Adolf Belka [Tue, 23 Jan 2024 11:26:45 +0000 (12:26 +0100)]
pam: Update to version 1.6.0
- Update from version 1.5.3 to 1.6.0
- Update of rootfile
- A build bug was found with 1.6.0 if --enable-read-both-confs was set in the configure.
A commit fixing this has been released and converted into a patch for IPFire. This
will end up in the next pam release version and the IPFire patch can then be removed.
- Changelog
1.6.0
* Added support of configuration files with arbitrarily long lines.
* build: fixed build outside of the source tree.
* libpam: added use of getrandom(2) as a source of randomness if available.
* libpam: fixed calculation of fail delay with very long delays.
* libpam: fixed potential infinite recursion with includes.
* libpam: implemented string to number conversions validation when parsing
controls in configuration.
* pam_access: added quiet_log option.
* pam_access: fixed truncation of very long group names.
* pam_canonicalize_user: new module to canonicalize user name.
* pam_echo: fixed file handling to prevent overflows and short reads.
* pam_env: added support of '\' character in environment variable values.
* pam_exec: allowed expose_authtok for password PAM_TYPE.
* pam_exec: fixed stack overflow with binary output of programs.
* pam_faildelay: implemented parameter ranges validation.
* pam_listfile: changed to treat \r and \n exactly the same in configuration.
* pam_mkhomedir: hardened directory creation against timing attacks.
Please note that using *at functions leads to more open file handles
during creation.
* pam_namespace: fixed potential local DoS (CVE-2024-22365).
* pam_nologin: fixed file handling to prevent short reads.
* pam_pwhistory: helper binary is now built only if SELinux support is enabled.
* pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
* pam_shells: changed to allow shell entries with absolute paths only.
* pam_succeed_if: fixed treating empty strings as numerical value 0.
* pam_unix: added support of disabled password aging.
* pam_unix: synchronized password aging with shadow.
* pam_unix: implemented string to number conversions validation.
* pam_unix: fixed truncation of very long user names.
* pam_unix: corrected rounds retrieval for configured encryption method.
* pam_unix: implemented reliable usernames handling when remembering passwords.
* pam_unix: changed to always run the helper to obtain shadow password entries.
* pam_unix: unix_update helper binary is now built only if SELinux support
is enabled.
* pam_unix: added audit support to unix_update helper.
* pam_userdb: added gdbm support.
* Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:44 +0000 (12:26 +0100)]
lvm2: Update to version 2.03.23
- Update from version 2.03.22 to 2.03.23
- Update of rootfile not required
- Changelog
2.03.23
Set the first lv_attr flag for raid integrity images to i or I.
Add -A option for pvs and pvscan to show PVs outside devices file.
Improve searched_devnames temp file usage to prevent redundant scanning.
Change default search_for_devnames from auto to all.
Add lvmdevices --refresh to search for missing PVIDs on all devices.
Add comparison between old and new entries in lvmdevices --check.
Fix device_id matching order - match non-devname first.
Fix "lvconvert -m 0" when there is other than first in-sync leg.
Use system.devices as default for dmeventd when dmeventd.devices is undefined.
Accept WWIDs containing QEMU HARDDISK for device_id.
Improve handling of non-standard WWID prefixes used for device_id.
Configure automatically enables cmdlib for dmeventd and notify-dbus for dbus.
Fix hint calculation for pools with zero or error segment.
Configure supports --disable-shared to build only static binaries.
Configure supports --without-{blkid|systemd|udev} for easier static build.
Refresh device ids if the system changes.
Fix pvmove when specifying raid components as moved LVs.
Enhance error detection for lvm_import_vdo.
Support PV lists with thin lvconvert.
Fix support for lvm_import_vdo with SCSI VDO volumes.
Fix locking issue leading to hanging concurrent vgchange --refresh.
Recognize lvm.conf report/headings=2 for full column names in report headings.
Add --headings none|abbrev|full cmd line option to set report headings type.
Fix conversion to thin pool using lvmlockd.
Fix conversion from thick into thin volume using lvmlockd.
Require writable LV for conversion to vdo pool.
Fix return value from lvconvert integrity remove.
Preserve UUID for pool metadata spare.
Preserve UUID for swapped pool metadata.
Rewrite validation of device name entries used as device_id.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:43 +0000 (12:26 +0100)]
libidn: Update to version 1.42
- Update from version 1.41 to 1.42
- Update of rootfile
- Changelog
1.42
** Bump required gettext version to 0.19.8 for musl-libc.
** Compiler warning improvements.
As before, compiler warnings are enabled by default. You may disable
them using ./configure --disable-gcc-warnings or turn them into fatal
errors using ./configure --enable-gcc-warnings=error to add -Werror
and sensible -Wno-error='s. Based on gnulib's manywarnings, see
<https://www.gnu.org/software/gnulib//manual/html_node/manywarnings.html>.
** Fix type confusion on LLP64/Windows platforms.
While libidn has worked using cygwin libc, it has never worked on
ucrt/msvcrt libc. Report and tiny patch by Francesco Pretto in
<https://lists.gnu.org/archive/html/help-libidn/2022-02/msg00000.html>.
** tests: Added script tests/standalone.sh suitable for integrators.
The main purpose is to test a system-installed libidn, suitable for
distributor checking (a'la Debian's autopkgtest/debci). It may also
be used to test a newly built libidn outside the usual 'make check'
infrastructure. To check that your system libidn is working, invoke
the script with `srcdir` as an environment variable indicating where
it can be find the source code for libidn's tests/ directory (it will
use the directory name where the script is by default):
tests/standalone.sh
To check that a newly built static libidn behaves, invoke:
env STANDALONE_CFLAGS="-Ilib lib/.libs/libidn.a"
tests/standalone.sh
To check that a newly built shared libidn behaves, invoke:
env srcdir=tests STANDALONE_CFLAGS="-Ilib -Wl,-rpath
lib/.libs lib/.libs/libidn.so" tests/standalone.sh
If the libidn under testing is too old and has known bugs, that
should cause tests to fail, which is intentional.
** Updated translations.
** Update gnulib files and build fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:41 +0000 (12:26 +0100)]
iproute2: Update to version 6.7.0
- Update from version 6.6.0 to 6.7.0
- Update of rootfile not required
- Changelog only available from git repo commits
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:40 +0000 (12:26 +0100)]
gnutls: Update to version 3.8.3
- Update from version 3.8.2 to 3.8.3
- Update of rootfile
- Changelog
3.8.3
- libgnutls: Fix more timing side-channel inside RSA-PSK key exchange
[GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553]
- libgnutls: Fix assertion failure when verifying a certificate chain with a
cycle of cross signatures
[GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567]
- libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token
certtool was unable to handle Ed25519 keys generated on PKCS#11
with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:39 +0000 (12:26 +0100)]
attr: Update to version 2.5.2
- Update from version 2.5.1 to 2.5.2
- Update of rootfile
- Changelog is no longer updated in the source tarball. Only source for changes is the git
repository commits from https://git.savannah.nongnu.org/cgit/attr.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:31 +0000 (12:40 +0100)]
wavemon: Update to version 0.9.5
- Update from version 0.9.4 to 0.9.5
- Update of rootfile not required
- force-netlink-include-path patch updated due to chganges in file in source tarball
- Changelog
0.9.5
Info Screen:
improve format of percentages (use fixed format rather than auto-format).
Configuration:
fix ncurses support for white backgrounds (#119),
configuration file now either in $XDG_CONFIG_HOME/wavemon/wavemonrc or in
$HOME/.config/wavemon/wavemonrc (#106).
