Adolf Belka [Tue, 6 Jun 2023 10:40:50 +0000 (12:40 +0200)]
update.sh: Fixes bug#13138 - root/host certificate set fails to be created
- The fix applied in vpnmain.cgi only adds the unique_subject = yes to the index.txt.attr
file after the first time that the root/host certificates are attempted to be created.
- Without this line in update.sh, the first attempt to create the root/host certificate set
will still have the original error code. If the creation is attempted again then it will
work because the unique_subject = yes will have then been added into the file.
- This patch ensures that the first attempt to create a root/host certificate set in CU175
will work.
- Confirmed on vm testbed with freshly updated CU175.
Fixes: Bug#13138 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jun 2023 14:21:48 +0000 (16:21 +0200)]
ovpnmain.cgi: Updated fix for Bug#13137
- This now only adds "providers legacy default" to the config files of connections that
have legacy certificates, both for n2n and roadwarrior.
- This new approach also removes the requirement to have code in the update.sh script
or in backup.pl so those earlier modifications are removed in two additional patches
combined with this one in a set.
- The -legacy option has been removed from the pkcs12 creation part of the code as
otherwise this creates a certificate in legacy format, which is not wanted. All new
connection certificates being created will be based on openssl-3.x
Fixes: Bug#13137 Suggested-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 3 Jun 2023 14:05:41 +0000 (16:05 +0200)]
vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created
- The change to openssl-3.x results in the openssl commands that start with ca failing
with the error message
OpenSSL produced an error: <br>40E7B4719B730000:error:0700006C:configuration file
routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL>
name=unique_subject
- The fix for this is to include the unique_subject = yes line into
/var/ipfire/certs/index.txt.attr
- Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands
dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being
accessed with openssl-3.x due to the no longer supported algorithm. These can be
accessed if the -legacy option is added to every openssl command dealing with pkcs12
Fixes: Bug#13138 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 5 Jun 2023 11:55:29 +0000 (13:55 +0200)]
backup.pl: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- This code adds the "providers legacy default" line into OpenVPN N2N Client config files
when restoring them in case it is missing from a backup earlier than CU175.
Only adds the line if it is not already present.
- Tested out on my vm testbed system
Fixes: Bug#13137 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 Jun 2023 18:57:09 +0000 (20:57 +0200)]
update.sh: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- This modification will check if ovpnconfig exists and is not empty. If so then it will
check for all n2n connections and if they are Client configs will check if
"providers legacy default" is not already present and if so will add it.
Fixes: Bug#13137 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 Jun 2023 18:57:08 +0000 (20:57 +0200)]
ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- With a n2n connection .p12 certificate created wityh openssl-1.1.1x the line
providers legacy default is required in the n2nconf file to enable it to start.
- Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in
a failure and an error message. All the openssl commands dealing with pkcs12 (.p12)
files need to have the -legacy option added to them.
Fixes: Bug#13137 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 24 Oct 2022 14:57:56 +0000 (15:57 +0100)]
clwarn.cgi: Remove XSS
Fixes: #12966 Fixes: CVE-2022-44392 Reported-by: Arthur Naullet <arthur.naullet@epita.fr> Reported-by: Rafael Lima <isec-researcher@protonmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 May 2023 12:45:44 +0000 (14:45 +0200)]
ovpnmain.cgi: Fixes Bug#13117 - adds legacy option to openssl commands for cert & key extraction
- Any insecure connections made with openssl-3.x can have the cert and key extracted but
if the insecure connection was made from prior to CU175 Testing then it used
openssl-1.1.1 which causes an error under openssl-3.x due to the old version being able
to accept older ciphers no longer accepted by openssl-3.x
- Adding the -legacy option to the openssl commands enables openssl-3.x to successfully
open them and extract the cert and key
- Successfully tested on a vm system. Confirmed that the downloaded version under
openssl-3.x worked exactly the same as the version downloaded under openssl-1.1.1
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 21 May 2023 12:45:43 +0000 (14:45 +0200)]
openssl: Fix for Bug#13117 - adds legacy option in for openssl extraction of cert & key
- OpenSSL-3.x gives an error when trying to open insecure .p12 files to extract the cert
and key for the insecure package download option.
- To make this work the -legacy option is needed in the openssl command, which requires
the legacy.so library to be available.
- Successfully tested on a vm system.
