For details see:
https://blog.clamav.net/2023/05/clamav-110-released.html
"Major changes
Added the ability to extract images embedded in HTML CSS <style> blocks.
Updated to Sigtool so that the --vba option will extract VBA code from
Microsoft Office documents the same way that libclamav extracts VBA.
This resolves several issues where Sigtool could not extract VBA.
Sigtool will also now display the normalized VBA code instead of the
pre-normalized VBA code.
Added a new ClamScan and ClamD option: --fail-if-cvd-older-than=days.
Additionally, we introduce FailIfCvdOlderThan as a clamd.conf synonym
for --fail-if-cvd-older-than. When passed, it causes ClamD to exit on
startup with a non-zero return code if the virus database is older than
the specified number of days.
Added a new function cl_cvdgetage() to the libclamav API. This function
will retrieve the age in seconds of the youngest file in a database
directory, or the age of a single CVD (or CLD) file.
Added a new function cl_engine_set_clcb_vba() to the libclamav API. Use
this function to set a cb_vba callback function. The cb_vba callback
function will be run whenever VBA is extracted from office documents.
The provided data will be a normalized copy of the extracted VBA. This
callback was added to support Sigtool so that it can use the same VBA
extraction logic that ClamAV uses to scan documents.
Other improvements
Removed the vendored TomsFastMath library in favor of using OpenSSL to
perform "big number"/multiprecision math operations. Work courtesy of
Sebastian Andrzej Siewior.
Build system: Added CMake option DO_NOT_SET_RPATH to avoid setting
RPATH on Unix systems. Feature courtesy of Sebastian Andrzej Siewior.
Build system: Enabled version-scripts with CMake to limit symbol
exports for libclamav, libfreshclam, libclamunrar_iface, and
libclamunrar shared libraries on Unix systems, excluding macOS.
Improvement courtesy of Orion Poplawski and Sebastian Andrzej Siewior.
Build system: Enabled users to pass in custom Rust compiler flags using
the RUSTFLAGS CMake variable. Feature courtesy of Orion Poplawski.
Removed a hard-coded alert for CVE-2004-0597. The CVE is old enough
that it is no longer a threat and the detection had occasional
false-positives.
Set Git attributes to prevent Git from altering line endings for Rust
vendored libraries. Third-party Rust libraries are bundled in the
ClamAV release tarball. We do not commit them to our own Git
repository, but community package maintainers may now store the tarball
contents in Git. The Rust build system verifies the library manifest,
and this change ensures that the hashes are correct. Improvement
courtesy of Nicolas R.
Fixed compile time warnings. Improvement courtesy of Razvan Cojocaru.
Added a minor optimization when matching domain name regex signatures
for PDB, WDB and CDB type signatures.
Build system: Enabled the ability to select a specific Python version.
When building, you may use the CMake option -D
PYTHON_FIND_VER=<version> to choose a specific Python version. Feature
courtesy of Matt Jolly.
Added improvements to the ClamOnAcc process log output so that it is
easier to diagnose bugs.
Windows: Enabled the MSI installer to upgrade between feature versions
more easily when ClamAV is installed to a location different from the
default (i.e., not C:\Program Files\ClamAV). This means that the MSI
installer can find a previous ClamAV 1.0.x installation to upgrade to
ClamAV 1.1.0.
Sigtool: Added the ability to change the location of the temp directory
using the --tempdir option and added the ability to retain the temp
files created by Sigtool using the --leave-temps option.
Other minor improvements.
Bug fixes
Fixed the broken ExcludePUA / --exclude-pua feature. Fix courtesy of
Ged Haywood and Shawn Iverson.
Fixed an issue with integer endianness when parsing Windows executables
on big-endian systems. Fix courtesy of Sebastian Andrzej Siewior.
Fixed a possible stack overflow read when parsing WDB signatures. This
issue is not a vulnerability.
Fixed a possible index out of bounds when loading CRB signatures. This
issue is not a vulnerability.
Fixed a possible use after free when reading logical signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read when reading PDB signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read in javascript normalizer module.
This issue is not a vulnerability.
Fixed two bugs that would cause Freshclam to fail update when applying
a CDIFF database patch if that patch adds a file to the database
archive or removes a file from the database archive. This bug also
caused Sigtool to fail to create such a patch.
Fixed an assortment of complaints identified by Coverity static analysis.
Fixed one of the Freshclam tests that was failing on some Fedora
systems due to a bug printing debug-level log messages to stdout. Fix
courtesy of Arjen de Korte.
Correctly remove temporary files generated by the VBA and XLM
extraction modules so that the files are not leaked in patched versions
of ClamAV where temporary files are written directly to the
temp-directory instead of writing to a unique subdirectory."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:57 +0000 (19:53 +0200)]
ffmpeg: Update to version 6.0
- Update from version 5.1.2 to 6.0
- Update of rootfile
- sobump occurs so find-dependencies checked and the addons mpd, shairport-sync &
minidlna will be bumped to the next PAK_VER as a patch set with this change.
- Changelog
version 6.0:
- Radiance HDR image support
- ddagrab (Desktop Duplication) video capture filter
- ffmpeg -shortest_buf_duration option
- ffmpeg now requires threading to be built
- ffmpeg now runs every muxer in a separate thread
- Add new mode to cropdetect filter to detect crop-area based on motion vectors and edges
- VAAPI decoding and encoding for 10/12bit 422, 10/12bit 444 HEVC and VP9
- WBMP (Wireless Application Protocol Bitmap) image format
- a3dscope filter
- bonk decoder and demuxer
- Micronas SC-4 audio decoder
- LAF demuxer
- APAC decoder and demuxer
- Media 100i decoders
- DTS to PTS reorder bsf
- ViewQuest VQC decoder
- backgroundkey filter
- nvenc AV1 encoding support
- MediaCodec decoder via NDKMediaCodec
- MediaCodec encoder
- oneVPL support for QSV
- QSV AV1 encoder
- QSV decoding and encoding for 10/12bit 422, 10/12bit 444 HEVC and VP9
- showcwt multimedia filter
- corr video filter
- adrc audio filter
- afdelaysrc audio filter
- WADY DPCM decoder and demuxer
- CBD2 DPCM decoder
- ssim360 video filter
- ffmpeg CLI new options: -stats_enc_pre[_fmt], -stats_enc_post[_fmt],
-stats_mux_pre[_fmt]
- hstack_vaapi, vstack_vaapi and xstack_vaapi filters
- XMD ADPCM decoder and demuxer
- media100 to mjpegb bsf
- ffmpeg CLI new option: -fix_sub_duration_heartbeat
- WavArc decoder and demuxer
- CrystalHD decoders deprecated
- SDNS demuxer
- RKA decoder and demuxer
- filtergraph syntax in ffmpeg CLI now supports passing file contents
as option values, by prefixing option name with '/'
- hstack_qsv, vstack_qsv and xstack_qsv filters
For more details about the changes you have to review the commits in the git repo
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n6.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:21 +0000 (19:53 +0200)]
zstd: Update to version 1.5.5
- Update from version 1.5.4 to 1.5.5
- Update of rootfile
- Changelog
v1.5.5 (Apr 2023)
fix: fix rare corruption bug affecting the high compression mode, reported by @danlark1 (#3517, @terrelln)
perf: improve mid-level compression speed (#3529, #3533, #3543, @yoniko and #3552, @terrelln)
lib: deprecated bufferless block-level API (#3534) by @terrelln
cli: mmap large dictionaries to save memory, by @daniellerozenblit
cli: improve speed of --patch-from mode (~+50%) (#3545) by @daniellerozenblit
cli: improve i/o speed (~+10%) when processing lots of small files (#3479) by @felixhandte
cli: zstd no longer crashes when requested to write into write-protected directory (#3541) by @felixhandte
cli: fix decompression into block device using -o, reported by @georgmu (#3583)
build: fix zstd CLI compiled with lzma support but not zlib support (#3494) by @Hello71
build: fix cmake does no longer require 3.18 as minimum version (#3510) by @kou
build: fix MSVC+ClangCL linking issue (#3569) by @tru
build: fix zstd-dll, version of zstd CLI that links to the dynamic library (#3496) by @yoniko
build: fix MSVC warnings (#3495) by @embg
doc: updated zstd specification to clarify corner cases, by @Cyan4973
doc: document how to create fat binaries for macos (#3568) by @rickmark
misc: improve seekable format ingestion speed (~+100%) for very small chunk sizes (#3544) by @Cyan4973
misc: tests/fullbench can benchmark multiple files (#3516) by @dloidolt
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:20 +0000 (19:53 +0200)]
opus: Update to version 1.4
- Updsate from version 1.3.1 to 1.4
- Update of rootfile
- Changelog
opus 1.4 major release brings the following improvements and fixes:
Improved tuning of the Opus in-band FEC (LBRR).
See https://gitlab.xiph.org/xiph/opus/-/issues/2360 for details
Added a OPUS_SET_INBAND_FEC(2) option that turns on FEC, but does not force
SILK mode (FEC will be disabled in CELT mode)
Improved tuning and various fixes to DTX
Added Meson support, improved CMake support In addition to the improvements
above, this release includes many minor bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:19 +0000 (19:53 +0200)]
nfs: Update to version 2.6.3
- Update from version 2.6.2 to 2.6.3
- Update of rootfile
- Changelog is available in sourceforge at the following url
https://sourceforge.net/projects/nfs/files/nfs-utils/2.6.3/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:18 +0000 (19:53 +0200)]
lvm2: Update to version 2.03.21
- Update from version 2.02.188 to 2.03.21
- Update of rootfile
- Changelog
version 2.03.21 - 21st April 2023
Fix activation of vdo-pool for with 0 length headers (converted pools).
Avoid printing internal init messages when creation integration devices.
Allow (write)cache over raid+integrity LV.
version 2.03.20 - 21st March 2023
Fix segfault if using -S|--select with log/report_command_log=1 setting.
Configure now fails when requested lvmlockd dependencies are missing.
Add some configure Gentoo enhancements for static builds.
version 2.03.19 - 21st February 2023
Configure supports --with-systemd-run executed from udev rules.
Enhancement for build with MuslC systemd and non-bash system shells (dash).
Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices.
Ensure udev is processing origin LV before its thick snapshots LVs.
Fix and improve runtime memory size detection for VDO volumes.
version 2.03.18 - 22nd December 2022
Fix issues reported by coverity scan.
Fix warning for thin pool overprovisioning on lvextend (2.03.17).
Add support for writecache metadata_only and pause_writeback settings.
Fix missing error messages in lvmdbusd.
Version 2.03.17 - 10th November 2022
Add new options (--fs, --fsmode) for FS handling when resizing LVs.
Fix 'lvremove -S|--select LV' to not also remove its historical LV right away.
Fix lv_active field type to binary so --select and --binary applies properly.
Switch to use mallinfo2 and use it only with glibc.
Error out in lvm shell if using a cmd argument not supported in the shell.
Fix lvm shell's lastlog command to report previous pre-command failures.
Extend VDO and VDOPOOL without flushing and locking fs.
Add --valuesonly option to lvmconfig to print only values without keys.
Updates configure with recent autoconf tooling.
Fix lvconvert --test --type vdo-pool execution.
Add json_std output format for more JSON standard compliant version of output.
Fix vdo_slab_size_mb value for converted VDO volume.
Fix many corner cases in device_id, including handling of S/N duplicates.
Fix various issues in lvmdbusd.
Version 2.03.16 - 18th May 2022
Fix segfault when handling selection with historical LVs.
Add support --vdosettings with lvcreate, lvconvert, lvchange.
Filtering multipath devices respects blacklist setting from multipath
configuration.
lvmdevices support for removing by device id using --deviceidtype and
--deldev.
Display writecache block size with lvs -o writecache_block_size.
Improve cachesettings description in man lvmcache.
Fix lossing of delete message on thin-pool extension.
Version 2.03.15 - 07th February 2022
Remove service based autoactivation. global/event_activation = 0 is NOOP.
Improve support for metadata profiles for --type writecache.
Use cache or active DM device when available with new kernels.
Introduce function to utilize UUIDs from DM_DEVICE_LIST.
Increase some hash table size to better support large device sets.
Version 2.03.14 - 20th October 2021
Device scanning is skipping directories on different filesystems.
Print info message with too many or too large archived files.
Reduce metadata readings during scanning phase.
Optimize computation of crc32 check sum with multiple PVs.
Enhance recover path on cache creation failure.
Filter out unsupported MQ/SMQ cache policy setting.
Fix memleak in mpath filter.
Support newer location for VDO statistics.
Add support for VDO async-unsafe write policy.
Improve lvm_import_vdo script.
Support VDO LV with lvcreate -ky.
Fix lvconvert for VDO LV bigger then 2T.
Create VDO LVs automatically without zeroing.
Rename vdoimport to lvm_import_vdo.
Version 2.03.13 - 11th August 2021
Changes in udev support:
- obtain_device_list_from_udev defaults to 0.
- see devices/external_device_info_source,
devices/obtain_device_list_from_udev, and devices/multipath_wwids_file help
in lvm.conf
Fix devices file handling of loop with deleted backing file.
Fix devices file handling of scsi_debug WWIDs.
Fix many static analysis issues.
Support --poolmetadataspare with vgsplit and vgmerge.
Fix detection of active components of external origin volume.
Add vdoimport tool to support conversion of VDO volumes.
Support configurable allocation/vdo_pool_header_size.
Fix handling of lvconvert --type vdo-pool --virtualsize.
Simplified handling of archive() and backup() internal calls.
Add 'idm' locking type for IDM lock manager.
Fix load of kvdo target when it is not present in memory (2.03.12).
Version 2.03.12 - 07th May 2021
Allow attaching cache to thin data volume.
Fix memleak when generating list of outdated pvs.
Better hyphenation usage in man pages.
Replace use of deprecated security_context_t with char*.
Configure supports AIO_LIBS and AIO_CFLAGS.
Improve build process for static builds.
New --setautoactivation option to modify LV or VG auto activation.
New metadata based autoactivation property for LVs and VGs.
Improve signal handling with lvmpolld.
Signal handler can interrupt command also for SIGTERM.
Lvreduce --yes support.
Add configure option --with/out-symvers for non-glibc builds.