Miscellaneous
avoid including include linux/if.h (#109),
check and set support for C99 standard (#108),
updated README (#107),
configuration file can now be located in XDG_CONFIG_HOME (#105),
added portable implementation of asprintf(3),
updated copied nl80211 header file,
make -Wpedantic the default when building.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:30 +0000 (12:40 +0100)]
transmission: Update to version 4.0.5
- Update from version 4.0.4 to 4.0.5
- Update of rootfile
- Changelog
4.0.5
Highlights
Fixed 4.0.0 bug where the IP address field in UDP announces were not encoded
in network byte order. [BEP-15]. (#6132)
Fixed a bug that incorrectly escaped JSON strings in some locales.
(#6005, #6133)
Fixed 4.0.4 decreased download speeds for people who set a low upload
bandwidth limit. (#6134)
All Platforms
Fixed bug that prevented editing trackers on magnet links. (#5957)
Fixed HTTP tracker announces and scrapes sometimes failing after adding a
torrent file by HTTPS URL. (#5969)
In RPC responses, change the default sort order of torrents to match
Transmission 3.00. (#5604)
Fixed tr_sys_path_copy() behavior on some Synology Devices. (#5974)
macOS Client
Support Sonoma when building from sources. (#6016, #6051)
Fixed early truncation of long group names in groups list. (#6104)
Qt Client
Fix: only append .added suffix to watchdir files. (#5705)
GTK Client
Fixed crash when opening torrent file from "Recently used" section in
GTK 4. (#6131, #6142)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:29 +0000 (12:40 +0100)]
stunnel: Update to version 5.71
- Update from vesrion 5.69 to 5.71
- Update of rootfile not required
- Changelog
5.71, 2023.09.19, urgency: MEDIUM
Security bugfixes
- OpenSSL DLLs updated to version 3.1.3.
Bugfixes
- Fixed the console output of tstunnel.exe.
Features sponsored by SAE IT-systems
- OCSP stapling is requested and verified in the client mode.
- Using "verifyChain" automatically enables OCSP
stapling in the client mode.
- OCSP stapling is always available in the server mode.
- An inconclusive OCSP verification breaks TLS negotiation.
This can be disabled with "OCSPrequire = no".
- Added the "TIMEOUTocsp" option to control the maximum
time allowed for connecting an OCSP responder.
Features
- Added support for Red Hat OpenSSL 3.x patches.
5.70, 2023.07.12, urgency: HIGH
Security bugfixes
- OpenSSL DLLs updated to version 3.0.9.
- OpenSSL FIPS Provider updated to version 3.0.8.
Bugfixes
- Fixed TLS socket EOF handling with OpenSSL 3.x.
This bug caused major interoperability issues between
stunnel built with OpenSSL 3.x and Microsoft's
Schannel Security Support Provider (SSP).
- Fixed reading certificate chains from PKCS#12 files.
Features
- Added configurable delay for the "retry" option.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:28 +0000 (12:40 +0100)]
poppler: Update to version 24.01.0
- Update from version 23.08.0 to 24.01.0
- Update of rootfile
- Changelog
24.01.0:
core:
* Don't crash on certain documents on the NSS signature backend
* Fix infinite loop in some annotation code if there's not space for
even one character
* Fix build on Android with generic font configuration
* Small internal code cleanup
23.12.0:
core:
* Rewrite FoFiType1::parse to be more flexible. Issue #1422
* Small internal code refactoring
23.11.0:
core:
* CairoOutputDev: Use internal downscaling algorithm if image exceeds
Cairo's maximum dimensions.
* Internal code improvements
* Fix crash on malformed files
utils:
* pdftocairo: Add option to document logical structure if output is pdf
* pdftocairo: EPS output should not contain %%PageOrientation
23.10.0:
core:
* cairo: update type 3 fonts for cairo 1.18 api
* Fix crash on malformed files
build system:
* Make a few more dependencies soft-mandatory
* Add more supported gnupg releases
* Check if linker supports version scripts
23.09.0:
core:
* Add Android-specific font matching functionality
* Fix digital signatures for NeedAppearance=true
* Forms: Don't look up same glyph multiple times
* Provide the key location for certificates you can sign with
* Add ToUnicode support for similarequal
* Fix crash on malformed files
qt5:
* Provide the key location for certificates you can sign with
* Allow to force a rasterized overprint preview during PS conversion
qt6:
* Provide the key location for certificates you can sign with
* Allow to force a rasterized overprint preview during PS conversion
pdfsig:
* Provide the key location for certificates you can sign with
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:27 +0000 (12:40 +0100)]
pixman: Update to version 43.0
- Update from versionj 42.2 to 43.0
- Update of rootfile
- Changelog
The NEWS and ChangeLog files in the source tarball are empty.
For details of changes see the commits log
https://cgit.freedesktop.org/pixman/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:26 +0000 (12:40 +0100)]
memtest: Update to version 7.00
- Update from version 6.20 to 7.00
- Update of rootfile not required
- Changelog
7.00
IMC polling for live DRAM settings
Preliminary support for ECC polling
Add support for MMIO UART
Add debugging options
Bug fixes & optimizations
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:25 +0000 (12:40 +0100)]
lshw: Update to version B.02.20
- Update from version B.02.19.2 to B.02.20
- Update of rootfile
- Changelog
B.02.20
bug fixes
code cleanup
For more details see the git repo
https://ezix.org/src/pkg/lshw/compare/B.02.19...B.02.20
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:24 +0000 (12:40 +0100)]
libvirt: Update to version 10.0.0
- Update from version 8.10.0 to 10.0.0
- Update of rootfile
- Changelog is too large to include here. Details can be found in the NEWS.rst file in the
source tarball
CVE-2023-3750 was fixed in version 9.6.0
Fix race condition in storage driver leading to a crash
In **libvirt-8.3** a bug was introduced which in rare cases could cause
``libvirtd`` or ``virtstoraged`` to crash if multiple clients attempted to
look up a storage volume by key, path or target path, while other clients
attempted to access something from the same storage pool.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:23 +0000 (12:40 +0100)]
libtalloc: Update to version 2.4.1
- Update from version 2.3.4 to 2.4.1
- Update of rootfile
- Changelog
2.4.1 (2023-07-20)
No change information available anywhere that I could find
2.4.0 (2023-01-18)
No change information available anywhere that I could find
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:21 +0000 (12:40 +0100)]
haproxy: Update to version 2.9.2
- Update from version 2.8.5 to 2.9.2
- Update of rootfile not required
- Changelog is too large to include here. Details can be found in the CHANGELOG file in the
source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:20 +0000 (12:40 +0100)]
fmt: Update to version 10.2.1
- Update from version 10.0.0 to 10.2.1
- Update of rootfile
- Changelog is a bit too large to include here. Details can be found in ChangeLog.md file
in source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:19 +0000 (12:40 +0100)]
dmidecode: Update to version 3.5
- Update from version 3.3 to 3.5
- Update of rootfile not required
- Two patches no longer required as fixes are now in source tarball
- Changelog
3.5 (Tue Mar 14 2023)
- Decode HPE OEM records 216, 224, 230, 238 and 242.
- Fortify entry point length checks.
- Add a --no-quirks option.
- Drop the CPUID exception list.
- Do not let --dump-bin overwrite an existing file.
- Ensure /dev/mem is a character device file.
- Bug fixes:
Fix segmentation fault in HPE OEM record 240
- Minor improvements:
Typo fixes
Write the whole dump file at once
Fix a build warning when USE_MMAP isn't set
3.4 (Mon Jun 27 2022)
- Support for SMBIOS 3.4.0. This includes new memory device types, new
processor upgrades, new slot types and characteristics, decoding of memory
module extended speed, new system slot types, new processor characteristics
and new format of Processor ID.
- Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS
characteristics, new slot characteristics, new on-board device types, new
pointing device interface types, and a new record type (type 45 -
Firmware Inventory Information).
- Decode HPE OEM records 194, 199, 203, 236, 237, 238 and 240.
- Bug fixes:
Fix OEM vendor name matching
Fix ASCII filtering of strings
Fix crash with option -u
- Minor improvements:
Skip details of uninstalled memory modules
Don't display the raw CPU ID in quiet mode
Improve the formatting of the manual pages
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 Jan 2024 11:40:18 +0000 (12:40 +0100)]
bird: Update to version 2.14
- Update from version 2.0.12 to 2.14
- Update of rootfile not required
- Changelog
2.14 (2023-10-06)
o MPLS subsystem
o L3VPN: BGP/MPLS VPNs (RFC 4364)
o BGP: Access to unknown route attributes
o RAdv: Custom options
o Babel: RTT metric extension
o BMP: Refactored route monitoring
o BMP: Multiple instances of BMP protocol
o BMP: Both pre-policy and post-policy monitoring
o Experimental route aggregation
o Filter: Method framework
o Filter: Functions have return type statements
o Filter: New bytestring data type
o Kernel: Option to learn kernel routes
o Many bugfixes and improvements
Notes:
User-defined filter functions that return values now should have return type
statements. We still accept functions without such statement, if they could be
properly typed.
For loops allowed to use both existing iterator variables or ones defined in
the for statement. We no longer support the first case, all iterator variables
must be defined in the for statement (e.g. 'for int i in bgp_path ...').
Due to oversight, VRF interfaces were not included in respective VRFs, this is
fixed now.
2.13.1 (2023-06-23)
o BGP: Fix role check when no capability option is present
o Filter: Fixed segfault when a case option had an empty block
This is a bugfix version.
2.13 (2023-04-21)
o Babel: IPv4 via IPv6 extension (RFC 9229)
o Babel: Improve authentication on lossy networks
o BGP: New 'allow bgp_med' option
o BSD: Support for IPv4 routes with IPv6 nexthop on FreeBSD
o Experimental BMP protocol implementation
o Important bugfixes
Notes:
We changed versioning scheme from <epoch>.<major>.<minor> to more common
<major>.<minor>.<patch> . From now on, you may expect that BIRD 2.13.x will be
strictly only fixing bugs found in 2.13, whereas BIRD 2.14 will also contain
new features.
This BIRD version contains an alpha release of BMP protocol implementation.
It is not ready for production usage and therefore it is not compiled by
default and have to be enabled during installation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Erik Kapfer [Tue, 16 Jan 2024 15:26:39 +0000 (16:26 +0100)]
Firewall initscript: Restore Tor IPTable rules by manual firewall restart
If the firewall will be manually restart via '/etc/init.d/firewall restart',
the IPTable rules for the Tor relay will be deleted since 'iptables_init' only
flushes and creates inbound and unbound chains for Tor but does not restore the
ruleset from Tor initscript.
For reference and tests please see -->
https://community.ipfire.org/t/tor-stop-working-without-stop-the-process-or-give-an-error-message/10697
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 14 Jan 2024 15:59:00 +0000 (15:59 +0000)]
linux: Forbid legacy TIOCSTI usage
To quote from the kernel documentation:
> Historically the kernel has allowed TIOCSTI, which will push
> characters into a controlling TTY. This continues to be used
> as a malicious privilege escalation mechanism, and provides no
> meaningful real-world utility any more. Its use is considered
> a dangerous legacy operation, and can be disabled on most
> systems.
>
> Say Y here only if you have confirmed that your system's
> userspace depends on this functionality to continue operating
> normally.
>
> Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can
> use TIOCSTI even when this is set to N.
>
> This functionality can be changed at runtime with the
> dev.tty.legacy_tiocsti sysctl. This configuration option sets
> the default value of the sysctl.
This patch therefore proposes to no longer allow legacy TIOCSTI usage
in IPFire, given its security implications and the apparent lack of
legitimate usage.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 13 Jan 2024 19:43:50 +0000 (20:43 +0100)]
htop: Update to 3.3.0
For details see:
https://github.com/htop-dev/htop/blob/main/ChangeLog
"What's new in version 3.3.0
* Multiple refactorings and code improvements
* Shorten docker container IDs to 12 characters
* Settings: preserve empty header
* Fix execlp() argument without pointer cast
* OpenFilesScreen: Make column sizing dynamic for file size, offset and inode
* Add support for "truss" (FreeBSD equivalent of "strace")
* Darwin: add NetworkIOMeter support
* HeaderLayout: add "3 columns - 40/30/30", "... 30/40/30" & "... 30/30/40"
* Meter: use correct unicode characters for digit '9'
* Note in manual re default memory units of KiB
* Add column for process container name
* Add logic to filter the container name (+type) from the CGroup name
* Change NetworkIOMeter value unit from KiB/s to bytes/second
* Cap DiskIOMeter "utilisation" percentage at 100%
* PCP platform implementation of frontswap and zswap accounting
* Shorten podman/libpod container IDs to 12 characters
* Write configuration to temporary file first
* Incorporate shared memory in bar text
* Move shared memory next to used memory
* Correct order of memory meter in help
* Add recalculate to Ctrl-L refresh
* Update process list on thread visibility toggling
* Support dynamic screens with 'top-most' entities beyond processes
* Introduce Row and Table classes for screens beyond top-processes
* Rework ZramMeter and remove MeterClass.comprisedValues
* More robust logic for CPU process percentages (Linux & PCP)
* Show year as start time for processes older than a year
* Short-term fix for docker container detection
* default color preset: use bold blue for better visibility
* Document 'O' keyboard shortcut
* Implement logic for '--max-iterations'
* Update F5 key label on tab switch (Tree <-> List)
* Force re-sorting of the process list view after switching between list/treeview mode
* Linux: (hack) work around the fact that Zswapped pages may be SwapCached
* Linux: implement zswap support
* {Memory,Swap}Meter: add "compressed memory" metrics
* Darwin: add DiskIOMeter support
* Fix scroll relative to followed process
* ZramMeter: update bar mode
* Use shared real memory on FreeBSD
* Increase Search and Filter max string length to 128
* Improve CPU computation code
* Remove LXC special handling for the CPU count
* Create new File Descriptor meter
* PCP: add IRQ PSI meter
* Linux: add IRQ PSI meter
* Linux: highlight username if process has elevated privileges
* Add support for scheduling policies
* Add a systemd user meter to monitor user units.
* FreeBSD: remove duplicate zfs ARC size subtraction"
Michael Tremer [Fri, 12 Jan 2024 13:29:04 +0000 (13:29 +0000)]
collectd: Restart is required after reconnect
The "ping" plugin does not re-resolve the gateway IP address after
pinging it for the first time. For most people this won't be a big
problem, but if the default gateway changes, the latency graph won't
work any more.
In order to do re-resolve "gateway", the only way is to restart
collectd.
Fixes: #13522 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 8 Jan 2024 09:44:00 +0000 (09:44 +0000)]
kmod: Update to 31
According to the source tarball's NEWS file:
- Improvements
- Allow passing a path to modprobe so the module is loaded from
anywhere from the filesystem, but still handling the module
dependencies recorded in the indexes. This is mostly intended for kernel
developers to speedup testing their kernel modules without having to load the
dependencies manually or override the module in /usr/lib/modules/.