- Patch set built on Master (CU175 Testing)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Jon Murphy [Tue, 11 Apr 2023 19:30:58 +0000 (14:30 -0500)]
rsnapshot: New addon
- What is it?
rsnapshot is a filesystem snapshot utility based on
rsync. rsnapshot makes it easy to make periodic snapshots of the
ipfire device. The code makes extensive use of hard links whenever
possible, to greatly reduce the disk space required. See:
https://rsnapshot.org
- Why is it needed?
Rsnapshot backups run multiple times per day
(e.g., once per day up to 24 times per day). Rsnapshot is much easier
to configure, setup and use than the borg backup add-on. (I found
borg somewhat confusing). Rsnapshot completes each backup very fast.
Unlike borg, rsnapshot does not compress each backup before storage.
During a complete rebuild, borg backup need installation of the borg
add-on to recover archived files. Rsnapshot backups can be copied
directly from the backup drive. Current backups (backup.pl or borg)
could corrupt sqlite3 databases by running a backup during a database
write. This add-on includes a script specifically for sqlite backups.
- IPFire Wiki
In process at: https://wiki.ipfire.org/addons/rsnapshot
Thanks to Gerd for creating a first build and a nice template for me!
Adolf Belka [Wed, 17 May 2023 09:56:52 +0000 (11:56 +0200)]
update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
If a password is present then pass is added to index 41 and if not then no-pass is added
to index 41
- This code should be left in update.sh for future Core Updates in case people don't update
with Core Update 175 but leave it till later. This code works fine on code that already
has pass or no-pass entered into index 41 in ovpnconfig
Fixes: Bug#11048 Suggested-by: Erik Kapfer <ummeegge@ipfire.org> Suggested-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Erik Kapfer <ummeegge@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 17 May 2023 09:56:51 +0000 (11:56 +0200)]
web-user-interface: Addition of new icon for secure connection certificate download
- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png
- The license for this image is the following:-
This library is free software; you can redistribute it and/or modify it under the terms
of the GNU Lesser General Public License as published by the Free Software Foundation;
either version 2.1 of the License, or (at your option) any later version. This library
is distributed in the hope that it will be useful, but without any warranty; without
even the implied warranty of merchantability or fitness for a particular purpose. See
version 2.1 and version 3 of the GNU Lesser General Public License for more details.
- Based on the above license I believe it can be used by IPFire covered by the GNU General
Public License that is used for it.
- The icon image was made by taking the existing openvpn.png file and superimposing the
padlock icon on top of it at a 12x12 pixel format and naming it openvpn_encrypted.png
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 17 May 2023 09:56:48 +0000 (11:56 +0200)]
ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
connection is a host and if the first password entry is a null. Then it adds no-pass
to ovpnconfig.
- The same block of code is also used for when he connection is edited. However at this
stage the password entry is back to null because the password value is only kept until
the connection has been saved. Therefore doing an edit results in the password value
being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if
the connection type is host and the password has characters. If the connection type is
net then no-pass is used as net2net connections dop not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted
certificates.
- Separate patches are provided for the language file change, the provision of a new icon
and the code for the update.sh script for the Core Update to update all existing
connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 175 update.sh script has been tested
on a vm testbed
Fixes: Bug#11048 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Erik Kapfer <ummeegge@ipfire.org> Suggested-by: Adolf Belka <adolf.belka@ipfire.org> Suggested-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 5 Apr 2023 12:28:35 +0000 (14:28 +0200)]
wio: remove unneeded or incorrect commands
- the helper programs in misc-progs get the correct permissions and ownerships
automatically so adjustment not required in this script.
- permissions of menus in menu.d are provided automatically. Historically, these were
root:root but were changed a while back but did not get applied to wio as it was
modified by this script.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 5 Apr 2023 12:28:25 +0000 (14:28 +0200)]
wio: This is a patch series relocating wio into the standard ipfire directories
- This patch is the changes to the wio lfs file related to the relocations
- The modified patch series was built and the generated wio-1.3.2-17.ipfire file was
used to install wio on a testbed vm system. Everything worked. Tested out with various
hosts on the system, tested the graphs, tested adding hosts from a network scan and
from the arp table and everything worked fine. So all the relocations look to have
worked.
- Files were only relocated, the wio code was not modified in any way.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
As the list of symbolic links was not sorted at all I sorted it now by
the order of start or stop.
