Adolf Belka [Fri, 9 Aug 2024 10:37:33 +0000 (12:37 +0200)]
libgcrypt: Update to version 1.11.0
- Update from version 1.10.3 to 1.11.0
- Update of rootfile
- Update of libgcrypt requires an update of netatalk as old version will not build with
libgcrypt-1.11.0
- Changelog
1.11.0
* New and extended interfaces:
- Add an API for Key Encapsulation Mechanism (KEM). [T6755]
- Add Streamlined NTRU Prime sntrup761 algorithm. [rCcf9923e1a5]
- Add Kyber algorithm according to FIPS 203 ipd 2023-08-24.
[rC18e5c0d268]
- Add Classic McEliece algorithm. [rC003367b912]
- Add One-Step KDF with hash and MAC. [T5964]
- Add KDF algorithm HKDF of RFC-5869. [T5964]
- Add KDF algorithm X963KDF for use in CMS. [rC3abac420b3]
- Add GMAC-SM4 and Poly1305-SM4. [rCd1ccc409d4]
- Add ARIA block cipher algorithm. [rC316c6d7715]
- Add explicit FIPS indicators for MD and MAC algorithms. [T6376]
- Add support for SHAKE as MGF in RSA. [T6557]
- Add gcry_md_read support for SHAKE algorithms. [T6539]
- Add gcry_md_hash_buffers_ext function. [T7035]
- Add cSHAKE hash algorithm. [rC065b3f4e02]
- Support internal generation of IV for AEAD cipher mode. [T4873]
* Performance:
- Add SM3 ARMv8/AArch64/CE assembly implementation. [rCfe891ff4a3]
- Add SM4 ARMv8/AArch64 assembly implementation. [rCd8825601f1]
- Add SM4 GFNI/AVX2 and GFI/AVX512 implementation.
[rC5095d60af4,rCeaed633c16]
- Add SM4 ARMv9 SVE CE assembly implementation. [rC2dc2654006]
- Add PowerPC vector implementation of SM4. [rC0b2da804ee]
- Optimize ChaCha20 and Poly1305 for PPC P10 LE. [T6006]
- Add CTR32LE bulk acceleration for AES on PPC. [rC84f2e2d0b5]
- Add generic bulk acceleration for CTR32LE mode (GCM-SIV) for SM4
and Camellia. [rCcf956793af]
- Add GFNI/AVX2 implementation of Camellia. [rC4e6896eb9f]
- Add AVX2 and AVX512 accelerated implementations for GHASH (GCM)
and POLYVAL (GCM-SIV). [rCd857e85cb4, rCe6f3600193]
- Add AVX512 implementation for SHA512. [rC089223aa3b]
- Add AVX512 implementation for Serpent. [rCce95b6ec35]
- Add AVX512 implementation for Poly1305 and ChaCha20
[rCcd3ed49770, rC9a63cfd617]
- Add AVX512 accelerated implementation for SHA3 and Blake2
[rCbeaad75f46,rC909daa700e]
- Add VAES/AVX2 accelerated i386 implementation for AES.
[rC4a42a042bc]
- Add bulk processing for XTS mode of Camellia and SM4.
[rC32b18cdb87, rCaad3381e93]
- Accelerate XTS and ECB modes for Twofish and Serpent.
[rCd078a928f5,rC8a1fe5f78f]
- Add AArch64 crypto/SHA512 extension implementation for
SHA512. [rCe51d3b8330]
- Add AArch64 crypto-extension implementation for Camellia.
[rC898c857206]
- Accelerate OCB authentication on AMD with AVX2. [rC6b47e85d65]
* Bug fixes:
- For PowerPC check for missing optimization level for vector
register usage. [T5785]
- Fix EdDSA secret key check. [T6511]
- Fix decoding of PKCS#1-v1.5 and OAEP padding. [rC34c2042792]
- Allow use of PKCS#1-v1.5 with SHA3 algorithms. [T6976]
- Fix AESWRAP padding length check. [T7130]
* Other:
- Allow empty password for Argon2 KDF. [rCa20700c55f]
- Various constant time operation imporvements.
- Add "bp256", "bp384", "bp512" aliases for Brainpool curves.
- Support for the random server has been removed. [T5811]
- The control code GCRYCTL_ENABLE_M_GUARD is deprecated and not
supported any more. Please use valgrind or other tools. [T5822]
- Logging is now done via the libgpg-error logging functions.
[rCab0bdc72c7]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 9 Aug 2024 10:05:38 +0000 (12:05 +0200)]
libjpeg: Update to version 3.0.3
- Update from version 2.1.4 to 3.0.3
- Update of rootfile
- CVE fix in 3.0.0
- Changelog
3.0.3
1. Fixed an issue in the build system, introduced in 3.0.2, that caused all
libjpeg-turbo components to depend on the Visual C++ run-time DLL when built
with Visual C++ and CMake 3.15 or later, regardless of value of the
`WITH_CRT_DLL` CMake variable.
2. The x86-64 SIMD extensions now include support for Intel Control-flow
Enforcement Technology (CET), which is enabled automatically if CET is enabled
in the C compiler.
3. Fixed a regression introduced by 3.0 beta2[6] that made it impossible for
calling applications to supply custom Huffman tables when generating
12-bit-per-component lossy JPEG images using the libjpeg API.
4. Fixed a segfault that occurred when attempting to use the jpegtran `-drop`
option with a specially-crafted malformed input image or drop image
(specifically an image in which all of the scans contain fewer components than
the number of components specified in the Start Of Frame segment.)