Now it's possible to do:
# modprobe ./drivers/gpu/drm/i915/i915.ko
As long as the dependencies didn't change, this should do the right thing
- Use in-kernel decompression if available. This will check the runtime support
in the kernel for decompressing modules and use it through finit_module().
Previously kmod would fallback to the older init_module() when using
compressed modules since there wasn't a way to instruct the kernel to
uncompress it on load or check if the kernel supported it or not.
This requires a recent kernel (>= 6.4) to have that support and
in-kernel decompression properly working in the kernel.
- Make modprobe fallback to syslog when stderr is not available, as was
documented in the man page, but not implemented
- Better explaing `modprobe -r` and how it differentiates from rmmod
- depmod learned a `-o <dir>` option to allow using a separate output
directory. With this, it's possible to split the output files from
the ones used as input from the kernel build system
- Add compat with glibc >= 2.32.9000 that dropped __xstat
- Improve testsuite to stop skipping tests when sysconfdir is something
other than /etc
- Build system improvements and updates
- Change a few return codes from -ENOENT to -ENODATA to avoid confusing output
in depmod when the module itself lacks a particular ELF section due to e.g.
CONFIG_MODVERSIONS=n in the kernel.
- Bug Fixes
- Fix testsuite using uninitialized memory when testing module removal
with --wait
- Fix testsuite not correctly overriding the stat syscall on 32-bit
platforms. For most architectures this was harmless, but for MIPS it
was causing some tests to fail.
- Fix handling unknown signature algorithm
- Fix linking with a static liblzma, libzstd or zlib
- Fix memory leak when removing module holders
- Fix out-of-bounds access when using very long paths as argument to rmmod
- Fix warnings reported by UBSan
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This change is now producing problems on IPv6-enabled systems as it will
deny access to any website that is IPv6-enabled as well, even if the
client connected using IPv4.
I have tested if squid is now running on fine on systems where IPv6 is
disabled and can confirm that its running just fine.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Tue, 26 Dec 2023 13:10:34 +0000 (14:10 +0100)]
postfix: Update to version 3.8.4 + prevent smtp smuggling
- Update from version 3.8.3 to 3.8.4
- Update of rootfile not required
- Permanent fix for smtp smuggling will be in version 3.9. However the fix has been
backported into version 3.8.4 but with the default for the parameter of "no".
- This patch sets the defaults for all the main.cf parameters highlighted by Wietse
Venema in http://www.postfix.org/smtp-smuggling.html
- Additionally the implementation of smtpd_forbid_bare_newline = yes has been added to
the install.sh pak for postfix so that it will be included into any main.cf file being
restored from backup. This parameter is available for the first time in 3.8.4 so will
not be in any backup prior to this release and can therefore be safely applied to
restored versions of main.cf.
- This fix in install.sh will be able to be removed when version 3.9 is released early
in 2024 as the default for that parameter in that version onwards will then be "yes"
- Changelog
3.8.4
Security: with "smtpd_forbid_bare_newline = yes" (default
"no" for Postfix < 3.9), reply with "Error: bare <LF>
received" and disconnect when an SMTP client sends a line
ending in <LF>, violating the RFC 5321 requirement that
lines must end in <CR><LF>. This prevents SMTP smuggling
attacks that target a recipient at a Postfix server. For
backwards compatibility, local clients are excluded by
default with "smtpd_forbid_bare_newline_exclusions =
$mynetworks". Files: mantools/postlink, proto/postconf.proto,
global/mail_params.h, global/smtp_stream.c, global/smtp_stream.h,
smtpd/smtpd.c.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:28:52 +0000 (18:28 +0100)]
bash: Update the patches applied to bash
- Update the patches to include patches 16 to 21
- Update of rootfile not required
- Changelog
patch 21: fix for expanding command substitutions in a word expansion in a
here-document
patch 20: allow time reserved word as first token in command substitution
patch 19: fix case where background job set the terminal process group
patch 18: fix for returning unknown tokens to the bison parser
patch 17: fix for optimizing forks when using the . builtin in a subshell
patch 16: fix for a crash if one of the expressions in an arithmetic for command
expands to NULL
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 30 Dec 2023 14:37:00 +0000 (14:37 +0000)]
haproxy: Update to 2.8.5
Please refer to
https://www.mail-archive.com/search?l=haproxy%40formilux.org&q=announce+subject%3A%22[ANNOUNCE]+haproxy-2.8.5%22+-subject%3A%22re:%22
for this version's release announcement.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 30 Dec 2023 14:35:00 +0000 (14:35 +0000)]
Tor: Update to 0.4.8.10
Changes in version 0.4.8.10 - 2023-12-08
This is a security release fixing a high severity bug (TROVE-2023-007)
affecting Exit relays supporting Conflux. We strongly recommend to update as
soon as possible.
o Major bugfixes (TROVE-2023-007, exit):
- Improper error propagation from a safety check in conflux leg
linking lead to a desynchronization of which legs were part of a
conflux set, ultimately causing a UAF and NULL pointer dereference
crash on Exit relays. Fixes bug 40897; bugfix on 0.4.8.1-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 08, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/12/08.
o Minor bugfixes (bridges, statistics):
- Correctly report statistics for client count over Pluggable
transport. Fixes bug 40871; bugfix on 0.4.8.4
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 31 Dec 2023 20:50:18 +0000 (21:50 +0100)]
libplist: Update to version 2.3.0
- Update from version 2.2.0 to 2.3.0
- Update of rootfile
2.3.0
- Changes:
* Rename PLIST_UINT to PLIST_INT and add plist_new_int() and plist_get_int_val()
* Add support for JSON format
* Add support for OpenStep format
* Introduce error codes and format constants
* Add return value to import/export functions to allow returning error codes
* Add new plist_sort function
* Add several human-readable output-only formats
* Add new plist_write_to_string/_stream/_file functions
* Add new plist_print function
* Add new plist_read_from_file function
* Add new plist_mem_free() function
* Add a few C++ methods
* Add C++ interface test
* Add PLIST_NULL type
* Some code housekeeping (mostly clang-tidy)
- Breaking:
* plist_from_memory() gets additional parameter
- Bugfixes:
* Fix multiple bugs in all of the parsers
* Fix handling of PLIST_UID nodes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 31 Dec 2023 20:50:17 +0000 (21:50 +0100)]
nqptp: Update to version 1.2.4
- Update from version commit ad384f9ed3b2cc31e97012ab6bfe5a214ffc65a2 (between 1.2.1 and
1.2.2) to 1.2.4
- Update of rootfile not required
- Changelog
1.2.4
Following on from the security update of 1.2.3, some further changes are
introduced to make the communication path between NQPTP and Shairport Sync
resistant to outside interference. On Linux, nqptp now runs as a restricted user
but with special permission to access ports 319 and 320.
These changes have necessitated changing the SMI interface. The SMI interface is
now at version 10, and Shairport Sync must also be updated to be compatible with
it.
Before updating, it is important that you remove the startup service file as
described in the README.
Please read the Release Notes for more details.
1.2.3
This important update fixes a crashing bug whereby a maliciously-crafted message
to the control port could crash NQPTP. (Supersedes 1.2.2.)
1.2.2
Superseded by version 1.2.3
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 31 Dec 2023 20:50:16 +0000 (21:50 +0100)]
shairport-sync: Update to version 4.3.2
- Update from version 4.1.1 to 4.3.2
- Update of rootfile not required.
- Updating shairport-sync to 4.2 or later also requires an update of nqptp as the newer
version of shairport-sync requires NQPTP with Shared Memory Interface Version smi9 and
will not work with older versions.
- Changelog
4.3.2
This update contains a brand new PipeWire backend with full synchronisation --
your feedback is welcome on this. The update also contains a number of bug fixes.