Report error when the filesystem is missing on fsadm resized volume.
Handle better blockdev with --getsize64 support for fsadm.
Do not include editline/history.h when using editline library.
Support error and zero segtype for thin-pool data for testing.
Support mixed extension for striped, error and zero segtypes.
Support resize also for stacked virtual volumes.
Skip dm-zero devices just like with dm-error target.
Reduce ioctl() calls when checking target status.
Merge polling does not fail, when LV is found to be already merged.
Poll volumes with at least 100ms delays.
Do not flush dm cache when cached LV is going to be removed.
New lvmlockctl_kill_command configuration option.
Support interruption while waiting on device close before deactivation.
Flush thin-pool messages before removing more thin volumes.
Improve hash function with less collisions and make it faster.
Reduce ioctl count when deactivating volumes.
Reduce number of metadata parsing.
Enhance performance of lvremove and vgremove commands.
Support interruption when taking archive and backup.
Accelerate large lvremoves.
Speedup search for cached device nodes.
Speedup command initialization.
Add devices file feature, off by default for now.
Support extension of writecached volumes.
Fix problem with unbound variable usage within fsadm.
Fix IMSM MD RAID detection on 4k devices.
Check for presence of VDO target before starting any conversion.
Support metatadata profiles with volume VDO pool conversions.
Support -Zn for conversion of already formated VDO pools.
Avoid removing LVs on error path of lvconvert during creation volumes.
Fix crashing lvdisplay when thin volume was waiting for merge.
Support option --errorwhenfull when converting volume to thin-pool.
Improve thin-performance profile support conversion to thin-pool.
Add workaround to avoid read of internal 'converted' devices.
Prohibit merging snapshot into the read-only thick snapshot origin.
Restore support for flipping rw/r permissions for thin snapshot origin.
Support resize of cached volumes.
Disable autoactivation with global/event_activation=0.
Check if lvcreate passes read_only_volume_list with tags and skips zeroing.
Allocation prints better error when metadata cannot fit on a single PV.
Pvmove can better resolve full thin-pool tree move.
Limit pool metadata spare to 16GiB.
Improves conversion and allocation of pool metadata.
Support thin pool metadata 15.88GiB, adds 64MiB, thin_pool_crop_metadata=0.
Enhance lvdisplay to report raid available/partial.
Support online rename of VDO pools.
Improve removal of pmspare when last pool is removed.
Fix problem with wiping of converted LVs.
Fix memleak in scanning (2.03.11).
Fix corner case allocation for thin-pools.
Version 2.03.11 - 08th January 2021
Fix pvck handling MDA at offset different from 4096.
Partial or degraded activation of writecache is not allowed.
Enhance error handling for fsadm and handle correct fsck result.
Dmeventd lvm plugin ignores higher reserved_stack lvm.conf values.
Support using BLKZEROOUT for clearing devices.
Support interruption when wipping LVs.
Support interruption for bcache waiting.
Fix bcache when device has too many failing writes.
Fix bcache waiting for IO completion with failing disks.
Configure use own python path name order to prefer using python3.
Add configure --enable-editline support as an alternative to readline.
Enhance reporting and error handling when creating thin volumes.
Enable vgsplit for VDO volumes.
Lvextend of vdo pool volumes ensure at least 1 new VDO slab is added.
Use revert_lv() on reload error path after vg_revert().
Configure --with-integrity enabled.
Restore lost signal blocking while VG lock is held.
Improve estimation of needed extents when creating thin-pool.
Use extra 1% when resizing thin-pool metadata LV with --use-policy.
Enhance --use-policy percentage rounding.
Configure --with-vdo and --with-writecache as internal segments.
Improving VDO man page examples.
Allow pvmove of writecache origin.
Report integrity fields.
Integrity volumes defaults to journal mode.
Switch code base to use flexible array syntax.
Fix 64bit math when calculation cachevol size.
Preserve uint32_t for seqno handling.
Switch from mmap to plain read when loading regular files.
Update lvmvdo man page and better explain DISCARD usage.
Version 2.03.10 - 09th August 2020
Add writecache and integrity support to lvmdbusd.
Generate unique cachevol name when default required from lvcreate.
Converting RAID1 volume to one with same number of legs now succeeds with a
warning.
Fix conversion to raid from striped lagging type.
Fix conversion to 'mirrored' mirror log with larger regionsize.
Zero pool metadata on allocation (disable with allocation/zero_metadata=0).
Failure in zeroing or wiping will fail command (bypass with -Zn, -Wn).
Add lvcreate of new cache or writecache lv with single command.
Fix running out of free buffers for async writing for larger writes.
Add integrity with raid capability.
Fix support for lvconvert --repair used by foreign apps (i.e. Docker).
Version 2.03.09 - 26th March 2020
Fix formatting of vdopool (vdo_slab_size_mb was smaller by 2 bits).
Fix showing of a dm kernel error when uncaching a volume with cachevol.
Version 2.03.08 - 11th February 2020
Prevent problematic snapshots of writecache volumes.
Add error handling for failing allocation in _reserve_area().
Fix memleak in syncing of internal cache.
Fix pvck dump_current_text memleak.
Fix lvmlockd result code on error path for _query_lock_lv().
Update pvck man page and help output.
Reject invalid writecache high/low_watermark setting.
Report writecache status.
Accept more output lines from vdo_format.
Prohibit reshaping of stacked raid LVs.
Avoid running cache input arg validation when creating vdo pool.
Prevent raid reshaping of stacked volumes.
Added VDO lvmdbusd methods for enable/disable compression & dedupe.
Added VDO lvmdbusd method for converting LV to VDO pool.
Version 2.03.07 - 30th November 2019
Subcommand in vgck for repairing headers and metadata.
Ensure minimum required region size on striped RaidLV creation.
Fix resize of thin-pool with data and metadata of different segtype.
Improve mirror type leg splitting.
Improve error path handling in daemons on shutdown.
Fix activation order when removing merged snapshot.
Experimental VDO support for lvmdbusd.
Version 2.03.06 - 23rd October 2019
Add _cpool suffix to cache-pool LV name when used by caching LV.
No longer store extra UUID for cmeta and cdata cachevol layer.
Enhance activation of cache devices with cachevols.
Add _cvol in list of protected suffixes and start use it with DM UUID.
Rename LV converted to cachevol to use _cvol suffix.
Use normal LVs for wiping of cachevols.
Reload cleanered cache DM only with cleaner policy.
Fix cmd return when zeroing of cachevol fails.
Extend lvs to show all VDO properties.
Preserve VDO write policy with vdopool.
Increase default vdo bio threads to 4.
Continue report when cache_status fails.
Add support for DM_DEVICE_GET_TARGET_VERSION into device_mapper.
Fix cmirrord usage of header files from device_mapper subdir.
Allow standalone activation of VDO pool just like for thin-pools.
Activate thin-pool layered volume as 'read-only' device.
Ignore crypto devices with UUID signature CRYPT-SUBDEV.
Enhance validation for thin and cache pool conversion and swapping.
Improve internal removal of cached devices.
Synchronize with udev when dropping snapshot.
Add missing device synchronization point before removing pvmove node.
Correctly set read_ahead for LVs when pvmove is finished.
Remove unsupported OPTIONS+="event_timeout" udev rule from 11-dm-lvm.rules.
Prevent creating VGs with PVs with different logical block sizes.
Fix metadata writes from corrupting with large physical block size.
Version 2.03.05 - 15th June 2019
Fix command definition for pvchange -a.
Add vgck --updatemetadata command that will repair metadata problems.
Improve VG reading to work if one good copy of metadata is found.
Report/display/scan commands that read VGs will no longer write/repair.
Move metadata repairs from VG reading to VG writing.
Add config setting md_component_checks to control MD component checks.
Add end of device MD component checks when dev has no udev info.
Version 2.03.04 - 10th June 2019
Remove unused_duplicate_devs from cmd causing segfault in dmeventd.
Version 2.03.03 - 07th June 2019
Report no_discard_passdown for cache LVs with lvs -o+kernel_discards.
Add pvck --dump option to extract metadata.
Fix signal delivery checking race in libdaemon (lvmetad).
Add missing Before=shutdown.target to LVM2 services to fix shutdown ordering.
Skip autoactivation for a PV when PV size does not match device size.
Remove first-pvscan-initialization which should no longer be needed.
Add remote refresh through lvmlockd/dlm for shared LVs after lvextend.
Ignore foreign and shared PVs for pvscan online files.
Add config setting to control fields in debug file and verbose output.
Add command[pid] and timestamp to debug file and verbose output.
Fix missing growth of _pmsmare volume when extending _tmeta volume.
Automatically grow thin metadata, when thin data gets too big.
Add synchronization with udev before removing cached devices.
Add support for caching VDO LVs and VDOPOOL LVs.
Add support for vgsplit with cached devices.
Query mpath device only once per command for its state.
Use device INFO instead of STATUS when checking for mpath device uuid.
Change default io_memory_size from 4 to 8 MiB.
Add config setting io_memory_size to set bcache size.
Fix pvscan autoactivation for concurrent pvscans.
Change scan_lvs default to 0 so LVs are not scanned for PVs.
Thin-pool selects power-of-2 chunk size by default.
Cache selects power-of-2 chunk size by default.
Support reszing for VDOPoolLV and VDOLV.
Improve -lXXX%VG modifier which improves cache segment estimation.
Ensure migration_threshold for cache is at least 8 chunks.
Restore missing man info lvcreate --zero for thin-pools.
Drop misleadning comment for metadata minimum_io_size for VDO segment.
Add device hints to reduce scanning.
Introduce LVM_SUPPRESS_SYSLOG to suppress syslog usage by generator.
Fix generator quering lvmconfig unpresent config option.
Fix memleak on bcache error path code.
Fix missing unlock on lvm2 dmeventd plugin error path initialization.
Improve Makefile dependency tracking.
Move VDO support towards V2 target (6.2) support.
Version 2.03.02 - 18th December 2018
Fix missing proper initialization of pv_list struct when adding pv.
Fix (de)activation of RaidLVs with visible SubLVs.
Prohibit mirrored 'mirror' log via lvcreate and lvconvert.
Use sync io if async io_setup fails, or use_aio=0 is set in config.
Fix more issues reported by coverity scan.
Version 2.03.01 - 31st October 2018
Version 2.03.00 - 10th October 2018
Add hot fix to avoiding locking collision when monitoring thin-pools.
Allow raid4 -> linear conversion request.
Fix lvconvert striped/raid0/raid0_meta -> raid6 regression.
Add 'lvm2-activation-generator:' prefix for kmsg messages logged by generator.
Add After=rbdmap.service to {lvm2-activation-net,blk-availability}.service.
Reduce max concurrent aios to avoid EMFILE with many devices.
Fix lvconvert conversion attempts to linear.
Fix lvconvert raid0/raid0_meta -> striped regression.
Fix lvconvert --splitmirror for mirror type (2.02.178).
Do not pair cache policy and cache metadata format.
lvconvert: reject conversions on raid1 LVs with split tracked SubLVs
lvconvert: reject conversions on raid1 split tracked SubLVs
Add basic creation support for VDO target.
Never send any discard ioctl with test mode.
Fix thin-pool alloc which needs same PV for data and metadata.
Extend list of non-memlocked areas with newly linked libs.
Enhance vgcfgrestore to check for active LVs in restored VG.
Configure supports --disable-silent-rules for verbose builds.
Fix unmonitoring of merging snapshots.
Cache can uses metadata format 2 with cleaner policy.
Fix check if resized PV can also fit metadata area.
Avoid showing internal error in lvs output or pvmoved LVs.
Remove clvmd
Remove lvmlib (api)
Remove lvmetad
Use versionsort to fix archive file expiry beyond 100000 files.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:17 +0000 (19:53 +0200)]
libxml2: Update to version 2.11.1
- Update from version 2.10.3 to 2.11.1
- Update of rootfile
- Changelog
There were two CVE's in version 2.10.4
v2.11.1: Apr 30 2023
Fixes build and ABI issues.
- cmake: Fix va_copy detection (Luca Niccoli)
- libxml.m4: Fix quoting
- Link with --undefined-version
- libxml2.syms: Revert removal of version information
v2.11.0: Apr 28 2023
### Major changes
Protection against entity expansion attacks, also known as "billion laughs"
has been greatly improved. Malicious files should be detected reliably now
and false positives should be reduced. It is possible though that large
documents which make heavy use of entities are rejected now.
This release finally fixes symbol visibility on UNIX systems. Internal
symbols will now be hidden. While these symbols were never declared in public
headers, it was still possible to declare them manually. Now this won't work.
All symbol information has been removed from the ELF version script to fix
link errors with --no-undefined-version. The version nodes are kept so it
should still be possible to run binaries linked against older versions.
About 90 memory errors in code paths handling malloc failures have been fixed.
While these issues shouldn't impact security, this improves robustness under
memory pressure.
The XInclude engine has been reworked to properly support nested includes.
Several cases of quadratic behavior in the XML push parser have been fixed.
Refactoring has begun on some buffering and encoding code with the goal of
simplifying this part of the code base and improving error reporting.
Other highlights:
- Consolidated private header files.
- Major rework of the autoconf build.
- Deprecated several outdated and internal functions.
Special thanks to Google's Open Source Security Subsidies program for
sponsoring much of the work on this release!
