Adolf Belka [Sat, 21 Sep 2024 11:06:46 +0000 (13:06 +0200)]
samba: Update to version 4.21.0
- Update from 4.20.4 to 4.21.0
- Update of rootfile for x86_64, aarch64 & riscv64
- Changelog
4.21.0
Hardening of "valid users", "invalid users", "read list" and "write list"
In previous versions of Samba, if a user or group name in either of the
mentioned options could not be resolved to a valid SID, the user (or group)
would be skipped without any notification. This could result in unexpected and
insecure behaviour. Starting with this version of Samba, if any user or group
name in any of the options cannot be resolved due to a communication error with
a domain controller, Samba will log an error and the tree connect will fail.
Non existing users (or groups) are ignored.
LDAP TLS/SASL channel binding support
The ldap server supports SASL binds with
kerberos or NTLMSSP over TLS connections
now (either ldaps or starttls).
Setups where 'ldap server require strong auth = allow_sasl_over_tls'
was required before, can now most likely move to the
default of 'ldap server require strong auth = yes'.
If SASL binds without correct tls channel bindings are required
'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
should be used now, as 'allow_sasl_over_tls' will generate a
warning in every start of 'samba', as well as '[samba-tool ]testparm'.
This is similar to LdapEnforceChannelBinding under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
on Windows.
All client tools using ldaps also include the correct
channel bindings now.
NEW FEATURES/CHANGES
LDB no longer a standalone tarball
LDB, Samba's LDAP-like local database and the power behind the Samba
AD DC, is no longer available to build as a distinct tarball, but is
instead provided as an optional public library.
If you need ldb as a public library, say to build sssd, then use
./configure --private-libraries='!ldb'
This re-integration allows LDB tests to use the Samba's full selftest
system, including our knownfail infrastructure, and decreases the work
required during security releases as a coordinated release of the ldb
tarball is not also required.
This approach has been demonstrated already in Debian, which is already
building Samba and LDB is this way.
As part of this work, the pyldb-util public library, not known to be
used by any other software, is made private to Samba.
LDB Module API Python bindings removed
The LDB Modules API, which we do not promise a stable ABI or API for,
was wrapped in python in early LDB development. However that wrapping
never took into account later changes, and so has not worked for a
number of years. Samba 4.21 and LDB 2.10 removes this unused and
broken feature.
Changes in LDB handling of Unicode
Developers using LDB up to version 2.9 could call ldb_set_utf8_fns()
to determine how LDB handled casefolding. This is used internally by
string comparison functions. In LDB 2.10 this function is deprecated,
and ldb_set_utf8_functions() is preferred. The new function allows a
direct comparison function to be set as well as a casefold function.
This improves performance and allows for more robust handling of
degenerate cases. The function should be called just after ldb_init(),
with the following arguments:
ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */
context_variable /* possibly NULL */
casefold_function,
case_insensitive_comparison_function);
The default behaviour of LDB remains to perform ASCII casefolding
only, as if in the "C" locale. Recent versions have become
increasingly consistent in this.
Some Samba public libraries made private by default
The following Samba C libraries are currently made public due to their
use by OpenChange or for historical reasons that are no longer clear.
dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
samba-credentials, dcerpc_server, samdb
The libraries used by the OpenChange client now private, but can be
made public (like ldb above) with:
./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
The C libraries without any known user or used only for the OpenChange
server (a dead project) may be made private entirely in a future Samba
version.
If you use a Samba library in this list, please be in touch with the
samba-technical mailing list.
Using ldaps from 'winbindd' and 'net ads'
Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
impacted LDAP connections to active directory domain controllers.
Using the STARTTLS operation on LDAP port 389 connections. Starting
with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
order let to 'ldap ssl = start tls' have any effect on those
connections.
'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
with the whole functionality in Samba 4.14.0, because it didn't support
tls channel bindings required for the sasl authentication.
The functionality is now re-added using the correct channel bindings
based on the gnutls based tls implementation we already have, instead
of using the tls layer provided by openldap. This makes it available
and consistent with all LDAP client libraries we use and implement on
our own.
The 'client ldap sasl wrapping' option gained the two new possible values:
'starttls' (using STARTTLS on tcp port 389)
and
'ldaps' (using TLS directly on tcp port 636).
If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
before, you can now use 'client ldap sasl wrapping = starttls'
in order to get STARTTLS on tcp port 389.
As we no longer use the openldap tls layer it is required to configure the
correct certificate trusts with at least one of the following options:
'tls trust system cas', 'tls ca directories' or 'tls cafile'.
While 'tls verify peer' and 'tls crlfile' are also relevant,
see 'man smb.conf' for further details.
New DNS hostname config option
To get `net ads dns register` working correctly running manually or during a
domain join a special entry in /etc/hosts was required. This not really
documented and thus the DNS registration mostly didn't work. With the new option
the default is [netbios name].[realm] which should be correct in the majority of
use cases.
We will also use the value to create service principal names during a Kerberos
authentication and DNS functions.
This is not supported in samba-tool yet.
Samba AD will rotate expired passwords on smartcard-required accounts
Traditionally in AD, accounts set to be "smart card require for logon"
will have a password for NTLM fallback and local profile encryption
(Windows DPAPI). This password previously would not expire.
Matching Windows behaviour, when the DC in a FL 2016 domain and the
msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain
root is set to TRUE, Samba will now expire these passwords and rotate
them shortly before they expire.
Note that the password expiry time must be set to twice the TGT lifetime for
smooth operation, e.g. daily expiry given a default 10 hour TGT
lifetime, as the password is only rotated in the second half of its
life. Again, this matches the Windows behaviour.
Provided the default 2016 schema is used, new Samba domains
provisioned with Samba 4.21 will have this enabled once the domain
functional level is set to 2016.
NOTE: Domains upgraded from older Samba versions will not have this
set, even after the functional level preparation, matching the
behaviour of upgraded Windows AD domains.
Per-user and group "veto files" and "hide files"
"veto files" and "hide files" can optionally be restricted to certain users and
groups. To apply a veto or hide directive to a filename for a specific user or
group, a parametric option like this can be used:
hide files : USERNAME = /somefile.txt/
veto files : GROUPNAME = /otherfile.txt/
For details consult the updated smb.conf manpage.
Automatic keytab update after machine password change
When machine account password is updated, either by winbind doing regular
updates or manually (e.g. net ads changetrustpw), now winbind will also support
update of keytab entries in case you use newly added option
'sync machine password to keytab'.
The new parameter allows you to describe what keytabs and how should be updated.
From smb.conf(5) manpage - each keytab can have exactly one of these four forms:
account_name
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
The functionaity provided by the removed commands "net ads keytab
add/delete/add_update_ads" can be achieved via the 'sync machine password to
keytab' as in these examples:
"net ads keytab add wurst/brot@REALM"
- this command is not adding <principal> to AD, so the best fit can be specifier
"spns"
- add to smb.conf:
sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
- run:
"net ads keytab create"
"net ads keytab delete wurst/brot@REALM"
- remove the principal (or the whole keytab line if there was just one)
- run:
"net ads keytab create"
"net ads keytab add_update_ads wurst/brot@REALM"
- this command was adding the principal to AD, so for this case use a keytab
with specifier sync_spns
- add to smb.conf:
sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
- run:
"net ads setspn add wurst/brot@REALM" # this adds the principal to AD
"net ads keytab create" # this sync it from AD to local keytab
A new parameter 'sync machine password script' allows to specify external script
that will be triggered after the automatic keytab update. If keytabs should be
generated in clustered environments it is recommended to update them on all
nodes. Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and
46.update-keytabs.script in section 'sync machine password script' for details.
For detailed information check the smb.conf(5) and net(8) manpages.
New cephfs VFS module
Introduce new vfs-to-cephfs bridge which uses libcephfs low-level APIs (instead
of path-based operations in the existing module). It allows users to pass
explicit user-credentials per call (including supplementary groups), as well as
faster operations using inode and file-handle caching on the Samba side.
