Michael Tremer [Fri, 19 Nov 2021 17:44:52 +0000 (17:44 +0000)]
suricata: Include all default rules
These rules do not drop anything, but only alert when internal parts of
the engine trigger an event. This will allow us more insight on what is
happening.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 20 Oct 2021 20:29:05 +0000 (22:29 +0200)]
jansson: Update to version 2.14
- Update from 2.12 to 2.14
- Update rootfile
- Changelog
Version 2.14 Released 2021-09-09
* New Features:
- Add `json_object_getn`, `json_object_setn`, `json_object_deln`, and the
corresponding `nocheck` functions. (#520, by Maxim Zhukov)
* Fixes:
- Handle `sprintf` corner cases (#537, by Tobias Stoeckmann)
* Build:
- Symbol versioning for all exported symbols (#540, by Simon McVittie)
- Fix compiler warnings (#555, by Kelvin Lee)
* Documentation:
- Small fixes (#544, #546, by @i-ky)
- Sphinx 3 compatibility (#543, by Pierce Lopez)
Version 2.13.1 Released 2020-05-07
* Build:
- Include `jansson_version_str()` and `jansson_version_cmp()` in
shared library. (#534)
- Include ``scripts/`` in tarball. (#535)
Version 2.13 Released 2020-05-05
* New Features:
- Add `jansson_version_str()` and `jansson_version_cmp()` for runtime
version checking (#465).
- Add `json_object_update_new()`, `json_object_update_existing_new()`
and `json_object_update_missing_new()` functions (#499).
- Add `json_object_update_recursive()` (#505).
* Build:
- Add ``-Wno-format-truncation`` to suppress format truncation warnings (#489).
* Bug fixes:
- Remove ``strtod`` macro definition for MinGW (#498).
- Add infinite loop check in `json_deep_copy()` (#490).
- Add ``pipe`` macro definition for MinGW (#500).
- Enhance ``JANSSON_ATTRS`` macro to support earlier C standard(C89) (#501).
- Update version detection for sphinx-build (#502).
* Documentation:
- Fix typos (#483, #494).
- Document that call the custom free function to free the return value
of `json_dumps()` if you have a custom malloc/free (#490).
- Add vcpkg installation instructions (#496).
- Document that non-blocking file descriptor is not supported on
`json_loadfd()` (#503).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 20 Nov 2021 12:47:31 +0000 (13:47 +0100)]
suricata: Update to 5.0.8
For details see:
https://forum.suricata.io/t/suricata-6-0-4-and-5-0-8-released/1942
"Various security, performance, accuracy and stability issues have been fixed,
including two TCP evasion issues. CVE 2021-37592 was assigned."
Changelog:
"5.0.8 -- 2021-11-16
Security #4635: tcp: crafted injected packets cause desync after 3whs
Security #4727: Bypass of Payload Detection on TCP RST with options of MD5header
Bug #4345: Failed assert in TCPProtoDetectCheckBailConditions size_ts > 1000000UL
Bug #4382: fileinfo "stored: false" even if the file is kept on disk
Bug #4626: DNP3: intra structure overflow in DNP3DecodeObjectG70V6
Bug #4628: alert count shows up as 0 when stats are disabled
Bug #4631: Protocol detection : confusion with SMB in midstream
Bug #4639: Failed assertion in SMTP SMTPTransactionComplete
Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Bug #4647: rules: Unable to find the sm in any of the sm lists
Bug #4674: rules: mix of drop and pass rules issues
Bug #4676: rules: drop rules with noalert not fully dropping
Bug #4688: detect: too many prefilter engines lead to FNs
Bug #4690: nfs: failed assert self.tx_data.files_logged > 1
Bug #4691: IPv6 : decoder event on invalid fragment length
Bug #4696: lua: file info callback returns wrong value
Bug #4718: protodetect: SEGV due to NULL ptr deref
Bug #4729: ipv6 evasions : fragmentation
Bug #4788: Memory leak in SNMP with DetectEngineState
Bug #4790: af-packet: threads sometimes get stuck in capture
Bug #4794: loopback: different AF_INET6 values per OS
Bug #4816: flow-manager: cond_t handling in emergency mode is broken
Bug #4831: SWF decompression overread
Bug #4833: Wrong list_id with transforms for http_client_body and http file_data
Optimization #3429: improve err msg for dataset rules parsing
Task #4835: libhtp 0.5.39"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
This patch adds a little "help" icon to the page header.