Enhancements
A totally new PipeWire backend featuring full synchronisation.
Bug Fixes
Stability improvements for the PulseAudio backend.
Fix a crash when the Avahi subsystem became disconnected. This is normally a
rare occurrence, but Shairport Sync was not dereferencing obsolete data
correctly when it happened.
Set and reset Bonjour flags correctly when it's a Classic Airplay session in
AirPlay 2 operation.
Fix a number of FreeBSD compilation errors and warnings.
Fix various errors when breaking into an existing session to terminate it.
Thanks again to aaronk6.
Fix some debug message errors, sigh. Thanks to Nathan Gray.
4.3.1
Bug Fixes
This release, 4.3.1, fixes a bug in Version 4.3 that prevented Shairport
Sync from being added to Home.
4.3
This update contains important security updates, bug fixes and enhancements.
NQPTP must also be updated, and it should be updated before updating Shairport
Sync.
The Shared Memory Interface version of both Shairport Sync and NQPTP is now 10,
i.e. smi10.
Notes
When updating NQPTP on Linux, be sure to remove the old service file as
directed in the README.
Having completed both updates and installations, remember to restart NQPTP
first and then restart Shairport Sync.
Security Updates
A crashing bug in NQPTP has been fixed.
The communications protocol used between NQPTP and Shairport Sync has been
revised and made more resilient to attempted misuse.
In Linux systems, NQPTP no longer runs as root -- instead it runs as the
restriced user nqptp, with access to ports 319 and 320 set by the installer
via the setcap utility.
Enhancements
A new volume control profile called dasl-tapered has been added in which
halving the volume control setting halves the output level.
For example, moving the volume slider from full to half reduces the output
level by 10dB, which roughly corresponds with a perceived halving of the
audio volume level.
Moving the volume slider from half to a quarter reduces the output level by
a further 10dB.
The tapering rate is slightly modified at the lower end of the range if the
device's attenuation range is restricted (less than about 55dB).
To activate the dasl-tapered profile, set the volume_control_profile to
"dasl_tapered" in the configuration file and restart Shairport Sync.
Many thanks to David Leibovic, aka dasl-, for this.
On graceful shutdown, an active_end signal should now be generated if the
system was in the active state. Addresses issue #1647. Thanks to Tucker
Kern for raising the issue.
Bug Fixes
Fixed a bug that causes the Docker image to crash occasionally when OwnTone
interrupted an existing iOS session. Thanks to aaronk6 for the report.
Fixed a cross-compliation error caused by not looking for the correct
version of the ar tool. The fix was to substitute the correct version
during the autoreconf phase. Thanks to sternenseemann for raising the
issue and the PR containing the fix.
Updated the mDNS strings for the Classic AirPlay feature of AP2, so that it
does not appear to provide MFi authentication. Addresses this discussion.
Always uses a revision number of 1 when looking for status updates on the
DACP remote control port. This follows a suggestion in Issue #1658. Thanks
to ejurgensen, as ever, for the report and the suggested fix.
Fixed a statistics bug (the minimum buffer size was incorrectly logged) and
also tidy up the statistics logging interval logic for resetting min and
max counters.
Added an important missing format string argument to a call in the Jack
Audio backend. Many thanks to michieldwitte for their PR.
Maintenance
Stopped using a deprecated FFmpeg data structure reference.
Stopped using deprecated OpenSSL calls. Thanks to yubiuser for their PR --
which did some of the updating -- and for their guidance.
Run workflow-based tests on PRs automatically. Thanks to yubiuser for their PR.
4.2
This release consists of enhancements and important bug fixes to Shairport Sync
Version 4.1. For information on the new features of 4.1, including AirPlay 2
support, please see the Version 4.1 Release Note.
Important
If you are updating an existing installation of Shairport Sync, you must
also update NQPTP. The reason is that this update to Shairport Sync
requires NQPTP with Shared Memory Interface Version smi9 and will not
work with older versions.
For details of the enhancements and bug fixes in this release, please
refer to the RELEASENOTES.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 31 Dec 2023 20:49:27 +0000 (21:49 +0100)]
sudo: Update to version 1.9.15p5
- Update from version 1.9.15p4 to 1.9.15p5
- Update of rootfile not required
- Changelog
1.9.15p5
Fixed evaluation of the lecture, listpw, verifypw, and fdexec sudoers Defaults
settings when used without an explicit value. Previously, if specified
without a value they were evaluated as boolean false, even when the negation
operator (’!’) was not present.
Fixed a bug introduced in sudo 1.9.14 that prevented LDAP netgroup queries
using the NETGROUP_BASE setting from being performed.
Sudo will now transparently rename a user’s lecture file from the older
name-based path to the newer user-ID-based path. GitHub issue #342.
Fixed a bug introduced in sudo 1.9.15 that could cause a memory allocation
failure if sysconf(_SC_LOGIN_NAME_MAX) fails. Bug #1066
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 31 Dec 2023 09:27:24 +0000 (10:27 +0100)]
meson: Update to version 1.3.1
- Update from version 1.2.3 to 1.3.1
- Update of rootfile
- Changelog is too large to include here. See details at
https://mesonbuild.com/Release-notes.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 31 Dec 2023 09:27:21 +0000 (10:27 +0100)]
iperf3: Update to version 3.16
- Update from version 3.12 to 3.16
- Update of rootfile not required
- Changelog
3.16 2023-11-30
* Notable user-visible changes
* Multiple test streams started with -P/--parallel will now be
serviced by different threads. This allows iperf3 to take
advantage of multiple CPU cores on modern processors, and will
generally result in significant throughput increases (PR #1591).
* OpenSSL 3 is now detected at build time. If OpenSSL 3 is found,
various older, deprecated, APIs will not be used. iperf3 will
continue to work with OpenSSL 1.1.1. OpenSSL is used as a part
of the iperf3 authentication functionality (Issue #1300, PR
#1589).
* The authorized users file used by the authentication functionality
is now checked for accessibility much earlier during the program
startup, as opposed to being checked near the start of a
test (Issue #1583, PR #1585).
* Developer-visible changes
* BREAKING CHANGE: iperf3 now requires pthreads and C atomic
variables to compile and run.
3.15 2023-09-14
* Notable user-visible changes
* Several bugs that could allow the iperf3 server to hang waiting
for input on the control connection has been fixed. ESnet thanks
Jorge Sancho Larraz from Canonical for reporting this issue. For
more information, see:
https://downloads.es.net/pub/iperf/esnet-secadv-2023-0002.txt.asc
* A bug that caused garbled output with UDP tests on 32-bit hosts
has been fixed (PR #1554, PR #1556). This bug was introduced in
iperf-3.14.
* A bug in counting UDP messages has been fixed (PR #1367, PR
#1380).
3.14 2023-07-07
* Notable user-visible changes
* A memory allocation hazard was fixed (Issue #1542/PR #1543). For
more information see:
https://downloads.es.net/pub/iperf/esnet-secadv-2023-0001.txt.asc
* JSON output was improved, such as print JSON numbers as signed (PR
#1539, Issue #1435), the exit code when doing JSON output was
fixed (PR #1523), and client_api was fixed so that it still
returns an error code when JSON is enabled (Issue #1405). Also,
duplicate fields when using multiple streams was removed from the
JSON output (#1492).
* Prevent UDP packet count and operations overflow (PR #1536/Issue
#1534).
* Statistics are fixed when --omit is used (Issue #1489/PR #1498).
* Developer-visible changes
* CI builds and tests using GitHub actions have been added (PR
#1519).
