Stefan Schantl [Fri, 23 Jun 2023 04:39:28 +0000 (06:39 +0200)]
extrahd.cgi: Drop select for FS selection.
This feature does not have any benefit because the linux kernel
knows best which filesystem a device/partition has.
So there is no need for a user to specify this by-hand. This also
prevents from choosing a wrong fs type and as a direct result in a
not mountable device.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sun, 11 Jun 2023 10:05:14 +0000 (12:05 +0200)]
extrahd.cgi: Add various perl functions deal with block devices
This functions are going to replace the former used scan/write to file/read from
file approach by directly collecting the required informations from the
kernel sysfs and devfs.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
For details see:
http://lists.squid-cache.org/pipermail/squid-users/2023-July/025929.html
"The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-6.1 release!
This release is we believe, stable enough for general production use.
Support for Squid-5 bug fixes has now officially ceased. Bugs in 5.x
will continue to be fixed, however the fixes will be added to the 6.x
series. All users of Squid-5.x are encouraged to plan for upgrades."
Adolf Belka [Tue, 4 Jul 2023 19:17:33 +0000 (21:17 +0200)]
cups: Remove 5 minutes delay in start_service line in install.sh paks file
- When cups is installed (including when doing a Core Update that includes a cups update)
the 5 min delay for starting cups means that it has not restarted by the time that the
reboot for the CU has been started. There are then error messages that say that cups
couldn't be stopped as it was not running.
- When a normal reboot is carried out withoutr any update of cups then the startup has
no delay and it starts without any trouble.
- This patch removes the 300 secs delay from the start_service line in the install.sh paks
file.
- The PAK_VER is bumped to ensure that this change is shipped
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Tue, 4 Jul 2023 13:08:19 +0000 (15:08 +0200)]
squidclamav: Remove package from IPFire as agreed in dev video call 3rd Jul 2023
- Removal of lfs file
- Removal of rootfile
- Removal of backup includes file
- Removal of three patches
- Removal of paks files
- Adjustment of make.sh to remove squidclamav
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 20230404 to 20230625
- Update of rootfile carried out based on Peter Mueller's description from last
linux-firmware update.
- It would be good to have it checked that my results are in line with what they should be.
- Changelog
For changes see the commits in the git repo
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 22 Mar 2023 18:28:52 +0000 (19:28 +0100)]
squid-asnbl: Fix for bug#13023 - squid-asnbl-helper segfaulting and shutdown squid
- Patch provided by bug reporter. Here is the description of the problem from the bug.
First I discovered that the helper only sometimes throwing the error and quits even
for the same values and queries. Also the timespan until the error happens was quite
different for every restart of squid (minutes to hours). And it does not depend on
the traffic on the proxy, even one connection could cause a crash while ten or
hundrets won't. After a few days of testing different solutions and done a lot of
debugging, redesigning the function did not fully solve the problem. Such standard
things like checking the result variable for NULL (or it's equivalent "is None" in
python) before evaluating it's subfunction produces the exact same error message. But
with that knowledge it more and more turns out that python3 sometimes 'detects' the
local return variable if it was a misused global. So for a full fix, the return
variable also has to be initialized that python3 won't detect it's usage as an
'UnboundLocalError' to succesfully fix this bug.
- LFS file updated to run patch before copying helper into place.
- Update of rootfile not needed.
- Bug reporter has been requested to raise this issue at the git repo for squid-asnbl.
Fixes: Bug#13023 Tested-by: Nicolas Pӧhlmann <business@hardcoretec.com> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Thu, 29 Jun 2023 17:04:45 +0000 (19:04 +0200)]
util-linux: Update to version 2.39.1
- Update from version 2.38.1 to 2.39.1
- Update of rootfile made for x86_64 but not for aarch64 or riscv64
- Changelog can only be reviewed by looking at the commits in the git repo
https://github.com/util-linux/util-linux/commits/master
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 29 Jun 2023 17:04:43 +0000 (19:04 +0200)]
iproute2: Update to version 6.4.0
- Update from version 6.3.0 to 6.4.0
- Update of rootfile not required
- Changelog can only be reviewed by looking at the commits in the git repo
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 28 Jun 2023 13:14:34 +0000 (15:14 +0200)]
sudo: Update to version 1.9.14
- Update from version 1.9.13p3 to 1.9.14
- Update of rootfile not required
- Changelog
Significant change is that use_pty is now defined as the default setting.
This parameter was made available back in version 1.8.0 but not as default.
It was implemented in response to a variety of CVE's related to being vulnerable to
privilege escalation via TIOCSTI and/or lesser-known TIOCLINUX command injection.
Apparently it was not made default as that would change the way that sudo worked.
As various existing bugs have been resolved it has now been declared by the sudo devs
that now sudo with a pseudo terminal works close to the same as with the users terminal
Hence in this version the use of the pseudo terminal is now default.
See https://github.com/sudo-project/sudo/issues/258 for more details.
1.9.14
Fixed a bug where if the intercept or log_subcmds sudoers option was enabled and a
sub-command was run where the first entry of the argument vector didn't match the
command being run. This resulted in commands like sudo su - being killed due to the
mismatch. Bug #1050.
The sudoers plugin now canonicalizes command path names before matching (where
possible). This fixes a bug where sudo could execute the wrong path if there are
multiple symbolic links with the same target and the same base name in sudoers that a
user is allowed to run. GitHub issue #228.
Improved command matching when a chroot is specified in sudoers. The sudoers plugin
will now change the root directory id needed before performing command matching.
Previously, the root directory was simply prepended to the path that was being
processed.