This seems to be the most useful way as you can now understand the
startup sequence from this file and add/remove scripts at a useful
place.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 10 May 2023 13:04:22 +0000 (15:04 +0200)]
make.sh: Fixes Bug#13076
- Adds borgbackup run time dependency - python3-exceptiongroup
- Adds python3-exceptiongroup build time dependency - python3-flit_scm
- Removes python3-attr that is no longer required in borgbackup dependency chain
Fixes: Bug#13076 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 May 2023 13:04:16 +0000 (15:04 +0200)]
python3-trio: Fixes Bug#13076 - allows fuse mount to work again
- In Core 173 python3-trio was updated to version 0.22.0 when python was upgraded to 3.10.8
Although the build of python3-trio was successful it was missed that there was a new
run-time dependency of python3-exceptiongroup for python3-pyfuse3 to work.
python2-flit_scm is required as a build dependency for python3-exceptiongroup.
- The modified packages were installed in my vm testbed and confirmed that borg mount then
worked again.
- It was also noted that python3-attr was no longer needed neither as a runtime
dependency nor as a build time dependency.
- Dependencies line of python3-trio updated for these two changes.
Fixes: Bug#13076 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
this lower the compression ratio sligtly (the ramdlisk is 100kb
larger) and use only a single thread now. (it's still faster than
before on a dual core.)
fixes: #13091
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 May 2023 12:39:42 +0000 (14:39 +0200)]
mpfr: Update to include the latest four bug patches
- The base version has not changed but patches to fix 4 bugs have been released.
- Update to rootfile not required.
- Bug fix changelog
1 A test of the thousands separator in tsprintf.c is based on the output from
the GNU C Library up to 2.36, which is incorrect. The output has changed in
2.37 (partly fixed), so that tsprintf fails with glibc 2.37. The
tsprintf-thousands patch modifies the test to conform to POSIX and also
avoid the buggy case in 2.36 and below. However, this new test, which was
expected to succeed, triggers a serious bug in 2.37
(bug 30068 / CVE-2023-25139). We did not modify the test again since this
bug affects MPFR's mpfr_sprintf function, with a possible buffer overflow
in particular cases. This bug has been fixed in the 2.37 branch. In short,
this patch is useful (and needed) for a fixed glibc 2.37 and some other
libraries, depending on the current locales.
Corresponding changesets in the 4.2 branch: 4f03d40b5, 78ff7526d, e66bb7121.
2 The mpfr_ui_pow_ui function has infinite loop in case of overflow. This can
affect mpfr_log10, which uses this function (this is how this bug was
found). This bug is fixed by the ui_pow_ui-overflow patch (with testcases).
Corresponding changeset in the 4.2 branch: 0216f40ed.
3 The tfprintf and tprintf tests may fail in locales where decimal_point has
several bytes, such as ps_AF. This is fixed by the multibyte-decimal_point
patch, which makes the tests aware of the length of decimal_point.
Corresponding changeset in the 4.2 branch: 0383bea85.
4 In particular cases that are very hard to round, mpfr_rec_sqrt may yield a
stack overflow due to many small allocations in the stack, based on alloca().
This is due to the fact that the working precision is increased each step
(Ziv loop) by 32 or 64 bits only, until the approximate result can be
rounded (thus we have an arithmetic progression here, while a geometric
progression is used for the other functions), and that at each iteration,
the previous allocations in the stack cannot be freed. Individual
allocations in the stack are limited to 16384 bytes, so that the issue can
occur only when there are many iterations in working precisions that are
not too large, which is possible with an arithmetic progression. This bug
is fixed by the rec_sqrt-zivloop patch, which changes the Ziv loop to use
the standard MPFR_ZIV_* macros; the patch also provides a testcase obtained
by a function that constructs a hard-to-round case involving large enough
precisions (this function is commonly used in the MPFR testsuite, but not
with so large precisions). This bug was originally reported by Fredrik
Johansson.
Corresponding changeset in the 4.2 branch: 934dd8842.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Since lvmetad was removed then the configure option --enable-lvmetad is no longer valid.
A warning is now shown - configure: WARNING: unrecognized options: --enable-lvmetad
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 May 2023 20:41:10 +0000 (22:41 +0200)]
libcap: Adjust the lfs file to place pkg-config files in the correct place
- libcap places the files by default in /lib and not /usr/lib etc. To fix this libcap made
a symlink for the library file from /lib to /usr/lib. However the .pc files were left
in /lib/pkgconfig and not /usr/lib/pkgconfig and were therefore not found by the update
of rng-tools which now required libcap to be found.
- Changed the prefix settings for libcap which placed the libraries and .pc files in the
correct locations while keeping the executables in their existing location.
- This removed the need for symlinking /usr/lib/libcap.so to /lib/libcap.so.2.67 as the
libraries are now placed in /usr/lib
- Installed the ipfire build with these changes into a vm system and confirmed that
everything worked. Input from Michael Tremer that if ping worked then libcap was
functioning correctly.