Ongoing work on libxml2 relies on funding. For a list of important open
issues see <https://gitlab.gnome.org/GNOME/libxml2/-/issues/507>
### Security
- Fix use-after-free in xmlParseContentInternal() (David Kilzer)
- xmllint: Fix use-after-free with --maxmem
- parser: Fix OOB read when formatting error message
- entities: Rework entity amplification checks
### Regressions
- parser: Fix regression in xmlParserNodeInfo accounting
### Bug fixes
- Fix memory errors in code handling malloc failures
- encoding: Fix error code in asciiToUTF8
- xpath: number('-') should return NaN
- xmlParseStartTag2() contains typo when checking for default definitions for
an attribute in a namespace (David Kilzer)
- uri: Fix handling of port numbers
- error: Make sure that error messages are valid UTF-8
- xinclude: Fix nested includes
### Improvements
- xmllint: Validate --maxmem integer option
- xmlValidatePopElement() can return invalid value (-1) (David Kilzer)
- parser: Rework EBCDIC code page detection
- parser: Limit name length in xmlParseEncName
- parser: Rework shrinking of input buffers
- html: Rely on CUR_CHAR to grow the input buffer
- parser: Rely on CUR_CHAR/NEXT to grow the input buffer
- valid: Make xmlValidateElement non-recursive
- html: Fix quadratic behavior in htmlParseTryOrFinish
- xmllint: Fix memory leak with --pattern --stream
- parser: Stop calling xmlParserInputShrink
- html: Impose some length limits
- valid: Allow xmlFreeValidCtxt(NULL)
- parser: Stop calling xmlParserInputGrow
- xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt
- xinclude: Abort immediately if max depth was exceeded
- xpath: Only report the first error
- error: Don't move past current position
- error: Limit number of parser errors
- parser: Lower entity nesting limit with XML_PARSE_HUGE
- parser: Don't increase depth twice when parsing internal entities
- parser: Improve detection of entity loops
- parser: Only report a single entity error
- libxml.h: Remove dubious definition of LIBXML_STATIC
- html: Improve parsing of nested lists
- memory: Don't use locks in xmlMemUsed
- encoding: Remove unused variable xmlDefaultCharEncodingHandler
- Rework initialization code
- Add .editorconfig
- parser: Merge misc, prolog and epilog cases in push parser
- parser: Fix 'consumed' accounting when switching encodings
- html: Fix check for end of comment in push parser
- parser: Fix push parser with 1-3 byte initial chunk
- parser: Rewrite push parser boundary checks
- reader: Switch to xmlParserInputBufferCreateMem
- html: Don't escape ASCII chars in href attributes
- io: Don't shrink memory input buffers
- parser: Don't call xmlSHRINK from push parser
- parser: Ignore cdata argument in xmlParseCharData
- parser: Rework push parser parser progress checks
- io: Fix a few integer overflows in I/O statistics
- io: Rework xmlParserInputBufferGrow with encodings
- io: Remove xmlInputReadCallbackNop
- io: Check for memory buffer early in xmlParserInputGrow
- parser: Fix error message in xmlParseCommentComplex
- Bypass proxy in nanoHTTP for hosts in "no_proxy" (Markus Jörg)
- schemas: Fix infinite loop in xmlSchemaCheckElemSubstGroup
- threads: Remove check for pthread_equal
- xinclude: Rework XInclude cache
- xinclude: Remove inefficient refcounting scheme
- xmllint: Improve handling of empty XPath node sets
- parser: Fix potential memory leak in xmlParseAttValueInternal
- error: Don't use initGenericErrorDefaultFunc
- xpath: Lower XPath recursion limit on Windows
- Stop including sys/types.h
- Don't define WIN32 macro
- Make xmlNewSAXParserCtx take a const sax handler
- Consolidate private header files
- Remove internal macros from parserInternals.h
- Move some HTML functions to correct header file
- xmllint: Stop calling xmlSAXDefaultVersion
- Introduce xmlNewSAXParserCtxt and htmlNewSAXParserCtxt
- Don't mess with parser options in htmlParseDocument
- Remove useless call to htmlDefaultSAXHandlerInit
- Remove htmlDefaultSAXHandler from non-SAX1 build
- Don't initialize SAX handler in htmlReadMemory
- Fix htmlReadMemory mixing up XML and HTML functions
- Don't use default SAX handler to report unrelated errors
- Create stream with buffer in xmlNewStringInputStream
- xmlcatalog: Fix memory leaks
### Code quality
- xzlib: Fix implicit sign change in xz_open
- parser: Simplify calculation of available buffer space
- parser: Use size_t when subtracting input buffer pointers
- parser: Check for integer overflow when updating checkIndex
- xpath: Fix harmless integer overflow in xmlXPathTranslateFunction
- schematron: Use logical and
- relaxng: Remove useless if statement
- schemas: Remove useless if statement
- pattern: Merge identical branches
- regexp: Add sanity check in xmlRegCalloc2
- regexp: Simplify xmlRegAtomPush
- encoding: Cast toupper argument to unsigned char
- uri: Add explicit cast in xmlSaveUri
- buf: Fix return value of xmlBufGetInputBase
- parser: Fix integer overflow of input ID
- parser: Remove useless ent->etype test in xmlParseReference
- parser: Remove useless ent->children tests in xmlParseReference
- xmlmemory.c: Remove xmlMemContentShow
- libxml.h: Add comments and indentation
- libxml.h: Don't include stdio.h
- xmlexports.h: Disable docs for internal macro XMLPUBLIC
- parser: Simplify xmlParseConditionalSections
- io: Rearrange code in xmlSwitchInputEncodingInt
- warnings: Fix -Wstrict-prototypes warning
- warnings: Remove set-but-unused variables
- Fix compiler warnings in SAX2.c
- Fix unused variable warning in python/types.c
- Fix compiler warning in examples
- Fix compiler warnings in fuzzing code
- Remove unused code in nanohttp.c
- Remove or annotate char casts
- Don't use sizeof(xmlChar) or sizeof(char)
- Remove explicit integer casts
### Deprecations
- parser: Deprecate more internal functions
- parser: Deprecate some parser input functions
- parser: Deprecate xmlString*DecodeEntities
- threads: Deprecate some internal functions
- buf: Deprecate static/immutable buffers
- Deprecate internal parser functions
- Deprecate old HTML SAX API
- Generate deprecation warnings for old SAX API
- Mark more functions setting globals as deprecated
- Mark more parser functions as deprecated
- Mark most SAX1 functions as deprecated
- Deprecate some global variables
### Portability
- autoconf: Warn about outdated C compilers
- win32: Remove broken libxml2.def.src
- Remove symbols from version script
- catalog.c: Silence a cast warning on VS 2022 (Lukáš Tyrychtr)
- libxml.h: Remove ancient LynxOS setup
- Use python3 not python (Ross Burton)
- xstc/fixup-tests.py: port to Python 3 (Ross Burton)
- xstc/fixup-tests.py: unify whitespace (Ross Burton)
- Remove hacky heuristic from b2dc5675 (Alex Richardson)
- Avoid creating an out-of-bounds pointer by rewriting a check
(Alex Richardson)
- Hide internal functions
- Correctly relocate internal pointers after realloc() (Alex Richardson)
- Visual Studio builds: Allow silencing deprecation warnings (Chun-wei Fan)
- Visual Studio: Define XML_DEPRECATED (Chun-wei Fan)
- xmllint: Include <io.h> on Windows
- warnings: Work around MSVC bug
- sources: Silence C4013 warnings on Visual Studio (Chun-wei Fan)
- python/setup.py.in: Improve Windows import patching (Chun-wei Fan)
- python: Create .pyd on Windows
- Fix Python build on Windows
- Fix Windows compiler warnings in python/types.c
- Fix libxml_PyFileGet
- Remove BeOS support
- Fix libxml_PyFileGet with stdout on macOS
- Migrate from PyEval_ to PyObject_
- Port build_glob.py to Python 3
- Port genChRanges.py to Python 3
- xmlexports.h: Remove LIBXML_FASTCALL optimization
- Remove XMLCALL and XMLCDECL macros from public headers
- Remove XMLDECL macro from .c files
### Build systems
- cmake: Link against `dl` and `dld` only when `LIBXML2_WITH_MODULES` is
enabled (Alexander Kutelev)
- autotools: Fix make distcheck
- Remove RPM build, Makefile.tests, README.tests
- libxml.m4: deprecate AM_PATH_XML2, wrap PKG_CHECK_MODULES instead
(Ross Burton)
- libxml.m4: fix -Wstrict-prototypes (Sam James)
- cmake: Build static library with -DLIBXML_STATIC
- autotools: Don't use version script on Windows
- autotools: Fix winsock detection
- autotools: Only add network libraries if HTTP/FTP enabled
- autotools: Disable parallel Python build
- python: Don't output missing generators during build
- build: Remove check for broken ss_family
- http: Simplify IPv6 checks
- autotools: Fix network checks on Windows
- Fix detection of GNU libiconv
- cmake: Fix Python installation
- cmake: Don't check for Python 2
- configure.ac: Also check for MSYS host
- Improve network library detection
- Detect ws2_32 with AC_SEARCH_LIBS
- Rework network configure checks
- Remove arg cast configure checks
- Fix dlopen check
- Remove HAVE_WIN32_THREADS configuration flag
- Rework dlopen and pthread detection
- Fix test in configure.ac
- cmake: Enable GCC compiler warnings
- Always link with -no-undefined
- Use AM_CFLAGS and AM_LDFLAGS consistently
- Remove -Wredundant-decls
- Call AC_CHECK_* with multiple arguments
- configure.ac: Remove checks for unused programs
- Rework library detection in configure.ac
- Rearrange configure.ac
- Consolidate zlib and lzma detection
- Remove "runtime debugging"
- Consolidate simple API modules in configure.ac
- Fix dependency resolution in configure.ac
- Fix --with-valid --without-regexps build
- Fix --with-schemas --without-xpath build
- Don't build unneeded .c source files
- Move xmlIsXHTML to tree.c
- Cleanup distribution settings in Makefile.am
- Also clean *.pyc files for Python 2
- Don't distribute libxml2.spec
### Tests
- testchar: Add test for memory pull parser with encoding
- fuzz: Also test init function of URI fuzzer
- fuzz: Separate fuzzer for DTD validation
- gitlab-ci: Enable all "integer" sanitizers
- fuzz: Inject random malloc failures
- fuzz: Support variable integer sizes in fuzz data
- fuzz: Fix duplicate detection in fuzzEntityRecorder
- fuzz: Set filename in xmlFuzzEntityLoader
- fuzz: Allow xmlFuzzReadString(NULL)
- fuzz: Fix Makefile dependencies
- fuzz: Add test/recurse to seed corpus
- fuzz: Add separate XInclude fuzzer
- runsuite: Some errors are expected
- testrecurse: Test entity expansion stats
- testapi.c: Initialize catalog early
- gentest.py: Fix memory leak in API tests
- tests: Enable "runsuite" test
- python/tests/reader2: use absolute paths everywhere (Ross Burton)
- python/tests/reader2: always exit(1) if a test fails (Ross Burton)
- testModule: exit if the module can't be opened (Ross Burton)
- CI: disable modules in gcc:static build (Ross Burton)
- CI: fix CI on MinGW builds (Ross Burton)
- python: Fix memory leak checks
- tests: Check that xmlInitParser doesn't allocate memory
- tests: Fix use-after-free in Python tests
- tests: Remove unneeded #includes
- gitlab-ci: Make Test-Msvc exit if ctest fails
- gitlab-ci: Treat compiler warnings as errors on MSVC
- test: Add test for push parser boundaries
- gitlab-ci: Upgrade image to Ubuntu 22.10, reenable MSan
- gitlab-ci: Reenable LeakSanitizer
- gitlab-ci: Fix llvm-symbolizer
- xinclude: Don't create result doc for test with errors
- xinclude: Also test error messages
- gitlab-ci: Allow cast-align warnings from clang
- gitlab-ci: Fix tar invocation
- gitlab-ci: Move MSVC test to separate script
- gitlab-ci: Fix SUFFIX, remove MINGW_PATH
- gitlab-ci: Consolidate CMake test scripts
- gitlab-ci: Only install MinGW autotools if needed
- gitlab-ci: Only install cmake MinGW package if needed
- gitlab-ci: Install 7-Zip using the .msi
- Use $MSYSTEM and 'bash -lc' in MinGW CI
- Add CI job for MinGW/Autotools
- Consolidate CI scripts
- Allow empty MINGW_PACKAGE_PREFIX
- Move Dockerfile to .gitlab-ci directory
- testapi: Disable on Windows for now
- Disable fuzzer tests if glob.h wasn't found
- Move automata test to runtest.c
- Fix testapi when building --without-sax1
# Documentation
- doc: Remove ancient files
- Remove ancient TODOs
- html: Fix htmlInitAutoClose documentation
- doc: Mention new location of XML catalog as breaking change
- doc: Mention potentially breaking changes in NEWS
- doc: Remove xmlDllMain from documentation and version script
- doc: Mention ${sysconfdir} in man pages
- doc: Document xmlcatalog --convert
- doc: Document xmllint --nodict and --pedantic
- doc: Fix indentation in source XML files
- xmllint: Document --quiet option
- Improve cross-references in API docs
- Improve documentation of globals
- Fix documentation parser
- Support comments for global variables in documentation
- Fix update call in apibuild.py
- Don't index anything in DOC_DISABLE sections
- Fix warnings from apibuild.py
- Start with documentation for maintainers
v2.10.4: Apr 11 2023
### Security
- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
### Regressions
- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:15 +0000 (19:53 +0200)]
iproute2: Update to version 6.3.0
- Update from version 6.2.0 to 6.3.0
- Update of rootfile not required
- Changelog can only be reviewed by looking at the commits in the git repo
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:14 +0000 (19:53 +0200)]
harfbuzz: Update to version 7.2.0
- Update from version 7.0.1 to 7.2.0
- Update of rootfile
- Changelog
Overview of changes leading to 7.2.0
- Add Tifinagh to the list of scripts that can natively be either right-to-left
or left-to-right, to improve handling of its glyph positioning.
(Simon Cozens)
- Return also single substitution from hb_ot_layout_lookup_get_glyph_alternates()
(Behdad Esfahbod)
- Fix 4.2.0 regression in applying across syllables in syllabic scripts.
(Behdad Esfahbod)
- Add flag to avoid glyph substitution closure during subsetting, and the
corresponding “--no-layout-closure” option to “hb-subset” command line tool.
(Garret Rieger)
- Support instancing COLRv1 table. (Qunxin Liu)
- Don’t drop used user-defined name table entries during subsetting.