When NETGROUP_BASE is set in the ldap.conf file, sudo will now perform its own
netgroup lookups of the host name instead of using the system innetgr(3) function.
This guarantees that user and host netgroup lookups are performed using the same LDAP
server (or servers).
Fixed a bug introduced in sudo 1.9.13 that resulted in a missing " ; " separator
between environment variables and the command in log entries.
The visudo utility now displays a warning when it ignores a file in an include dir
such as /etc/sudoers.d.
When running a command in a pseudo-terminal, sudo will initialize the terminal
settings even if it is the background process. Previously, sudo only initialized the
pseudo-terminal when running in the foreground. This fixes an issue where a program
that checks the window size would read the wrong value when sudo was running in the
background.
Fixed a bug where only the first two digits of the TSID field being was logged.
Bug #1046.
The use_pty sudoers option is now enabled by default. To restore the historic behavior
where a command is run in the user's terminal, add Defaults !use_pty to the sudoers
file. GitHub issue #258.
Sudo's -b option now works when the command is run in a pseudo-terminal.
When disabling core dumps, sudo now only modifies the soft limit and leaves the hard
limit as-is. This avoids problems on Linux when sudo does not have CAP_SYS_RESOURCE,
which may be the case when run inside a container. GitHub issue #42.
Sudo configuration file paths have been converted to colon-separated lists of paths.
This makes it possible to have configuration files on a read-only file system while
still allowing for local modifications in a different (writable) directory. The new
--enable-adminconf configure option can be used to specify a directory that is
searched for configuration files in preference to the sysconfdir (which is usually
/etc).
The intercept_verify sudoers option is now only applied when the intercept option is
set in sudoers. Previously, it was also applied when log_subcmds was enabled.
The NETGROUP_QUERY ldap.conf parameter can now be disabled for LDAP servers that do
not support querying the nisNetgroup object by its nisNetgroupTriple attribute, while
still allowing sudo to query the LDAP server directly to determine netgroup
membership.
Fixed a long-standing bug where a sudoers rule without an explicit runas list allowed
the user to run a command as root and any group instead of just one of the groups
that root is a member of. For example, a rule such as myuser ALL = ALL would permit
sudo -u root -g othergroup even if root did not belong to othergroup.
Fixed a bug where a sudoers rule with an explicit runas list allowed a user to run
sudo commands as themselves. For example, a rule such as myuser ALL = (root) ALL,
myuser should only allow commands to be run as root (optionally using one of root's
groups). However, the rule also allowed the user to run sudo -u myuser -g myuser
command.
Fixed a bug that prevented the user from specifying a group on the command line via
sudo -g if the rule's Runas_Spec contained a Runas_Alias.
Sudo now requires a C99 compiler due to the use of flexible array members.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 28 Jun 2023 17:59:52 +0000 (19:59 +0200)]
ntp: Update to version 4.2.8p17
- Update from version 4.2.8p15 to 4.2.8p17
- Update of rootfile not required
- Tested out on vm testbed. Time correctly updated every hour and pakfire was able to
download and install various addons without any problems indicating that the time
is working correctly.
- patch to enable build with glibc-2.34 no longer needed. ntp updated to work correctly
with glibc-2.34 but IPFire running with version 2.37. Version 2.4.8p17 built without
any problems without the patch.
- Changelog
4.2.8p17 2023/06/06 Released by Harlan Stenn <stenn@ntp.org>
* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
event_sync. Reported by Edward McGuire. <hart@ntp.org>
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
<hart@ntp.org> Miroslav Lichvar identified regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
4.2.8p15 or earlier. Reported by Matt Nordhoff, thanks to
Miroslav Lichvar and Matt for rapid testing and identifying the
problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading keys file or with
symmetric authentication digest output.
4.2.8p16 2023/05/31 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
- solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
<stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
<hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
OpenSSL 3. Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
- ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
- Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
<hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
- Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
- openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
- command line options override config statements where applicable
- make initial frequency settings idempotent and reversible
- make sure kernel PLL gets a recovered drift componsation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
- misleading title; essentially a request to ignore the receiver status.
Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
- original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
- implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
- original patch by matt<ntpbr@mattcorallo.com>
- increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
- patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
- ntp{q,dc} now use the same password processing as ntpd does in the key
file, so having a binary secret >= 11 bytes is possible for all keys.
(This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
- patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
- original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
- original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
- applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
- idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
- follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
- fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32. <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs. <stenn@ntp.org>
* Rename a poorly-named variable. <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac. <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH. <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am. <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Tue, 27 Jun 2023 09:55:20 +0000 (09:55 +0000)]
core176: Re-ship lots of stuff that is still linked against OpenSSL 1.1.1
There are no functional changes in these files, but they are however
linked against OpenSSL 1.1.1 and need to be re-shipped before we remove
the legacy library.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This cannot be done, yet, because an updated system still has hundreds
of files using the old libraries. Those will have to be re-shipped first
before we actually remove OpenSSL 1.1.1.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 25 Jun 2023 21:04:19 +0000 (21:04 +0000)]
CUPS: Update to 2.4.6
Several security-relevant bugs have been fixed since version 2.4.2,
please refer to https://github.com/OpenPrinting/cups/releases for the
respective changelogs.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Fri, 24 Mar 2023 15:49:22 +0000 (15:49 +0000)]
proxy: Skip VPNs that route everything for proxy.pac
The function tries to figure out which networks are connected locally,
but VPN tunnels that use 0.0.0.0 and GRE/VTI interfaces will be
considered local and the proxy is being disabled for everyone.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:21 +0000 (20:43 +0200)]
go: Update to version 1.20.4
- Update from version 1.15.4 to 1.20.4
- Update of x86_64 rootfile
aarch64 rootfile needs to be created on a aarch64 build system
- Changelog is very large. For details see https://go.dev/doc/devel/release
50 mentions of security fixes in the changes from 1.15.4 to 1.20.4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Jon Murphy [Fri, 2 Jun 2023 19:01:16 +0000 (14:01 -0500)]
extrahd.cgi: Fix for Bug #12863
-Fixes remove entries in 'extrahd' via the webinterface for extrahd.cgi file.