Configuration is identical to existing module, but using 'ceph_new' instead of
'ceph' for the relevant smb.conf entries. This new module is expected to
deprecate and replace the old one in next major release.
Group Managed Service Accounts
Samba 4.21 adds support for gMSAs (Group Managed Service Accounts),
completing support for Functional Level 2012.
The purpose of a gMSA is to allow a single host, or a cluster of
hosts, to share access to an automatically rotating password, avoiding
the weak static service passwords that are often the entrypoint of
attackers to AD domains. Each server has a strong and regularly
rotated password, which is used to access the gMSA account of (e.g.)
the database server.
Samba provides management and client tools, allowing services on Unix
hosts to access the current and next gMSA passwords, as well as obtain
a credentials cache.
Samba 4.20 announced the client-side tools for this feature. To avoid
duplication and provide consistency, the existing commands for
password viewing have been extended, so these commands operate both on
a gMSA (with credentials, over LDAP, specify -H) and locally for
accounts that have a compatible password (e.g. plaintext via GPG,
compatible hash)
samba-tool user getpassword
samba-tool user get-kerberos-ticket
samba-tool domain exportkeytab
An example command, which gets the NT hash for use with NTLM, is
samba-tool user getpassword -H ldap://server --machine-pass \
TestUser1 --attributes=unicodePwd
Kerberos is a better choice (gMSA accounts should not use LDAP simple
binds, for reasons of both security and compatibility). Use
samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \
TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache
gMSAs disclose a current and previous password. To access the previous
NT hash, use:
samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
--attrs=unicodePwd;previous=1
To access the previous password as UTF8, use:
samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
--attributes=pwdLastSet,virtualClearTextUTF8;previous=1
However, Windows tools for dealing with gMSAs tend to use Active
Directory Web Services (ADWS) from Powershell for setting up the
accounts, and this separate protocol is not supported by Samba 4.21.
Samba-tool commands for handling gMSA (KDS) root keys
Group managed service accounts rotate passwords based on root keys,
which can be managed using samba-tool, with commands such as
samba-tool domain kds root_key create
samba-tool domain kds root_key list
Samba will create a new root key for new domains at provision time,
but users of gMSA accounts on upgraded domains will need to first
create a root key.
RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC
The Heimdal KDC will recognise when a client provides proof that they
hold the hardware token used for smart-card authentication 'now' and
has not used a saved future-dated reply. Samba 4.21 now matches
Windows and will assign an extra SID to the user in this case,
allowing sensitive resources to be additionally protected.
Only Windows clients are known to support the client side of this
feature at this time.
New samba-tool Authentication Policy management command structure
As foreshadowed in the Samba 4.20 release notes, the "samba-tool
domain auth policy" commands have been reworked to be more intuitive
based on user feedback and reflection.
Support for key features of AD Domain/Forest Functional Level 2012R2
Combined with other changes in recent versions (such as claims support
in 4.20), Samba can now claim Functional Level 2012R2 support.
Build system
In previous versions of Samba, packagers of Samba would set their
package-specific version strings using a patch to the
SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is
achieved by using --vendor-suffix (at configure time), allowing this
to be more easily scripted. Vendors are encouraged to include their
name and full package version to assist with upstream debugging.
More deterministic builds
Samba builds are now more reproducible, providing better assurance
that the Samba binaries you run are the same as what is expected from
the source code. If locale settings are not changed, the same objects
will be produced from each compilation run. If Samba is built in a
different path, the object code will remain the same, but DWARF
debugging sections will change (while remaining functionally
equivalent).
Improved command-line redaction
There are several options that can be used with Samba tools for
specifying secrets. Although this is best avoided, when these options
are used, Samba will redact the secrets in /proc, so that they won't
be seen in ps or top. This is now carried out more thoroughly,
redacting more options. There is a race inherent in this, and the
passwords will be visible for a short time. The secrets are also not
removed from .bash_history and similar files.
REMOVED FEATURES
Following commands are removed:
net ads keytab add <principal>
net ads keytab delete <principal>
net ads keytab add_update_ads
Changes
smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
client ldap sasl wrapping new values
client use spnego principal removed
ldap server require strong auth new values
tls trust system cas new
tls ca directories new
dns hostname client dns name [netbios name].[realm]
valid users Hardening
invalid users Hardening
read list Hardening
write list Hardening
veto files Added per-user and per-group vetos
hide files Added per-user and per-group hides
sync machine password to keytab keytabs
sync machine password script script
CHANGES SINCE 4.21.0rc4
* BUG 15699: Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated.
* BUG 15702: Bad variable definition for ParseTuple causing test failure for
Smb3UnixTests.test_create_context_reparse.
* BUG 15686: Add new vfs_ceph module (based on low level API).
CHANGES SINCE 4.21.0rc3
* BUG 15698: samba-tool can not load the default configuration file.
* BUG 15700: Crash when readlinkat fails.
CHANGES SINCE 4.21.0rc2
* BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
* BUG 15696: Compound SMB2 requests don't return
NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
MacOSX clients.
* BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
CHANGES SINCE 4.21.0rc1
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15686: Add new vfs_ceph module (based on low level API)
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15690: ldb_version.h is missing from ldb public library
* BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
* BUG 15686: Add new vfs_ceph module (based on low level API)
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15687: undefined reference to winbind_lookup_name_ex
* BUG 15688: per user veto and hide file syntax is to complex
* BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
* BUG 15688: per user veto and hide file syntax is to complex
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 21 Sep 2024 12:29:30 +0000 (12:29 +0000)]
apr: Update to 1.7.5
Full changelog of this release:
*) SECURITY: CVE-2023-49582: Apache Portable Runtime (APR):
Unexpected lax shared memory permissions (cve.mitre.org)
Lax permissions set by the Apache Portable Runtime library on
Unix platforms would allow local users read access to named
shared memory segments, potentially revealing sensitive
application data.
This issue does not affect non-Unix platforms, or builds with
APR_USE_SHMEM_SHMGET=1 (apr.h)
Users are recommended to upgrade to APR version 1.7.5, which
fixes this issue.
Credits: Thomas Stangner
*) Unix: Implement apr_shm_perms_set() for the "POSIX shm_open()"
and "classic mmap" shared memory implementations. [Joe Orton,
Ruediger Pluem]
*) Fix missing ';' for XML/HTML hex entities from apr_escape_entity().
[Yann Ylavic]
*) Fix crash in apr_pool_create() with --enable-pool-debug=all|owner.
[Yann Ylavic]
*) Improve platform detection by updating config.guess and config.sub.
[Rainer Jung]
*) CMake: Add support for CMAKE_WARNING_AS_ERROR. [Ivan Zhakov]
*) CMake: Enable support for MSVC runtime library selection by abstraction.
[Ivan Zhakov]
Adolf Belka [Fri, 5 Jul 2024 17:18:56 +0000 (19:18 +0200)]
vpnmain.cgi: Add coding to differentiate old and base64 encoded PSK's
- An additional key was defined for a PSK being base64 encoded. All existing PSK's that
are not base64 encoded will have that key empty. This enables base64 encoded PSK's and
non base64 encoded PSK'sd to be differentiated.
- If the PSK connection is disabled and then enabled with a non base64 encoded PSK the PSK
will be left as it is. If the edit page is selected and Save pressed, even if nothing
has been modified, then the PSK will be converted to a base64 encoded PSK.
- The old style and new style PSK was tested out on my vm system and worked without any
issue.
- Using an old non base64 encoded PSK the IPSec connection worked without any problems.
If the PSK was tehn converted to basse64 encoding by saving from the Edit page without
changing anything, then the client IPSec connection was successfully made without any
indication of a change. The conversion from non base64 to base64 encoded PSK occurred
seamlessly without any hiccup.