(Qunxin Liu)
- Optimize handling of “gvar” table. (Behdad Esfahbod)
- Various subsetter bug fixes and improvements. (Garret Rieger, Qunxin Liu)
- Various documentation improvements. (Behdad Esfahbod, Josef Friedrich)
- New API:
+HB_SUBSET_FLAGS_NO_LAYOUT_CLOSURE
+HB_UNICODE_COMBINING_CLASS_CCC132
- Deprecated API:
+HB_UNICODE_COMBINING_CLASS_CCC133
Overview of changes leading to 7.1.0
- New experimental hb_shape_justify() API that uses font variations to expand
or shrink the text to a given advance. (Behdad Esfahbod)
- Various build and bug fixes. (Behdad Esfahbod, Garret Rieger, Qunxin Liu)
- New API:
+hb_font_set_variation()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Jon Murphy [Wed, 26 Apr 2023 20:37:13 +0000 (15:37 -0500)]
dbus: Fixes Bug#13094 - Check for existing user before `useradd`
- The dbus install.sh script useradd command causes an error:
"failed adding user 'messagebus', exit code: 9"
- This patch adds a check to only do the useradd if the user does not exist.
- See the bump PAK_VER for dbus that Adolf publised. See this patch:
https://lists.ipfire.org/pipermail/development/2023-April/015816.html
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 26 Apr 2023 12:32:29 +0000 (14:32 +0200)]
dbus: Fixes Bug#13094 - dbus daemon continues running after uninstall
- The uninstall.sh script had stop_service ${NAME} but the package name is dbus while the
initscript is named messagebus. Therefore the stop_service never stops the dbus daemon.
- This patch changes the line to stop_service messagebus
- The install.sh script already has start_service messagebus
- Bump PAK_VER for dbus
Fixes: Bug#13094 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 26 Apr 2023 12:32:28 +0000 (14:32 +0200)]
cups: Fixes Bug#12924 - Can't access https pages in cups
- Version 2.4.2 had some bugs that caused the self signed certificates to not be read or
created properly. The two involved bug fix patches are applied in this submission.
- Corrected the configure options related to avahi and TLS. Using Openssl for the TLS.
- Built .ipfire package installed into vm testbed and tested. With existing 2.4.2
any https pages come up with an error for the secure connection. With this version
the https admin page opens up and config file was able to be successfully modified
via it.
Fixes: Bug#12924 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 19 Apr 2023 12:31:41 +0000 (14:31 +0200)]
sdl2: Update to version 2.26.5
- Update from version 2.26.4 to 2.26.5
- Update of rootfile
- Changelog
2.26.5
The minimum deployment target on macOS is now 10.11, due to changes in the
latest Xcode update
Fixed incorrect modifier keys handling on macOS
Fixed occasional duplicate controller visible on macOS
Fixed handling of third party PS4 controller input reports
Added support for the trigger buttons on the Victrix Pro FS for PS5
Added mapping for Flydigi Vader 2 with the latest firmware (6.0.4.9)
Added mapping for DualSense Edge Wireless Controller on Linux
Added mapping for Hori Pokken Tournament DX Pro Pad
Improved the speed and quality of audio resampling
Fixed crash on Linux if dbus can't be initialized
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.apache.org/apr/CHANGES-APR-1.7
"Changes for APR 1.7.4
*) Fix a regression where writing to a file opened with both APR_FOPEN_APPEND
and APR_FOPEN_BUFFERED did not properly append the data on Windows.
(This regression was introduced in APR 1.7.3) [Evgeny Kotkov]
Adolf Belka [Wed, 19 Apr 2023 12:31:40 +0000 (14:31 +0200)]
samba: Update to version 4.18.1
- Update from version 4.17.5 to 4.18.1
- Update of rootfile
some libraries now use x86-64 instead of x86_64 but most are still left with x86_64
Good thing that we create a separate version of the rootfile for each architecture
because it is no longer just the arm version that is unique but also the x86_64 one.
- Since version 4.17.0 it has been possible to do a build excluding SMB1 server capability.
As SMB1 is insecure and has known exploits including ransomeware based ones it seems
reasonable to build samba without SMB1 server capability for use on a firewall.
The option to build wiythout SMB1 server capability has been added to the LFS file.
- Changelog
Release Notes for Samba 4.18.1
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.18.0
NEW FEATURES/CHANGES
SMB Server performance improvements
The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.
While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.
More succinct samba-tool error messages
Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:
* a username or password is incorrect
* an ldb database filename is wrong (including in smb.conf)
* samba-tool dns: various zones or records do not exist
* samba-tool ntacl: certain files are missing
* the network seems to be down
* bad --realm or --debug arguments
Accessing the old samba-tool messages
This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.
The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.
Colour output with samba-tool --color
For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.
* samba-tool drs showrepl: default is now 'auto', not 'no'
* samba-tool visualize: the interactions between --color-scheme,
--color, and --output have changed slightly. When --color-scheme is
set it overrides --color for the purpose of the output diagram, but
not for other output like error messages.
New samba-tool dsacl subcommand for deleting ACES
The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.
No colour with NO_COLOR environment variable
With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.
New wbinfo option --change-secret-at
The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.
New option to change the NT ACL default location
Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.
Azure Active Directory / Office365 synchronisation improvements
Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
REMOVED FEATURES
smb.conf changes
Parameter Name Description Default
acl_xattr:security_acl_name New security.NTACL
server addresses New
CHANGES SINCE 4.18.0rc4
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
CHANGES SINCE 4.18.0rc3
* BUG 15308: Avoid that tests fail because other tests didn't do cleanup on
failure.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
CHANGES SINCE 4.18.0rc2
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0).
(tevent 0.14.1 and ldb 2.7.1 are already released...)
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1.
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
CHANGES SINCE 4.18.0rc1
* BUG 10635: Office365 azure Password Sync not working.
* BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
Release Notes for Samba 4.17.7
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
allow full write to all attributes (additional changes).
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.17.6
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 19 Apr 2023 12:31:39 +0000 (14:31 +0200)]
parted: Update to version 3.6
- Update from version 3.5 to 3.6
- Update of rootfile
- Changelog
Noteworthy changes in release 3.6 (2023-04-10) [stable]
Promoting alpha release to stable release 3.6
Noteworthy changes in release 3.5.28 (2023-03-24) [alpha]
New Features
Support GPT partition attribute bit 63 as no_automount flag.
Add type commands to set type-id on MS-DOS and type-uuid on GPT.
Add swap flag support to the dasd disklabel
Add display of GPT disk and partition UUIDs in JSON output
Bug Fixes
Fix use of enums in flag limits by switching to using #define
Fix ending sector location when using kibi IEC suffix
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 19 Apr 2023 12:31:37 +0000 (14:31 +0200)]
libgcrypt: Update to version 1.10.2
- Update from version 1.10.1 to 1.10.2
- Update of rootfile
- Changelog
Noteworthy changes in version 1.10.2 (2023-04-06) [C24/A4/R2]
* Bug fixes:
- Fix Argon2 for the case output > 64. [rC13b5454d26]
- Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
- Fix RSA key generation failure in forced FIPS mode. [T5919]
- Fix gcry_pk_hash_verify for explicit hash. [T6066]
- Fix a wrong result of gcry_mpi_invm. [T5970]
- Allow building with --disable-asm for HPPA. [T5976]
- Fix Jitter RNG for building native on Windows. [T5891]
- Allow building with -Oz. [T6432]
- Enable the fast path to ChaCha20 only when supported. [T6384]
- Use size_t to avoid counter overflow in Keccak when directly
feeding more than 4GiB. [T6217]
* Other:
- Do not use secure memory for a DRBG instance. [T5933]
- Do not allow PKCS#1.5 padding for encryption in FIPS mode.
[T5918]
- Fix the behaviour for child process re-seeding in the DRBG.
[rC019a40c990]
- Allow verification of small RSA signatures in FIPS mode. [T5975]
- Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
- Run digest+sign self tests for RSA and ECC in FIPS mode.
[rC06c9350165]
- Add function-name based FIPS indicator function.
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
an ABI changes because the new FIPS features were not yet
approved. [rC822ee57f07]
- Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
- Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
- Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
- Check minimum allowed key size in PBKDF in FIPS mode.
[T6039,T6219]
- Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
- Prefer gpgrt-config when available. [T5034]
- Mark AESWRAP as approved FIPS algorithm. [T5512]
- Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332]
- Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25]
- Remove GCM mode from the allowed FIPS indicators. [rC1540698389]
- Add explicit FIPS indicators for hash and MAC algorithms. [T6376]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 19 Apr 2023 12:31:38 +0000 (14:31 +0200)]
libgpg-error: Update to version 1.47
- Update from version 1.46 to 1.47
- Update of rootfile
- Changelog
Noteworthy changes in version 1.47 (2023-04-06) [C34/A34/R0]
* New error codes for PUKs and reset codes. [T6421]
* Avoid segv in logging with improper use of the "socket://".
[rE68333be630]
* Fixed translation of argparse's internal option --help.
[rE885a287a57]
* Interface changes relative to the 1.46 release:
GPG_ERR_SOURCE_TKD NEW.
GPG_ERR_BAD_PUK NEW.
GPG_ERR_NO_RESET_CODE NEW.
GPG_ERR_BAD_RESET_CODE NEW.
GPGRT_SPAWN_KEEP_STDIN NEW.
GPGRT_SPAWN_KEEP_STDOUT NEW.
GPGRT_SPAWN_KEEP_STDERR NEW.
GPGRT_SPAWN_INHERIT_FILE NEW.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Michael Tremer [Fri, 21 Apr 2023 12:18:14 +0000 (12:18 +0000)]
Increase size of /boot to 512 MiB
Is XFS is being selected as file system, the minimum size requirement is
300 MiB. In order to keep it to a round number, this patch increases the
size of /boot to 512 MiB.
To keep all systems consistent, we will also do this on systems that are
being formatted using different file systems.
Fixes: #13077 - xfs cannot installed anymore because boot is to small Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1
"Features
Expose 'statistics-inhibit-zero' as a configuration option; the default
value retains Unbound's behavior.
Expose 'max-sent-count' as a configuration option; the default value
retains Unbound's behavior.
Merge #461 from Christian Allred: Add max-query-restarts option.
Exposes an internal configuration but the default value retains
Unbound's behavior.
Merge #569 from JINMEI Tatuya: add keep-cache option to
'unbound-control reload' to keep caches.
Bug Fixes
Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
extension.
In unit test, print python script name list correctly.
testcode/dohclient sets log identity to its name.
Clarify the use of MAX_SENT_COUNT in the iterator code.
Fix that cachedb does not store failures in the external cache.
Merge #767 from jonathangray: consistently use IPv4/IPv6 in
unbound.conf.5.
Fix to ignore tcp events for closed comm points.
Fix to make sure to not read again after a tcp comm point is closed.
Fix #775: libunbound: subprocess reap causes parent process reap to
hang.
iana portlist update.
Complementary fix for distutils.sysconfig deprecation in Python 3.10 to
commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
Fix #779: [doc] Missing documention in ub_resolve_event() for callback
parameter was_ratelimited.
Ignore expired error responses.
Merge #720 from jonathangray: fix use after free when WSACreateEvent()
fails.
Fix for the ignore of tcp events for closed comm points, preserve the
use after free protection features.
Fix #782: Segmentation fault in stats.c:404.
Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
Clear documentation for interactivity between the subnet module and the
serve-expired and prefetch configuration options.
Fix #773: When used with systemd-networkd, unbound does not start until
systemd-networkd-wait-online.service times out.
Merge #808: Wrap Makefile script's directory variables in quotes.
Fix to wrap Makefile scripts directory in quotes for uninstall.
Fix windows compile for libunbound subprocess reap comm point closes.
Update github workflows to use checkout v3.
Fix wildcard in hyperlocal zone service degradation, reported by Sergey
Kacheev."
Michael Tremer [Fri, 21 Apr 2023 12:23:00 +0000 (12:23 +0000)]
firewall: Drop legacy rules for PPPoE/PPTP
These rules where created to permit any local traffic to the firewall
when using a PPP connection that utilised Ethernet as transport.
This is however nonsensical and a security issue for any other
connection methods that call the RED interface "red0" and use PPP (e.g.
QMI).
Since PPPoE packets do not flow through iptables, these rules can be
dropped safely. We do not know whether PPTP works at all these days.
Fixes: #13088 - firewall: INPUT accepts all packets when using QMI for dial-in Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 13 Apr 2023 12:06:25 +0000 (12:06 +0000)]
hostapd: Enable QCA vendor extensions to nl80211
This should allow hostapd to utilize some vendor-specific features in
Qualcomm/Atheros cards. I am not sure what my card supports, but it is
all running fine.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.57
"Changes with Apache 2.4.57
*) mod_proxy: Check before forwarding that a nocanon path has not been
rewritten with spaces during processing. [Yann Ylavic]
*) mod_proxy: In case that AllowEncodedSlashes is set to NoDecode do not
double encode encoded slashes in the URL sent by the reverse proxy to the
backend. [Ruediger Pluem]
*) mod_http2: fixed a crash during connection termination. See PR 66539.
[Stefan Eissing]
*) mod_rewrite: Fix a 2.4.56 regression for substitutions ending
in a question mark. PR66547. [Eric Covener]
*) mod_rewrite: Add "BCTLS" and "BNE" RewriteRule flags. Re-allow encoded
characters on redirections without the "NE" flag.
[Yann Ylavic, Eric Covener]
*) mod_proxy: Fix double encoding of the uri-path of the request forwarded
to the origin server, when using mapping=encoded|servlet. [Yann Ylavic]
*) mod_mime: Do not match the extention against possible query string
parameters in case ProxyPass was used with the nocanon option.
[Ruediger Pluem]"
Adolf Belka [Tue, 4 Apr 2023 10:19:07 +0000 (12:19 +0200)]
powertop: Remove this addon as it does not work without debug_fs enabled
- powertop requires debug_fs to be enabled in the kernel for it to function. In Core
Update 171 debug_fs was disabled as a security risk for a firewall application.
- Based on the above powertop has stopped functioning since Core Update 171. Discussed
at IPFire Developers monthly conf call for April and agreed to remove the addon as
debug_fs will not be re-enabled.
- removal of lfs and rootfiles and removal of powertop line in make.sh
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Tue, 18 Apr 2023 20:51:00 +0000 (20:51 +0000)]
linux: Update to 6.1.24
Compiling the kernel has automatically introduced
CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to
be confused with its stackleak counterpart). However, according to
related documentation, this neither introduces a security nor
performance disadvantage.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 3 Apr 2023 16:09:26 +0000 (18:09 +0200)]
pmacct: Update to version 1.7.8
- Update from version 1.7.6 to 1.7.8
- Update of rootfile not required
- patch to remove Werror no longer required as the build with this version of pmacct
had no problems with errors being flagged as warnings anymore unlike with the
previous version.