Suggested-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Sun, 18 Jun 2023 18:02:10 +0000 (20:02 +0200)]
update.sh: Fixes bug-13151 - removes old 69-dm-lvm-metad.rules file
- In Core Update 175 lvm was updated and 69-dm-lvm-metad.rules was replaced with
69-dm-lvm.rules in the lvm rootfile.
- That previous patch update did not remove the no longer existing 69-dm-lvm-metad.rules
from existing installations. This patch corrects that.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 18 Jun 2023 18:02:09 +0000 (20:02 +0200)]
lvm: Fixes bug-13151 - update 69-dm-lvm.rules
- Redhat updated lvm udev rule 69-dm-lvm.rules to only work with systemd
- Update 69-dm-lvm.rules to work with IPFire based on input from @Daniel of what worked
to mount an existing lvm volume
Suggested-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 16 Jun 2023 18:24:34 +0000 (20:24 +0200)]
pciutils: Update to version 3.10.0
- Update from version 3.9.0 to 3.10.0
- Update of rootfile
- version 3.9.0 failed to output some of the symbols. This was found as a bug in Fedora but
also seen by some people in IPFire CU175 with flashrom where the version 3.3 symbol is
provided.
Fedora made a patch to resolve this issue for 3.9.0 but 3.10.0 has been released since
then and Fedora removed the patch that was used for 2.9.0 as pciutils has had that bug
fixed - see first item in changelog.
- Changelog
Released as 3.10.0.
Fixed bug in definition of versioned symbol aliases
in shared libpci, which made compiling with link-time
optimization fail.
Filters now accept "0x..." syntax for backward compatibility.
Windows: The cfgmgr32 back-end which provides the list of devices
can be combined with another back-end which provides access
to configuration space.
ECAM (Enhanced Configuration Access Mechanism), which is defined
by the PCIe standard, is now supported. It requires root privileges,
access to physical memory, and also manual configuration on some
systems.
lspci: Tree view now works on multi-domain systems. It now respects
filters properly.
Last but not least, pci.ids were updated to the current snapshot
of the database. This includes overall cleanup of entries with
non-ASCII characters in their names -- such characters are allowed,
but only if they convey interesting information (e.g., umlauts
in German company names, but not the "registered trade mark" sign).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 30 May 2023 11:13:41 +0000 (13:13 +0200)]
ovpnmain.cgi: Fix Bug#13136 - Allow spaces when editing a static ip address pool name
- This was fixed for creating a static ip address pool name in bug#12865 but was not
applied to the case when the static ip address pool name was being edited.
- This fix corrects that oversight.
Fixes: Bug#13136 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Matthias Fischer [Fri, 16 Jun 2023 15:52:08 +0000 (17:52 +0200)]
suricata: Update to 6.0.13
Excerpt from changelog:
"6.0.13 -- 2023-06-15
Security #6119: datasets: absolute path in rules can overwrite arbitrary files (6.0.x backport)
Bug #6138: Decode-events of IPv6 packets are not triggered (6.0.x backport)
Bug #6136: suricata-update: dump-sample-configs: configuration files not found (6.0.x backport)
Bug #6125: http2: cpu overconsumption in rust moving/memcpy in http2_parse_headers_blocks (6.0.x backport)
Bug #6113: ips: txs still logged for dropped flow (6.0.x backport)
Bug #6056: smtp: long line discard logic should be separate for server and client (6.0.x backport)
Bug #6055: ftp: long line discard logic should be separate for server and client (6.0.x backport)
Bug #5990: smtp: any command post a long command gets skipped (6.0.x backport)
Bug #5982: smtp: Long DATA line post boundary is capped at 4k Bytes (6.0.x backport)
Bug #5809: smb: convert transaction list to vecdeque (6.0.x backport)
Bug #5604: counters: tcp.syn, tcp.synack, tcp.rst depend on flow (6.0.x backport)
Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport)
Task #5984: libhtp 0.5.44 (6.0.x backport)
Documentation #6134: userguide: add instructions/explanation for (not) running suricata with root (6.0.x backport)
Documentation #6121: datasets: 6.0.x work-arounds for dataset supply chain attacks"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 Jun 2023 19:55:01 +0000 (21:55 +0200)]
vpnmain.cgi: unique_subject = yes in index.txt.attr for first attempt with fresh install
- The patches for Bug#13138
https://patchwork.ipfire.org/project/ipfire/patch/20230603140541.13834-1-adolf.belka@ipfire.org/
https://patchwork.ipfire.org/project/ipfire/patch/20230606104050.8290-1-adolf.belka@ipfire.org/
work for an update to Core Update 175 but a fresh install of CU175 will still fail with
the error when creating the root/host certificate set for the first time.
- This patch ensures that the unique_subject = yes line is addeed to index.txt.attr
when the root/host certificate set is attempted to be created or is uploaded also for
the first attempt.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated from version 20230214 to 20230512-rev2 where the source tarball is named version 20230613
- Update of rootfile
- Changelog details for versions 20230512 and 20230512-rev2 can be found at
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 9 Jun 2023 21:10:10 +0000 (23:10 +0200)]
transmission: Update to version 4.0.3
- Update from version 3.00 to 4.0.3
- This v2 version has usr/share/transmission directory uncommented.
