released 2022-05-15)
** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority
modifier have been added to disable session ticket usage in TLS 1.2 because
it does not provide forward secrecy (#477). On the other hand, since session
tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now
only disables session tickets in TLS 1.2. Future backward incompatibility:
in the next major release of GnuTLS, we plan to remove those flag and
modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2.
** gnutls-cli, gnutls-serv: Channel binding for printing information
has been changed from tls-unique to tls-exporter as tls-unique is
not supported in TLS 1.3.
** libgnutls: Certificate sanity checks has been enhanced to make
gnutls more RFC 5280 compliant (!1583).
Following changes were included:
- critical extensions are parsed when loading x509
certificate to prohibit any random octet strings.
Requires strict-x509 configure option to be enabled
- garbage bits in Key Usage extension are prohibited
- empty DirectoryStrings in Distinguished name structures
of Issuer and Subject name are prohibited
** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
According to the section 2 of SP800-131A Rev.2, 3DES algorithm
will be disallowed for encryption after December 31, 2023:
https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312).
The existing AEAD API that works in a scatter-gather fashion
(gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC.
For further optimization, new function (gnutls_aead_cipher_set_key) has been
added to set key on the existing AEAD handle without re-allocation.
** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
when used in TLS (#1311).
** The configure arguments for Brotli and Zstandard (zstd) support
have changed to reflect the previous help text: they are now
--with-brotli/--with-zstd respectively (#1342).
** Detecting the Zstandard (zstd) library in configure has been
fixed (#1343).
** API and ABI modifications:
GNUTLS_NO_TICKETS_TLS12: New flag
gnutls_aead_cipher_set_key: New function
* Version 3.7.4 (released 2022-03-17)
** libgnutls: Added support for certificate compression as defined in RFC8879
(#1301). New API functions (gnutls_compress_certificate_get_selected_method
and gnutls_compress_certificate_set_methods) allow client and server to set
their preferences.
** certtool: Added option --compress-cert that allows user to specify
compression methods for certificate compression.
** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
option to enforce stricter certificate sanity checks that are compliant with
RFC5280.
** libgnutls: Removed IA5String type from DirectoryString within issuer
and subject name to make DirectoryString RFC5280 compliant.
** libgnutls: Added function (gnutls_record_send_file) to send file content from
open file descriptor (!1486). The implementation is optimized if KTLS (kernel
TLS) is enabled.
** libgnutls: Added function (gnutls_ciphersuite_get) to retrieve the name of
current ciphersuite from TLS session (#1291).
** libgnutls: The run-time dependency on tpm2-tss is now re-implemented using
dlopen, so GnuTLS does not indirectly link to other crypto libraries until
TPM2 functionality is utilized (!1544).
** API and ABI modifications:
GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
gnutls_compress_certificate_get_selected_method: Added
gnutls_compress_certificate_set_methods: Added
gnutls_ciphersuite_get: New function
gnutls_record_send_file: New function
libgnutlsxx: Soname bumped due to ABI breakage introduced in 3.7.1
* Version 3.7.3 (released 2022-01-17)
** libgnutls: The allowlisting configuration mode has been added to the system-wide
settings. In this mode, all the algorithms are initially marked as insecure
or disabled, while the applications can re-enable them either through the
[overrides] section of the configuration file or the new API (#1172).
** The build infrastructure no longer depends on GNU AutoGen for generating
command-line option handling, template file parsing in certtool, and
documentation generation (#773, #774). This change also removes run-time or
bundled dependency on the libopts library, and requires Python 3.6 or later
to regenerate the distribution tarball.
Note that this brings in known backward incompatibility in command-line
tools, such as long options are now case sensitive, while previously they
were treated in a case insensitive manner: for example --RSA is no longer a
valid option of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
used as a gnutls_privkey_t (#594). The code was originally written for the
OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
** libgnutls: The library now transparently enables Linux KTLS
(kernel TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls back
to the user space implementation.
** certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
** certtool: The certtool command can now generate, manipulate, and evaluate
x25519 and x448 public keys, private keys, and certificates.
** libgnutls: Disabling a hashing algorithm through "insecure-hash"
configuration directive now also disables TLS ciphersuites that use it as a
PRF algorithm.
** libgnutls: PKCS#12 files are now created with modern algorithms by default
(!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with
PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
default PBKDF2 iteration count has been increased to 600000.
** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
conform with the latest TC-26 requirements (#1225).
** libgnutls: The library now provides a means to report the status of approved
cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this
complements the existing mechanism to prohibit the use of unapproved
algorithms by making the library unusable state.
** gnutls-cli: The gnutls-cli command now provides a --list-config option to
print the library configuration (!1508).
** libgnutls: Fixed possible race condition in
gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low]
** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function
* Version 3.7.2 (released 2021-05-29)
** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
to disable TLS 1.3 middlebox compatibility mode
** libgnutls: The Linux kernel AF_ALG based acceleration has been added.
This can be enabled with --enable-afalg configure option, when libkcapi
package is installed (#308).
** libgnutls: Fixed timing of early data exchange. Previously, the client was
sending early data after receiving Server Hello, which not only negates the
benefit of 0-RTT, but also works under certain assumptions hold (e.g., the
same ciphersuite is selected in initial and resumption handshake) (#1146).
** certtool: When signing a CSR, CRL distribution point (CDP) is no longer
copied from the signing CA by default (#1126).
** libgnutls: The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now
deprecated and will be removed in the future releases.