* A fix for Android "unable to create a new stream error" was added
(PR #1506).
* Support for Voice Admit DSCP code point from RFC 5865 was added
(PR #1490).
* A fix for preventing a crash when RSA public key path doesn't
exist was fixed (PR #1488/Issue #1471).
3.13 2023-02-16
* Notable user-visible changes
* fq-rate (PR #1461, Issue #1366), and bidirectional flag (Issue #1428,
PR #1429) were added to the JSON output.
* Added support for OpenBSD including cleaning up endian handling (PR #1396)
and support for TCP_INFO on systems where it was implemented (PR #1397).
* Fixed bug in how TOS is set in mapped v4 (PR #1427).
* Corrected documentation, such as updating binary download links and text
(Issue #1459), updating version on iperf3 websites, and fixing an
incorrect error message (Issue #1441).
* Fixed crash on rcv-timeout with JSON logfile (#1463, #1460, issue #1360,
PR #1369).
* Fixed a bug that prevented TOS/DSCP from getting set correctly for reverse
tests (PR #1427, Issue #638).
* Developer-visible changes
* Getter and setter are now available for bind_dev (PR #1419).
* Added missing getter for bidirectional tests (PR #1453).
* Added minor changes to clean up .gitignore and error messages (#1408).
* Made sure configure scripts are runnable with /bin/sh (PR #1398).
* Cleaned up RPM spec, such as adding missing RPM build dependencies, dropping
EL5 and removing outdated %changelog (PR #1401) to make.
* Added a fix for a resource leak bug in function iperf_create_pidfile(#1443).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 31 Dec 2023 09:27:20 +0000 (10:27 +0100)]
fontconfig: Update to version 2.15.0
- Update from version 2.14.1 to 2.15.0
- Update of rootfile
- Autogen no longer required
- fcobjshash.h is no longer in tarball from version 2.13.1
- Changelog
2.15
Do not change the order of orth files
Convert tabs to spaces
Convert more tabs to spaces in docs
src/meson.build: Store correct paths to fontconfig.pc.
Fix a typo in description for HAVE_STDATOMIC_PRIMITIVES
Report more detailed logs instead of assertion.
Add some missing constant names for weight.
Adujst indentation between programlisting in fontconfig-user.sgml
Bump version to 2.14.2
Clean up unused code
Add another test case for flatpak
Update 65-nonlatin.conf for macOS
Change the order of the properties to the order of fontconfig cache format
Add missing property descriptions
Add namedinstance property
Remove the problematic language from code and doc
Fix a typo
Fix a typo for FcCharSetDelChar doc
Fix a typo in scalable property
Use 'outline' instead of 'scalable' for bitmaps
Add more docs about selectfont
Rework CI implementation
Fix a typo
Rework CI implementation v2
Apply a fix of ci-templates
Fix uninitialized memory access when failing memory allocation.
Create a symlink with relative path
Fix an error of "initializer element is not constant"
Update CaseFolding.txt to Unicode 15.1
Update the encoding table for Simplified Chinese
Retry to decode strings in the name table as UTF-16BE in some cases.
Work around decoding strings in Macintosh encoding for the name table.
Add iconv detection for meson build
.gitlab-ci: Update
CI: Update
CI: static build only for rawhide
Use memmove instead of memcpy
Rename README to NEWS and add README.md
Update so version
Fix leak of `reason` in _FcConfigParse when not complaining
Ignore LC_CTYPE if set to "UTF-8"
Some doc clarifications
Add FC_FONT_WRAPPER
Detect standalone CFF fonts for FC_FONT_WRAPPER
Add anp.orth, bhb.orth, hif.orth, mag.orth, raj.orth, and the.orth
Add {agr,ayc,bem,ckb,cmn,dsb,hak,lij,lzh,mfe,mhr,miq,mjw,mnw,nan,nhn,niu,rif,sgs,shn,szl,tcy,tpi,unm,wae,yue,yuw}.orth
Change index type to 16 bit and bump cache version to 9
Expand ~ in glob
Add optional 11-lcdfilter-none configuration
Fix filepaths added when scanning with sysroot
Fix false-positive CFI failure
In fcfreetype.c, `GetScriptTags`: fix `use_of_uninitialized_value` and return the correct number of parsed tags in case the font file contains less tags than indicated.
meson: Support any compiler with gcc or msvc argument syntax
fix typo
Reload MM/VF metadata for each font face in font collection
fixed typos in fc-conflist.sgml
Add aliases for Helvetica LT Std
2.14.2
Fix the build issue on meson when -g option is added to c_args
Store artifacts for meson windows CI
Add FC_DESKTOP_NAME property
Add --with-default-sub-pixel-rendering option
Update po-conf/POTFILES.in
Ignore null pointer on Fc*Destroy functions
Convert tabs to spaces
Convert more tabs to spaces in docs
src/meson.build: Store correct paths to fontconfig.pc.
Fix a typo in description for HAVE_STDATOMIC_PRIMITIVES
Report more detailed logs instead of assertion.
Add some missing constant names for weight.
Adujst indentation between programlisting in fontconfig-user.sgml
meson: modify gperf test to remove sh dependency
meson: Update freetype2 git repository to upstream
Ignore LC_CTYPE if set to "UTF-8"
Expand ~ in glob
fix typo
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 31 Dec 2023 09:27:19 +0000 (10:27 +0100)]
cifs-utils: Update to version 7.0
- Update from version 6.14 to 7.0
- Update of rootfile not required
- Changelog
7.0 3165220 cifs-utils: bump version to 7.0 7b91873 cifs-utils: don't return uninitialized value in cifs_gss_get_req d9f5447 cifs-utils: make GSSAPI usage compatible with Heimdal 5e5aa50 cifs-utils: work around missing krb5_free_string in Heimdal dc60353 fix warnings for -Waddress-of-packed-member c4c94ad setcifsacl: fix memory allocation for struct cifs_ace 4ad2c50 setcifsacl: fix comparison of actions reported by covscan 9b074db cifs.upcall: remove unused variable and fix syslog message 2981686 cifs.upcall: Switch to RFC principal type naming 8a288d6 man-pages: Update cifs.upcall to mention GSS_USE_PROXY aeee690 cifs.upcall: fix compiler warning e2430c0 cifs.upcall: add gssproxy support
6.15
- CVE-2022-27239: mount.cifs: fix length check for ip option parsing
In cifs-utils through 6.14, a stack-based buffer overflow when parsing
the mount.cifs ip= command-line argument could lead to local attackers
gaining root privileges.
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
cifs-utils through 6.14, with verbose logging, can cause an
information leak when a file contains = (equal sign) characters but is
not a valid credentials file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:29:44 +0000 (18:29 +0100)]
apache2: Apply patch to make work with updated libxml2
- libxml2 since version 2.12.0 has removed a variable that was specified in the apache
apache mod_xml2enc code.
- This dependency caused the apache2 build to fail with the updated libxml2.