3.0.2
1. Fixed a signed integer overflow in the `tj3CompressFromYUV8()`,
`tj3DecodeYUV8()`, `tj3DecompressToYUV8()`, and `tj3EncodeYUV8()` functions,
detected by the Clang and GCC undefined behavior sanitizers, that could be
triggered by setting the `align` parameter to an unreasonably large value.
This issue did not pose a security threat, but removing the warning made it
easier to detect actual security issues, should they arise in the future.
2. Introduced a new parameter (`TJPARAM_MAXMEMORY` in the TurboJPEG C API and
`TJ.PARAM_MAXMEMORY` in the TurboJPEG Java API) and a corresponding TJBench
option (`-maxmemory`) for specifying the maximum amount of memory (in
megabytes) that will be allocated for intermediate buffers, which are used with
progressive JPEG compression and decompression, optimized baseline entropy
coding, lossless JPEG compression, and lossless transformation. The new
parameter and option serve the same purpose as the `max_memory_to_use` field in
the `jpeg_memory_mgr` struct in the libjpeg API, the `JPEGMEM` environment
variable, and the cjpeg/djpeg/jpegtran `-maxmemory` option.
3. Introduced a new parameter (`TJPARAM_MAXPIXELS` in the TurboJPEG C API and
`TJ.PARAM_MAXPIXELS` in the TurboJPEG Java API) and a corresponding TJBench
option (`-maxpixels`) for specifying the maximum number of pixels that the
decompression, lossless transformation, and packed-pixel image loading
functions/methods will process.
4. Fixed an error ("Unsupported color conversion request") that occurred when
attempting to decompress a 3-component lossless JPEG image without an Adobe
APP14 marker. The decompressor now assumes that a 3-component lossless JPEG
image without an Adobe APP14 marker uses the RGB colorspace if its component
IDs are 1, 2, and 3.
3.0.1
1. The x86-64 SIMD functions now use a standard stack frame, prologue, and
epilogue so that debuggers and profilers can reliably capture backtraces from
within the functions.
2. Fixed two minor issues in the interblock smoothing algorithm that caused
mathematical (but not necessarily perceptible) edge block errors when
decompressing progressive JPEG images exactly two MCU blocks in width or that
use vertical chrominance subsampling.
3. Fixed a regression introduced by 3.0 beta2[6] that, in rare cases, caused
the C Huffman encoder (which is not used by default on x86 and Arm CPUs) to
generate incorrect results if the Neon SIMD extensions were explicitly disabled
at build time (by setting the `WITH_SIMD` CMake variable to `0`) in an AArch64
build of libjpeg-turbo.
3.0.0
1. The TurboJPEG API now supports 4:4:1 (transposed 4:1:1) chrominance
subsampling, which allows losslessly transposed or rotated 4:1:1 JPEG images to
be losslessly cropped, partially decompressed, or decompressed to planar YUV
images.
2. Fixed various segfaults and buffer overruns (CVE-2023-2804) that occurred
when attempting to decompress various specially-crafted malformed
12-bit-per-component and 16-bit-per-component lossless JPEG images using color
quantization or merged chroma upsampling/color conversion. The underlying
cause of these issues was that the color quantization and merged chroma
upsampling/color conversion algorithms were not designed with lossless
decompression in mind. Since libjpeg-turbo explicitly does not support color
conversion when compressing or decompressing lossless JPEG images, merged
chroma upsampling/color conversion never should have been enabled for such
images. Color quantization is a legacy feature that serves little or no
purpose with lossless JPEG images, so it is also now disabled when
decompressing such images. (As a result, djpeg can no longer decompress a
lossless JPEG image into a GIF image.)
3. Fixed an oversight in 1.4 beta1[8] that caused various segfaults and buffer
overruns when attempting to decompress various specially-crafted malformed
12-bit-per-component JPEG images using djpeg with both color quantization and
RGB565 color conversion enabled.
4. Fixed an issue whereby `jpeg_crop_scanline()` sometimes miscalculated the
downsampled width for components with 4x2 or 2x4 subsampling factors if
decompression scaling was enabled. This caused the components to be upsampled
incompletely, which caused the color converter to read from uninitialized
memory. With 12-bit data precision, this caused a buffer overrun or underrun
and subsequent segfault if the sample value read from uninitialized memory was
outside of the valid sample range.
5. Fixed a long-standing issue whereby the `tj3Transform()` function, when used
with the `TJXOP_TRANSPOSE`, `TJXOP_TRANSVERSE`, `TJXOP_ROT90`, or
`TJXOP_ROT270` transform operation and without automatic JPEG destination
buffer (re)allocation or lossless cropping, computed the worst-case transformed
JPEG image size based on the source image dimensions rather than the
transformed image dimensions. If a calling program allocated the JPEG
destination buffer based on the transformed image dimensions, as the API
documentation instructs, and attempted to transform a specially-crafted 4:2:2,
4:4:0, 4:1:1, or 4:4:1 JPEG source image containing a large amount of metadata,
the issue caused `tj3Transform()` to overflow the JPEG destination buffer
rather than fail gracefully. The issue could be worked around by setting
`TJXOPT_COPYNONE`. Note that, irrespective of this issue, `tj3Transform()`
cannot reliably transform JPEG source images that contain a large amount of
metadata unless automatic JPEG destination buffer (re)allocation is used or
`TJXOPT_COPYNONE` is set.