- Changelog
The keys used are:
!: fixed/modified feature, -: deleted feature, +: new feature
1.7.8 -- 31-12-2022
+ Introduced support for eBPF for all daemons: if SO_REUSEPORT is
supported by the OS and eBPF support is compiled in, this allows
to load a custom load-balancer. To load-share, daemons have to
be part of the same cluster_name and each be configured with a
distinct cluster_id.
+ Introduced support for listening on VRF interfaces on Linux for
all daemons. The feature can be enabled via nfacctd_interface,
bgp_daemon_interface and equivalent knobs. Many thanks to
Marcel Menzel ( @WRMSRwasTaken ) for this contribution.
+ pre_tag_map: introduced limited tagging / labelling support for
BGP (pmbgpd), BMP (pmbmpd), Streaming Telemetry (pmtelemetryd)
daemons. ip, set_tag, set_label keys being currently supported.
+ pre_tag_map: defined a new pre_tag_label_encode_as_map config
knob to encode the output 'label' value as a map for JSON and
Apache Avro encodings, ie. in JSON "label": { "key1": "value1",
"key2": "value2" }. For keys and values to be correctly mapped,
the '%' delimiter is used when composing a pre_tag_map, ie.
"set_label=key1%value1,key2%value2 ip=0.0.0.0/0". Thanks to
Salvatore Cuzzilla ( @scuzzilla ) for this contribution.
+ pre_tag_map: introduced support for IP prefixes for src_net
and dst_net keys for indexed maps (maps_index set to true).
Indexing being an hash map, this feature currently tests data
against all defined IP prefix lenghts in the map for a match
(first defined matching prefix wins).
+ pre_tag_map: introduced two new 'is_nsel', 'is_nel' keys to
check for the presence of firewallEvent field (233) and
natEvent field (230) in NetFlow/IPFIX respectively in order
to infer whether data is NSEL / NEL. If set to 'true' this
does match NSEL / NEL data, if set to 'false' it does match
non NSEL / NEL data respectively.
+ Introduced a new mpls_label_stack primitive, encoded as a
string and includes a comma-separated list of integers (label
values). Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this
contribution.
+ Introduced a new fw_event primitive, to support NetFlow v9/
IPFIX firewallEvent 233 Information Element.
+ Introduced a new tunnel_tcp_flags primitive for pmacctd and
sfacctd to record TCP flags for the inner layer of a tunneled
technology (ie. VXLAN). Also tunnel_dst_port decoding was
fixed for sfacctd.
+ Introduced support for in/out VLAN support for sfacctd. To be
savy, 'in_vlan' and 'vlan' were muxed onto the same primitive
depending on the daemon being used. Thanks to Jim Westfall
( @jwestfall69 ) for this contribution.
+ Introduced a new mpls_label_stack_encode_as_array config knob
to encode the MPLS label stack as an array for JSON and Apache
Avro encodings, ie. in JSON "mpls_label_stack": [ "0-label0",
"1-label1", "2-label2", "3-label3", "4-label4", "5-label5" ]
and in Avro "name": "mpls_label_stack", "type": { "type":
"array", "items": { "type": "string" } }. Thanks to Salvatore
Cuzzilla ( @scuzzilla ) for this contribution.
+ Introduced a new tcpflags_encode_as_array config knob to encode
TCP flags as an array for JSON and Apache Avro, ie. in JSON
"tcp_flags": [ "URG", "ACK", "PSH", "RST", "SYN", "FIN" ] and
in Avro "name": "tcp_flags", "type": { "type": "array",
"items": { "type": "string" } }. Thanks to Salvatore Cuzzilla
( @scuzzilla ) for this contribution.
+ Introduced a new fwd_status_encode_as_string config knob to
encode the 'fwd_status' primitive in human-readable format
like described by RFC-7270 Section 4.12 when JSON or Avro
formats are selected for output. Thanks to Salvatore Cuzzilla
( @scuzzilla ) for this contribution.
+ Introduced a new protos_file to define a list of (known/
interesting/meaningful) IP protocols. Both protocol names, ie.
"tcp", and protocol numbers, ie. 1 (for icmp), are accepted.
IANA reserved protocol value 255 is used to bucket as 'others'
those IP protocols not matching the ones defined in the list.
+ Introduced a new tos_file to define a list of (meaningful) IP
ToS values; if tos_encode_as_dscp is set to true then DSCP
values are expected as part of the file. The directive uses
value 255 to bucket as 'others' those ToS/DSCP values not
matching the ones defined in the list.
+ A new tos_encode_as_dscp config knob makes pmacct to honour
only the 6 bits used by DSCP and report only on those.
+ BGP, BMP, Streaming Telemetry daemons: introduced a new
dump_time_slots config knob to spread the load deriving by
dumps over the configured refresh time interval. The interval
is divided into time slots and nodes are assigned to such
slots. The slot for each node is determined using its IP
address. Thanks to Raphael Barazzutti ( @rbarazzutti ) for
this contribution.
+ BGP, BMP daemons: End-of-RIB messages are now being exposed
in the output feed in order to facilitate tracking their
arrival (or not!).
+ pmtelemetryd: aligned daemon to the latest Unyte UDP-Notif API
(0.6.1) and related standardization draft-ietf-netconf-udp-notif
+ RPKI daemon: added case for input "asn" value being integer (ie.
"asn" : 2914) on top of the string case (ie. "asn" : "AS2914").
+ Kafka, amqp plugins: introduced a new writer_id_string config
knob to allow to customize the the "writer_id" field value. A
few variables are supported along with static text definitions.
+ Added a new aggregate_unknown_etype config knob to account also
frames with EtherTypes for which there is no decoding support
and allow to aggregate them by the available Ethernet L2 fields
(ie. 'src_mac', 'dst_mac', 'vlan', 'cos', 'etype'). Thanks to
@singularsyntax for this contribution.
+ Added a new bgp_daemon_add_path_ignore config knob to ignore
(do not advertise back) the ADD-PATH capability advertised by
remote BGP peers.
+ nfacctd, sfacctd: extended the possibility to run daemons from
a user with non root privileges to these daemons.
+ nfacctd: if Information Element 90 (MPLS VPN RD) is present in
NetFlow v9/IPFIX, make it available for BGP/BMP correlation.
+ pmacctd, sfacctd: introduced basic support for QinQ, 802.1AD.
+ [print|kafka|amqp]_preprocess: added suppport for 'maxp',
'maxb' and 'maxf' keys when preprocessing aggregates of non-
SQL plugins. Thanks to Andrew R. Lake ( @arlake228 ) for this
contribution.
+ nDPI: newer versions of the library (ie. >= 4.0) bring changes
to the API. pmacct is now aligned to compile against these. At
the same time support for nDPI 3.x was dropped.
! fix, plugin_common.[ch]: when stitching feature was enabled,
ie. nfacctd_stitching, timestamp_min was never reset. Also both
timestamp_min and timestamp_max were clamped to sec granularity.
! fix, BGP, BMP daemons: added a tmp_bgp_daemon_origin_type_int to
print out BGP "origin" field as int (legacy behaviour) instead
of string (current behaviour). In a future major release the
legacy behaviour will be dropped.
! fix, BGP, BMP daemons: MPLS labels are now encoded in both JSON
and Apache Avro as 'mpls_label' instead of 'label'. This is to
align behaviour with pre_tag_map where 'label' has a different
semantic.
! fix, BGP, BMP daemons: resolved memory leak when encoding log
messaging (logmsg) in Avro format with Schema Registry support.
! fix, BGP daemon: improved handling of ADD-PATH capability,
making it per-AF (as it is supposed to be) and not global.
! fix, BMP daemon: now checking that ADD-PATH capability is
enabled at both ends of the monitored session (check both BGP
OPEN in a Peer Up message) in order to infer that the capability
exchange was successful. Also some heuristics were added to
conciliate BGP Open vs BGP Update 4-bytes ASN reality.
! fix, nfacctd: improved parsing of NetFlow v9 Options data
particularly when multiple IEs are packed as part of a flowset.
! fix, nfacctd: corrected parsing of Information Element 351
(layer2SegmentId).
! fix, pmacctd: improved processing of pcap_interfaces_map for
cases where the same interface is present multiple times (maybe
with different directions). Also, if the map is empty then bail
out at startup.
! fix, pmacctd: SEGV when ICMP/ICMPv6 traffic was processed and
'flows' primitive was enabled.
! fix, pmacctd: sampling_rate primitive value was not reported
correctly when 'sampling_rate' config directive was specified.
! fix, pmbgpd, pmpmbd, pmtelemtryd: changed SIGCHLD handler to
prevent zombification of last spawned data dump writer.
! fix, Kafka plugin: moved the schema registration from the dump
writer to the plugin process in order to register the schemas
only once at plugin startup and not on every start of a writer
process. Thanks to Uwe Storbeck ( @ustorbeck ) for this
contribution.
! fix, Kafka plugin: a check for kafka_partition was missing,
leading the plugin to always use the default partitioner
instead of sending data to the configured fixed partition.
Thanks to Martin Pels ( @rodecker ) for this contribution.
! fix, nfprobe plugin: BGP data enrichment was not working due to
a mistakenly moved pointer.
! fix, sfprobe plugin: AS-PATH was being populated even when null;
added a check to see if the destination AS is not zero in order
to put the destination AS into the AS-PATH for sFlow packets.
Thanks to Marcel Menzel ( @WRMSRwasTaken ) for this contribution.
! fix, networks_file: remove_dupes() was making partial commits
of valid rows hence creating data inconsistencies.
! fix, pre_tag_map: resolved a potential string overflow that was
being triggered in pretag_append_label() when data would be
assigned more than one single label. Also now allow ',' chars
in set_label.
! fix, maps_index: uninitialized var could cause SEGV in case no
results are found in the map index. Also introduced support for
catch-all rules, ie. "set_label=unknown".
! fix, maps_index: optimized the case of no 'ip' key specified
(for nfacctd and sfacctd): when indexing is enabled, prevent
recirculation from happening, ie. test v4 first then v6, since
the 'ip' key is not going to be part of the hash serializer.
! fix, pretag.c: allow to allocate maps greater than 2GB in size.
Also several optimizations were carried out yelding to a better
memory utilization for allocated maps along with improved times
to resolve JEQs.
! fix, pre_tag_label_filter: optimized and improved runtime
evaluation part of this feature, avoiding a costly strdup() and
returning immediately on certain basic mismatch conditions.
! fix, kafka_common.[ch]: a new p_kafka_produce_data_and_free()
is invoked to optimize memory allocations and releases.
! fix, plugin_cmn_avro.c: when a schema registry is being defined,
ie. kafka_avro_schema_registry, the logic to generate the schema
name has been changed: use topic plus record name as the schema
name, use underscore as separator within the record name, stop
adding a "-value" suffix. Thanks to Uwe Storbeck ( @ustorbeck )
for this contribution.
! fix, util.c: roundoff_time() to reason always with the locally
configured time, like for the rest of functional (as in non-data)
timestamps, ie. refresh time, deadline, etc.
! fix, log.c: when log messages are longer than message buffer,
the message gets cut off. As the trailing newline also gets cut
off the message will be concatenated with the following message
which makes the log hard to read. Thanks to Uwe Storbeck
( @ustorbeck ) for this contribution.
- Completed the retirement of legacy packet classification based
on home-grown code (Shared Objects) and the L7 layer project.
- Removed the mpls_stck_depth primitive due to the introduction
of the mpls_label_stack primitive.
1.7.7 -- 07-11-2021
+ BGP, BMP, Streaming Telemetry daemons: introduced parallelization
of dump events via a configurable amount of workers where the unit
of parallelization is the exporter (BGP, BMP, telemetry exporter),
ie. in a scenario where there are 4 workers and 4 exporters each
worker is assigned one exporter data to dump.
+ pmtelemetryd: added support for draft-ietf-netconf-udp-notif:
a UDP-based notification mechanism to collect data from networking
devices. A shim header is proposed to facilitate the data streaming
directly from the publishing process on network processor of line
cards to receivers. The objective is a lightweight approach to
enable higher frequency and less performance impact on publisher
and receiver process compared to already established notification
mechanisms. Many thanks to Alex Huang Feng ( @ahuangfeng ) and the
whole Unyte team.
+ BGP, BMP, Streaming Telemetry daemons: now correctly honouring the
supplied Kafka partition key for BGP, BMP and Telemetry msg logs
and dump events.
+ BGP, BMP daemons: a new "rd_origin" field is added to output log/
dump to specify the source of Route Distinguisher information (ie.
flow vs BGP vs BMP).
+ pre_tag_map: added ability to tag new NetFlow/IPFIX and sFlow
sample_type types: "flow-ipv4", "flow-ipv6", "flow-mpls-ipv4" and
"flow-mpls-ipv6". Also added a new "is_bi_flow" true/false key to
tag (or exclude) NSEL bidirectional flows. Added as well a new
"is_multicast" true/false config key to tag (or exclude) IPv4/IPv6
multicast destinations.
+ maps_index: enables indexing of maps to increase lookup speeds on
large maps and/or sustained lookup rates. The feature has been
remplemented using stream-lined structures from libcdada. This is
a major work that helps preventing the unpredictable behaviours
caused by the homegrown map indexing mechanism. Many thanks to
Marc Sune ( @msune ).
+ maps_index: support for indexing src_net and dst_net keywords has
been added.
+ Added <daemon_name>_ipv6_only config directives to optionally
enable the IPV6_V6ONLY socket option. Also changed the wrong
setsockopt() IPV6_BINDV6ONLY id to IPV6_V6ONLY.
+ Added log function to libserdes to debug transactions with the
Schema Registry when kafka_avro_schema_registry is set.
+ nDPI: newer versions of the library (ie. >= 3.5) bring changes
to the API. pmacct is now aligned to compile against these.
+ pmacctd: added pcap_arista_trailer_offset config directive since
Arista has changed the structure of the trailer format in recent
releases of EOS. Thanks to Jeremiah Millay ( @floatingstatic )
for his patch.