Fixes: Bug13029 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 5 Jul 2024 17:18:55 +0000 (19:18 +0200)]
en.pl: Update to explicitly mention single quotation mark being invalid
- As all characters, except for the single quotation mark, are now allowed in the PSK
with the base64 encoding implemented then the error message in the English Lang file
has been changed to explicitly mention the single quotation mark rather than characters
as a generic message.
Fixes: Bug13029 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 5 Jul 2024 17:18:54 +0000 (19:18 +0200)]
vpnmain.cgi: Fix for bug13029 - add base64 encoding to IPSec cgi page
- This adds the base64 encoded PSK into the config file and when the ipsec.secrets file
is created the PSK is base64 decoded to write it to the file. The ipsec.secrets file
surrounds the PSK with single quotation marks so that character is not allowed to be
used in the PSK but anything else can be.
- Tested out on my vm system and shown to be working. New PSK with various characters
characters including commas was base64 encoded before putting into the config file
and therefore was accepted by the code. If a single quotation mark was used in the
PSK then the error message about invalid characters was shown.
Fixes: Bug13029 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- As requested in bug 13074, create a collectd.d directory to enable any addon definitions
to be created.
- Added include statement in conf file to load everything that is stored in the collectd.d
directory.
- collectd.precache and collectd.thermal have been left in their original locations
- Removed the arm section in the initscript as only aarch64 is now used.
- Modified the lfs to create the collectd.d directory
- Removal of collectd.custom file as this was the previous way to define custom collectd
profiles but would have been overwritten by any update of collectd.
- Update of rootfile to take account of new path and removal of collectd.custom
- Tested out in vm testbed with Core Update 188 and all existing graphs were still created
and updated. From my evaluation the changes have not affected anything.
- The creation of the collectd.d directory now allows users to add their own desired
profiles but also if it is decided that an addon should be included in the processes
graph, or if a new graph for addons is created then profiles for that addon can be
placed in the collectd.d directory and will be automatically included by collectd.
Fixes: Bug13074 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Aug 2024 10:04:46 +0000 (12:04 +0200)]
logwatch: Fixes bug13762 - ssh logins not shown on Log Summary page
- Due to the update of openssh to version 9.8 in CU187, logwatch no longer found the sshd
login data from the messages log as the daemon was changed to sshd-session.
- Therefore the daily logwatch files were missing the sshd information in them.
- A patch to add support for openssh-9.8 sshd-session and port info has been merged into
the logwatch git system and will be included into the next released version of logwatch
- Update logwatch from version 7.8 to 7.11 and add patch for openssh-9.8 support.
- Update the previous three logwatch patches for version 7.11
- Tested on my vm testbed. Confirmed that logwatch now includes back the sshd information
into the Log Summary page.
- When logwatch is updated to version 7.12 then the openssh-9.8 support patch will be able
to be removed.
Fixes: bug13762 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Aug 2024 10:04:45 +0000 (12:04 +0200)]
log.dat: Fix bug13762 - ssh logins not shown in system logs
- With the update of openssh to version 9.8 in CU187 the daemon was changed from sshd to
sshd-session. Therefore the log.dat no longer finds any info related to the logins.
- This updates the section regex to look for both sshd and sshd-session.
- Tested out on my vm system and confirmed to work.
- This fix will make available all previous log info for sshd-session in the messages log
as it continued to be stored, just could not be read by the WUI system log.
Fixes: bug13762 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:42 +0000 (18:43 +0200)]
ninja: Update to version 1.12.1
- Update from version 1.11.1 to 1.12.1
- Update of rootfile not required
- Changelog
1.12.1
Bugfixes:
Screen updates extremely slow on Windows #2435
Dry run error if the build directory does not exist #2431
New critical path scheduler performance improvements #2443
1.12.0
Critical path scheduler which orders the jobs by their runtime history #2177
This may break your build if you haven't specified your dependencies
correctly.
Resiliency against inputs changing during the build #1943
Reliable ETA and progress percentage in status #1963
Support for path lengths over 260 characters on Windows #1900
ARM binaries are now available for Windows and Linux, too
Several bugfixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:41 +0000 (18:43 +0200)]
nginx: Update to version 1.26.2
- Update from version 1.26.1 to 1.26.2
- Update of rootfile not required
- CVE Fix in this version
- Changelog
1.26.2
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash
(CVE-2024-7347).
Thanks to Nils Bars.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:40 +0000 (18:43 +0200)]
nfs: Update to version 2.7.1
- Update from version 2.6.4 to 2.7.1
- Update of rootfile
- Changelog is a list of all the commits and it is made available in the file
2.7.1-Changelog in the sourceforge site
https://sourceforge.net/projects/nfs/files/nfs-utils/2.7.1/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:39 +0000 (18:43 +0200)]
nettle: Update to version 3.10
- Update from version 3.9 to 3.10
- Update of rootfile
- Changelog
3.10
This is a maintenance release, including a few each of bug
fixes, new features and optimizations.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.9 and libhogweed.so.6.9, with sonames
libnettle.so.8 and libhogweed.so.6.
Bug fixes:
* Add missing hash functions sha512_224 and sha512_256 to the
nettle_get_hashes() list. The name values in the
corresponding nettle_hash structs also changed to use
underscore instead of dash, for consistency.
* Fix a few cases of formally undefined calls to memcpy(dst,
NULL, 0), resulting from valid calls to, e.g.,
sha256_update(ctx, 0, NULL).
New features:
* Support RSA-OAEP encryption. Contributed by Nicolas Mora and
Daiki Ueno.
* New function sha3_256_shake_output, new functions
sha3_128_init, sha3_128_update, sha3_128_shake,
sha3_128_shake_output. Contributed by Daiki Ueno.
* Added DRBG-CTR with AES256, contributed by Simon Josefsson.
Optimizations:
* New combined gcm-aes assembly for powerpc64, contributed by
Danny Tsen.
* New sha256 assembly for powerpc64, contributed by Eric
Richter.
* Improved performance for powerpc64 AES decrypt, by skipping
subkey transformations that don't suit the vncipher
instructions.
* Add arm64 CPU feature detection for Android and for Apple systems,
contributed by Foolbar and Tim Kosse, prespectively.
Miscellaneous:
* New tests for side-channel silence, based on valgrind.
* Delete all md5 assembly code. Delete all sparc32 assembly code.
3.9.1
This is a bugfix release, fixing a few bugs reported for
Nettle-3.9. The bug in the new OCB code may be exploitable for
denial of service or worse, since triggering it leads to
memory corruption. Upgrading from Nettle-3.9 to the new
version is strongly recommended.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.8 and libhogweed.so.6.8, with sonames
libnettle.so.8 and libhogweed.so.6.
Bug fixes:
* Fix OCB loop for processing messages of size 272 bytes or
larger. Reported and fixed by Jussi Kivilinna.
* Fix alignment bug in the new x86_64 non-pclmul assembly
implementation of ghash. Reported by Henrik Grubbström.
* Fix build-time memory leak in eccdata. Reported by Noah
Watkins.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:38 +0000 (18:43 +0200)]
netatalk: Update to version 3.2.8
- Update from version 3.2.5 to 3.2.8
- Update of rootfile not required
- Changelog
3.2.8
* UPD: Bump bundled WolfSSL library to stable version 5.7.2, GitHub #1433
Resolves CVE-2024-1544, CVE-2024-5288, CVE-2024-5991, CVE-2024-5814
* UPD: Revert local modifications to the bundled WolfSSL library, GitHub #1432
* FIX: Enable building against a shared WolfSSL 5.7.2 library, GitHub #1421
* FIX: meson: Do not define rpath with a linker argument, GitHub #1443
3.2.7
* NEW: meson: Ability to control the run-time linker path config file,
GitHub #1396
New boolean Meson option: `-Dwith-ldsoconf'
When set to false, do not create /etc/ld.so.conf.d/libatalk.conf
* BREAKING: meson: Enable rpath by default, while disabling ldsoconf
by default, GitHub #1417
* FIX: meson: Allow ldconfig to run unprivileged during setup, GitHub #1407
* FIX: docker: Add entry script step to clean up any residual lock file,
GitHub #1412
* NEW: docker: Ship a docker-compose.yml sample file, GitHub #1414
* NEW: docker: Check for AFP_USER and AFP_PASS when launching container,
GitHub #1415
3.2.6
* BREAKING: meson: Refresh the dynamic linker cache when installing on Linux,
GitHub #1386
This fixes the issue of the libatalk.so shared library not being found
when configuring with a non-standard library path, e.g. /usr/local/lib .