6. Fixed a regression introduced by 3.0 beta2[6] that prevented the djpeg
`-map` option from working when decompressing 12-bit-per-component lossy JPEG
images.
7. Fixed an issue that caused the C Huffman encoder (which is not used by
default on x86 and Arm CPUs) to read from uninitialized memory when attempting
to transform a specially-crafted malformed arithmetic-coded JPEG source image
into a baseline Huffman-coded JPEG destination image.
2.1.91
1. Significantly sped up the computation of optimal Huffman tables. This
speeds up the compression of tiny images by as much as 2x and provides a
noticeable speedup for images as large as 256x256 when using optimal Huffman
tables.
2. All deprecated fields, constructors, and methods in the TurboJPEG Java API
have been removed.
3. Arithmetic entropy coding is now supported with 12-bit-per-component JPEG
images.
4. Overhauled the TurboJPEG API to address long-standing limitations and to
make the API more extensible and intuitive:
- All C function names are now prefixed with `tj3`, and all version
suffixes have been removed from the function names. Future API overhauls will
increment the prefix to `tj4`, etc., thus retaining backward API/ABI
compatibility without versioning each individual function.
- Stateless boolean flags have been replaced with stateful integer API
parameters, the values of which persist between function calls. New
functions/methods (`tj3Set()`/`TJCompressor.set()`/`TJDecompressor.set()` and
`tj3Get()`/`TJCompressor.get()`/`TJDecompressor.get()`) can be used to set and
query the value of a particular API parameter.
- The JPEG quality and subsampling are now implemented using API
parameters rather than stateless function arguments (C) or dedicated set/get
methods (Java.)
- `tj3DecompressHeader()` now stores all relevant information about the
JPEG image, including the width, height, subsampling type, entropy coding
algorithm, etc., in API parameters rather than returning that information
through pointer arguments.
- `TJFLAG_LIMITSCANS`/`TJ.FLAG_LIMITSCANS` has been reimplemented as an
API parameter (`TJPARAM_SCANLIMIT`/`TJ.PARAM_SCANLIMIT`) that allows the number
of scans to be specified.
- Optimized baseline entropy coding (the computation of optimal Huffman
tables, as opposed to using the default Huffman tables) can now be specified,
using a new API parameter (`TJPARAM_OPTIMIZE`/`TJ.PARAM_OPTIMIZE`), a new
transform option (`TJXOPT_OPTIMIZE`/`TJTransform.OPT_OPTIMIZE`), and a new
TJBench option (`-optimize`.)
- Arithmetic entropy coding can now be specified or queried, using a new
API parameter (`TJPARAM_ARITHMETIC`/`TJ.PARAM_ARITHMETIC`), a new transform
option (`TJXOPT_ARITHMETIC`/`TJTransform.OPT_ARITHMETIC`), and a new TJBench
option (`-arithmetic`.)
- The restart marker interval can now be specified, using new API
parameters (`TJPARAM_RESTARTROWS`/`TJ.PARAM_RESTARTROWS` and
`TJPARAM_RESTARTBLOCKS`/`TJ.PARAM_RESTARTBLOCKS`) and a new TJBench option
(`-restart`.)
- Pixel density can now be specified or queried, using new API parameters
(`TJPARAM_XDENSITY`/`TJ.PARAM_XDENSITY`,
`TJPARAM_YDENSITY`/`TJ.PARAM_YDENSITY`, and
`TJPARAM_DENSITYUNITS`/`TJ.PARAM_DENSITYUNITS`.)
- The accurate DCT/IDCT algorithms are now the default for both
compression and decompression, since the "fast" algorithms are considered to be
a legacy feature. (The "fast" algorithms do not pass the ISO compliance tests,
and those algorithms are not any faster than the accurate algorithms on modern
x86 CPUs.)
- All C initialization functions have been combined into a single function
(`tj3Init()`) that accepts an integer argument specifying the subsystems to
initialize.
- All C functions now use the `const` keyword for pointer arguments that
point to unmodified buffers (and for both dimensions of pointer arguments that
point to sets of unmodified buffers.)
- All C functions now use `size_t` rather than `unsigned long` to
represent buffer sizes, for compatibility with `malloc()` and to avoid
disparities in the size of `unsigned long` between LP64 (Un*x) and LLP64
(Windows) operating systems.
- All C buffer size functions now return 0 if an error occurs, rather than
trying to awkwardly return -1 in an unsigned data type (which could easily be
misinterpreted as a very large value.)
- Decompression scaling is now enabled explicitly, using a new
function/method (`tj3SetScalingFactor()`/`TJDecompressor.setScalingFactor()`),
rather than implicitly using awkward "desired width"/"desired height"
arguments.
- Partial image decompression has been implemented, using a new
function/method (`tj3SetCroppingRegion()`/`TJDecompressor.setCroppingRegion()`)
and a new TJBench option (`-crop`.)
- The JPEG colorspace can now be specified explicitly when compressing,
using a new API parameter (`TJPARAM_COLORSPACE`/`TJ.PARAM_COLORSPACE`.) This
allows JPEG images with the RGB and CMYK colorspaces to be created.
- TJBench no longer generates error/difference images, since identical
functionality is already available in ImageMagick.
- JPEG images with unknown subsampling configurations can now be
fully decompressed into packed-pixel images or losslessly transformed (with the
exception of lossless cropping.) They cannot currently be partially
decompressed or decompressed into planar YUV images.
- `tj3Destroy()` now silently accepts a NULL handle.
- `tj3Alloc()` and `tj3Free()` now return/accept void pointers, as
`malloc()` and `free()` do.