If a manual entry exists for a configuration page, the icon
appears and offers a quick way to access the wiki.
Wiki pages can be configured in the "manualpages" file.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 23 Oct 2021 16:50:00 +0000 (18:50 +0200)]
libffi: Update to version 3.4.2
- Update from 3.3 to 3.4.2
- Update rootfile - No dependency issues due to so bump
- Changelog
3.4.2 Jun-28-21
Add static trampoline support for Linux on x86_64 and ARM64.
Add support for Alibaba's CSKY architecture.
Add support for Kalray's KVX architecture.
Add support for Intel Control-flow Enforcement Technology (CET).
Add support for ARM Pointer Authentication (PA).
Fix 32-bit PPC regression.
Fix MIPS soft-float problem.
Enable tmpdir override with the $LIBFFI_TMPDIR environment variable.
Enable compatibility with MSVC runtime stack checking.
Reject float and small integer argument in ffi_prep_cif_var().
Callers must promote these types themselves.
3.3 Nov-23-19
Add RISC-V support.
New API in support of GO closures.
Add IEEE754 binary128 long double support for 64-bit Power
Default to Microsoft's 64-bit long double ABI with Visual C++.
GNU compiler uses 80 bits (128 in memory) FFI_GNUW64 ABI.
Add Windows on ARM64 (WOA) support.
Add Windows 32-bit ARM support.
Raw java (gcj) API deprecated.
Add pre-built PDF documentation to source distribution.
Many new test cases and bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 2 Nov 2021 10:07:20 +0000 (11:07 +0100)]
gawk: Update to version 5.1.1
- Update from 5.1.0 to 5.1.1
- Update rootfile
- Changelog is quite long and detailed so the following are the high level descriptions
of the changes from the NEWS file in the source tarball. More details can be found in
the ChangeLog file in the source tarball.
Changes from 5.1.0 to 5.1.1
1. Infrastructure upgrades: Bison 3.8, Gettext 0.20.2, Automake 1.16.4,
and (will wonders never cease) Autoconf 2.71.
2. asort and asorti now allow FUNCTAB and SYMTAB as the first argument if a
second destination array is supplied. Similarly, using either array as
the second argument is now a fatal error. Additionally, using either
array as the destination for split(), match(), etc. also causes a
fatal error.
3. The new -I/--trace option prints a trace of the byte codes as they
are executed.
4. A number of subtle bugs relating to MPFR mode that caused differences
between regular operation and MPFR mode have been fixed.
5. The API now handles MPFR/GMP values slightly differently, requiring
different memory management for those values. See the manual for the
details if you have an extension using those values. As a result,
the minor version was incremented.
6. $0 and the fields are now cleared before starting a BEGINFILE rule.
7. The duplication of m4 and build-aux directories between the main
directory and the extension directory has been removed. This
simplifies the distribution.
8. The test suite has been improved, making it easier to run the entire
suite with -M. Use `GAWK_TEST_ARGS=-M make check' to do so.
9. Profiling and pretty-printing output has been modified slightly so
that functions are presented in a reasonable order with respect
to the namespaces that contain them.
10. Several example programs in the manual have been updated to their
modern POSIX equivalents.
11. A number of examples in doc/gawkinet.texi have been updated for
current times. Thanks to Juergen Kahrs for the work.
12. Handling of Infinity and NaN values has been improved.
13. There has been a general tightening up of the use of const and
of types.
14. The "no effect" lint warnings have been fixed up and now behave
more sanely.
15. The manual has been updated with much more information about what is
and is not a bug, and the changes in the gawk mailing lists.
16. The behavior of strongly-typed regexp constants when passed as the
third argument to sub() or gsub() has been clarified in the code and
in the manual.
17. Similar to item #4 above, division by zero is now fatal in MPFR
mode, as it is in regular mode.