- This patch removes the dependency. It will be able to be removed when the next apache
update is carried out as the patch was created from an apache commit.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:29:43 +0000 (18:29 +0100)]
libxml2: Update to version 2.12.3
- Update from version 2.11.4 to 2.12.3
- Update of rootfile
- Changelog
2.12.3: Dec 12 2023
### Regressions
- parser: Fix namespaces redefined from default attributes
### Build fixes
- include: Rename XML_EMPTY helper macro
- include: Move declaration of xmlInitGlobals
- include: Add missing includes
- include: Move globals from xmlsave.h to parser.h
- include: Readd circular dependency between tree.h and parser.h
2.12.2: Dec 5 2023
### Regressions
- parser: Fix invalid free in xmlParseBalancedChunkMemoryRecover
- globals: Disable TLS in static Windows builds
- html: Reenable buggy detection of XML declarations
- tree: Fix regression when copying DTDs
- parser: Make CRLF increment line number
### Build fixes
- build: Disable compiler TLS by default
- cmake: Update config.h.cmake.in
- tests: Fix tests --with-valid --without-xinclude
2.12.1: Nov 23 2023
### Regressions
- hash: Fix deletion of entries during scan
- parser: Only enable SAX2 if there are SAX2 element handlers
### Build fixes
- autotools: Stop checking for snprintf
- dict: Fix '__thread' before 'static'
- fix: pthread weak references in globals.c (Mike Dalessio)
- tests: Fix build with older MSVC
2.12.0: Nov 16 2023
### Major changes
Most of the known issues leading to quadratic behavior in the XML parser
were fixed. Internal hash tables were rewritten to reduce memory
consumption.
Starting with this release, it should be enough to add the --with-legacy
configuration option to provide maximum ABI compatibility. For example,
if a code module was removed from the default configuration, the option
will add stubs for the removed symbols.
libxml2 will now store global variables in thread-local storage if supported
by the compiler. This avoids allocating the data lazily which can result in
a fatal error condition. A new API function xmlCheckThreadLocalStorage
was added so the allocation can be checked earlier if compiler TLS is not
supported. To prepare for future improvements, some API functions now expect
or return a const xmlError struct.
Several cyclic dependencies in public header files were fixed. As a result,
certain headers won't include other headers as before.
Refactoring of the encoding code has been mostly completed. Calling
xmlSwitchEncoding from client code is now fully supported, for example to
override the encoding for the push parser.
When parsing data from memory, libxml2 will now stream data chunk by chunk
instead of copying the whole buffer (possibly twice with encodings),
reducing peak memory consumption considerably.
A new API function xmlCtxtSetMaxAmplification was added to allow parsing
of files that would otherwise trigger the billion laughs protection.
Several bugs in the regex determinism checks were fixed. Invalid XML
Schemas which previous versions erroneously accepted will now be
rejected.
### Deprecations
- globals: Deprecate xmlLastError
- parser: Deprecate global parser options
- win32: Deprecate old Windows build system
### Bug fixes
- parser: Stop switching to ISO-8859-1 on encoding errors
- parser: Support encoded external PEs in entity values
- string: Fix UTF-8 validation in xmlGetUTF8Char
- SAX2: Allow multiple top-level elements
- parser: Update line number after coalescing text nodes
- parser: Check for truncated multi-byte sequences
### Improvements
- error: Make more xmlError structs constant
- parser: Remove redundant IS_CHAR check in xmlCurrentChar
- parser: Fix stack handling in xmlParseTryOrFinish
- parser: Protect against quadratic default attribute expansion
- parser: Missing checks for disableSAX
- entities: Make xmlFreeEntity public
- examples: Don't use sprintf
- encoding: Suppress -Wcast-align warnings
- parser: Use hash tables to avoid quadratic behavior
- parser: Don't skip CR in xmlCurrentChar
- dict: Rewrite dictionary hash table code
- hash: Rewrite hash table code
- malloc-fail: Report malloc failure in xmlFARegExec
- malloc-fail: Report malloc failure in xmlRegEpxFromParse
- parser: Simplify xmlStringCurrentChar
- regexp: Fix status codes and handle invalid UTF-8
- error: Make xmlGetLastError return a const error
- html: Fix logic in htmlAutoClose
- globals: Move globals back to correct header files
- globals: Use thread-local storage if available
- globals: Rework global state destruction on Windows
- globals: Define globals using macros
- globals: Introduce xmlCheckThreadLocalStorage
- globals: Make xmlGlobalState private
- threads: Move library initialization code to threads.c
- debug: Remove debugging code
- globals: Move code from threads.c to globals.c
- parser: Avoid undefined behavior in xmlParseStartTag2
- schemas: Fix memory leak of annotations in notations
- dict: Update hash function
- dict: Use thread-local storage for PRNG state
- dict: Use xoroshiro64** as PRNG
- xmllint: Fix error messages
- parser: Fix detection of null bytes
- parser: Improve error handling in push parser
- parser: Don't check inputNr in xmlParseTryOrFinish
- parser: Remove push parser debugging code
- tree: Fix copying of DTDs
- legacy: Add stubs for disabled modules
- parser: Allow to set maximum amplification factor
- entities: Don't change doc when encoding entities
- parser: Never use UTF-8 encoding handler
- encoding: Remove debugging code
- malloc-fail: Fix unsigned integer overflow in xmlTextReaderPushData
- html: Remove encoding hack in htmlCreateFileParserCtxt
- parser: Decode all data in xmlCharEncInput
- parser: Stream data when reading from memory
- parser: Optimize xmlLoadEntityContent
- parser: Don't overwrite EOF parser state
- parser: Simplify input pointer updates
- parser: Don't reinitialize parser input members
- encoding: Move rawconsumed accounting to xmlCharEncInput
- parser: Rework encoding detection
- parser: Always create UTF-8 in xmlParseReference
- html: Remove some debugging code in htmlParseTryOrFinish
- malloc-fail: Fix memory leak in xmlCompileAttributeTest
- parser: Recover more input from encoding errors
- malloc-fail: Handle malloc failures in xmlAddEncodingAlias
- malloc-fail: Fix null-deref with xmllint --copy
- xpath: Ignore entity ref nodes when computing node hash
- malloc-fail: Fix null deref after xmlXIncludeNewRef
- SAX: Always validate xml:ids
- Stop using sprintf
- Fix compiler warning on GCC < 8
- regexp: Fix determinism checks
- regexp: Fix checks for eliminated transitions
- regexp: Simplify xmlFAReduceEpsilonTransitions
- regexp: Fix cycle check in xmlFAReduceEpsilonTransitions
- schemas: Fix filename in xmlSchemaValidateFile
- schemas: Fix line numbers in streaming validation
- writer: Add error check in xmlTextWriterEndDocument
- encoding: Stop calling xmlEncodingErr
- xmlIO: Remove some calls to xmlIOErr
- parser: Improve handling of encoding and IO errors
- parser: Move xmlFatalErr to parserInternals.c
- encoding: Rework error codes
- .gitignore: Split up and rearrange .gitignore files
- .gitignore: Add runsuite.log
- Stop calling xmlMemoryDump
- examples: Don't call xmlCleanupParser and xmlMemoryDump
- xpath: Remove remaining references to valueFrame
### Portability
- python: Make it compatible with python3.12 (Daniel Garcia Moreno)
### Build systems
- cmake: Check whether static linking dependencies found in config files
(James Le Cuirot)
- autotools: Make --with-minimum disable lzma support
- build: Remove some GCC warnings
- Handle NOCONFIG case when setting locations from CMake target properties
(Markus Rickert)
- cmake: Generate better pkg-config file for SYSROOT builds under CMake
(James Le Cuirot)
- autoconf: Include non-pkg-config dependency flags in the pkg-config file
(James Le Cuirot)
- autoconf: Don't bake build time CFLAGS into pkg-config file (James Le Cuirot)