- The C image I/O functions now accept a TurboJPEG instance handle, which
is used to transmit/receive API parameter values and to receive error
information.
5. Added support for 8-bit-per-component, 12-bit-per-component, and
16-bit-per-component lossless JPEG images. A new libjpeg API function
(`jpeg_enable_lossless()`), TurboJPEG API parameters
(`TJPARAM_LOSSLESS`/`TJ.PARAM_LOSSLESS`,
`TJPARAM_LOSSLESSPSV`/`TJ.PARAM_LOSSLESSPSV`, and
`TJPARAM_LOSSLESSPT`/`TJ.PARAM_LOSSLESSPT`), and a cjpeg/TJBench option
(`-lossless`) can be used to create a lossless JPEG image. (Decompression of
lossless JPEG images is handled automatically.) Refer to
[libjpeg.txt](libjpeg.txt), [usage.txt](usage.txt), and the TurboJPEG API
documentation for more details.
6. Added support for 12-bit-per-component (lossy and lossless) and
16-bit-per-component (lossless) JPEG images to the libjpeg and TurboJPEG APIs:
- The existing `data_precision` field in `jpeg_compress_struct` and
`jpeg_decompress_struct` has been repurposed to enable the creation of
12-bit-per-component and 16-bit-per-component JPEG images or to detect whether
a 12-bit-per-component or 16-bit-per-component JPEG image is being
decompressed.
- New 12-bit-per-component and 16-bit-per-component versions of
`jpeg_write_scanlines()` and `jpeg_read_scanlines()`, as well as new
12-bit-per-component versions of `jpeg_write_raw_data()`,
`jpeg_skip_scanlines()`, `jpeg_crop_scanline()`, and `jpeg_read_raw_data()`,
provide interfaces for compressing from/decompressing to 12-bit-per-component
and 16-bit-per-component packed-pixel and planar YUV image buffers.
- New 12-bit-per-component and 16-bit-per-component compression,
decompression, and image I/O functions/methods have been added to the TurboJPEG
API, and a new API parameter (`TJPARAM_PRECISION`/`TJ.PARAM_PRECISION`) can be
used to query the data precision of a JPEG image. (YUV functions are currently
limited to 8-bit data precision but can be expanded to accommodate 12-bit data
precision in the future, if such is deemed beneficial.)
- A new cjpeg and TJBench command-line argument (`-precision`) can be used
to create a 12-bit-per-component or 16-bit-per-component JPEG image.
(Decompression and transformation of 12-bit-per-component and
16-bit-per-component JPEG images is handled automatically.)
2.1.5.1
1. The SIMD dispatchers in libjpeg-turbo 2.1.4 and prior stored the list of
supported SIMD instruction sets in a global variable, which caused an innocuous
race condition whereby the variable could have been initialized multiple times
if `jpeg_start_*compress()` was called simultaneously in multiple threads.
libjpeg-turbo 2.1.5 included an undocumented attempt to fix this race condition
by making the SIMD support variable thread-local. However, that caused another
issue whereby, if `jpeg_start_*compress()` was called in one thread and
`jpeg_read_*()` or `jpeg_write_*()` was called in a second thread, the SIMD
support variable was never initialized in the second thread. On x86 systems,
this led the second thread to incorrectly assume that AVX2 instructions were
always available, and when it attempted to use those instructions on older x86
CPUs that do not support them, an illegal instruction error occurred. The SIMD
dispatchers now ensure that the SIMD support variable is initialized before
dispatching based on its value.
2.1.5
1. Fixed issues in the build system whereby, when using the Ninja Multi-Config
CMake generator, a static build of libjpeg-turbo (a build in which
`ENABLE_SHARED` is `0`) could not be installed, a Windows installer could not
be built, and the Java regression tests failed.
2. Fixed a regression introduced by 2.0 beta1[15] that caused a buffer overrun
in the progressive Huffman encoder when attempting to transform a
specially-crafted malformed 12-bit-per-component JPEG image into a progressive
12-bit-per-component JPEG image using a 12-bit-per-component build of
libjpeg-turbo (`-DWITH_12BIT=1`.) Given that the buffer overrun was fully
contained within the progressive Huffman encoder structure and did not cause a
segfault or other user-visible errant behavior, given that the lossless
transformer (unlike the decompressor) is not generally exposed to arbitrary
data exploits, and given that 12-bit-per-component builds of libjpeg-turbo are
uncommon, this issue did not likely pose a security risk.
3. Fixed an issue whereby, when using a 12-bit-per-component build of
libjpeg-turbo (`-DWITH_12BIT=1`), passing samples with values greater than 4095
or less than 0 to `jpeg_write_scanlines()` caused a buffer overrun or underrun
in the RGB-to-YCbCr color converter.
4. Fixed a floating point exception that occurred when attempting to use the
jpegtran `-drop` and `-trim` options to losslessly transform a
specially-crafted malformed JPEG image.
5. Fixed an issue in `tjBufSizeYUV2()` whereby it returned a bogus result,
rather than throwing an error, if the `align` parameter was not a power of 2.
Fixed a similar issue in `tjCompressFromYUV()` whereby it generated a corrupt
JPEG image in certain cases, rather than throwing an error, if the `align`
parameter was not a power of 2.
6. Fixed an issue whereby `tjDecompressToYUV2()`, which is a wrapper for
`tjDecompressToYUVPlanes()`, used the desired YUV image dimensions rather than
the actual scaled image dimensions when computing the plane pointers and
strides to pass to `tjDecompressToYUVPlanes()`. This caused a buffer overrun
and subsequent segfault if the desired image dimensions exceeded the scaled
image dimensions.