18. There have been numerous minor code cleanups and bug fixes. See the
ChangeLog for details.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 26 Sep 2021 10:37:00 +0000 (12:37 +0200)]
libxcrypt: Update to version 4.4.26
- v2 version is to extend from 4.4.25 to 4.4.26
- Update from 4.4.23 to 4.4.26
- Update of rootfile not required
- Changelog
Version 4.4.26
* Fix compilation on systems with GCC >= 10, that do not support
declarations with __attribute__((symver)).
Version 4.4.25
* Add support for Python 3.11 in the configure script.
* Stricter checking of invalid salt characters (issue #135).
Hashed passphrases are always entirely printable ASCII, and do
not contain any whitespace or the characters ':', ';', '*', '!',
or '\'. (These characters are used as delimiters and special
markers in the passwd(5) and shadow(5) files.)
Version 4.4.24
* Add hash group for Debian in lib/hashes.conf.
Debian has switched to use the yescrypt hashing algorithm as
the default for new user passwords, so we should add a group
for this distribution.
* Overhaul the badsalt test.
Test patterns are now mostly generated rather than manually coded
into a big table. Not reading past the end of the “setting” part
of the string is tested more thoroughly (this would have caught the
sunmd5 $$ bug if it had been available at the time).
Test logs are tidier.
* Add ‘test-programs’ utility target to Makefile.
It is sometimes useful to compile all the test programs but not run
them. Add a Makefile target that does this.
* Fix incorrect bcrypt-related ifdeffage in test/badsalt.c.
The four variants of bcrypt are independently configurable, but the
badsalt tests for them were all being toggled by INCLUDE_bcrypt,
which is only the macro for the $2b$ variant.
* Fix bigcrypt-related test cases in test/badsalt.c.
The test spec was only correct when both or neither of bigcrypt and
descrypt were enabled.
* Detect ASan in configure and disable incompatible tests.
ASan’s “interceptors” for crypt and crypt_r have a semantic conflict
with libxcrypt, requiring a few tests to be disabled for builds with
-fsanitize-address. See commentary in test/crypt-badargs.c for an
explanation of the conflict, and the commentary in
build-aux/zw_detect_asan.m4 for why a configure test is required.
* Fix several issues found by Covscan in the testsuite. These include:
- CWE-170: String not null terminated (STRING_NULL)
- CWE-188: Reliance on integer endianness (INCOMPATIBLE_CAST)
- CWE-190: Unintentional integer overflow (OVERFLOW_BEFORE_WIDEN)
- CWE-569: Wrong sizeof argument (SIZEOF_MISMATCH)
- CWE-573: Missing varargs init or cleanup (VARARGS)
- CWE-687: Argument cannot be negative (NEGATIVE_RETURNS)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Stefan Schantl [Thu, 15 Jul 2021 10:07:37 +0000 (12:07 +0200)]
fwhosts.cgi: Fix check to limit amount of ports in custom service groups.
iptables multiport only supports up to 15 elements for each protocol (TCP or UDP).
That can be single ports or portranges (they count doubble).
This commit extends the check to calculate the amount of used TCP and/or
UDP ports of all existing entries in a group, by increasing the amount
for the service which should be added.
If the amount of ports for TCP or UDP ports become greater than the
limit of 15 the error message will be displayed.
Fixes #11323.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Stefan Schantl [Sat, 23 Oct 2021 19:16:25 +0000 (21:16 +0200)]
ddns: Add upstream patch to fix a typo for FreeDNSAfraid.org provider
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reported-by: Bernhard Bitsch <bbitsch@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Mon, 27 Sep 2021 15:33:59 +0000 (17:33 +0200)]
openssh: Update to version 8.8p1
- Update from 8.7p1 to 8.8p1
- Update of rootfile not required
- Changelog
OpenSSH 8.8p1
Future deprecation notice
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug- compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.
Security
sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or
AuthorizedPrincipalsCommandUser directive has been set to run the
command as a different user. Instead these commands would inherit
the groups that sshd(8) was started with.
Depending on system configuration, inherited groups may allow
AuthorizedKeysCommand/AuthorizedPrincipalsCommand helper programs to
gain unintended privilege.
Neither AuthorizedKeysCommand nor AuthorizedPrincipalsCommand are
enabled by default in sshd_config(5).