+ More improvements carried out on the Continuous Integration
(CI) side by migrating from Travis CI to GitHub Actions. Huge
thanks to Marc Sune ( @msune ) to make all of this possible.
+ More improvements also carried out in the space of the Docker
images being created: optimized image size and a better layered
pipeline. Thanks to Marc Sune ( @msune ) and Daniel Caballero
( @dcaba ) to make all of this possible.
+ libcdada shipped with pmacct was upgraded to version 0.3.5. Many
thanks Marc Sune ( @msune ) for his work with libcdada.
! build system: several improvements carried out in this area,
ie. improved MySQL checks, introduced pcap-config tool for
libpcap, compiling on BSD/old compilers, etc. Monumental thanks
to Marc Sune ( @msune ) for his continued help.
! fix, nfacctd: improved euristics to support the case of flows
with both IPv4 and IPv6 source / destination addresses (either
or populated). Also improved euristics to distinguish event data
vs traffic data in NetFlow v9/IPFIX from Cisco 9300/9500, ASA
firewalls and Cisco 4500X.
! fix, nfacctd: improved support for initiatorOctets (IE #231) and
responderOctets (IE #232). Thanks to Esben Laursen ( @hyberdk )
for reporting the issue.
! fix, nfacctd: in NF_mpls_vpn_id_handler() double ntohl() calls
were applied for the case of 'vrfid'-encoded mpls_vpn_rd field.
! fix, sfacctd: wrong ethertype set for VLAN-tagged, MPLS-labelled
IPv6 traffic. Impacting BGP resolution among others. Thanks to
Jeremiah Millay ( @floatingstatic ) for his help resolving the
problem.
! fix, BGP, BMP daemons: parsing improvements: added a check for
BGP Open message and BGP Open Options lengths. Strengthened
parsing of Peer Up, Route Monitoring and Peer Down v4 messages.
! fix, BGP, BMP daemon: when using Avro encoding and Avro Schema
Registry, attempt to reconnect if serdes schemas are voided.
Also now checking for serdes schema definitions before doing a
serdes_schema_serialize_avro() to avoid triggering a SEGV.
Finally improved serdes logging.
! fix, BGP, Streaming Telemetry daemons: in daemon logs, summary
counters for amount of tables / entries dumped were wrong.
! fix, BGP daemon: distinguish among null and zero value AIGP
and Prefix SID attributes. Same applies for Local Preference
and MED attributes.
! fix, BMP daemon: resolved a memory leak in bgp_peers_free().
Thanks to Pether Pothier ( @pothier-peter ) for his patch. Also
resolved a leak caused by an invalid BGP message contained in a
BMP Route Message v4.
! fix, BMP daemon: correctly setting peer_ip and peer_tcp_port
JSON fields for Term messages. Also the correct bmp_router
value when bmp_daemon_parse_proxy_header feature is enabled.
! fix, BMP daemon: several encoding issues when using Apache Avro
ie. u_int64_t now correctly encoded with avro_value_set_long(),
certain u_int32_t fields switched to avro_value_set_long() due
to lack of unsignedness in Avro encoding, improved various
aspectes of Avro-JSON format output, etc.
! fix, pmtelemetryd: wrong parsing of pm_tfind() output was
leading to mistaken data attribution of UDP-based peers (always
first peer to connect was being picked).
! fix, pmtelemetryd: when set, the pidfile config directive was
not being correctly honoured.
! fix, RPKI: the RTR PDU element for maxLength is uint8, therefore
it might have been possible to transmit incorrect RTR data.
Thanks to Job Snijders ( @job ) for his patch.
! fix, SQL plugins: amended the text composition of SQL queries
that are involving latitude and longitude keys.
! fix, MySQL plugin: check for 'unix:' prefix string only when a
sql_host configuration directive is specified.
! fix, nfprobe: modernized Application Information export. Until
the previous release pmacct was adhering to aging NBAR model
whereas now NBAR2 has been implemented. Thanks to Rob Cowart
( @robcowart ) for helping out resolving this issue.
! fix, tee plugin: restored usefulness of tee_source_ip which was
broken in 1.7.6. Thanks to Jeremiah Millay ( @floatingstatic )
for reporting the issue.
! fix, maps_index: indexing of mpls_pw_id was broken. Also now,
when the feature is enabled, actual data is being referenced in
the index structure instead of creating a copy of it; thanks to
Sander van Delden ( @SanderDelden ) for reporting the memory
leak that was resulting from the copy.
! fix, kafka_common.c: solved memory leak in p_kafka_set_topic()
when Kafka session was getting in down state. Many thanks to
Peter Pothier ( @pothier-peter ) for nailing the issue.
! fix, net_aggr.[ch]: when a networks_file is specified in the
config, gracefully handle max memory structure depth; added
also de-duplication of entries.
! fix, pmacct-defines.h: if PCAP_NETMASK_UNKNOWN is not defined,
ie. in libpcap < 1.1.0, let's define it.
! fix, SO_REUSEPORT feature was being restricted to Linux only in
previous releases: now it has been unlocked to all other OS that
do support the feature.
! fix, split SO_REUSEPORT and SO_REUSEADDR setsockopt() calls.
Thanks to @eduarrrd for reporting and resolving the issue.
! fix, several code warnings catched gcc9 and clang.
- Obsoleted sql_history_since_epoch, pre_tag_map_entries and
refresh_maps configuration directives.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 3 Apr 2023 12:07:17 +0000 (14:07 +0200)]
xfsprogs: Update to version 6.2.0
- Update from version 6.1.1 to 6.2.0
- Update of rootfile not required
- Changelog
There is no changelog in the source tarball or in the kernel site where the source
tarballs are available from. The only sourec of change info is the git commit log
https://git.kernel.org/pub/scm/fs/xfs/xfsprogs-dev.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 3 Apr 2023 12:07:16 +0000 (14:07 +0200)]
housekeeping: removal of menu items for no longer available addons
- removal of EX-addonsvc.menu entry in config/menu/ as the lfs file for this could not be
found in the IPFire git repo all the way back to CU30
- removal of EX-addonsvc.menu, EX-asterisk.menu and EX-bluetooth.menu which are no longer
in IPfire for two years or longer.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 20:17:36 +0000 (22:17 +0200)]
bird: Update to version 2.0.12
- Update from version 2.0.11 to 2.0.12
- Update of rootfile
- Changelog
Version 2.0.12 (2023-01-23)
o Filter: New 'onlink' route attribute
o Compile-time option to use 4-way tries instead of 16-way ones
o BSD: Support for kernel route metric and other improvements
o Important bugfixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 20:17:34 +0000 (22:17 +0200)]
bash: Update version to 5.2 with patches 1 to 15
- Update from version 5.2 patches 1-9 to 5.2 patches 1-15
- Update of rootfile not required
- Changelog
bash52-015
There are several cases where bash is too aggressive when optimizing out forks
in subshells. For example, `eval' and traps should never be optimized.
bash52-014
Bash defers processing additional terminating signals when running the
EXIT trap while exiting due to a terminating signal. This patch allows the
new terminating signal to kill the shell immediately.
bash52-013
Bash can leak memory when referencing a non-existent associative array
element.
bash52-012
When running in bash compatibility mode, nested command substitutions can
leave the `extglob' option enabled.
bash52-011
Using timeouts and readline editing with the `read' builtin (read -e -t) can
leave the readline timeout enabled, potentially resulting in an erroneous
timeout on the next call.
bash52-010
Bash-5.2 checks the first 128 characters of an executable file that execve()
refuses to execute to see whether it's a binary file before trying to
execute it as a shell script. This defeats some previously-supported use
cases like "self-executing" jar files or "self-uncompressing" scripts.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 20:17:33 +0000 (22:17 +0200)]
aws-cli: Update to version 1.27.100
- Update from version 1.23.12 to 1.27.100
- Update of rootfile
- Changelog is over 2000 lines long. For details please see the CHNGELOG.rst file in the
source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 20:17:32 +0000 (22:17 +0200)]
automake: Update to version 1.16.5
- Update from version 1.16.3 to 1.16.5
- Update of rootfile not required
- Chyangelog
New in 1.16.5:
* Bugs fixed
- PYTHON_PREFIX and PYTHON_EXEC_PREFIX are now set according to
Python's sys.* values only if the new configure option
--with-python-sys-prefix is specified. Otherwise, GNU default values
are used, as in the past. (The change in 1.16.3 was too incompatible.)
- consistently depend on install-libLTLIBRARIES.
* Distribution
- use const for yyerror declaration in bison/yacc tests.
New in 1.16.4:
* New features added
- The PYTHON_PREFIX and PYTHON_EXEC_PREFIX variables are now set from
Python's sys.prefix and sys.exec_prefix; use the new configure options
--with-python_prefix and --with-python_exec_prefix to specify explicitly.
- Common top-level files can be provided as .md; the non-md version is
used if both are present:
AUTHORS ChangeLog INSTALL NEWS README README-alpha THANKS
- CTAGS, ETAGS, SCOPE variables can be set via configure.
- Silent make output for custom link commands.
- New option "no-dist-built-sources" skips generating $(BUILT_SOURCES)
before building the tarball as part of "make dist", that is,
omits the dependency of $(distdir): $(BUILT_SOURCES).
* Bugs fixed
- automake output more reproducible.
- test-driver less likely to clash with tests writing to the same file.
- DejaGnu tests always use the directory name, testsuite/, for
compatibility with the newer dejagnu-1.6.3 and with prior versions.
* Distribution
- config.sub and config.guess updates include restoration of `...`
for maximum portability.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 11:48:52 +0000 (13:48 +0200)]
ghostscript: Update to version 10.01.1
- Update from version 10.0.0 to 10.01.1
- Update of rootfile
- Changelog highlights is only shown in the website. For more details of the changes made
you bhave to go and look at the commit log
https://git.ghostscript.com/?p=ghostpdl.git;a=shortlog;h=refs/heads/master
Version 10.01.0 (2023-03-22)
Highlights in this release include:
We've continued to improve the performance of the PDF interpreter written in
C and improve it's behaviour in edge and out-of-specification cases.
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental
improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 11:48:51 +0000 (13:48 +0200)]
arping: Update to version 2.23
- Update from version 2.21 to 2.23
- Update of rootfile not required
- Changelog
2.23
Notable changes:
* Work around VLAN bug in libpcap 1.7-1.9.0
* Linux: Experimental support for seccomp (off by default)
* Android: Don't attempt to use caps if header files missing
* OpenBSD: try lo0, not just lo, for interface fallback
* Made -P set target MAC address (-t)
2.22
Only real changes are to support newer version of unit test framework.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 11:48:50 +0000 (13:48 +0200)]
aprutil: Update to version 1.6.3
- Update from version 1.6.1 to 1.6.3
- Update of rootfile
- Changelog
1.6.3
*) Correct a packaging issue in 1.6.2. The contents of the release were
correct, but the top level directory was misnamed.
1.6.2
*) SECURITY: CVE-2022-25147 (cve.mitre.org)
Integer Overflow or Wraparound vulnerability in apr_base64 functions
of Apache Portable Runtime Utility (APR-util) allows an attacker to
write beyond bounds of a buffer.
*) Teach configure how to find and build against MariaDB 10.2. PR 61517
[Kris Karas <bugs-a17 moonlit-rail.com>]
*) apr_crypto_commoncrypto: Remove stray reference to -lcrypto that
prevented commoncrypto being enabled. [Graham Leggett]
*) Add --tag=CC to libtool invocations. PR 62640. [Michael Osipov]
*) apr_dbm_gdbm: Fix handling of error codes. This makes gdbm 1.14 work.