New Meson option `-Dwith-install-hooks' controls this behavior,
allowing you to disable the install hook in non-privileged environments.
On Linux systems with glibc, we now install the following config file:
/etc/ld.so.conf.d/libatalk.conf
* BREAKING: meson: Introduce option to control which manual l10n to build,
GitHub #1390
New Meson option `-Dwith-manual-l10n' default to empty, can be set to
`ja' to build the Japanese localization of the html manual.
This changes the default behavior of the build system
to not build the Japanese html manual by default.
* BREAKING: meson: Install htmldocs into htmldocs subdir, GitHub #1391
Previously, the html manual files were installed into the root
of the netatalk doc directory. Now they are put under netatalk/htmldocs .
* BREAKING: meson: Use modern linker flag for rpath, remove dtags override,
GitHub #1384
When configuring with `-Dwith-rpath=true' the linker flags
`-Wl,-rpath,' will be prepended instead of the old `-R' flag.
On Linux platforms, we no longer prepend `-Wl,--enable-new-dtags',
either.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:37 +0000 (18:43 +0200)]
lvm2: Update to version 2.03.26
- Update from version 2.03.23 to 2.03.26
- Update of rootfile not required
- Changelog
2.03.26
Fix internal error reported by pvmove on a VG with single PV.
Also accept --mknodes --refresh for vgscan.
Fix vgmknodes --refresh to wait for udev before checking /dev content.
Use log/report_command_log=1 config setting by default for JSON output format.
Fix unreleased memory pools on RAID lvextend.
Add --integritysettings option to manipuilate dm-integrity settings.
2.03.25
Utilize more radix_tree instead of dm_hash and btree.
Refactor DM uuid caching from device_mapper directory.
Enhance checking for DM uuid device.
Fix lvm shell command completion on tab key (2.03.24).
Avoid lockd_vg call to lvmlockd for local VGs.
Allow forced change of locktype from none.
Handle OPTIONS defined in /etc/sysconfig/lvmlockd.
2.03.24
Lvconvert supports VDO options for thin-pool with vdo conversion.
Improve placement to .data.rel.ro and .rodata sections.
Fix support for -y and -W when creating thinpool with vdo.
Bettter support for runtime valgrind detection.
Allow command interruption when communicating with dmeventd.
Fix resize of VDO volume used for thin pool data volume.
Use -Wl,-z,now and -Wl,--as-needed for compilation by default.
Require 3.7 as minimal version for sanlock.
Share code for closing opened desriptors on program startup.
Fix memleak in lvmcache.
Add configure --with-default-event-activation=ON setting.
Fix return value from reporter function when hitting internal error.
Skip checking of pools for lvremove and vgremove commands.
VDO modprobes dm-vdo for 6.9 kernel and kvdo for older kernel version.
Fix lvs reporting for VDO volumes with new upstream kernel driver.
Don't import DM_UDEV_DISABLE_OTHER_RULES_FLAG in LVM rules, DM rules cover it.
Fix table line generation for cache snapshots using cachevol.
Enhance lvconvert support for external origins stacking.
When swapping LV names also swap properties like hostname, time and data.
Fix removal of stacked external origins.
Lock filesystem when converting volume to read-only external origin.
Support external origin between different thin-pool.
Improve validation of acceptable volumes for external origins.
Reduce amount of preloaded devices for complex device trees.
Avoid logging problems from monitoring snapshots with inactive origins.
Check for cache policy module presence in kernel's builtin modules file.
Add configure --with-modulesdir to select kernel modules directory.
Support creation of thin-pool with VDO use for its data volume.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:36 +0000 (18:43 +0200)]
logrotate: Update to version 3.22.0
- Update from version 3.21.0 to 3.22.0
- Update for rootfile not required
- autogen.sh step not required as configure file has been available in source tarball
since version 3.10.0 in 2016
- xz version of logrotate available so changed to that.
- Changelog
3.22.0
- fix calculations for time differences (#516)
- fix extension for zip compression (#545)
- fix omitted copy for logs with `mail` and `rotate 0` (#553)
- fix wrongly skipping copy with `copytruncate` and `compress` (#553)
- fix ambiguities between `mode`, `UID` and `GID` parsing when not specifying all options (#575)
- fix hang when encountering a named pipe (#607)
- on prerotate failure logs are preserved instead of rotated (#506)
- in case a configuration file was skipped due to unsafe permissions the
exit status after rotattion will be `1` (#508)
- the state is no longer written to non-regular files (#529)
- the systemd timer now correctly utilizes load distribution (#574)
- add dateformat specifier `%z` for timezone offsets (#594)
- change default mode for created `olddir` directories to `0755` (#560)
- support quoted user and group names in `su`, `create`, and `createolddir` (#575)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:35 +0000 (18:43 +0200)]
lmdb: Update to version 0.9.33
- Update from 0.9.31 to 0.9.33
- Update of rootfile not required
- Changelog
0.9.33
ITS#9037 mdb_page_search: fix error code when DBI record is missing
ITS#10198 For win32, stop passing ignored parameter
ITS#10212 Fix meta page usage by read only tools
0.9.32
ITS#9378 - Add ability to replay log and replay log tool
ITS#10095 - partial revert of ITS#9278. The patch was incorrect and introduced numerous race conditions.
ITS#10125 - mdb_load: fix cursor reinit in Append mode
ITS#10137 - Allow users to define MDB_IDL_LOGN
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Sep 2024 16:43:34 +0000 (18:43 +0200)]
libpng: Update to version 1.6.44
- Update from version 1.6.42 to 1.6.44
- Update of rootfile
- Changelog
1.6.44
Hardened calculations in chroma handling to prevent overflows, and
relaxed a constraint in cHRM validation to accomodate the standard
ACES AP1 set of color primaries.
(Contributed by John Bowler)
Removed the ASM implementation of ARM Neon optimizations and updated
the build accordingly. Only the remaining C implementation shall be
used from now on, thus ensuring the support of the PAC/BTI security
features on ARM64.
(Contributed by Ross Burton and John Bowler)
Fixed the pickup of the PNG_HARDWARE_OPTIMIZATIONS option in the
CMake build on FreeBSD/amd64. This is an important performance fix
on this platform.
Applied various fixes and improvements to the CMake build.
(Contributed by Eric Riff, Benjamin Buch and Erik Scholz)
Added fuzzing targets for the simplified read API.
(Contributed by Mikhail Khachayants)
Fixed a build error involving pngtest.c under a custom config.
This was a regression introduced in a code cleanup in libpng-1.6.43.
(Contributed by Ben Wagner)
Fixed and improved the config files for AppVeyor CI and Travis CI.
1.6.43
Fixed the row width check in png_check_IHDR().
This corrected a bug that was specific to the 16-bit platforms,
and removed a spurious compiler warning from the 64-bit builds.
(Reported by Jacek Caban; fixed by John Bowler)
Added eXIf chunk support to the push-mode reader in pngpread.c.
(Contributed by Chris Blume)
Added contrib/pngexif for the benefit of the users who would like
to inspect the content of eXIf chunks.
Added contrib/conftest/basic.dfa, a basic build-time configuration.
(Contributed by John Bowler)
Fixed a preprocessor condition in pngread.c that broke build-time
configurations like contrib/conftest/pngcp.dfa.
(Contributed by John Bowler)
Added CMake build support for LoongArch LSX.
(Contributed by GuXiWei)
Fixed a CMake build error that occurred under a peculiar state of the
dependency tree. This was a regression introduced in libpng-1.6.41.