Potentially-incompatible changes
This release disables RSA signatures using the SHA-1 hash algorithm
by default. This change has been made as the SHA-1 hash algorithm is
cryptographically broken, and it is possible to create chosen-prefix
hash collisions for <USD$50K [1]
For most users, this change should be invisible and there is
no need to replace ssh-rsa keys. OpenSSH has supported RFC8332
RSA/SHA-256/512 signatures since release 7.2 and existing ssh-rsa keys
will automatically use the stronger algorithm where possible.
Changes since OpenSSH 8.7p1
This release is motivated primarily by the above deprecation and
security fix.
New features
* ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
directive to accept a "none" argument to specify the default
behaviour.
Bugfixes
* scp(1): when using the SFTP protocol, continue transferring files
after a transfer error occurs, better matching original scp/rcp
behaviour.
* ssh(1): fixed a number of memory leaks in multiplexing,
* ssh-keygen(1): avoid crash when using the -Y find-principals
command.
* A number of documentation and manual improvements, including
bz#3340, PR139, PR215, PR241, PR257
Portability
* ssh-agent(1): on FreeBSD, use procctl to disable ptrace(2)
* ssh(1)/sshd(8): some fixes to the pselect(2) replacement
compatibility code. bz#3345
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 Nov 2021 11:09:29 +0000 (12:09 +0100)]
openvpn: Update to version 2.5.4
- Update from 2.5.0 to 2.5.4
- Update rootfile
- Tested new version in vm testbed. Openvpn server successfully started.
Client connections working with 2.5.0 also successfully worked with 2.5.4
- Changelog
Overview of changes in 2.5.4
Bugfixes
- fix prompting for password on windows console if stderr redirection
is in use - this breaks 2.5.x on Win11/ARM, and might also break
on Win11/adm64 when released.
- fix setting MAC address on TAP adapters (--lladdr) to use sitnl
(was overlooked, and still used "ifconfig" calls)
- various improvements for man page building (rst2man/rst2html etc)
- minor bugfix with IN6_IS_ADDR_UNSPECIFIED() use (breaks build on
at least one platform strictly checking this)
- fix minor memory leak under certain conditions in add_route() and
add_route_ipv6()
User-visible Changes
- documentation improvements
- copyright updates where needed
- better error reporting when win32 console access fails
New features
- also build man page on Windows builds
Overview of changes in 2.5.3
Bugfixes
- CVE-2121-3606
see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
OpenVPN windows builds could possibly load OpenSSL Config files from
world writeable locations, thus posing a security risk to OpenVPN.
As a fix, disable OpenSSL config loading completely on Windows.
- disable connect-retry backoff for p2p (--secret) instances
(Trac #1010, #1384)
- fix build with mbedtls w/o SSL renegotiation support
- Fix SIGSEGV (NULL deref) receiving push "echo" (Trac #1409)
- MSI installers: properly schedule reboot in the end of installation
- fix small memory leak in free_key_ctx for auth_token
User-visible Changes
- update copyright messages in files and --version output
New features
- add --auth-token-user option (for --auth-token deployments without
--auth-user-pass in client config)
- improve MSVC building for Windows
- official MSI installers will now contain arm64 drivers and binaries
(x86, amd64, arm64)
Overview of changes in 2.5.2
Bugfixes
- CVE-2020-15078
see https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements
This bug allows - under very specific circumstances - to trick a
server using delayed authentication (plugin or management) into
returning a PUSH_REPLY before the AUTH_FAILED message, which can
possibly be used to gather information about a VPN setup.
In combination with "--auth-gen-token" or an user-specific token auth
solution it can be possible to get access to a VPN with an
otherwise-invalid account.
- restore pushed "ping" settings correctly on a SIGUSR1 restart
- avoid generating unecessary mbed debug messages - this is actually
a workaround for an mbedTLS 2.25 bug when using Curve25519 and Curve448
ED curves - mbedTLS crashes on preparing debug infos that we do not
actually need unless running with "--verb 8"
- do not print inlined (<dh>...</dh>) Diffie Hellman parameters to log file
- fix Linux/SITNL default route lookup in case of multiple routing tables
with more than one default route present (always use "main table" for now)
- Fix CRL file handling in combination with chroot
User-visible Changes
- OpenVPN will now refuse to start if CRL file is not present at startup
time. At "reload time" absense of the CRL file is still OK (and the
in memory copy is used) but at startup it is now considered an error.