- Update of rootfile
- Build changed from autotools configure to cmake
- Changelog is very large. For details see
https://github.com/transmission/transmission/releases/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 May 2023 09:08:41 +0000 (09:08 +0000)]
misc-progs: setuid: Return exit code from called process
This patch will return the exit code from the called process which has
not been done before. This made it more difficult to catch any
unsuccessful calls from the web UI.
Partly Fixes: #12863 Tested-by: Jon Murphy <jon.murphy@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 20 May 2023 12:10:48 +0000 (14:10 +0200)]
wavemon: Update to version 0.9.4
- Update from version 0.7.5 to 0.9.4
- Update of rootfile
- wavemon would not build because it could not find the netlink include files. wavemon was
still looking in include/netlink/ as for libnl version 1 but with libnl3 the include
files are in include/libnl3/netlink/
- Based on an issue entry in the wavemon github repo I created the patch to force wavemon
to look in the correct place.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 20 May 2023 12:10:46 +0000 (14:10 +0200)]
tmux: Update to version 3.3a
- Update from version 3.3 to 3.3a
- Update of rootfile not required
- Changelog
CHANGES FROM 3.3 TO 3.3a
* Do not crash when run-shell produces output from a config file.
* Do not unintentionally turn off all mouse mode when button mode is also
present.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 20 May 2023 12:10:45 +0000 (14:10 +0200)]
stunnel: Update to version 5.69
- Update from version 5.63 to 5.69
- Update of rootfile not required
- Changelog
Version 5.69, 2023.03.04, urgency: MEDIUM
* New features
- Improved logging performance with the "output" option.
- Improved file read performance on the WIN32 platform.
- DH and kDHEPSK ciphersuites removed from FIPS defaults.
- Set the LimitNOFILE ulimit in stunnel.service to allow
for up to 10,000 concurrent clients.
* Bugfixes
- Fixed the "CApath" option on the WIN32 platform by
applying https://github.com/openssl/openssl/pull/20312.
- Fixed stunnel.spec used for building rpm packages.
- Fixed tests on some OSes and architectures by merging
Debian 07-tests-errmsg.patch (thx to Peter Pentchev).
Version 5.68, 2023.02.07, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.8.
* New features
- Added the new 'CAengine' service-level option
to load a trusted CA certificate from an engine.
- Added requesting client certificates in server
mode with 'CApath' besides 'CAfile'.
- Improved file read performance.
- Improved logging performance.
* Bugfixes
- Fixed EWOULDBLOCK errors in protocol negotiation.
- Fixed handling TLS errors in protocol negotiation.
- Prevented following fatal TLS alerts with TCP resets.
- Improved OpenSSL initialization on WIN32.
- Improved testing suite stability.
Version 5.67, 2022.11.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.7.
* New features
- Provided a logging callback to custom engines.
* Bugfixes
- Fixed "make cert" with OpenSSL older than 3.0.
- Fixed the code and the documentation to use conscious
language for SNI servers (thx to Clemens Lang).
Version 5.66, 2022.09.11, urgency: MEDIUM
* New features
- OpenSSL 3.0 FIPS Provider support for Windows.
* Bugfixes
- Fixed building on machines without pkg-config.
- Added the missing "environ" declaration for
BSD-based operating systems.
- Fixed the passphrase dialog with OpenSSL 3.0.
Version 5.65, 2022.07.17, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.5.
* Bugfixes
- Fixed handling globally enabled FIPS.
- Fixed openssl.cnf processing in WIN32 GUI.
- Fixed a number of compiler warnings.
- Fixed tests on older versions of OpenSSL.
Version 5.64, 2022.05.06, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.3.
* New features
- Updated the pkcs11 engine for Windows.
* Bugfixes
- Removed the SERVICE_INTERACTIVE_PROCESS flag in
"stunnel -install".
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:52 +0000 (19:04 +0200)]
stress: Update to version 1.0.7
- Update from version 1.0.5 to 1.0.7
- Update of rootfile not required
- Changelog
Version 1.0.7
* Check for sys/prctl.h availability, because non-Linux
architectures don't provide <sys/prctl.h>.
* Improved GitHub CI:
- Added CI test for macOS.
- Added a check for stress command.
- Added a test for 'make dist-bzip2'.
* Moved manpage from doc/ to man/.
Version 1.0.6
* Register parent termination signal in child processes.
* Added 'make dist' check in CI test.
* Added rights for Vratislav Bendel.
* Re-organized src/stress.c via astyle command.
* Updated GPL-2 license text for src/stress.c.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:51 +0000 (19:04 +0200)]
strace: Update to version 6.3
- Update from version 6.1 to 6.3
- Update of rootfile not required
- Changelog
Noteworthy changes in release 6.3 (2023-05-08)
* Improvements
* Implemented --trace-fds=set option for filtering only the syscalls
that operate on the specified set of file descriptors.
* Implemented --decode-fds=signalfd option for decoding of signal masks
associated with signalfd file descriptors.
* Implemented --syscall-limit option to automatically detach tracees
after capturing the specified number of syscalls.
* Implemented --argv0 option to set argv[0] of the command being executed.
* Implemented decoding of PR_GET_MDWE and PR_SET_MDWE operations of prctl
syscall.
* Implemented decoding of IP_LOCAL_PORT_RANGE socket option.
* Implemented decoding of IFLA_BRPORT_MCAST_N_GROUPS,
IFLA_BRPORT_MCAST_MAX_GROUPS, IFLA_GSO_IPV4_MAX_SIZE,
IFLA_GRO_IPV4_MAX_SIZE, and TCA_EXT_WARN_MSG netlink attributes.