(Contributed by Dan Rosser)
Marked the installed libpng headers as system headers in CMake.
(Contributed by Benjamin Buch)
Updated the build support for RISCOS.
(Contributed by Cameron Cawley)
Updated the makefiles to allow cross-platform builds to initialize
conventional make variables like AR and ARFLAGS.
Added various improvements to the CI scripts in areas like version
consistency verification and text linting.
Added version consistency verification to pngtest.c also.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Sep 2024 15:28:31 +0000 (17:28 +0200)]
perl-JSON: removal of module as it is now in the perl core modules
- Used in the samba addon.
- With the old separate module removed samba still successfully built, installed and was
able to be run from the WUI.
Fixes: bug13640 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Sep 2024 15:28:30 +0000 (17:28 +0200)]
perl-MIME-Base64: removal of module as it is now in the perl core modules
- Used by the git addon.
- With the old separate module removed git still successfully built, installed and was
able to be run, cloning the ipfire git repo, changing to next, modifying a file and
the running a commit with the change.
Fixes: bug13640 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Sep 2024 15:28:29 +0000 (17:28 +0200)]
perl-Digest-HMAC: removal of module as it is now in the perl core modules
- Used in install-ipfire.sh script that is run by the install of vdradmin.
- With the old separate module removed vdradmin still successfully built and installed.
Fixes: bug13640 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Sep 2024 15:28:28 +0000 (17:28 +0200)]
perl-Compress-Zlib: removal of module as it is now in the perl core modules
- Used in install-ipfire.sh script that is run by the install of vdradmin.
- With the old separate module removed vdradmin still successfully built and installed.
Fixes: bug13640 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 14 Sep 2024 15:28:24 +0000 (17:28 +0200)]
make.sh: Fixes bug13640 - removal of perl modules that are now core modules
- Removed
perl-Archive-Tar
perl-Compress-Zlib
perl-Digest
perl-Digest-HMAC
perl-Digest-SHA1
perl-JSON
perl-MIME-Base64
- Tested out on a vm system and no issues identified.
Fixes: bug13640 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 13 Sep 2024 16:26:11 +0000 (18:26 +0200)]
protobuf-c: Update of protobuf removed SYNTAX_PROTO3 used by protobuf-c-1.5.0
- Addition of patch to enable protobuf-c to be built with protobuf version > 26
- When protobuf-c is upgraded to version 1.5.1 it will include this patch
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 13 Sep 2024 16:26:10 +0000 (18:26 +0200)]
protobuf: Update to version 28.1
- Update from version 25.2 to 28.1
- Update of rootfile
- Changelog is too large to include here. Details can be found at
https://github.com/protocolbuffers/protobuf/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 13 Sep 2024 16:25:20 +0000 (18:25 +0200)]
texinfo: Update to version 7.1.1
- Update from version 7.1 to 7.1.1
- Update of rootfile not required
- Changelog
7.1.1
* texi2any
. fix potential crash when @include is used inside a table
. do not complain about presence of @anchor inside @item in a table
. C source files that are generated from *.xs files are no no longer
distributed, so xsubpp from Perl is needed to build XS modules.
. fix bug that led to memory alignment error on SPARC
. performance improvement and fixes for MinGW
. test failures due to floating point rounding error fixed (observed
on IBM POWER9 processor)
* info
. crash when setting style to invalid value fixed
. potential call of memcpy with null argument fixed
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 13 Sep 2024 16:25:18 +0000 (18:25 +0200)]
nano: Update to version 8.2
- Update from version 8.1 to 8.2
- Update of rootfile not required
- Changelog
8.2
• At a Yes-No prompt, beside Y and the localized initial for "Yes",
also ^Y is accepted. Similarly, ^N for "No", and ^A for "All".
• A text-highlighting bug with Alt+Home/Alt+End is fixed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 13 Sep 2024 16:25:17 +0000 (18:25 +0200)]
liburcu: Update to version 0.14.1
- Update from version 0.14.0 to 0.14.1
- Update of rootfile
- Changelog
0.14.1
* Fix: missing typename in URCU_FORCE_CAST
* Allow building with GCC >= 13.3 on RISC-V
* pointer.h: Fix the rcu_cmpxchg_pointer documentation
* Adjust shell script to allow Bash in other locations
* fix: handle EINTR correctly in get_cpu_mask_from_sysfs
* Relicense src/compat-smp.h to MIT
* ppc.h: use mftb on ppc
* Fix: allow clang to build liburcu on RISC-V
* Fix -Walloc-size
* urcu/uatomic/riscv: Mark RISC-V as broken
* Fix: urcu-bp: misaligned reader accesses
* LoongArch: Document that byte and short atomics are implemented with LL/SC
* Add LoongArch support
* tests/regression/rcutorture: Add wait state
* urcu-wait: Initialize node in URCU_WAIT_NODE_INIT
* Fix: urcu-wait: add missing futex.h include
* Adjust shell scripts to allow Bash in other locations
* Add support for OpenBSD
* Revert "compiler.h: Introduce caa_unqual_scalar_typeof"
* rculfhash: Use caa_container_of_check_null in cds_lfht_entry
* compiler.h: Introduce caa_container_of_check_null
* compiler.h: Introduce caa_unqual_scalar_typeof
* Avoid calling caa_container_of on NULL pointer in cds_lfht macros
* Fix: revise urcu_read_lock_update() comment
* Fix: uatomic powerpc comment about lwsync
* fix: aarch64: allow RHEL7 gcc 4.8.5-11
* fix: warning 'noreturn' function does return on ppc
* Fix: use __noreturn__ for C11-compatibility
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 13 Sep 2024 16:25:16 +0000 (18:25 +0200)]
curl: Update to version 8.10.0
- Update from vesion 8.9.1 to 8.10.0
- Update of rootfile
- In previous versions if libpsl was not found then the build excluded it. Now it needs
to be explicitly disabled otherwise the build will stop with a warning that it could
not be found.