7. Fixed an issue whereby, when decompressing a 12-bit-per-component JPEG image
(`-DWITH_12BIT=1`) using an alpha-enabled output color space such as
`JCS_EXT_RGBA`, the alpha channel was set to 255 rather than 4095.
8. Fixed an issue whereby the Java version of TJBench did not accept a range of
quality values.
9. Fixed an issue whereby, when `-progressive` was passed to TJBench, the JPEG
input image was not transformed into a progressive JPEG image prior to
decompression.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 9 Aug 2024 10:05:37 +0000 (12:05 +0200)]
libinih: Update to version 58
- Update from version 56 to 58
- Update of rootfile not required
- Changelog
58
[oss-fuzz] fuzzing support by @0x34d in #153
[Fuzzing] fix harness by @0x34d in #156
[Fuzzing] using cifuzz for PR by @0x34d in #154
Specify C++11 std in meson build by @DownerCase in #157
Add ini_ prefix even to static names so inih can be used as an #include by
@benhoyt in #164
57
MSVC throws C4244 by @AbsintheScripting in #142
Added a GetUnsigned function for getting unsigned values. by @jcormier in #147
meson.build: fix start-of-line_comment_prefix variable name by @ihilt in #149
Added GetInteger64 and GetUnsigned64 to read 64-bit integers by @natcat256
in #151
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 9 Aug 2024 10:05:35 +0000 (12:05 +0200)]
libcap-ng: Update to version 0.8.5
- Update from version 0.8.3 to 0.8.5
- Update of rootfile not required
- Changelog
0.8.5
- Remove python global exception handler since it's deprecated
- Make the utilities link against just built libraries
- Remove unused macro in cap-ng.h
0.8.4
- In capng_change_id, clear PR_SET_KEEPCAPS if returning an error
- pscap: add -p option for reporting a specified process (Masatake Yamato)
- Annotate function prototypes to warn if results are unused
- Drop python2 support
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 9 Aug 2024 10:05:36 +0000 (12:05 +0200)]
libgpg-error: Update to version 1.50
- Update from version 1.48 to 1.50
- Update of rootfile
- Changelog
1.50
* New set of process spawn functions. [T6249]
* Fixed return type for gpgrt_b64dec_proc and gpgrt_b64dec_finish to
gpg_err_code_t. This enum return type is in almost all cases
compatible to the formerly used gpg_error_t (i.e. unsigned int).
* Interface changes relative to the 1.49 release:
gpgrt_process_t CHANGED (never used).
gpgrt_spawn_actions_t NEW type.
gpgrt_process_requests NEW enum.
gpgrt_process_spawn NEW.
gpgrt_process_terminate NEW.
gpgrt_process_get_streams NEW.
gpgrt_process_ctl NEW.
gpgrt_process_wait NEW.
gpgrt_process_release NEW.
gpgrt_spawn_actions_new NEW.
gpgrt_spawn_actions_release NEW.
gpgrt_spawn_actions_set_redirect NEW.
gpgrt_spawn_actions_set_environ NEW (posix only).
gpgrt_spawn_actions_set_inherit_fds NEW (posix only).
gpgrt_spawn_actions_set_atfork NEW (posix only).
gpgrt_spawn_actions_set_envvars NEW (w32 only).
gpgrt_spawn_actions_set_inherit_handles NEW (w32 only).
GPGRT_PROCESS_DETACHED NEW.
GPGRT_PROCESS_NO_CONSOLE NEW.
GPGRT_PROCESS_NO_EUID_CHECK NEW.
GPGRT_PROCESS_STDIN_PIPE NEW.
GPGRT_PROCESS_STDOUT_PIPE NEW.
GPGRT_PROCESS_STDERR_PIPE NEW.
GPGRT_PROCESS_STDINOUT_SOCKETPAIR NEW.
GPGRT_PROCESS_STDIN_KEEP NEW.
GPGRT_PROCESS_STDOUT_KEEP NEW.
GPGRT_PROCESS_STDERR_KEEP NEW.
GPGRT_PROCESS_STDFDS_SETTING NEW.
GPGRT_SPAWN_INHERIT_FILE REMOVED (never used).
GPGRT_SPAWN_NONBLOCK REMOVED (never used).
GPGRT_SPAWN_RUN_ASFW REMOVED (never used).
GPGRT_SPAWN_DETACHED REMOVED (never used).
GPGRT_SPAWN_KEEP_STDIN REMOVED (never used).
GPGRT_SPAWN_KEEP_STDOUT REMOVED (never used).
GPGRT_SPAWN_KEEP_STDERR REMOVED (never used).
1.49
* Two new functions to improve the logging interface. The
gpgrt_logv_domain is currently the same as gpgrt_logv_prefix but
allows to pass a domain string so that in future we will be able to
select log output by domain. It also provide a non yet functional
feature to include a hex dump.
* Add a "trunc" keyword to gpgrt_log_printhex. [rE0a39fbefcb]
* Avoid an endless loop in the argparser due to a conf file read
error. [rE2dc93cfecc]
* Interface changes relative to the 1.48 release:
gpgrt_add_post_log_func NEW.
gpgrt_logv_domain NEW.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 8 Aug 2024 19:32:17 +0000 (21:32 +0200)]
libassuan: Update to version 3.0.1
- Update from version 2.5.5 to 3.0.1
- Update of rootfile
- Changelog
3.0.1
* Change Unix symbol versioning to help the Debian transitioning
process.