* Updated lists of F_SEAL_*, IFLA_*, IORING_*, MFD_*, NFT_*, TCA_*,
and V4L2_PIX_FMT_* constants.
* Updated lists of ioctl commands from Linux 6.3.
* Bug fixes
* Fixed build on hppa with uapi headers from Linux >= 6.2.
* Fixed --status filtering when -c option is in use.
Noteworthy changes in release 6.2 (2023-02-26)
* Improvements
* Implemented collision resolution for overlapping ioctl commands
from tty and snd subsystems.
* Implemented decoding of IFLA_BRPORT_MAB and IFLA_DEVLINK_PORT
netlink attributes.
* Updated lists of ALG_*, BPF_*, IFLA_*, KEY_*, KVM_*, LANDLOCK_*,
MEMBARRIER_*, NFT_*, NTF_*, and V4L2_* constants.
* Updated lists of ioctl commands from Linux 6.2.
* Bug fixes
* Fixed build on alpha architecture.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:50 +0000 (19:04 +0200)]
nginx: Update to version 1.24.0
- Update from version 1.22.1 to 1.24.0
- Update of rootfile not required
- Changelog (including some CVE's)
Changes with nginx 1.24.0 11 Apr 2023
*) 1.24.x stable branch.
Changes with nginx 1.23.4 28 Mar 2023
*) Change: now TLSv1.3 protocol is enabled by default.
*) Change: now nginx issues a warning if protocol parameters of a
listening socket are redefined.
*) Change: now nginx closes connections with lingering if pipelining was
used by the client.
*) Feature: byte ranges support in the ngx_http_gzip_static_module.
*) Bugfix: port ranges in the "listen" directive did not work; the bug
had appeared in 1.23.3.
Thanks to Valentin Bartenev.
*) Bugfix: incorrect location might be chosen to process a request if a
prefix location longer than 255 characters was used in the
configuration.
*) Bugfix: non-ASCII characters in file names on Windows were not
supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
and the "include" directive.
*) Change: the logging level of the "data length too long", "length too
short", "bad legacy version", "no shared signature algorithms", "bad
digest length", "missing sigalgs extension", "encrypted length too
long", "bad length", "bad key update", "mixed handshake and non
handshake data", "ccs received early", "data between ccs and
finished", "packet length too long", "too many warn alerts", "record
too small", and "got a fin before a ccs" SSL errors has been lowered
from "crit" to "info".
*) Bugfix: a socket leak might occur when using HTTP/2 and the
"error_page" directive to redirect errors with code 400.
*) Bugfix: messages about logging to syslog errors did not contain
information that the errors happened while logging to syslog.
Thanks to Safar Safarly.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: in the mail proxy server.
Changes with nginx 1.23.3 13 Dec 2022
*) Bugfix: an error might occur when reading PROXY protocol version 2
header with large number of TLVs.
*) Bugfix: a segmentation fault might occur in a worker process if SSI
was used to process subrequests created by other modules.
Thanks to Ciel Zhao.
*) Workaround: when a hostname used in the "listen" directive resolves
to multiple addresses, nginx now ignores duplicates within these
addresses.
*) Bugfix: nginx might hog CPU during unbuffered proxying if SSL
connections to backends were used.
Changes with nginx 1.23.2 19 Oct 2022
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, worker
process memory disclosure, or might have potential other impact
(CVE-2022-41741, CVE-2022-41742).
*) Feature: the "$proxy_protocol_tlv_..." variables.
*) Feature: TLS session tickets encryption keys are now automatically
rotated when using shared memory in the "ssl_session_cache"
directive.
*) Change: the logging level of the "bad record type" SSL errors has
been lowered from "crit" to "info".
Thanks to Murilo Andrade.
*) Change: now when using shared memory in the "ssl_session_cache"
directive the "could not allocate new session" errors are logged at
the "warn" level instead of "alert" and not more often than once per
second.
*) Bugfix: nginx/Windows could not be built with OpenSSL 3.0.x.
*) Bugfix: in logging of the PROXY protocol errors.
Thanks to Sergey Brester.
*) Workaround: shared memory from the "ssl_session_cache" directive was
spent on sessions using TLS session tickets when using TLSv1.3 with
OpenSSL.
*) Workaround: timeout specified with the "ssl_session_timeout"
directive did not work when using TLSv1.3 with OpenSSL or BoringSSL.
Changes with nginx 1.23.1 19 Jul 2022
*) Feature: memory usage optimization in configurations with SSL
proxying.
*) Feature: looking up of IPv4 addresses while resolving now can be
disabled with the "ipv4=off" parameter of the "resolver" directive.
*) Change: the logging level of the "bad key share", "bad extension",
"bad cipher", and "bad ecpoint" SSL errors has been lowered from
"crit" to "info".
*) Bugfix: while returning byte ranges nginx did not remove the
"Content-Range" header line if it was present in the original backend
response.
*) Bugfix: a proxied response might be truncated during reconfiguration
on Linux; the bug had appeared in 1.17.5.
Changes with nginx 1.23.0 21 Jun 2022
*) Change in internal API: now header lines are represented as linked
lists.
*) Change: now nginx combines arbitrary header lines with identical
names when sending to FastCGI, SCGI, and uwsgi backends, in the
$r->header_in() method of the ngx_http_perl_module, and during lookup
of the "$http_...", "$sent_http_...", "$sent_trailer_...",
"$upstream_http_...", and "$upstream_trailer_..." variables.