- Changelog
8.10.0
changes:
o autotools: add `--enable-windows-unicode` option [103]
o curl: --help [option] displays documentation for given cmdline option [19]
o curl: add --skip-existing [54]
o curl: for -O, use "default" as filename when the URL has none [34]
o curl: make --rate accept "number of units" [4]
o curl: make --show-headers the same as --include [6]
o curl: support --dump-header % to direct to stderr [31]
o curl: support embedding a CA bundle and --dump-ca-embed [20]
o curl: support repeated use of the verbose option; -vv etc [35]
o curl: use libuv for parallel transfers with --test-event [82]
o getinfo: add CURLINFO_POSTTRANSFER_TIME_T [87]
o mbedtls: add CURLOPT_TLS13_CIPHERS support [78]
o rustls: add support for setting TLS version and ciphers [113]
o vtls: stop offering alpn http/1.1 for http2-prior-knowledge [53]
o wolfssl: add CURLOPT_TLS13_CIPHERS support [76]
o wolfssl: add support for ssl cert blob / ssl key blob options [50]
bugfixes:
o asyn-thread: stop using GetAddrInfoExW on Windows [241]
o autotools: fix MS-DOS builds [249]
o autotools: fix typo in tests/data target [30]
o aws_sigv4: fix canon order for headers with same prefix [74]
o bearssl: fix setting tls version [203]
o bearssl: improve shutdown handling [45]
o BINDINGS: add zig binding [100]
o build: add `iphlpapi` lib for libssh on Windows [166]
o build: add `poll()` detection for cross-builds [244]
o build: add options to disable SHA-512/256 hash algo [239]
o build: check OS-native IDN first, then libidn2 [223]
o build: delete unused `REQUIRE_LIB_DEPS` [226]
o build: drop unused `NROFF` reference [253]
o build: drop unused feature-detection code for Apple `poll()` [227]
o build: generate `buildinfo.txt` for test logs [256]
o build: improve compiler version detection portability
o build: make `CURL_FORMAT_CURL_OFF_T[U]` work with mingw-w64 <=7.0.0 [207]
o build: silence C4232 MSVC warnings in vcpkg ngtcp2 builds [137]
o build: use -Wno-format-overflow [195]
o buildconf.bat: fix tool_hugehelp.c generation [173]
o cf-socket: fix pollset for listening [179]
o cf-socket: prevent KEEPALIVE_FACTOR being set to 1000 for Windows [185]
o cfilters: send flush [13]
o CHANGES: rename to CHANGES.md, no longer generated [40]
o CI: enable parallel testing in CI builds [18]
o ci: Update actions/upload-artifact digest to 89ef406 [24]
o cmake: `Libs.private` improvements [215]
o cmake: add `CURL_USE_PKGCONFIG` option [138]
o cmake: add Linux CI job, fix pytest with cmake [71]
o cmake: add math library when using wolfssl and ngtcp2 [66]
o cmake: add missing `pkg-config` hints to Find modules [158]
o cmake: add missing version detection to Find modules [170]
o cmake: add rustls [116]
o cmake: add support for versioned symbols option [51]
o cmake: add wolfSSH support [117]
o cmake: allow `pkg-config` in more envs [147]
o cmake: cleanup header paths [59]
o cmake: default `CURL_DISABLE_LDAPS` to the value of `CURL_DISABLE_LDAP` [231]
o cmake: delete MSVC warning suppression for tests/server [101]
o cmake: detect `nghttp2` via `pkg-config`, enable by default [21]
o cmake: detect and show VCPKG in platform flags [84]
o cmake: distcheck for files in CMake subdir [9]
o cmake: drop custom `CMakeOutput.log`/`CMakeError.log` logs [27]
o cmake: drop libssh CONFIG-style detection [167]
o cmake: drop no-op `tests/data/CMakeLists.txt` [26]
o cmake: drop reference to undefined variable [25]
o cmake: drop unused `HAVE_IDNA_STRERROR` [62]
o cmake: drop unused internal variable [22]
o cmake: exclude tests/http/clients builds by default [110]
o cmake: fix `GSS_VERSION` for Heimdal found via pkg-config [77]
o cmake: fix `pkg-config`-based detection in `FindGSS.cmake` [94]
o cmake: fix and tidy up c-ares builds, enable in more CI jobs [156]
o cmake: fix find rustls [148]
o cmake: fixup linking libgsasl when detected via CMake-native
o cmake: honor custom `CMAKE_UNITY_BUILD_BATCH_SIZE` [163]
o cmake: limit `pkg-config` to UNIX and MSVC+vcpkg by default [188]
o cmake: limit libidn2 `pkg-config` detection to `UNIX` [109]
o cmake: migrate dependency detections to Find modules [183]
o cmake: more small tidy-ups and fixes [80]
o cmake: rename wolfSSL and zstd config variables to uppercase [151]
o cmake: respect cflags/libdirs of native pkg-config detections [175]
o cmake: show CMake platform/compiler flags [63]
o cmake: show warning if libpsl is not found [154]
o cmake: sync code between test/example targets [234]
o cmake: sync up formatting in Find modules [129]
o cmake: TLS 1.3 warning only for bearssl and sectranp [118]
o cmake: update `curl-config.cmake.in` template var list
o cmake: update list of "advanced" variables [119]
o cmake: use numeric comparison for `HAVE_WIN32_WINNT` [69]
o cmdline-opts: language fix for expect100-timeout.md and max-time.md [192]
o configure: delete unused `CURL_DEFINE_UNQUOTED` function [224]
o configure: delete unused `HAVE_OPENSSL3` macro [225]
o configure: delete unused `m4/xc-translit.m4` [114]
o configure: detect AppleIDN [70]
o configure: fail if PSL is not disabled but not found [46]
o configure: fix WinIDN builds targeting old Windows [210]
o configure: remove USE_EXPLICIT_LIB_DEPS [199]
o configure: replace nonportable grep -o with awk [111]
o connect: always prefer ipv6 in IP eyeballing [209]
o connect: limit update IP info [191]
o cookie.md: try to articulate the two different uses this option has [92]
o curl: allow 500MB data URL encode strings [38]
o curl: find curlrc in XDG_CONFIG_HOME without leading dot [186]
o curl: fix --proxy-pinnedpubkey [91]
o curl: fix the -w urle.* variables [153]
o curl: make the progress bar detect terminal width changes [169]
o curl: warn on unsupported SSL options [106]
o Curl_rand_bytes to control env override [17]
o curl_sha512_256: fix symbol collisions with nettle library [131]
o CURLMOPT_SOCKETFUNCTION.md: expand on the easy argument [216]
o CURLOPT_XFERINFOFUNCTION: clarify the callback return codes [141]
o dist: add missing `docs/examples/CMakeLists.txt` [58]
o dist: add missing `FindNettle.cmake` [11]
o dist: add missing `lib/optiontable.pl` [115]
o dist: add missing `test_*.py` scripts [102]
o dist: drop buildconf [65]
o dist: fix reproducible build from release tarball [36]
o dmaketgz: only run 'make distclean' if Makefile exists
o docs/SSLCERTS: rewrite [174]
o docs: add description of effect of --location-trusted on cookie [157]
o docs: document the (weak) random value situation in rustls builds [252]
o docs: fix some examples in man pages
o docs: improve cipher options documentation [159]
o docs: mention "@-" in more places [67]
o docs: remove ALTSVC.md, HSTS.md, HTTP2.md and PARALLEL-TRANSFERS.md [105]
o docs: update CIPHERS.md [140]
o doh-url.md: point out DOH server IP pinning [37]
o doh: remove redundant checks [242]
o easy: fix curl_easy_upkeep for shared connection caches [52]
o escape: allow curl_easy_escape to generate 3*input length output [39]
o FEATURES.md: fix typo [180]
o ftp: always offer line end conversions [219]
o ftp: flush pingpong before response [73]
o getinfo: return zero for unsupported options (when disabled) [189]
o GHA/windows: enable MulitSSL in an MSVC job [2]
o GHA: scan git repository and detect unvetted binary files [3]
o gnutls/wolfssl: improve error message when certificate fails [125]
o gnutls: send all data [230]
o gtls: fix OCSP stapling management [206]
o haproxy: send though next filter [222]
o hash: provide asserts to verify API use [96]
o http/2: simplify eos/blocked handling [90]
o http2+h3 filters: fix ctx init [142]
o http2: fix GOAWAY message sent to server [171]
o http2: improve rate limiting of downloads [33]
o http2: improved upload eos handling [41]
o http3.md: mention how the fallback can be h1 or h2 [194]
o hyper: call Curl_req_set_upload_done() [126]
o idn: more strictly check AppleIDN errors [98]
o idn: support non-UTF-8 input under AppleIDN [99]
o INSTALL.md: MultiSSL and QUIC are mutually exclusive [7]
o KNOWN_BUGS: "special characers" in URL works with aws-sigv4 [81]
o krb5: add Linux/macOS CI tests, fix cmake GSS detection [83]
o krb5: fix `-Wcast-align` [95]
o lib: add eos flag to send methods [14]
o lib: avoid macro collisions between wolfSSL and GnuTLS headers [133]
o lib: convert some debugf()s into traces [8]
o lib: delete stray undefs for `vsnprintf`, `vsprintf` [152]
o lib: fix AIX build issues [112]
o lib: fix building with wolfSSL without DES support [134]
o lib: make SSPI global symbols use Curl_ prefix [251]
o lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name [132]
o lib: remove the final strncpy() calls [240]
o lib: remove use of RANDOM_FILE [235]
o libcurl.def: move from / into lib [238]
o libcurl.pc: add `Cflags.private` [10]
o libcurl.pc: add reference to `libgsasl` [150]
o libcurl/docs: expand on redirect following and secrets to other hosts [85]
o llist: remove direct struct accesses, use only functions [72]
o Makefile.dist: fix `ca-firefox` target [254]
o Makefile.mk: fixup enabling libidn2 [61]
o Makefile: remove 'scripts' duplicate from DIST_SUBDIRS
o maketgz: accept option to include latest commit hash [5]
o maketgz: fix RELEASE-TOOLS.md for daily tarballs [243]
o maketgz: move from / into scripts [237]
o managen: fix superfluous leading blank line in quoted sections [211]
o managen: in man output, remove the leading space from examples [198]
o managen: wordwrap long example lines in ASCII output [143]
o manpage: ensure a maximum width for the text version [75]
o max-filesize.md: mention zero disables the limit [93]
o mbedtls: add more informative logging [162]
o mbedtls: fix setting tls version [200]
o mbedtls: no longer use MBEDTLS_SSL_VERIFY_OPTIONAL [181]
o mime: avoid inifite loop in client reader [155]
o mk-ca-bundle.pl: include a link to the caextract webpage [68]
o multi: make the "general" list of easy handles a Curl_llist [97]
o multi: on socket callback error, remove socket hash entry nonetheless [149]
o ngtcp2/osslq: remove NULL pointer dereferences [213]
o ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks [79]
o openssl quic: fix memory leak [229]
o openssl: certinfo errors now fail correctly [250]
o openssl: fix the data race when sharing an SSL session between threads [221]
o openssl: improve shutdown handling [44]
o pingpong: drain the input buffer when reading responses [193]
o POP3: fix multi-line responses [168]
o pop3: use the protocol handler ->write_resp [220]
o printf: fix mingw-w64 format checks [228]
o progress: ratelimit/progress tweaks [32]
o pytests: add tests for HEAD requests in all HTTP versions [42]
o rand: only provide weak random when needed [233]
o runtests: if DISABLED cannot be read, error out [56]
o runtests: log ignored but passed tests [130]
o runtests: remove "has_textaware" [217]
o rustls: fix setting tls version [202]
o rustls: make all tests pass [1]
o schannel: avoid malloc for CAinfo_blob_digest [247]
o scorecard: tweak request measurements [139]
o sectransp: fix setting tls version [204]
o SECURITY: mention OpenSSF best practices gold badge [161]
o setopt: allow CURLOPT_INTERFACE to be set to NULL [165]
o setopt: let CURLOPT_ECH set to NULL reset to default [187]
o setopt: make CURLOPT_TFTP_BLKSIZE accept bad values [184]
o sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL [135]
o share: don't reinitialize conncache [214]
o sigpipe: init the struct so that first apply ignores [49]
o smb: convert superflous assign into assert [246]
o smtp: add tracing feature [120]
o splay: use access functions, add asserts, use Curl_timediff [121]
o spnego_gssapi: implement TLS channel bindings for openssl [146]
o src: delete `curlx_m*printf()` aliases [197]
o src: fix potential macro confusion in cmake unity builds [208]
o src: namespace symbols clashing with lib [248]
o src: replace copy of printf mappings with an include [190]
o ssh: deduplicate SSH backend includes (and fix libssh cmake unity build) [177]
o system_win32: fix typo
o test httpd: tweak cipher list [124]
o test1521: verify setting options to NULL better [182]
o test1707: output diff more for debugging differences in CI outputs
o test556: improve robustness [64]
o test579: improve robustness [60]
o test587: improve robustness [123]
o test649: improve robustness [122]
o test677: improve robustness [47]
o tests/runner: only allow [!A-Za-z0-9_-] in %if feature names [55]
o tests: constrain http pytest to tests/http directory [205]
o tests: don't mangle output if hostname or type unknown
o tests: ignore QUIT from FTP protocol comparisons [108]
o tests: provide docs as curldown, not nroff [12]
o tidy-up: misc build, tests, `lib/macos.c` [172]
o tidy-up: OS names [57]
o tool_operhlp: fix "potentially uninitialized local variable 'pc' used" [48]
o tool_paramhlp: bump maximum post data size in memory to 16GB [128]
o transfer: Curl_sendrecv() and event related improvements [164]
o transfer: remove comments, add asserts [218]
o transfer: skip EOS read when download done [196]
o url: dns_entry related improvements [16]
o url: fix connection reuse for HTTP/2 upgrades [236]
o urlapi: verify URL *decoded* hostname when set [160]
o urldata: introduce `data->mid`, a unique identifier inside a multi [127]
o urldata: remove 'scratch' from the UrlState struct [86]
o urldata: remove crlf_conversions counter [232]
o urldata: remove proxy_connect_closed bit [178]
o verify-release: shell script that verifies a release tarball [29]
o version: fix shadowing a `libssh.h` symbol [176]
o vtls: add SSLSUPP_CIPHER_LIST [107]
o vtls: fix MSVC 'cast truncates constant value' warning [23]
o vtls: fix static function name collisions between TLS backends [136]
o vtls: init ssl peer only once [15]
o websocket: introduce blocking sends [145]
o wolfssl: avoid taking cached x509 store ref if sslctx already using it [88]
o wolfssl: fix CURLOPT_SSLVERSION [144]
o wolfssl: fix setting tls version [201]
o wolfssl: improve shutdown handling [43]
o ws: flags to opcodes should ignore CURLWS_CONT flag [104]
o x509asn1: raise size limit for x509 certification information [28]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20240813 to 20240910
- Update of rootfile not required
- Changelog 20240910
Security updates for INTEL-SA-01103
Security updates for INTEL-SA-01097
Update for functional issues. Refer to Intel® Core™ Ultra Processor for details.
Update for functional issues. Refer to 13th Generation Intel® Core™ Processor
Specification Update for details.
Update for functional issues. Refer to 12th Generation Intel® Core™ Processor
Family for details.
Update for functional issues. Refer to Intel® Processors and Intel® Core™ i3
N-Series for details.
For information on New Platforms and Updated Platforms see
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Tue, 10 Sep 2024 21:32:32 +0000 (23:32 +0200)]
header.pl: only get memory consumption when service is running
It probably doesn't matter much as the get_memory_consumption function just returns 0 when no pids are found. But it shouldn't even try as the mem var is never used when the service is not running.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Tue, 10 Sep 2024 21:12:31 +0000 (23:12 +0200)]
zabbix_agentd: Add IPFire services.get item
- Adds Zabbix Agent userparameter `ipfire.services.get` for the agent to get details about configured IPFire services (builtin and addon-services)
- Includes `ipfire_services.pl` script in sudoers for Zabbix Agent as it needs root permission to call addonctrl for addon service states.
- Adapts lfs install script to install new script
- Adds new script to rootfiles
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Tue, 10 Sep 2024 18:25:59 +0000 (20:25 +0200)]
zabbix_agentd: Update to 6.0.33 (LTS)
- Update from version 6.0.30 to 6.0.33
- Update of rootfile not required
Bugs fixed:
- ZBX-20766: Fixed confusing port binding error message
- ZBX-24391: Fixed Zabbix agent to return net.tcp.socket.count result without error if IPv6 is disabled
Full changelogs since 6.0.30:
- https://www.zabbix.com/rn/rn6.0.31
- https://www.zabbix.com/rn/rn6.0.32
- https://www.zabbix.com/rn/rn6.0.33
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 11 Sep 2024 09:31:43 +0000 (09:31 +0000)]
make.sh: Bind-mount all loop devices
There seems to be a different way how to create loop devices. On my
Debian system, the first loop device is a block device with major=7 and
minor=0, the second device is major=7 and minor=1, and so on.
On a system running Grml, the second loop device has major=7 and
minor=32, and all following ones are increasing their minor by 32
as well instead of one.
Since I don't have an easy way to detect this, we will simply bind-mount
all available loop devices in to the build environment.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 7 Sep 2024 17:29:27 +0000 (19:29 +0200)]
openvpn: Update to version 2.5.10
- Update from version 2.5.9 to 2.5.10
- Update of rootfile not required
- 3 CVE Fixes in this version but all are for Windows installations.