3.0.0
* API change: For new code, which uses libassuan with nPTH, please
use gpgrt_get_syscall_clamp and assuan_control, instead of the
system_hooks API. Use of ASSUAN_SYSTEM_NPTH is deprecated with new
API version 3. If it's really needed to keep using old
implementation of ASSUAN_SYSTEM_NPTH, you need to change your your
application code, to define
ASSUAN_REALLY_REQUIRE_V2_NPTH_SYSTEM_HOOKS before including
<assuan.h>. For an application which uses version 2 API
(NEED_LIBASSUAN_API=2 in its configure.ac), use of
ASSUAN_SYSTEM_NPTH is still supported. [T5914]
* New function assuan_control. [T6625]
* New function assuan_sock_accept. [T5925]
* New functions assuan_pipe_wait_server_termination and
assuan_pipe_kill_server to support abstraction of process. [T6487]
* Windows support for sendfd/recvfd. [T6236]
* Implement timeout in assuan_sock_connect_byname. [T3302]
* No support for WindowsCE, any more. [T6170]
* New socket flags "linger" and "reuseaddr". [rA87f92fe962]
* Interface changes relative to the 2.5.0 release:
assuan_sock_accept NEW.
assuan_pipe_wait_server_termination NEW.
assuan_pipe_kill_server NEW.
assuan_sock_set_flag EXTENDED.
assuan_sock_get_flag EXTENDED.
2.5.7
New configure option --with-libtool-modification. [T6619]
Change the naming of the 64 bit Windows DLL from libassuan6-0.dll to
libassuan-0.dll to sync this with what we did for libgpg-error.
2.5.6
* Fix logging of confidential data. [rA0fc31770fa]
* Fix memory wiping. [T5977]
* Fix macOS build problem. [T5440,T5610]
* Upgrade autoconf stuff.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 8 Aug 2024 19:32:16 +0000 (21:32 +0200)]
libarchive: Update to version 3.7.4
- Update from version 3.7.0 to 3.7.4
- Update of rootfile
- CVE fix in 3.7.4
- Changelog
3.7.4
Security fixes:
rar: Fix OOB in rar e8 filter (#2135) (CVE-2024-26256)
zip: Fix out of boundary access (#2145)
Important bugfixes:
7zip: Limit amount of properties (#2131)
bsdtar: Fix error handling around strtol() usages (#2110)
passphrase: Improve newline handling on Windows (#2115)
passphrase: Never allow empty passwords (#2116)
rar: Fix "File CRC Error" when extracting specific rar4 archives (#2124)
xar: Avoid infinite link loop (#2123)
zip: Update AppleDouble support for directories (#2108)
zstd: Implement core detection (#2083, #2071)
3.7.3
New features:
PCRE2 support (#2031)
add trailing letter b to bsdtar(1) substitute pattern (#2012)
add support for long options "--group" and "--owner" to tar(1) (#2054)
Security fixes:
Fix possible vulnerability in tar error reporting introduced in f27c173 (#2101)
Important bugfixes:
ISO9660: preserve the natural order of links (#1974)
rar5: fix decoding unicode filenames on Windows (#1978)
rar5: fix infinite loop if during rar5 decompression the last block produced
no data (#2105)
xz filter: fix incorrect eof at the end of an lzip member (#2027)
zip: fix end-of-data marker processing when decompressing zip archives (#2042)
multiple bsdunzip(1) fixes (#2022, #2030)
filetime truncation fix on Windows (#2050)
3.7.2
Security fixes:
Multiple vulnerabilities have been fixed in the PAX writer (1b4e0d0)
Important bugfixes:
bsdunzip(1) now correctly handles arguments following an -x after the zipfile
New features:
bsdunzip(1) now supports the "--version" flag
7-zip reader now translates Windows permissions into UNIX permissions (#1943)
uudecode filter in raw mode now supports file name and file mode
zstd filter now supports the "long" write option (#1962)
3.7.1
Security fixes:
SEGV and stack buffer overflow in verbose mode of cpio (#1934, #1935)
Feature updates:
bsdunzip updated to match latest upstream code (#1926)
Important bugfixes:
miscellaneous functional bugfixes (#1731, #1929, #1930)
build fixes on multiple platforms (Android #1921, older MacOS X #1919, #1933
and others)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Aug 2024 08:22:56 +0000 (10:22 +0200)]
hostapd: Update to version 2_11
- Update from version 2_10 to 2_11
- Update of rootfile not required
- Update of patches to latest source tarball
- Changelog
2_11
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* HE/IEEE 802.11ax/Wi-Fi 6
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* SAE: add support for fetching the password from a RADIUS server
* support OpenSSL 3.0 API changes
* support background radar detection and CAC with some additional
drivers
* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
* EAP-SIM/AKA: support IMSI privacy
* improve 4-way handshake operations
- use Secure=1 in message 3 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* extend PASN support for secure ranging
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible
* improved ACS to cover additional channel types/bandwidths
* extended Multiple BSSID support
* fix beacon protection with FT protocol (incorrect BIGTK was provided)
* support unsynchronized service discovery (USD)
* add preliminary support for RADIUS/TLS
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* use stricter validation for some RADIUS messages
* a large number of other fixes, cleanup, and extensions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 21 May 2024 14:56:21 +0000 (16:56 +0200)]
openssl: Update to version 3.3.0
- Update from version 3.2.1 to 3.3.0
- Update of rootfile
- Changelog
3.3
This release adds the following new features:
* Support for qlog for tracing QUIC connections has been added
* Added APIs to allow configuring the negotiated idle timeout for QUIC
connections, and to allow determining the number of additional streams
that can currently be created for a QUIC connection.