*) Bugfix: if there were multiple "Vary" header lines in the backend
response, nginx only used the last of them when caching.
*) Bugfix: if there were multiple "WWW-Authenticate" header lines in the
backend response and errors with code 401 were intercepted or the
"auth_request" directive was used, nginx only sent the first of the
header lines to the client.
*) Change: the logging level of the "application data after close
notify" SSL errors has been lowered from "crit" to "info".
*) Bugfix: connections might hang if nginx was built on Linux 2.6.17 or
newer, but was used on systems without EPOLLRDHUP support, notably
with epoll emulation layers; the bug had appeared in 1.17.5.
Thanks to Marcus Ball.
*) Bugfix: nginx did not cache the response if the "Expires" response
header line disabled caching, but following "Cache-Control" header
line enabled caching.
Changes with nginx 1.21.6 25 Jan 2022
*) Bugfix: when using EPOLLEXCLUSIVE on Linux client connections were
unevenly distributed among worker processes.
*) Bugfix: nginx returned the "Connection: keep-alive" header line in
responses during graceful shutdown of old worker processes.
*) Bugfix: in the "ssl_session_ticket_key" when using TLSv1.3.
Changes with nginx 1.21.5 28 Dec 2021
*) Change: now nginx is built with the PCRE2 library by default.
*) Change: now nginx always uses sendfile(SF_NODISKIO) on FreeBSD.
*) Feature: support for sendfile(SF_NOCACHE) on FreeBSD.
*) Feature: the $ssl_curve variable.
*) Bugfix: connections might hang when using HTTP/2 without SSL with the
"sendfile" and "aio" directives.
Changes with nginx 1.21.4 02 Nov 2021
*) Change: support for NPN instead of ALPN to establish HTTP/2
connections has been removed.
*) Change: now nginx rejects SSL connections if ALPN is used by the
client, but no supported protocols can be negotiated.
*) Change: the default value of the "sendfile_max_chunk" directive was
changed to 2 megabytes.
*) Feature: the "proxy_half_close" directive in the stream module.
*) Feature: the "ssl_alpn" directive in the stream module.
*) Feature: the $ssl_alpn_protocol variable.
*) Feature: support for SSL_sendfile() when using OpenSSL 3.0.
*) Feature: the "mp4_start_key_frame" directive in the
ngx_http_mp4_module.
Thanks to Tracey Jaquith.
*) Bugfix: in the $content_length variable when using chunked transfer
encoding.
*) Bugfix: after receiving a response with incorrect length from a
proxied backend nginx might nevertheless cache the connection.
Thanks to Awdhesh Mathpal.
*) Bugfix: invalid headers from backends were logged at the "info" level
instead of "error"; the bug had appeared in 1.21.1.
*) Bugfix: requests might hang when using HTTP/2 and the "aio_write"
directive.
Changes with nginx 1.21.3 07 Sep 2021
*) Change: optimization of client request body reading when using
HTTP/2.
*) Bugfix: in request body filters internal API when using HTTP/2 and
buffering of the data being processed.
Changes with nginx 1.21.2 31 Aug 2021
*) Change: now nginx rejects HTTP/1.0 requests with the
"Transfer-Encoding" header line.
*) Change: export ciphers are no longer supported.
*) Feature: OpenSSL 3.0 compatibility.
*) Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines
are now passed to the mail proxy authentication server.
Thanks to Rob Mueller.
*) Feature: request body filters API now permits buffering of the data
being processed.
*) Bugfix: backend SSL connections in the stream module might hang after
an SSL handshake.
*) Bugfix: the security level, which is available in OpenSSL 1.1.0 or
newer, did not affect loading of the server certificates when set
with "@SECLEVEL=N" in the "ssl_ciphers" directive.
*) Bugfix: SSL connections with gRPC backends might hang if select,
poll, or /dev/poll methods were used.
*) Bugfix: when using HTTP/2 client request body was always written to
disk if the "Content-Length" header line was not present in the
request.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:49 +0000 (19:04 +0200)]
mpfr: Update with latest bug patches
- Update version 4.2.0 from 4 bug patches to 9 bug patches
- Update of rootfile not required
- Bug fix changelog
5 The mpfr_reldiff function, which computes |b−c|/b, is buggy on special values,
e.g. on the following (b,c) values: (+Inf,+Inf) gives ±0 instead of NaN (like
NaN/Inf); (+0,+0) gives 1 instead of NaN (like 0/0); (+0,1) gives 1 instead of
Inf (like 1/0). Moreover, the sign of 0 for (+Inf,+Inf) or (−Inf,−Inf) is not
set, i.e. it is just the sign of the destination before the call; as a
consequence, results are not even consistent. These bugs are fixed by the
reldiff patch.
Corresponding changeset in the 4.2 branch: 81e4d4427.
6 The reuse tests are incomplete: the sign of a result zero is not checked, so
that it can miss bugs (one of the mpfr_reldiff bugs mentioned above, in
particular). The tests-reuse patch adds a check of the sign of zero and
contains other minor improvements.
Corresponding changeset in the 4.2 branch: e6d47b8f5.
7 The general code for the power function (mpfr_pow_general internal function) has
two bugs in particular cases: the first one is an incorrect computation of the
error bound when there has been an intermediate underflow or overflow (in such
a case, the computation is performed again with a rescaling, thus with an
additional error term, but there is a bug in the computation of this term), so
that the result may be rounded incorrectly (in particular, a spurious overflow
is possible); the second one occurs in a corner case (destination precision 1,
rounding to nearest, and where the rounded result assuming an unbounded
exponent range would be 2emin−2 and the exact result is larger than this value),
with the only consequence being a missing underflow exception (the underflow
flag is not set). These two bugs are fixed by the pow_general patch, which also
provides testcases.