apr_dbm_gdbm will now also return error codes starting with
APR_OS_START_USEERR, as apr_dbm_berkleydb does, instead of always
returning APR_EGENERAL. [Stefan Fritsch]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 11:48:49 +0000 (13:48 +0200)]
amazon-ssm-agent: Update to version 3.2.582.0
- Update from version 3.0.356.0
- Update of rootfile not required
- Changelog
3.2.574.0
- Fixed go-vet issues by passing mocks by value
- Updated domainjoin and cloudwatch executables for windows
3.2.532.0
- Removed explicit setting of EC2 aws credential profile
- Added public key to registration info
- Sends non-interactive command errors that occur before command execution to data channel
- Added instance id verification to registration process
3.2.419.0
- Added minimum retry sleep for Registrar RegisterManagedInstance calls
- Explicitly skip AZ info check for on-prem and ECS targets
- Fix for SSM-Agent that is unable to start on Apple Mac M1's (mac2.metal instances)
- Ensuring powershell path is set to system directory on Windows
- Load DLLs with using system/absolute paths on Windows
- Added workaround for Samba limit when loading Active Directory ids
- Dynamically get network interface name for SeamlessDomainJoin
- Added install-yum-rpm to makefile to install agent on host from source code
- Added logging for specifying credential source
- Refactored tests to remove mocks from production binaries
- Updated Windows DomainJoin plugin SharpZipLib and Newtonsoft.json dependencies
3.2.345.0
- Updated yaml.v3 dependency
3.2.286.0
- Separated EC2 identity vault manifest from OnPrem identity vault manifest
- Fix for credential retrieval blocking os termination signals
- Fix for agent updater using shared credentials on EC2
- Added guards against panic for agent identity health checks
- Added logging around agent module start/stop
3.2.183.0
- Added logging when assuming identity
- Increased retries to ECS metadata endpoint
- Added linux debug build to makefile
- Implemented aws sdk logging interface
- Updated agent minor version to 3.2
- Added functionality to retrieve agent credentials from Systems Manager on EC2
3.1.1927.0
- Update shell for Session Manager on MacOS
3.1.1856.0
- Lower message length threshold for cloudwatch log streaming
- Ran gofmt and goimports with golang version 1.19
- Report AvailabilityZone and AvailabilityZoneId in health pings
- Update AWS Go SDK to v1.44.78
3.1.1767.0
- Fix samba configuration for sub-domains
3.1.1732.0
- Add code in document/session worker to fallback to default identity selector when runtime config not present
- Fix to handle command-line-arguments in document/session worker when launched by old agent workers
3.1.1634.0
- Fallback to file based IPC if named pipe creation times out
- Increase tls handshake timeout in http download client
- Log mds client timeout errors as WARN
3.1.1575.0
- Added separate metric for snapd running apps failure during update
- Fixed idle session timeout with smux keep alive configuration based on CLI version
- Updated AgentTaskComplete message retry
- Updated go version to 1.18.3
3.1.1511.0
- Collect kernel version in InstanceDetailedInformation
- Support separate output stream for non-interactive session
- Cleanup default log group name for runcommands
- Updated rpm spec file to include build id
3.1.1476.0
- Fix port session premature close when local server is not connected before timeout
3.1.1446.0
- Add created date to AgentJobAck message
- Disable smux keep alive to use idle session timeout feature
- Fix unit-tests running on windows
3.1.1374.0
- Added timeout for s3 HEAD requests
- Added vpc address deny to port forwarding
- Fixed for reboot scenario in configure package plugin
- Fixed goroutine leak in seelog library
- Fixed nullpointer segmentation fault in configure package plugin
- Improved error handling in manifest download in updater
- Improved worker initialization to improve startup failure logging
3.1.1260.0
- Added missing check for invalid S3 path parameter
- Added support for domain join using a non-local username
- Fixed broken links in README.md
- Fixed ECS Exec issue where agent was using environment variables for credentials
- Updated Ec2Detector test to query smbios directly for system information
3.1.1208.0
- Updated ec2detector module to use Get-CmiInstance instead of wmic.exe
- Fixed file creation mode of ssm-agent-users sudoer file
3.1.1188.0
- Added new ec2detector module to determine if agent is on EC2
- Added support for port forwarding to remote host
- Added quotes around inventory parameter ValueName on Windows
- Fix for domain join DNS IP assignments in shared directories
- Replaced namedpipe updater test with ec2detector test
3.1.1141.0
- Add application inventory by file for Bottlerocket
- Fix infinite retry logic to send failed replies in MGSInteractor
- Remove usage of io/fs package
3.1.1080.0
- (windows only) Remove symlink scan during update
3.1.1045.0
- Fixed sourceHash validation for aws:application document plugin
- Added document parameter validation for values passed to target document of aws:runDocument plugin
- (windows only) Fix process leak when legacy cloudwatch plugin is enabled
- (windows only) Fail installation if C:\ProgramData\Amazon\SSM\ has symlinks
3.1.1004.0
- Added platform detection for Bottlerocket OS
- Consolidated regional endpoint generation to common endpoint module
3.1.941.0
- Added support for Rocky linux
- Fixed sharefile/shareprofile not being propagated to updateutil
- Fixed incorrect darwin platform detection post BigSur
- Fixed log flush issue in updater
- Updated .NET dependencies for domainjoin and cloudwatch (windows only)
- Updated go version to 1.17.6
3.1.821.0
- Implement new core module named MessageService to start processing commands from both MGS and MDS
- Merge functionalities from RunCommandService core module and Session core module.
- Receive run command documents through MGS if connected and fallback to MDS otherwise. This functionality requires appropriate permissions for both endpoints and will be rolled out gradually to end users.
- Provide filesystem based idempotency check to avoid duplicate run command document execution.
- Increase default run command pool buffer size from 1 to 5 to load additional documents before-hand for processing.
- Fix nil pointer deference panic produced in named pipe test case during agent update
- Remove StopType concept in ssm-agent-worker and add different waits for reboot and shutdown stop
3.1.804.0
- Add support for upstart when running get-diagnostic command using ssm-cli
- Fix systemctl service name to support older versions of systemctl
- Include changes to facilitate testing
- Update DNS server selection logic for seamless domain join on linux and darwin
- Update go version to go1.17.5
- Update golang sys package dependency
3.1.715.0
- Derive default directories from appconfig on Darwin
- Set x-bit on newly-created directories
3.1.634.0
- Fix for ssm-setup-cli to be able to select service manager without the agent being installed
3.1.630.0
- Added greengrass component recipe for the new SystemsManagerAgent component
- Added support for registering agent on a greengrass device
- Added support for downloading more than 1000 objects in downloadContent
- Fixed retry logic for onprem and s3 upload
- Fixed unit tests when running on Mac
- Update AWS SDK to v1.41.4
- Update logic to retrieve platform details for Rocky Linux
3.1.501.0
- Add diagnostics command to ssm-cli
- Fix caching for onprem credentials
- Additional configuration options for Seamless Domain Join
- Gracefully exit session if group of runas user is modified
- Skip retries for cert validation errors in S3 HEAD requests
- Fix DNS failures on CentOS 8.2
- Update several dependencies
3.1.459.0
- Fixed a bug with powershell command for Inventory
3.1.426.0
- Fixed cpu spike issue manifesting on snap
- Fixed issue with version comparison in EC2Config update plugin
- Fixed panic when command output was being truncated
- Updated build to use go1.16.8
- Removed Profile from inventory powershell commands on Windows
3.1.338.0
- Fix to eliminate WaitGroup reuse panic triggered during agent reboot
- Fix to include applications without UninstallString in Inventory for Windows
- Fixed a bug where multi-plugin documents with large outputs would timeout RunCommand
- Fixed a bug where RunCommand could delay executions for up to 15 minutes
3.1.282.0
- Add serial port logging of AwsNitroEnclaves package version on windows during startup
- Allow usage of existing loggroup/logstream when the user does not have create permission
- Change service interrogate request log to debug
- Cleanup old surveyor channel files on startup
- Fix filehandle leak in windows leading to agent going offline
- Fix to schedule correct next run time during orchestration directories cleanup
- Fix to sequentially update correct runcount value in the document bookkeeping file
- Fix a bug with version parsing EC2Config updater
- Updated rpm packaging for fips compliance
3.1.192.0
- Added darwin arm64 to makefile
- Added logic to limit orchestration directory cleanup
- Added packaging for public SSM Agent container image
- Fixed cloudwatch endpoint for telemetry metrics requests
- Fixed handling of Windows filepaths and mutex locks
- Fixed agent worker handling of OS signals and termination channel requests
- Updated datachannel retry strategy to not retry for a specific error scenario
- Updated default gomaxproc value for Windows
- Update build to use go1.16.6
3.1.127.0
- Added a workaround for windows random halts
- Fixed race condition during reboot document execution
3.1.90.0
- Updated to version 3.1
- Updated build to build statically linked binaries for linux 64bit
- Minimum supported linux kernel version for linux 64bit is 3.2+
- Fixed permissions for docker config file
- Fixed issue with ubuntu prerm and postinst scripts
- Fixed issue where processor stop was being called twice
3.0.1390.0
- Added config option to delete orchestration folder
- Added snapcraft packaging config
- Added workaround for aws:runDocument status bug
- Added improved handling of file closure
- Added support for go mod and updated build to use go 1.16.4
- Fixed bug parsing vpce s3 urls
- Refactored use of agent identity in agent cli
- Updated check if agent is running as windows service
- Updated handling of session cancellation to still send output to client side
- Updated interactive session exit code logic to match non-interactive mode
- Updated vendor dependencies
3.0.1295.0
- Added configurable custom identity and identity consumption order
- Added cross-account domain join
- Added cleanup for older versions of updater artifacts
- Added a workaround for MacOS kernel bug that sometimes kept RunCommand from launching
- Added a workaround for log file contention on Windows
- Added synchronization to RunCommand service stop
- Changed hibernation log level
- MacOS executables are now signed
- Removed delay in non-interactive session type
3.0.1209.0
- Fixed issue where registration file is not removed when registration is cleared
- Removed unnecessary CloudWatch Log api calls
- Added support for IMDSv2 in Windows AD domain join plugin
3.0.1181.0
- Added support for digest authorization in downloadContent plugin
- Added missing defer close for windows service in updater
- Added support to disable onprem hardware similarity check
- Fixed windows random halts issue
- Refactored windows startup
- Refactored task pool to dynamically dispatch goroutines
3.0.1124.0
- Added a check for broken symlink after update
- Added support for NonInteractiveCommands session type on Linux and Windows platforms
- Added lint-all flag to makefile
- Changed Inventory plugin billinginfo to use IMDSv2
- Fixed indefinite retries for ResourceError during CWLogging
- Fixed go vet call in checkstyle.sh
- Fixed inter process communication log line
- Fixed a bug where CloudWatch logs were not being uploaded
- Fixed timer and goroutine leaks
- Fixed an issue where document workers on Windows were not exiting
3.0.1031.0
- Added test-all flag to the makefile
- Added support for onprem private key auto rotation
- Added config to remove plugin output files after upload to s3
- Added update precondition for upcoming 3.1 release
- Fixed cloudwatch windows where TLS 1.0 is disabled
- Fixed document cloudwatch upload when CreateLogStream permissions were missing left instances stuck in terminating
- Fixed domain join windows EC2 instances where TLS 1.0 is disabled
- Fixed domain join script for .local domain names
- Fixed domain join script to exit when domain is already joined
- Fixed panic issue in windows startup script when executing powershell command
- Fixed session manager issue on MacOS for root and home path
- Removed IMDS call in domain join script
- Refactored update plugin and updater interaction
3.0.882.0
- Added jitter to first control channel call
- Added dedicated folder for plugins
- Added option to overwrite corrupt shared credentials
3.0.854.0
- Added $HOME env variable for root user when runAsElevated is true in session
- Added CREAD flag in serial port control flags on linux
- Added PlatformName and PlatformVersion as env variables for aws:runShellScript
- Added support for macOS updater
- Added v2.2 document support in updater
- Added defer recover statements
- Fixed inventory error log when dpkg is not available
- Fixed ssm-cli logging to stdout
- Removed consideration of unimportant error codes in service side
- Updated ec2 credential caching time to ~1 hour
- Updated service query logic for Windows
- Updated golang sys package dependency
3.0.755.0
- Fix fallback logic for MGS endpoint generation
- Fix regional endpoint generation
3.0.732.0
- Fix bug in document parameter expansion
- Fix datachannel to wait for empty message buffer before closing
- Fix for hung Session Manager sessions
- Fix for folder permission issue in domain join
- Refactor identity handling
- Update session plugin to pause reading when datachannel not actively sending data
- Update ssm-user creation details in README.md
3.0.655.0
- Add feature to retain hostname during domain join
- Add delay to pty start failure for session-worker
- Add nil pointer check on shell command for session-worker
- Add shlex to vendor which is used to parse session interactive command input for session-worker
- Change log level for IPC not readable message
- Change v2 agent to use v3 agent executor
- Fix network connectivity issues on RHEL8
- Fix race condition where first message is dropped when session plugin's message handler is not ready
- Fix file channel protocol test cases
- Fix blocking http call when certificates are not available
- Move aws cli installation out of /tmp for domain join plugin
- Update boolean attributes in Session Document to accept both string and bool values
- Upgrade vendor dependencies and build to use go1.15.7
3.0.603.0
- Added instruction to README.md for getting the latest version of SSM Agent in a specific region
- Fix for PowerShell stream data being executed in reverse order
- Fix to create update lock folder before creating update locks
- Fix to reset ipcTempFile properties at the end of session
3.0.529.0
- Fix for encrypted s3 bucket upload
3.0.502.0
- Add agent version flag to retrieve agent version
- Add onFailure/onSuccess/finallyStep support for plugins
- Add SSE header for S3 Upload
- Add SSM Agent support in MacOS
- Extend use of default http transport
- Fix for Agent not aquiring new instance role credentials after EC2 hibernation
- Fix for shell profile powershell commands not being executed in the expected order
- Fix to delete undeleted channel while using reboot document
- Fix to consider status of all plugin steps in document after system restart
- Fix bug capturing rpm install exit code
- Handle sourceInfo json sent from CLI in downloadContent plugin
- Optimize agent startup time by removing additional wait times
- Refactor makefile
- Replace master branch with mainline branch
- Upgrade aws-sdk-go to latest version(v1.35.23)
3.0.431.0
- Use DefaultTransport as underlying RoundTripper for S3 access
3.0.413.0
- Add additional checks and logs to install scripts
- Add retry logic to handle ssm document during reboot
- Add dockerfile to build agent
- Add script to package binaries to tar
- Change default download directory on Linux to /var/lib/amazon/ssm
- Extend SSM Agent ability to execute from relative path and use custom certificates
- Fix IP address parsing in domain join plugin
- Fix self update logging
- Log fingerprint similarity check failures as ERROR and each changed machine property as WARN
- Prefix ecs target id with 'ecs:'
- Prefer non-link-local addresses to show in Console
- Use IMDSv1 after IMDSv2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 28 Mar 2023 11:48:48 +0000 (13:48 +0200)]
acpid: Update to version 2.0.34
- Update from version 2.0.32 to 2.0.34
- Update of rootfile
- Changelog
2.0.34 2022-09-15 Ted Felix <ted@tedfelix.com>
- 2.0.34 release
(configure.ac) (Ted Felix)
- Add MSG_CMSG_CLOEXEC for systems that are missing it.
(libnetlink.h libnetlink.c kacpimon/libnetlink.h
kacpimon/libnetlink.c)
(Fabrice Fontaine <fontaine.fabrice@gmail.com>)
- Fix a bug with input layer event table not working on 32-bit builds
with 64-bit time types. (input_layer.c) (Ted Felix)
- Use binary search to find input layer events in the table.
(input_layer.c) (Ted Felix)
- Use AC_PROG_CC instead of the obsolete AC_PROG_CC_STDC.
(configure.ac) (Ted Felix)
- Add support for more input layer events. (input_layer.c)
(Ted Felix)
2.0.33 2021-09-15 Ted Felix <ted@tedfelix.com>
- 2.0.33 release
(configure.ac) (Ted Felix)
- Detect newer GNOME power manager.
(powerbtn.sh) (Andrey Utkin <andrey_utkin@gentoo.org>)
- openrc-shutdown: Set shutdown time to 'now'.
(powerbtn.sh) (Jonathan Davies <jpds@protonmail.com>)
- Attempt to open input layer devices whose permissions have changed.
(inotify_handler.c) (Torsten Hilbrich <torsten.hilbrich@secunet.com>)
- Comments added.