* Added APIs to allow disabling implicit QUIC event processing for QUIC SSL
objects
* Added APIs to allow querying the size and utilisation of a QUIC stream's
write buffer
* New API `SSL_write_ex2`, which can be used to send an end-of-stream (FIN)
condition in an optimised way when using QUIC.
* Limited support for polling of QUIC connection and stream objects in a
non-blocking manner.
* Added a new EVP_DigestSqueeze() API. This allows SHAKE to squeeze multiple
times with different output sizes.
* Added exporter for CMake on Unix and Windows, alongside the pkg-config
exporter.
* The BLAKE2s hash algorithm matches BLAKE2b's support for configurable
output length.
* The EVP_PKEY_fromdata function has been augmented to allow for the
derivation of CRT (Chinese Remainder Theorem) parameters when requested
* Added API functions SSL_SESSION_get_time_ex(), SSL_SESSION_set_time_ex()
using time_t which is Y2038 safe on 32 bit systems when 64 bit time
is enabled
* Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms
config options and the respective calls to SSL[_CTX]_set1_sigalgs() and
SSL[_CTX]_set1_client_sigalgs() that start with `?` character are
ignored and the configuration will still be used.
* Added `-set_issuer` and `-set_subject` options to `openssl x509` to
override the Issuer and Subject when creating a certificate. The `-subj`
option now is an alias for `-set_subject`.
* Added several new features of CMPv3 defined in RFC 9480 and RFC 9483
* New option `SSL_OP_PREFER_NO_DHE_KEX`, which allows configuring a TLS1.3
server to prefer session resumption using PSK-only key exchange over PSK
with DHE, if both are available.
* New atexit configuration switch, which controls whether the OPENSSL_cleanup
is registered when libcrypto is unloaded.
* Added X509_STORE_get1_objects to avoid issues with the existing
X509_STORE_get0_objects API in multi-threaded applications.
This release incorporates the following potentially significant or incompatible
changes:
* Applied AES-GCM unroll8 optimisation to Microsoft Azure Cobalt 100
* Optimized AES-CTR for ARM Neoverse V1 and V2
* Enable AES and SHA3 optimisations on Applie Silicon M3-based MacOS systems
similar to M1/M2.
* Various optimizations for cryptographic routines using RISC-V vector crypto
extensions
* Added assembly implementation for md5 on loongarch64
* Accept longer context for TLS 1.2 exporters
* The activate and soft_load configuration settings for providers in
openssl.cnf have been updated to require a value of [1|yes|true|on]
(in lower or UPPER case) to enable the setting. Conversely a value
of [0|no|false|off] will disable the setting.
* In `openssl speed`, changed the default hash function used with `hmac` from
`md5` to `sha256`.
* The `-verify` option to the `openssl crl` and `openssl req` will make the
program exit with 1 on failure.
* The d2i_ASN1_GENERALIZEDTIME(), d2i_ASN1_UTCTIME(), ASN1_TIME_check(), and
related functions have been augmented to check for a minimum length of
the input string, in accordance with ITU-T X.690 section 11.7 and 11.8.
* OPENSSL_sk_push() and sk_<TYPE>_push() functions now return 0 instead of -1
if called with a NULL stack argument.
* New limit on HTTP response headers is introduced to HTTP client. The
default limit is set to 256 header lines.
This release incorporates the following bug fixes and mitigations:
* The BIO_get_new_index() function can only be called 127 times before it
reaches its upper bound of BIO_TYPE_MASK and will now return -1 once its
exhausted.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Suggested-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.9.0
"RRDtool 1.9.0 — 2024-07-29
Bugfixes
Fix ytop and ybase adjustments for overlaping area issue on transparent areas @turban
Suppress warnings of implicit fall through @youpong
Update tarball download link in doc @c72578
Fix unsigned integer overflow in rrdtool first. Add test for rrd_first() @c72578
Fix tests under MSYS2 (Windows) @c72578
Fix BUILD_DATE in rrdtool help output @c72578
acinclude.m4: Include <stdlib.h> when using exit @ryandesign
rrdtool-release: Create NUMVERS from VERSION file @c72578
Avoids leaking of file descriptors in multi threaded programs by @ensc
Avoids potential unterminated string because of fixed PATH_MAX buffer
Fix extra reference of parameters of rrd_fetch_dbi_{long,double} @jamborm"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 26 Jul 2024 12:32:24 +0000 (14:32 +0200)]
bird: Update to version 2.15.1
- Update from version 2.14 to 2.15.1
- Update of rootfile not required
- Changelog
2.15.1
o OSPF: Fix regression in handling PtP links
o RPKI: Handle connection resets properly
o Static: Reject invalid combination of options
o Fix builds with limited set of protocols
2.15
o BGP: Send hold timer
o BGP: New options to specify required BGP capabilities
o BFD: Improvements to 'show bfd sessions' command
o RPKI: New 'local address' configuration option
o Linux: Support for more route attributes, including
TCP congestion control algorithm
o Support for UDP logging
o Static routes can have both nexthop and interface specified
o Completion of command options in BIRD client
o Many bugfixes and improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 2 Aug 2024 16:49:15 +0000 (16:49 +0000)]
vectorscan: Fix check for CPU support
According to the documentation, Vectorscan checks whether the CPU is
supporting the minimum requirement of SSE4.2. However the check is still
checking for SSSE3 which makes the library fail on systems without
SSE4.2.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jul 2024 11:41:22 +0000 (13:41 +0200)]
nginx: Update to version 1.26.1
- Update from version 1.24.0 to 1.26.1
- Update of rootfile not required
- Version 1.24.0 is now a legacy version, no longer being supported. Stable version has
changed to 1.26.x series.