- Changelog
2.5.10
Security fixes
- CVE-2024-27459: Windows: fix a possible stack overflow in the
interactive service component which might lead to a local privilege
escalation. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-24974: Windows: disallow access to the interactive service
pipe from remote computers. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
installation paths, which could be used to attack openvpn.exe via
a malicious plugin. Plugins can now only be loaded from the OpenVPN
install directory, the Windows system directory, and possibly from
a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
User visible changes
- License amendment: all NEW commits fall under a modified license that
explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
see COPYING for details. Existing code in the release/2.5 branch
will not been relicensed (only in release/2.6 and later branches).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Sep 2024 13:28:50 +0000 (15:28 +0200)]
sudo: Update to version 1.9.16
- Update from version 1.9.15p5 to 1.9.16
- Update of rootfile
- Changelog
1.9.16
* Added the "cmddenial_message" sudoers option to provide additional
information to the user when a command is denied by the sudoers
policy. The default message is still displayed.
* The time stamp used for file-based logs is now more consistent
with the time stamp produced by syslog. GitHub issues #327.
* Sudo will now warn the user if it can detect the user's terminal
but cannot determine the path to the terminal device. The sudoers
time stamp file will now use the terminal device number directly.
GitHub issue #329.
* The embedded copy of zlib has been updated to version 1.3.1.
* Improved error handling if generating the list of signals and signal
names fails at build time.
* Fixed a compilation issue on Linux systems without process_vm_readv().
* Fixed cross-compilation with WolfSSL.
* Added a "json_compact" value for the sudoers "log_format" option
which can be used when logging to a file. The existing "json"
value has been aliased to "json_pretty". In a future release,
"json" will be an alias for "json_compact". GitHub issue #357.
* A new "pam_silent" sudoers option has been added which may be
negated to avoid suppressing output from PAM authentication modules.
GitHub issue #216.
* Fixed several cvtsudoers JSON output problems.
GitHub issues #369, #370, #371, #373, #381.
* When sudo runs a command in a pseudo-terminal and the user's
terminal is revoked, the pseudo-terminal's foreground process
group will now receive SIGHUP before the terminal is revoked.
This emulates the behavior of the session leader exiting and is
consistent with what happens when, for example, an ssh session
is closed. GitHub issue #367.
* Fixed "make test" with Python 3.12. GitHub issue #374.
* In schema.ActiveDirectory, fixed the quoting in the example command.
GitHub issue #376.
* Paths specified via a Chdir_Spec or Chroot_Spec in sudoers may
now be double-quoted.
* Sudo insults are now included by default, but disabled unless
the --with-insults configure option is specified or the "insults"
sudoers option is enabled.
* The default sudoers file now enables the "secure_path" option by
default and preserves the EDITOR, VISUAL, and SUDO_EDITOR environment
variables when running visudo. The new --with-secure-path-value
configure option can be used to set the value of "secure_path" in
the default sudoers file. GitHub issue #387.
* A sudoers schema for IBM Directory Server (aka IBM Tivoli Directory
Server, IBM Security Directory Server, and IBM Security Verify
Directory) is now included.
* When cross-compiling sudo, the configure script now assumes that
the snprintf() function is C99-compliant if the C compiler
supports the C99 standard. Previously, configure would use
sudo's own snprintf() when cross-compiling. GitHub issue #386.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Sep 2024 08:44:49 +0000 (10:44 +0200)]
dhcpcd: Update to version 10.0.10
- Update from version 10.0.8 to 10.0.10
- Update of rootfile not required
- Patch for free selection of MTU has been removed as in version 10.0.9 the MTU code
was changed to not apply limits to it.
- Changelog
10.0.10
Reversion of commit "linux: make if_getnetworknamespace static"
10.0.9
Option 2: Fix stdin parsing by @holmanb in #289
IPv4LL: Restart ARP probling on address conflict by @LeoRuan in #340
DHCP: Handle option 108 correctly when receiving 0.0.0.0 OFFER by @taoyl-g
in #342
DHCP: No longer set interface mtu by @rsmarples in #346
Update privsep-linux.c to allow statx by @Jabrwock in #349
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Sep 2024 08:31:53 +0000 (10:31 +0200)]
clamav: Update to version 1.3.2
- Update from version 1.3.1 to 1.3.2
- Update of rootfile
- 2 CVE Fixes
- Changelog
1.3.2
- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
Changed the logging module to disable following symlinks on Linux and Unix
systems so as to prevent an attacker with existing access to the 'clamd' or
'freshclam' services from using a symlink to corrupt system files.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to Detlef for identifying this issue.
- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
Fixed a possible out-of-bounds read bug in the PDF file parser that could
cause a denial-of-service (DoS) condition.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
'cgi' module that is expected to cause test failures in Python 3.13.
- Fix unit test caused by expiring signing certificate.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1305)
- Fixed a build issue on Windows with newer versions of Rust.
Also upgraded GitHub Actions imports to fix CI failures.
Fixes courtesy of liushuyu.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)
- Fixed an unaligned pointer dereference issue on select architectures.
Fix courtesy of Sebastian Andrzej Siewior.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)
- Fixes to Jenkins CI pipeline.
For details, see [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1330)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 4 Sep 2024 21:49:24 +0000 (23:49 +0200)]
expat: Update to version 2.6.3
- Update from version 2.6.2 to 2.6.3
- Update of rootfile
- 3 CVE Fixes in this release.
- Changelog
2.6.3
Security fixes:
#887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially artitrary code
execution.
#888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
#889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
Other changes:
#851 #879 Autotools: Sync CMake templates with CMake 3.28
#853 Autotools: Always provide path to find(1) for portability
#861 Autotools: Ensure that the m4 directory always exists.
#870 Autotools: Simplify handling of SIZEOF_VOID_P
#869 Autotools: Support non-GNU sed
#856 Autotools|CMake: Fix main() to main(void)
#865 Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
#863 Autotools|CMake: Stop requiring dos2unix
#854 #855 CMake: Fix check for symbols size_t and off_t
#864 docs|tests: Convert README to Markdown and update
#741 Windows: Drop support for Visual Studio <=15.0/2017
#886 Drop needless XML_DTD guards around is_param access
#885 Fix typo in a code comment
#894 #896 Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
for what these numbers do
Infrastructure:
#880 Readme: Promote the call for help
#868 CI: Fix various issues
#849 CI: Allow triggering GitHub Actions workflows manually
#851 #872 ..
#873 #879 CI: Adapt to breaking changes in GitHub Actions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 4 Sep 2024 18:51:24 +0000 (20:51 +0200)]
dtc: update to version 1.7.1 and move to before qemu build
- Update from version 1.6.1 to 1.7.1
- Move to before qemu build as it now requires a system libfdt for build as the bundled
version has been removed.
- Change HOME= to HOME=/usr so that the include files are placed in /usr/include which
is where qemu is looking for them when it checks that libfdt is available.
- Update disable_Werror patch to take account of differences in the source tarball
- Update of architectures from only aarch64 to all.
- Move rootfile from common/aarch64 to common/
- The previous fdt python files were commented out, hence not used at runtime and are
not needed at buildtime. From 9.0.1 onwards they require swig and python to be built
but as they are not needed there was no point to move swig to before dtc
- Changelog
1.7.1
* dtc
* Fix -Oasm output on PA-RISC by avoiding ';' separators
* Put symbolic label references in -Odts output when possible
* Add label relative path references
* Don't incorrectly attempt to create fixups for reference to path
in overlays
* Warning rather than hard error if integer expression results are
truncated due to cell size
* libfdt
* Add fdt_get_property_by_offset_w() function
* pylibfdt
* Fixed to work with Python 3.10
* A number of extra methods
* Fix out of tree build
* fdtget
* Add raw bytes output mode
* General
* Fixes for mixed-signedness comparison warnings
* Assorted other warning fixes
* Assorted updates to checks
* Assorted bugfixes
* Fix scripts to work with dash as well as bash
* Allow static builds
* Formalize Signed-off-by usage
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