** certtool: When producing certificates and certificate requests, subject DN
components that are provided individually will now be ordered by
assumed scale (e.g. Country before State, Organization before
OrganizationalUnit). This change also affects the order in which
certtool prompts interactively. Please rely on the template
mechanism for automated use of certtool! (#1243)
** API and ABI modifications:
gnutls_early_cipher_get: Added
gnutls_early_prf_hash_get: Added
** guile: Writes to a session record port no longer throw an exception upon
GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
* Version 3.7.1 (released 2021-03-10)
** libgnutls: Fixed potential use-after-free in sending "key_share"
and "pre_shared_key" extensions. When sending those extensions, the
client may dereference a pointer no longer valid after
realloc. This happens only when the client sends a large Client
Hello message, e.g., when HRR is sent in a resumed session
previously negotiated large FFDHE parameters, because the initial
allocation of the buffer is large enough without having to call
realloc (#1151). [GNUTLS-SA-2021-03-10, CVSS: low]
** libgnutls: Fixed a regression in handling duplicated certs in a
chain (#1131).
** libgnutls: Fixed sending of session ID in TLS 1.3 middlebox
compatibiltiy mode. In that mode the client shall always send a
non-zero session ID to make the handshake resemble the TLS 1.2
resumption; this was not true in the previous versions (#1074).
** libgnutls: W32 performance improvement with a new sendmsg()-like
transport implementation (!1377).
** libgnutls: Removed dependency on the external 'fipscheck' package,
when compiled with --enable-fips140-mode (#1101).
** libgnutls: Added padlock acceleration for AES-192-CBC (#1004).
** API and ABI modifications:
No changes since last version.
* Version 3.7.0 (released 2020-12-02)
** libgnutls: Depend on nettle 3.6 (!1322).
** libgnutls: Added a new API that provides a callback function to
retrieve missing certificates from incomplete certificate chains
(#202, #968, #1100).
** libgnutls: Added a new API that provides a callback function to
output the complete path to the trusted root during certificate
chain verification (#1012).
** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
terminating null bytes, while the data field is null terminated.
The affected API functions are: gnutls_ocsp_req_get_extension,
gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
(#805).
** libgnutls: Added a new set of API to enable QUIC implementation (#826, #849,
#850).
** libgnutls: The crypto implementation override APIs deprecated in 3.6.9 are
now no-op (#790).
** libgnutls: Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161).
** libgnutls: Support for padlock has been fixed to make it work with Zhaoxin
CPU (#1079).
** libgnutls: The maximum PIN length for PKCS #11 has been increased from 31
bytes to 255 bytes (#932).
** API and ABI modifications:
gnutls_x509_trust_list_set_getissuer_function: Added
gnutls_x509_trust_list_get_ptr: Added
gnutls_x509_trust_list_set_ptr: Added
gnutls_session_set_verify_output_function: Added
gnutls_record_encryption_level_t: New enum
gnutls_handshake_read_func: New callback type
gnutls_handshake_set_read_function: New function
gnutls_handshake_write: New function
gnutls_handshake_secret_func: New callback type
gnutls_handshake_set_secret_function: New function
gnutls_alert_read_func: New callback type
gnutls_alert_set_read_function: New function
gnutls_crypto_register_cipher: Deprecated; no-op
gnutls_crypto_register_aead_cipher: Deprecated; no-op
gnutls_crypto_register_mac: Deprecated; no-op
gnutls_crypto_register_digest: Deprecated; no-op
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 7 Jul 2022 19:40:18 +0000 (21:40 +0200)]
openssl: Update to version 1.1.1q
- Update from version 1.1.1p to 1.1.1q
- Update of rootfile not required
- Changelog
Changes between 1.1.1p and 1.1.1q [5 Jul 2022]
(CVE-2022-2097) Severity: Moderate
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation would not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sun, 8 May 2022 13:15:18 +0000 (15:15 +0200)]
rules.pl: Do not check private networks against ipblocklists.
In case some of these private networks are part of an used blocklist
this kind of traffic needs to be allowed. Otherwise some services may
not work properly.
For example:
In case one ore more IPSec N2N connections are configured no traffic can
be passed through it, if the used networks are part of an blocklist.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Mon, 2 May 2022 18:52:42 +0000 (20:52 +0200)]
rules.pl: Flush ipblocklist DROP chains.
Flush the DROP chains of the blocklist chains while reloading the
firewall. Otherwise the log rules will stay even if logging has been
disabled in the meantime.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tim FitzGeorge [Tue, 5 Apr 2022 03:29:03 +0000 (05:29 +0200)]
ipblocklist-sources: New package.
Placing the ipblocklist sources file as an own package, easily
allows to update this single file during a core update and to
keep the vendor details for the blocklists up-to-date.
Signed-off-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sat, 5 Mar 2022 09:01:24 +0000 (10:01 +0100)]
ipblocklist-functions.pl: Abort and return code if a list is empty or
not parse-able.
In case the downloaded list is empty or the parser is not able to parse
it properly, the download_and_create_blocklist() function now exits and
will return "empty_list" as new error code.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
This function is responisible for downloading and converting the
blocklist into an ipset compatible format.
The only required argument is the blocklist (in upper letter format) which should be
performed. It automatically will setup an upstream proxy (if configured)
and grab the file specified in the blocklist vendor configuration hash.
There is a maximum amount of five attempts until the script gives up and
returns a "dl_error". In case the server responses with "Not Modified"
(Code 304) a "not_modified" will be returned.
If the blocklist successfully has been grabbed, the modification date
get stored for further purposes and the list content will be converted
and stored in an ipset compatible format.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Inspired-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>