Note: The second bug was introduced by commit 936df8ef6 in MPFR 4.1.0 (the code
simplification was incorrect, and there were no associated tests in the
testsuite).
Corresponding changesets in the 4.2 branch: 85bc7331c, 5fa407a6c, 9a16c173e.
8 The mpfr_compound_si function can take a huge amount of memory and time in some
cases (when the argument x is a large even integer and xn is represented exactly
in the target precision) and does not correctly detect overflows and underflows.
This is fixed by the compound patch, which also provides various tests.
Corresponding changesets in the 4.2 branch: 7635c4a35, 74d86a61f, 952fb0f5c, a4894f68d, 7bb748775, f5cb40571, d87459969.
9 MPFR can crash when a formatted output function is called with %.2147483648Rg in
the format string. For instance: mpfr_snprintf (NULL, 0, "%.2147483648Rg\n", x);
This is fixed by the printf_large_prec_for_g patch, which also provides
testcases.
Corresponding changesets in the 4.2 branch: 686f82776, 769ad91a6.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:48 +0000 (19:04 +0200)]
minidlna: Update to version 1.3.2
- Update from version 1.3.0 to 1.3.2
- Update of rootfile not required
- Patch for CVE-2022-26505 is now built into the source tarball
- Changelog
1.3.2 - Released 30-Aug-2022
- Improved DNS rebinding attack protection.
- Added Samsung Neo QLED series (2021) support.
- Added webm/rm/rmvb support.
1.3.1 - Released 11-Feb-2022
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix an socket leakage issue on some platforms.
- Minor bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:47 +0000 (19:04 +0200)]
fping: Update to version 5.1
- Update from version 5.0 to 5.1
- Update of rootfile not required
- Changelog
fping 5.1 (2022-02-06)
## Bugfixes and other changes
- Use setcap to specify specific files in fping.spec (#232, thanks @zdyxry)
- Netdata: use host instead name as family label (#226, thanks @k0ste)
- Netdata: use formatstring macro PRId64 (#229, thanks @gsnw)
- Allow -4 option to be given multiple times (#215, thanks @normanr)
- Documentation fix (#208, thanks @timgates42)
- Retain privileges until after privileged setsockopt (#200, thanks @simetnicbr)
- Set bind to source only when option is set (#198, thanks @dinoex)
- Update Azure test pipeline (#197, thanks @gsnw)
- Fix getnameinfo not called properly for IPv4 (#227, thanks @aafbsd)
- Fixed wrong timestamp under Free- and OpenBSD and macOS (#217, thanks @gsnw)
- Documentation updates (#240, thanks @auerswal)
- Updated autotools (autoconf 2.71, automake 1.16.5, libtool 2.4.6)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:53 +0000 (13:47 +0200)]
pam: Update to version 1.5.3
- Update from version 1.5.2 to 1.5.3
- Update of rootfile
- Changelog
Release 1.5.3
* configure: added options to configure stylesheets.
* configure: added --enable-logind option to use logind instead of utmp
in pam_issue and pam_timestamp.
* pam_modutil_getlogin: changed to use getlogin() from libc instead of parsing
utmp.
* Added libeconf support to pam_env and pam_shells.
* Added vendor directory support to pam_access, pam_env, pam_group, pam_faillock,
pam_limits, pam_namespace, pam_pwhistory, pam_sepermit, pam_shells, and pam_time.
* pam_limits: changed to not fail on missing config files.
* pam_pwhistory: added conf= option to specify config file location.
* pam_pwhistory: added file= option to specify password history file location.
* pam_shells: added shells.d support when libeconf and vendordir are enabled.
* Deprecated pam_lastlog: this module is no longer built by default because
it uses utmp, wtmp, btmp and lastlog, but none of them are Y2038 safe,
even on 64bit architectures.
pam_lastlog will be removed in one of the next releases, consider using
pam_lastlog2 (from https://github.com/thkukuk/lastlog2) and/or
pam_wtmpdb (from https://github.com/thkukuk/wtmpdb) instead.
* Deprecated _pam_overwrite(), _pam_overwrite_n(), and _pam_drop_reply() macros
provided by _pam_macros.h; the memory override performed by these macros can
be optimized out by the compiler and therefore can no longer be relied upon.
* Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:52 +0000 (13:47 +0200)]
nettle: Update to version 3.9
- Update from version 3.8.1 to 3.9
- Update of rootfile
- Changelog
NEWS for the Nettle 3.9 release
This release includes bug fixes, several new features, a few
performance improvements, and one performance regression
affecting GCM on certain platforms.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.7 and libhogweed.so.6.7, with sonames
libnettle.so.8 and libhogweed.so.6.
This release includes a rewrite of the C implementation of
GHASH (dating from 2011), as well as the plain x86_64 assembly
version, to use precomputed tables in a different way, with
tables always accessed in the same sequential manner.
This should make Nettle's GHASH implementation side-channel
silent on all platforms, but considerably slower on platforms
without carry-less mul instructions. E.g., benchmarks of the C
implementation on x86_64 showed a slowdown of 3 times.
Bug fixes:
* Fix bug in ecdsa and gostdsa signature verify operation, for
the unlikely corner case that point addition really is point
duplication.
* Fix for chacha on Power7, nettle's assembly used an
instruction only available on later processors. Fixed by
Mamone Tarsha.
* GHASH implementation should now be side-channel silent on
all architectures.
* A few portability fixes for *BSD.
New features:
* Support for the SM4 block cipher, contributed by Tianjia
Zhang.