New features
- printing of the TLS ciphers negotiated has been extended, especially
displaying TLS 1.3 and EC certificates more correctly.
Overview of changes in 2.5.1
New features
- "echo msg" support, to enable the server to pushed messages that are
then displayed by the client-side GUI. See doc/gui-notes.txt and
doc/management-notes.txt.
Supported by the Windows GUI shipped in 2.5.1, not yet supported by
Tunnelblick and the Android GUI.
User-visible Changes
- make OPENVPN_PLUGIN_ENABLE_PF plugin failures FATAL - if a plugin offers
to set the "openvpn packet filter", and returns a failure when requested
to, OpenVPN 2.5.0 would crash trying to clean up not-yet-initialized
structure members. Since PF is going away in 2.6.0, this is just turning
the crash into a well-defined program abort, and no further effort has
been spent in rewriting the PF plugin error handling (see trac #1377).
Documentation
- rework sample-plugins/defer/simple.c - this is an extensive rewrite
of the plugin to bring code quality to acceptable standards and add
documentation on the various plugin API aspects. Since it's just
example code, filed under "Documentation", not under "Bugfix".
- various man page improvements.
- clarify ``--block-ipv6`` intent and direction
Bugfixes
- fix installation of openvpn.8 manpage on systems without docutils.
- Windows: fix DNS search list setup for domains with "-" chars.
- Fix tls-auth mismatch OCC message when tls-cryptv2 is used.
- Windows: Skip DHCP renew with Wintun adapter (Wintun does not support
DHCP, so this was just causing an - harmless - error and needless delay).
- Windows: Remove 1 second delay before running netsh - speeds up
interface init for wintun setups not using the interactive service.
- Windows: Fix too early argv freeing when registering DNS - this would
cause a client side crash on Windows if ``register-dns`` is used,
and the interactive service is not used.
- Android: Zero initialise msghdr prior to calling sendmesg.
- Fix line number reporting on config file errors after <inline> segments
(see Trac #1325).
- Fix port-share option with TLS-Crypt v2.
- tls-crypt-v2: also preload tls-crypt-v2 keys (if --persist-key), otherwise
dropping privs on the server would fail.
- tls-crypt-v2: fix server memory leak (about 600 bytes per connecting
client with tls-crypt-v2)
- rework handling of server-pushed ``--auth-token`` in combination with
``--auth-nocache`` on reconnection / TLS renegotiation events. This
used to "forget" to update new incoming token after a reconnection event
(leading to failure to reauth some time later) and now works in all
tested cases.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 14 Nov 2021 20:42:52 +0000 (21:42 +0100)]
ovpnmain.cgi: Bug 12574 - OpenVPN Internal server error when returning after generating root/host certificates
- Option "--secret" was deprecated in OpenVPN 2.4 and removed in OpenVPN 2.5
It was replaced by "secret". If "--secret" is used with genkey then a user warning is
printed and this is what gives the Internal server error.
- Patch was defined by Erik Kapfer but currently he does not have a build environment
so I have submitted the patch on his behalf.
- Patch tested on a vm testbed running Core Update 160. Confirmed that without patch the
error still occurs and with patch everything runs smoothly.
Fixes: Bug #12574 Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by : Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This enables creating firewall rules using the special country code "XD"
for hostile networks safe to drop and ipinfo.cgi to display a meaningful
text for IP addresses having this flag set.
At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but
will be in the future (as soon as libloc 0.9.9 is released and running
in production).
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 29 Oct 2021 17:11:34 +0000 (19:11 +0200)]
avahi: Install backup definition - bug#12714
- Addition of backup definition install into lfs file
- Update of rootfile
Fixes: 12714 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 23 Oct 2021 11:54:51 +0000 (13:54 +0200)]
backup definitions: housekeeping to remove orphaned definitions
- check_mk_agent, client175 & lcr are addons that have been removed so the backup
definitions are no longer required.