- Various CVE fixes in 1.26.1 and in 1.25.4, the development branch that became 1.26.0,
that the legacy version 1.24.0 is also vulnerable to.
- Changelog
1.26.1
*) Security: when using HTTP/3, processing of a specially crafted QUIC
session might cause a worker process crash, worker process memory
disclosure on systems with MTU larger than 4096 bytes, or might have
potential other impact (CVE-2024-32760, CVE-2024-31079,
CVE-2024-35200, CVE-2024-34161).
*) Bugfix: reduced memory consumption for long-lived requests if "gzip",
"gunzip", "ssi", "sub_filter", or "grpc_pass" directives are used.
*) Bugfix: nginx could not be built by gcc 14 if the --with-atomic
option was used.
*) Bugfix: in HTTP/3.
1.26.0
*) 1.26.x stable branch.
1.25.5
*) Feature: virtual servers in the stream module.
*) Feature: the ngx_stream_pass_module.
*) Feature: the "deferred", "accept_filter", and "setfib" parameters of
the "listen" directive in the stream module.
*) Feature: cache line size detection for some architectures.
*) Feature: support for Homebrew on Apple Silicon.
*) Bugfix: Windows cross-compilation bugfixes and improvements.
*) Bugfix: unexpected connection closure while using 0-RTT in QUIC.
1.25.4
*) Security: when using HTTP/3 a segmentation fault might occur in a
worker process while processing a specially crafted QUIC session
(CVE-2024-24989, CVE-2024-24990).
*) Bugfix: connections with pending AIO operations might be closed
prematurely during graceful shutdown of old worker processes.
*) Bugfix: socket leak alerts no longer logged when fast shutdown was
requested after graceful shutdown of old worker processes.
*) Bugfix: a socket descriptor error, a socket leak, or a segmentation
fault in a worker process (for SSL proxying) might occur if AIO was
used in a subrequest.
*) Bugfix: a segmentation fault might occur in a worker process if SSL
proxying was used along with the "image_filter" directive and errors
with code 415 were redirected with the "error_page" directive.
*) Bugfixes and improvements in HTTP/3.
1.25.3
*) Change: improved detection of misbehaving clients when using HTTP/2.
*) Feature: startup speedup when using a large number of locations.
Thanks to Yusuke Nojima.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 without SSL; the bug had appeared in 1.25.1.
*) Bugfix: the "Status" backend response header line with an empty
reason phrase was handled incorrectly.
*) Bugfix: memory leak during reconfiguration when using the PCRE2
library.
*) Bugfixes and improvements in HTTP/3.
1.25.2
*) Feature: path MTU discovery when using HTTP/3.
*) Feature: TLS_AES_128_CCM_SHA256 cipher suite support when using
HTTP/3.
*) Change: now nginx uses appname "nginx" when loading OpenSSL
configuration.
*) Change: now nginx does not try to load OpenSSL configuration if the
--with-openssl option was used to built OpenSSL and the OPENSSL_CONF
environment variable is not set.
*) Bugfix: in the $body_bytes_sent variable when using HTTP/3.
*) Bugfix: in HTTP/3.
1.25.1
*) Feature: the "http2" directive, which enables HTTP/2 on a per-server
basis; the "http2" parameter of the "listen" directive is now
deprecated.
*) Change: HTTP/2 server push support has been removed.
*) Change: the deprecated "ssl" directive is not supported anymore.
*) Bugfix: in HTTP/3 when using OpenSSL.
1.25.0
*) Feature: experimental HTTP/3 support.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.62
"Changes with Apache 2.4.62
*) SECURITY: CVE-2024-40898: Apache HTTP Server: SSRF with
mod_rewrite in server/vhost context on Windows (cve.mitre.org)
SSRF in Apache HTTP Server on Windows with mod_rewrite in
server/vhost context, allows to potentially leak NTML hashes to
a malicious server via SSRF and malicious requests.
Users are recommended to upgrade to version 2.4.62 which fixes
this issue.
Credits: Smi1e (DBAPPSecurity Ltd.)
*) SECURITY: CVE-2024-40725: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
A partial fix for CVE-2024-39884 in the core of Apache HTTP
Server 2.4.61 ignores some use of the legacy content-type based
configuration of handlers. "AddType" and similar configuration,
under some circumstances where files are requested indirectly,
result in source code disclosure of local content. For example,
PHP scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.62, which fixes
this issue.
*) mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:" sockets
with BalancerMember(s). PR 69168. [Yann Ylavic]
Adolf Belka [Tue, 16 Jul 2024 11:00:05 +0000 (13:00 +0200)]
mpd: Patch mpd to deal with format function being const in fmt-11.0.0 onwards
- Commit has been made in mpd but no release has yet been made with the change. When the
next version release of mpd occurs this patch can be removed.
- The patch changes all format calls to be const . Without this patch mpd will not build
with fmt-11.0.0 or newer.
- Update of rootfile not required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / mfischer / ipfire-2.x.git / log