* Support for the Balloon password hash, contributed by Zoltan
Fridrich.
* Support for SIV-GCM authenticated encryption mode,
contributed by Daiki Ueno.
* Support for OCB authenticated encryption mode.
* New exported functions md5_compress, sha1_compress,
sha256_compress, sha512_compress, based on patches from
Corentin Labbe.
Optimizations:
* Improved sha256 performance, in particular for x86_64 and
s390x.
* Use GMP's mpn_sec_tabselect, which is implemented in
assembly on many platforms, and delete the similar nettle
function. Gives a modest speedup to all ecc operations.
* Faster poly1305 for x86_64 and ppc64. New ppc code
contributed by Mamone Tarsha.
Miscellaneous:
* New ASM_FLAGS variable recognized by configure.
* Delete all arcfour assembly code. Affects 32-bit x86, 32-bit
and 64-bit sparc.
Known issues:
* Version 6.2.1 of GNU GMP (the most recent GMP release as of
this writing) has a known issue for MacOS on 64-bit ARM: GMP
assembly files use the reserved x18 register. On this
platform it is recommended to use a GMP snapshot where this
bug is fixed, and upgrade to a later GMP release when one
becomes available.
* Also on MacOS, Nettle's testsuite may still break due to
DYLD_LIBRARY_PATH being discarded under some circumstances.
As a workaround, use
* make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:51 +0000 (13:47 +0200)]
libcap: Update to version 2.69
- Update from version 2.67 to 2.69
- Update of rootfile
- Changelog
Release notes for 2.69
2023-05-14 19:10:04 -0700
An audit was performed on libcap and friends by https://x41-dsec.de/
https://x41-dsec.de/news/2023/05/15/libcap-source-code-audit/
The audit (final report, 2023-05-10)
https://drive.google.com/file/d/1lsuC_tQbQ5pCE2Sy_skw0a7hTzQyQh2C/view?usp=sharing
was sponsored by the the Open Source Technology Improvement Fund,
https://ostif.org/ (blog). Five issues were found. Four of them are
addressed in this release. Each issue was labeled in the audit results as
follows:
LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir
LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger
LCAP-CR-23-100 (SEVERITY) NONE
LCAP-CR-23-101 (SEVERITY) NONE
Man page style improvement from Emanuele Torre
Partially revive the ability to build the binaries fully statically.
This was needed to make bleeding edge kernel debugging/testing via
qemu+busybox work again. Addressing an issue I realized only when I
tried to answer this stackexchange question.
https://unix.stackexchange.com/questions/741532/launch-process-with-limited-capabilities-on-minimal-busybox-based-system
Release notes for 2.68
2023-03-25 17:03:17 -0700
Force libcap internal functions to be hidden outside the library (Bug 217014)
Expanded the list of man page (links) to all of the supported API functions.
fixed some formatting issues with the libpsx(3) manpage.
Add support for a markdown preamble and postscript when generating .md
versions of the man pages (Bug 217007)
psx package clean up
fix some copy-paste errors with TestShared()
added a more complete psx testing into this test as well
cap package clean up
drop an unnecessary use of ", _" in the sources
cleaned up cap.NamedCount documentation
Converted goapps/web/README to .md format and fixed the instructions to
indicate go mod tidy is needed.
cap_compare test binary now cleans up after itself (Bug 217018)
Figured out how to cross compile Go programs for arm (i.e. RPi) that use C
code, don't use cgo but do use the psx package (all part of investigating
bug 216610).
Eliminate use of vendor directory
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:50 +0000 (13:47 +0200)]
harfbuzz: Update to version 7.3.0
- Update from 7.2.0 to 7.3.0
- Update of rootfile
- Changelog
Overview of changes leading to 7.3.0
Tuesday, May 9, 2023
- Speedup applying glyph variation in VarComposites fonts (over 40% speedup).
(Behdad Esfahbod)
- Speedup instancing some fonts (over 20% speedup in instancing RobotoFlex).
(Behdad Esfahbod)
- Speedup shaping some fonts (over 30% speedup in shaping Roboto).
(Behdad Esfahbod)
- Support subsetting VarComposites and beyond-64k fonts. (Behdad Esfahbod)
- New configuration macro HB_MINIMIZE_MEMORY_USAGE to favor optimizing memory
usage over speed. (Behdad Esfahbod)
- Supporting setting the mapping between old and new glyph indices during
subsetting. (Garret Rieger)
- Various fixes and improvements.
(Behdad Esfahbod, Denis Rochette, Garret Rieger, Han Seung Min, Qunxin Liu)
- New API:
+hb_subset_input_old_to_new_glyph_mapping()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:49 +0000 (13:47 +0200)]
ethtool: Update to version 6.3
- Update from version 6.2 to 6.3
- Update of rootfile not required
- Changelog
Version 6.3 - May 8, 2023
* Feature: PLCA support (--[gs]et-plca-cfg, --get-plca-status)
* Feature: MAC Merge layer support (--show-mm, --set-mm)
* Feature: pass source of statistics for port stats
* Feature: get/set rx push in ringparams (-g and -G)
* Feature: coalesce tx aggregation parameters (-c and -C)
* Feature: PSE and PD devices (--show-pse, --set-pse)
* Fix: minor fixes of help text (--help)
* Fix: fix build on systems with older system headers
* Fix: fix netlink support when PLCA is not present (no option)
* Fix: fixes for issues found with gcc13 -fanalyzer
* Fix: fix return code in rxclass_rule_ins (-N)
* Fix: more robust argc/argv handling
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / stevee / ipfire-2.x.git / log