- dma is not a package but a core program and has its config backup requirements
built into the core backup include file so the addon backup definition is not
used or needed.
- No issues found in the build after these files were removed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 23 Oct 2021 16:49:01 +0000 (18:49 +0200)]
git: Update to version 2.33.1
- Update from 2.31.0 to 2.33.1
- Update rootfile
- Changelog is too long to show here. The details can be found in the 2.31.1.txt,
2.32.0.txt, 2.33.0.txt and 2.33.1.txt files in the Documentation/RelNotes
directory in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 23 Oct 2021 16:49:32 +0000 (18:49 +0200)]
htop: Update to version 3.1.1
- Update from 3.0.5 to 3.1.1
- Update of rootfile not required
- Changelog is too long to include here. Full details can be found at
https://github.com/htop-dev/htop/blob/main/ChangeLog
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 27 Sep 2021 15:32:40 +0000 (17:32 +0200)]
curl: Update to version 7.79.1
- Update from 7.78.0 to 7.79.1
- Update of rootfile not required
- Changelog
Fixed in 7.79.1 - September 22 2021
Bugfixes:
Curl_http2_setup: don't change connection data on repeat invokes
curl_multi_fdset: make FD_SET() not operate on sockets out of range
dist: provide lib/.checksrc in the tarball
FAQ: add GOPHERS + curl works on data, not files
hsts: CURLSTS_FAIL from hsts read callback should fail transfer
hsts: handle unlimited expiry
http: fix the broken >3 digit response code detection
strerror: use sys_errlist instead of strerror on Windows
test1184: disable
tests/sshserver.pl: make it work with openssh-8.7p1
Fixed in 7.79.0 - September 15 2021
Changes:
bearssl: support CURLOPT_CAINFO_BLOB
http: consider cookies over localhost to be secure
secure transport: support CURLINFO_CERTINFO
Bugfixes:
CVE-2021-22945: clear the leftovers pointer when sending succeeds
CVE-2021-22946: do not ignore --ssl-reqd
CVE-2021-22947: reject STARTTLS server response pipelining
ares: use ares_getaddrinfo()
asyn-ares.c: move all version number checks to the top
auth: do not append zero-terminator to authorisation id in kerberos
auth: properly handle byte order in kerberos security message
auth: use sasl authzid option in kerberos
auth: we do not support a security layer after kerberos authentication
BINDINGS.md: update links to use https where available
build: fix compiler warnings
c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
c-hyper: fix header value passed to debug callback
c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
c-hyper: initial step for 100-continue support
c-hyper: initial support for "dumping" 1xx HTTP responses
c-hyper: remove the hyper_executor_poll() loop from Curl_http
CI/cirrus: reduce compile time with increased parallism
CI: use GitHub Container Registry instead of Docker Hub
cirrus: Add FreeBSD 13.0 job and disable sanitizer build
cmake: avoid poll() on macOS
cmake: sync CURL_DISABLE options
codeql: fix error "Resource not accessible by integration"
compressed.d: it's a request, not an order
config.d: escape the backslash properly
config.d: note that curlrc is used even when --config
config: get rid of the unused HAVE_SIG_ATOMIC_T et. al.