- build: Generate better pkg-config files for static-only builds (James
Le Cuirot)
- build: Generate better pkg-config file for SYSROOT builds (James Le Cuirot)
- autoconf: Allow custom --with-icu configure option
### Tests
- tests: Also test xmlNextChar in testchar.c
- tests: Start with testparser.c for extra tests
- fuzz: Raise rss_limit_mb
- fuzz: Test xmlTextReaderRead after EOF or failure
- fuzz: Test XML_PARSE_XINCLUDE | XML_PARSE_VALID
- tests: Handle entities in SAX tests
- fuzz: Disable XML_PARSE_SAX1 option in xml fuzzer
- tests: Add more tests for redefined attributes
- hash: Add hash table tests
- tests: Add ATTRIBUTE_NO_SANITIZE_INTEGER macro
- fuzz: Allow to fuzz without push, reader or output modules
- gitlab-ci: Add a "medium" config build
- python: Fix tests on MinGW
- test: Add push parser test with overridden encoding
- testapi: test_xmlSAXDefaultVersion() leaves xmlSAX2DefaultVersionValue set
to 1 with LIBXML_SAX1_ENABLED (David Kilzer)
- gitlab-ci: Lower _XOPEN_SOURCE value
- testapi: Don't set http_proxy environment variable
- test: Add push parser tests for split UTF-8 sequences
- xinclude: Lower initial table size when fuzzing
- tests: Test streaming schema validation
- runtest: Skip element name in schema error messages
### Documentation
- doc: Add notes about runtest to MAINTAINERS.md
- doc: Don't document internal macros in xmlversion.h
- doc: Allow 'unsigned' without 'int'
- doc: Improve documentation of configuration options
2.11.6: Nov 16 2023
### Regressions
- threads: Fix --with-thread-alloc
- xinclude: Fix 'last' pointer in xmlXIncludeCopyNode
### Bug fixes
- parser: Fix potential use-after-free in xmlParseCharDataInternal
2.11.5: Aug 9 2023
### Regressions
- parser: Make xmlSwitchEncoding always skip the BOM
- autotools: Improve iconv check
### Bug fixes
- valid: Fix c1->parent pointer in xmlCopyDocElementContent
- encoding: Always call ucnv_convertEx with flush set to false
### Portability
- autotools: fix Python module file ext for cygwin/msys2 (Christoph Reiter)
### Tests
- runtest: Fix compilation without LIBXML_HTML_ENABLED
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:29:00 +0000 (18:29 +0100)]
nfs: Update to version 2.6.4
- Update from version 2.6.3 to 2.6.4
- Update of rootfile not required
- Changelog is no longer created. The commits in the git repo have to be reviewed for
changes - http://git.linux-nfs.org/?p=steved/nfs-utils.git;a=shortlog;h=refs/heads/master
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 1 Jan 2024 14:35:46 +0000 (15:35 +0100)]
dhcp.cgi: Adjust legend entries to make clear they are legends and not messages
- A new IPFire user on the forum saw the orange and red coloured blocks in the legend
section and believed that they were messages about problems that had been created with
the fixed leases.
- This change puts a small block with seperate explanatory text for both the orange and
red coloured blocks.
- This change will also be applied to the wiki in a much clearer way
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Mon, 1 Jan 2024 14:35:45 +0000 (15:35 +0100)]
dhcp.cgi: Adjust spacing between an icon and explanatory text
- When dealing with a problem on the forum I noticed that in the Fixed Leases table
Legend section there was a very large space between the empty checkbox icon and the
explanatory text. It looks like the   that I have removed worked on the text
section 'click to enable' as that was moved but not on the off.gif icon as that stayed
in its original place leaving a very large space between the icon and the explanatory
text. Removing the two commands fixes that.
- Reading up about   the problem might be related to these tags no longer being
recommended to use with the newer HTML versions and that indenting or spacing should be
done via CSS code. Will have a look in future on how to accomplish this via CSS.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:28:54 +0000 (18:28 +0100)]
gnutls: Update to version 3.8.2
- Update from version 3.8.0 to 3.8.2
- Update of rootfile
- Changelog
3.8.2 (released 2023-11-14)
** libgnutls: Fix timing side-channel inside RSA-PSK key exchange.
[GNUTLS-SA-2023-10-23, CVSS: medium] [CVE-2023-5981]
** libgnutls: Add API functions to perform ECDH and DH key agreement
The functionality has been there for a long time though they were
not available as part of the public API. This enables applications
to implement custom protocols leveraging non-interactive key
agreement with ECDH and DH.
** libgnutls: Added support for AES-GCM-SIV ciphers (RFC 8452)
The new algorithms GNUTLS_CIPHER_AES_128_SIV_GCM and
GNUTLS_CIPHER_AES_256_SIV_GCM have been added to be used through
the AEAD interface. Note that, unlike
GNUTLS_CIPHER_AES_{128,256}_SIV_GCM, the authentication tag is
appended to the ciphertext, not prepended.
** libgnutls: transparent KTLS support is extended to FreeBSD kernel
The kernel TLS feature can now be enabled on FreeBSD as well as
Linux when compiled with the --enable-ktls configure option.
** gnutls-cli: New option --starttls-name
Depending on deployment, application protocols such as XMPP may
require a different origin address than the external address to be
presented prior to STARTTLS negotiation. The --starttls-name can
be used to specify specify the addresses separately.
** API and ABI modifications:
gnutls_pubkey_import_dh_raw: New function
gnutls_privkey_import_dh_raw: New function
gnutls_pubkey_export_dh_raw: New function
gnutls_privkey_export_dh_raw: New function
gnutls_x509_privkey_import_dh_raw: New function
gnutls_privkey_derive_secret: New function
GNUTLS_KEYGEN_DH: New enum member of gnutls_keygen_types_t
GNUTLS_CIPHER_AES_128_SIV_GCM: Added
GNUTLS_CIPHER_AES_256_SIV_GCM: Added
3.8.1 (released 2023-08-03)
** libgnutls: ClientHello extensions are randomized by default
To make fingerprinting harder, TLS extensions in ClientHello
messages are shuffled. As this behavior may cause compatibility
issue with legacy applications that do not accept the last
extension without payload, the behavior can be reverted with the
%NO_SHUFFLE_EXTENSIONS priority keyword.
** libgnutls: Add support for RFC 9258 external PSK importer.
This enables to deploy the same PSK across multiple TLS versions
(TLS 1.2 and TLS 1.3) in a secure manner. To use, the application
needs to set up a callback that formats the PSK identity using
gnutls_psk_format_imported_identity().
** libgnutls: %GNUTLS_NO_EXTENSIONS has been renamed to
%GNUTLS_NO_DEFAULT_EXTENSIONS.
** libgnutls: Add additional PBKDF limit checks in FIPS mode as
defined in SP 800-132. Minimum salt length is 128 bits and
minimum iterations bound is 1000 for PBKDF in FIPS mode.
** libgnutls: Add a mechanism to control whether to enforce extended
master secret (RFC 7627). FIPS 140-3 mandates the use of TLS
session hash (extended master secret, EMS) in TLS 1.2. To enforce
this, a new priority keyword %FORCE_SESSION_HASH is added and if
it is set and EMS is not set, the peer aborts the connection. This
behavior is the default in FIPS mode, though it can be overridden
through the configuration file with the "tls-session-hash" option.
In either case non-EMS PRF is reported as a non-approved operation
through the FIPS service indicator.
** New option --attime to specify current time.
To make testing with different timestamp to the system easier, the
tools doing certificate verification now provide a new option
--attime, which takes an arbitrary time.
** API and ABI modifications:
gnutls_psk_client_credentials_function3: New typedef
gnutls_psk_server_credentials_function3: New typedef
gnutls_psk_set_server_credentials_function3: New function
gnutls_psk_set_client_credentials_function3: New function
gnutls_psk_format_imported_identity: New function
GNUTLS_PSK_KEY_EXT: New enum member of gnutls_psk_key_flags
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
projects / people / pmueller / ipfire-2.x.git / log