(TESTPLAN inotify_handler.c) (Ted Felix)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 27 Mar 2023 21:27:09 +0000 (23:27 +0200)]
slang: Update to version 2.3.3
- Update from version 2.3.2 to 2.3.3
- Update of rootfile
- Changelog
2.3.3
1. src/slposdir.c: stat_file now support open file descriptors, in
addition to filenames.
2. src/sltoken.c: Ignore the \r character in multiline strings that
appear to have CRLF line terminators. (Manfred Hanke)
3. *.tm: minor documentation updates
4. src/slang.h: SLANG_VERSION_STRING was missing the "pre" prefix.
5. src/sltermin.c: Added support for TERMINFO_DIRS (based upon a patch
forwarded by Jörg Thalheim)
6. src/slarray.c: src/slarray.c: some integer overflow checks were
resulting undefined behavior (reported by Sergey)
7. modules/csv.sl: Strip leading/trailing whitespace from column names
8. src/slsmg.c,sldisply.c: Removed static buffers with sizes dependent
upon SLTT_MAX_SCREEN_ROWS/COLS in favor of dynamically allocated
ones.
9. modules/chksum-module: added CRC-8,16,32 checksums to the chksum module
10. modules/csv.sl: An error message in the form of a dollar-string
was not marked as such.
11. modules/csv.sl: Added support for empty CSV files
12. src/sltime.c: The timegm function will ignore the tm_wday and
tm_yday fields, and instead use the tm_mon and tm_mday fields.
13. modules/mkfiles/makefile.all: Added a target for chksum_crc.o for
win32/64 platforms (see change #9)
14. modules/chksum-module.c: The memset function was used with the
wrong structure size causing a buffer overflow on 32 bit systems.
15. src/terminfo/parsecaps.sl: Tweaked an auto-generated comment
produced by parsecaps.sl to produce a more deterministic build
(Ian Rogers).
16. src/slarray.c: Changed two instances of index errors to throw an
IndexError exception instead of InvalidParmError exception.
17. src/slposdir.c; The statvfs function was returning a struct with
duplicated f_bsize fields.
18. *.c: In switch statements, changed the /* drop */ comment to /*
fall through */ to avoid gcc-8 warnings.
19. modules/csv.sl: If a comment string appears at the start of a line
forming a multiline string, then treat it as part of the string.
20. slsh/lib/timestamp.sl: Added a function timestamp_parse that parses
strings such as `Thu May 14 18:05:05 2020` and returns the number
of seconds since the Unix epoch.
21. src/slregexp.c: Added \D (non-digit), \s (whitespace), and \S
(non-whitespace).
22. src/slstrops.c: Added a compiled regexp cache
23. src/slstdio.c: Added trim qualifier to the fgetlines intrinsic:
;trim=1 ==> trim trailing whitespace
;trim=2 ==> trim leading whitespace
;trim=3 ==> trim leading and trailing whitespace
24. slsh/lib/timestamp.sl: When matching a regexp to a timestamp,
start with the RE that was used in the previous match.
25. Another timestamp RE tweak to pickup additional irregular forms
26. modules/csv.sl: If a CSV file has a byte-order mark (BOM), ignore it.
27. src/sldisply.c: Increased the buffer size for the SLtt_tgoto
function to allow for larger terminfo strings
28. modules/Makefile.in: Added STATS_OBJS to the clean target
29. src/slstrops.c: The is_substr function was not handling a NULL
argument
30. slsh/lib/timestamp.sl: Corrected a regular expression for a
timestamp with "Z" as the timezone.
31. modules/csv-module.c: Fields with an embedded \r were not being
properly handled.
32. src/slarray.c: Improved the speed of multi-dimensional array
indexing by about a factor of 2
33. slsh/lib/timestamp.sl: The computation of leap days was incorrect
for some years
34. src/slang.h: Added `typedef void (*SLFVOID_STAR)(void)', which
will replace FVOID_STAR in version 3. The library code was
updated to use this.
35. slsh/lib/fswalk.sl: Added an optional callback argument to the
fswalk that is called when leaving a directory.
36. modules/termios-module.c: Avoid a potential problem with the
tcgetpgrp intrinsic in the unlikely case that sizeof(pid_t) is
larger than sizeof(int).
37. src/slarray.c: Simplified the range checking in the
linear_get_data_addr function and removed unused code.
38. Updated the copyright year
39. slsh/lib/fswalk.sl: Change #35 regression: The get_stat function
was being called with the wrong number of arguments.
40. src/slarith.c: Additional binary arithmetic optimizations involving
arrays of char and short.
41. src/slang.c,slarray.c: Added qualifier support to the array_map
function.
42. src/slang.c: Flagged the use of an uninitialized variable as soon
as it is accessed ("pushed") rather than waiting until it is used
("popped"). Fixed a bug in slsh/lib/setfuns.sl:union that was
detected by this change.
43. src/sl-feat.h: Floating point support by the interpreter is now
required. The library has not compiled without it for a long
time. As such, this option is no longer available.
44. */test/*.sl: Surrounded regression test code that makes use of
complex numbers with `#ifexists Complex_Type' so that they run
when the interpreter is compiled without complex variable support.
45. src/slarray.c: The _pSLarray1d_push_elem needed to be exposed when
compiling the interpreter without optimization.
46. src/slarith.c,...: Rewrote the various macros used by this file to
simplify the code, permit better optimization, and easier
maintenance. Some of the loops were also unrolled.
47. src/slarray.c: Made the array bounds index checking code more
uniform for better readability.
48. src/slarray.c: The previous change introduced a bug that caused
array indexing with no (empty) indices to fail.
49. modules/chksum-module.c: When a CRC object went out of scope
without being closed, it would leave its value on the stack.
50. slsh/lib/process.sl: If the file descriptor that is used to
communicate messages from the child process back to the parent is
requested by the caller, then dup an unused one. To facilitate
testing, two additional hooks were added: exit_hook and exec_hook.
51. slsh/lib/cmdopt.sl: If a command line option is associated with a
callback function, and the value of the command line argument is
optional, pass the default value to the callback if not given on
the command line.
52. modules: Added cumulant function to the stats module; updated
regression scripts/unit tests for better code coverage; fixed a
bug in the _zlib_inflate_reset function where deflateReset was
being called instead of inflateReset.
53. slsh/lib: Updated unit/regression tests for better coverage
54. slsh/lib/print.sl: Use >= instead of > when comparing the number
of screen rows to determine if the pager should be used.
55. modules/chksum-module: Added sha224, sha256, sha384, and sha512
algorithms kindly provided by Jakob Stierhof
56. modules/chksum-module: Added HMAC message authentication code
algorithm (Jakob Stierhof)
57. modules/mkfiles/makefile.all: Added chksum_sha2 to the non-Unix
makefile.
58. src/slgetkey.c: Use memmove instead of SLMEMCPY to avoid issues
with coping to an overlapping buffer. (William Ahern)
59. modules/pcre.sl: The options qualifier was not being properly
handled by the pcre_matches function.
60. src/_slang.h,etc: replaced the dependence of the internal
_pSLang_get_run_stack* functions, which return absolute pointers,
in favor of relative offsets.
61. src/slang.c: Made the run-time stack dynamically growable up to a
maximum configured size.
62. modules/: Documentation updates
63. src/: Added _set_bos/f_compile_hook functions to specify a
function to get called when a statement or function gets compiled.
64. src/sllimits.h: Reduced the initial stack size to a value similar
to what it was before change #61.
65. src/slarrfun.c: array_swap was returning a copy of the input array
when when swapping an array element with itself (bug reported by
Jakob Stierhof)
66. modules/csv.sl: If _csv_decode_row fails, include in the error
message the line number of the file where the error was detected
67. modules/socket-module.c: Corrected an error message for the bind
function
68. Updated the copyright year
69. Added slcov script which generates lcov-compatible code coverage
data
70. autoconf/aclocal.m4: Updated to v0.3.4.1
71. slsh/Makefile.in: Changed the order of the linker flags to avoid a
linking problem on MacPorts (Ryan Schmidt)
72. slsh/lib/cmdopt.sl: Corrected a usage message
73. src/slposio.c: Added the flock function for the creation of
advisory locks
74. src/slcurses.h: Added 'extern "C"' to enable the file to be used
in C++ programs; also marked some variables as dynamically
exportable by using SL_EXTERN (Gisle Vanem)
75. src/slstrops.c: "%0*" was being flagged as invalid by the sprintf
function (Jakob Stierhof)
76. modules/csv.sl: When writing a CSV file with a single row, convert
any scalar data values to single element arrays.
77. src/Makefile.in, slsh/Makefile.in: Addressed some dependency
problems found by `make --shuffle` that were causing parallel
builds to fail (Sergei Trofimovich)
78. src/slarray.c: Flag out-of-range indexing of indefinite ranges
involving negative indexes, e.g., x = [1]; y = x[[-2:]];
Previousely this resulted in y = [1,1] instead of an error.
79. modules/csv.sl: Avoid indexing an empty array with a negative
index (detected by change #78)
80. src/slarray:c: #78 was flagging x[[:-2]] as invalid instead of
producing an empty array for x=[1]
81. src/slarray.c: Tweaked the handling of negative indices in
indefinite ranges such that x[[:-i]] will produce an empty array
wheneve i > length(x)
82. src/sltermin.c: Added support for so-called user-defined terminfo
extensions. In particular, if the terminfo file defines RGB=true,
then truecolor support will be enabled.
83. src/sldisply.c: The Has_True_Color variable was not defined for 32
bit systems
84. modules/csv.sl: Improved read speed for large CSV files
85. src/test/posixio.sl: Do not test the flock function using an NFS
mounted direcory, which requires lockd to be running on the server
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 27 Mar 2023 21:27:08 +0000 (23:27 +0200)]
pciutils: Update to version 3.9.0
- Update from version 3.8.0 to 3.9.0
- Update of rootfile
- Changelog
3.9.0.
* We decode Compute Express Link (CXL) capabilities.
* The tree mode of lspci is now compatible with filtering options.
* When setpci is used with a named register, it checks whether
the register is present in the particular header type.
* Linux: The intel-conf[12] back-ends prefer to use ioperm() instead
of iopl() to gain access to I/O ports.
* Windows: We have two new back-ends thanks to Pali Rohár.
One uses the NT SysDbg interface, the other uses kldbgdrv.sys
(which is a part of the Microsoft WinDbg tool).
* Windows: We support building libpci as a DLL. Also, Windows
binaries now include meta-data with version.
* Hurd: The Hurd back-end works again.
* mmio-conf1(-ext): Added a new back-end implementing the intel-conf1
interface over MMIO. This is useful on some ARM machines, but it
requires manual configuration of the MMIO addresses.
* As usually, updated pci.ids to the current snapshot of the database.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 27 Mar 2023 21:27:07 +0000 (23:27 +0200)]
openssh: Update to version 9.3p1
- Update from version 9.2p1 to 9.3p1
- Update of rootfile not required
- Removal of patch as this was only required for i586 builds which are no longer done in
IPFire
- Changelog
9.3p1 (2023-03-15)
This release fixes a number of security bugs.
Security
This release contains fixes for a security problem and a memory
safety problem. The memory safety problem is not believed to be
exploitable, but we report most network-reachable memory faults as
security bugs.
* ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
per-hop destination constraints (ssh-add -h ...) added in OpenSSH
8.9, a logic error prevented the constraints from being
communicated to the agent. This resulted in the keys being added
without constraints. The common cases of non-smartcard keys and
keys without destination constraints are unaffected. This problem
was reported by Luci Stanescu.
* ssh(1): Portable OpenSSH provides an implementation of the
getrrsetbyname(3) function if the standard library does not
provide it, for use by the VerifyHostKeyDNS feature. A
specifically crafted DNS response could cause this function to
perform an out-of-bounds read of adjacent stack data, but this
condition does not appear to be exploitable beyond denial-of-
service to the ssh(1) client.
The getrrsetbyname(3) replacement is only included if the system's
standard library lacks this function and portable OpenSSH was not
compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
problem was found by the Coverity static analyzer.
New features
* ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
outputting SSHFP fingerprints to allow algorithm selection. bz3493
* sshd(8): add a `sshd -G` option that parses and prints the
effective configuration without attempting to load private keys
and perform other checks. This allows usage of the option before
keys have been generated and for configuration evaluation and
verification by unprivileged users.
Bugfixes
* scp(1), sftp(1): fix progressmeter corruption on wide displays;
bz3534
* ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
of private keys as some systems are starting to disable RSA/SHA1
in libcrypto.
* sftp-server(8): fix a memory leak. GHPR363
* ssh(1), sshd(8), ssh-keyscan(1): remove vestigal protocol
compatibility code and simplify what's left.
* Fix a number of low-impact Coverity static analysis findings.
These include several reported via bz2687
* ssh_config(5), sshd_config(5): mention that some options are not
first-match-wins.
* Rework logging for the regression tests. Regression tests will now
capture separate logs for each ssh and sshd invocation in a test.
* ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
says it should; bz3532.
* ssh(1): ensure that there is a terminating newline when adding a
new entry to known_hosts; bz3529
Portability
* sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
mmap(2), madvise(2) and futex(2) flags, removing some concerning
kernel attack surface.
* sshd(8): improve Linux seccomp-bpf sandbox for older systems;
bz3537
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Mon, 27 Mar 2023 21:27:06 +0000 (23:27 +0200)]
newt: Update to version 0.52.23
- Update from version 0.52.21 to 0.52.23
- Update of rootfile
- Changelog
0.52.23
- fix automatic height of menu/list in whiptail (broken in 0.52.22)
- fix automatic width of whiptail --yesno box
- fix automatic width in whiptail with unicode characters
- fix automatic width with whiptail --noitem and --notags options
- fix spacing with longer tags in whiptail
- avoid overlapping backtitle in whiptail with automatic height
0.52.22
- fix crash in whiptail with new libpopt
- switch from usleep to nanosleep (Rosen Penev)
- fix libnewt.pc to enable static linking (Alexey Sheplyakov)
- fix LDFLAGS order in snack linking (Sam James)
- use CFLAGS when compiling snack
- improve configure.ac (Thomas Kuehne)
- install header and libnewt.pc with shared library (Michael Olbrich)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
projects / ipfire-2.x.git / log