configure.ac: revert bad nghttp2 library detection improvements
configure: error out if both ngtcp2 and quiche are specified
configure: make --disable-hsts work
configure: set classic mingw minimum OS version to XP
configure: tweak nghttp2 library name fix
connect: get local port + ip also when reusing connections
connect: remove superfluous conditional
curl-openssl.m4: check lib64 for the pkg-config file
curl-openssl.m4: show correct output for OpenSSL v3
curl.1: mention "global" flags
curl.1: provide examples for each option
curl: add warning for ignored data after quoted form parameter
curl: add warning for incompatible parameters usage
curl: better error message when -O fails to get a good name
curl: stop retry if Retry-After: is longer than allowed
curl_easy_setopt.3: improve the string copy wording
Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
curl_setup.h: sync values for HTTP_ONLY
curl_url_get.3: clarify about path and query
CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
CURLOPT_SSL_CTX_*.3: tidy up the example
CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
docs/MQTT: update state of username/password support
docs: remove experimental mentions from HSTS and MQTT
docs: the security list is reached at security at curl.se now
easy: use a custom implementation of wcsdup on Windows
examples/*hiperfifo.c: fix calloc arguments to match function proto
examples/cookie_interface: avoid printfing time_t directly
examples/cookie_interface: fix scan-build printf warning
examples/ephiperfifo.c: simplify signal handler
FAQ: add two dev related questions
getparameter: fix the --local-port number parser
happy-eyeballs-timeout-ms.d: polish the wording
hostip: Make Curl_ipv6works function independent of getaddrinfo
http2: Curl_http2_setup needs to init stream data in all invokes
http2: revert a change that broke upgrade to h2c
http2: revert call the handle-closed function correctly on closed stream
http: disallow >3-digit response codes
http: ignore content-length if any transfer-encoding is used
http_proxy: clear 'sending' when the outgoing request is sent
http_proxy: fix the User-Agent inclusion in CONNECT
http_proxy: fix user-agent and custom headers for CONNECT with hyper
http_proxy: only wait for writable socket while sending request
INTERNALS: bump c-ares requirement to 1.16.0
INTERNALS: c-ares has a new home: c-ares.org
lib: don't use strerror()
libcurl-errors.3: clarify two CURLUcode errors
limit-rate.d: clarify base unit
mailing lists: move from cool.haxx.se to lists.haxx.se
mbedtls: avoid using a large buffer on the stack
mbedTLS: initial 3.0.0 support
mbedtls_threadlock: fix unused variable warning
mksymbolsmanpage.pl: Fix showing symbol's last used version
mksymbolsmanpage.pl: match symbols case insenitively
multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
ngtcp2: compile with the latest ngtcp2 and nghttp3
ngtcp2: fix build with ngtcp2 and nghttp3
ngtcp2: remove the acked_crypto_offset struct field init
ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
ngtcp2: reset the oustanding send buffer again when drained
ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
ngtcp2: stop buffering crypto data
ngtcp2: utilize crypto API functions to simplify
openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
openssl: when creating a new context, there cannot be an old one
opt-docs: make sure all man pages have examples
opt-docs: verify man page sections + order
opts docs: unify phrasing in NAME header
output.d: add method to suppress response bodies
page-header: add GOPHERS, simplify wording in the 1st para
progress: fix a compile warning on some systems
progress: make trspeed avoid floats
runtests: add option -u to error on server unexpectedly alive
schannel: Work around typo in classic mingw macro
scripts: invoke interpreters through /usr/bin/env
setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
strerror.h: remove the #include from files not using it
symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
test1138: remove trailing space to make work with hyper
test1173: check references to libcurl options
test1280: CRLFify the response to please hyper
test1565: fix windows build errors
test365: verify response with chunked AND Content-Length headers
tests/*server.pl: flush output before executing subprocess
tests/*server.py: remove pidfile on server termination
tests/runtests.pl: cleanup copy&paste mistakes and unused code
tests/server/*.c: align handling of portfile argument and file
tests: adjust the tftpd output to work with hyper mode
tests: be explicit about using 'python3' instead of 'python'
tests: enable test 1129 for hyper builds
tests: make three tests pass until 2037
tool/tests: fix potential year 2038 issues
tool_operate: Fix --fail-early with parallel transfers
url: fix compiler warning in no-verbose builds
urlapi.c:seturl: assert URL instead of using if-check
vtls: fix typo in schannel_verify.c
winbuild/README.md: clarify GEN_PDB option
wolfssl: clean up wolfcrypt error queue
write-out.d: clarify size_download/upload
x509asn1: fix heap over-read when parsing x509 certificates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 23 Oct 2021 12:49:52 +0000 (14:49 +0200)]
strongSwan: update to 5.9.4
Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:
Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
Please refer to our blog for details.
Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
Please refer to our blog for details.
Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
Loading SSH public keys via vici has been improved (#467).
Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
libtpmtss is initialized in all programs and libraries that use it.
Migrated testing scripts to Python 3.
The testing environment uses images based on Debian bullseye by default (support for jessie was removed).
To my understanding, IPFire is not affected by CVE-2021-41990, as we do
not support creation of IPsec connections using RSASSA-PSS (please
correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire
installations indeed.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>