- The prefixes have to be applied to both make and make install to end up with the files
in the correct places.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 May 2023 20:41:09 +0000 (22:41 +0200)]
rng-tools: Update to version 2.16
- This v2 version corrects an error where a debug echo statement was left in the lfs file
- Update from version 2.14 to 2.16
- Update of rootfile not required
- Version 2.16 required libcap to be available, which it is, but it could not be found by
rng-tools. This is because rng-tools is using pkg-config and the required libcap.pc file
was not stored in the standard directory location for .pc files. Therefore a patch for
libcap is bundled together with this update to fix this.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 May 2023 17:17:46 +0000 (19:17 +0200)]
initscripts: removal of lvmetad initscript
- With the last update of lvm2 lvmetad was removed from lvm2. I did not recognise that
lvmetad had been setup as an automatic initscript, so it no longer works as the
binary is no longer provided.
- This patch removes the lvmetad initscript, the reference to lvmetad in the initscript
lfs file and the lvmetad initscript entries in the rootfile for each architecture.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 8 May 2023 17:07:23 +0000 (19:07 +0200)]
alsa: Uncomment the conf file names in the rootfile
- Based on input from Arne Fitzenreiter there are conf files that alsa complains about if
they are not present. This patch uncomments all the default conf files
- The backup include file is also added to the rootfile.
Suggested-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- start_service added to install.sh and stop_service to uninstall.sh
This ensures that the modules are loaded after install
- The /etc/asound.state file was touched by the install.sh cript but the alsactl store and
restore commands have default location of /var/lib/alsa/ so the touch command created
an asound.state file that was then not used subsequently. It also meant that the first
start of alsa would fail as it would try and restore from /var/lib/alsa/asound.state
but the file did not exist.
- This patch corrects the path for the touch command for asound.state
- The install.sh script also checks if /etc/asound.state, that was never used, exists and
if it does removes it.
- Uninstalling alsa left the sound modules installed until a reboot was carried out.
Uninstallation should unload the alsa kernel modules.
This patch adds the modprobe -r commands to the uninstall.sh file to unload all the snd
modules when alsa is uninstalled.
- make_backup and restore_backup commands added to ther install.sh and uninstall.sh scripts
Fixes: Bug#13087 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 8 May 2023 17:07:21 +0000 (19:07 +0200)]
alsa: Add in a backup include file for alsa specifying the asound.state file
- This will backup the sound card status with the asound.state file when the addon is
uninstalled so that if it is re-installed in the future the status can be rerstored.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 8 May 2023 17:07:20 +0000 (19:07 +0200)]
alsa: Fix bug#13087 remove services entry
- alsa has an initscript but it is not starting and stopping a traditional daemon service.
The initscript loads some alsa modules and then restores the asound.state file
- This patch updates the PAK_VER number and removes the services entry and explicitly
adds alsa in for the initscript installation.
- Additionally this patch also adds the installation of a backup include file for alsa
which savces the soundcards status file asound.state
Fixes: Bug#13087 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Peter Müller [Tue, 18 Apr 2023 20:52:00 +0000 (20:52 +0000)]
linux: Compile "Intel XHCI USB Role Switch" as a module on x86_64
From the kernel documentation:
> Driver for the internal USB role switch for switching the USB data
> lines between the xHCI host controller and the dwc3 gadget controller
> found on various Intel SoCs. [...]
This may unblock USB-LAN-adaptor usage on certain boards, as reported
once in #12750. Overall affected devices seem to be scanty;
nevertheless, enabling this as a module only is highly unlikely to cause
any harm, so let's give it a try.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Robin Roevens [Tue, 18 Apr 2023 18:45:12 +0000 (20:45 +0200)]
Add Zabbix Agent to logviewer
- Configure Zabbix Agent to log to syslog instead of its own logs.
- Remove old zabbix log-dir and logrotate settings from rootfile, lfs
and install-script.
- Update log.dat to view Zabbix Agent logging from syslog.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Tue, 18 Apr 2023 18:45:11 +0000 (20:45 +0200)]
Bugfix: compatibility with grep 3.8+
Fix "grep: warning: stray \ before /" message on
Zabbix Agent ipfire.net.fw.hits item introduced by
grep 3.8 in
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=40b5df3942149738529c22c9cfcd067cd672b605
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Tue, 18 Apr 2023 18:45:10 +0000 (20:45 +0200)]
zabbix_agentd: Update to 6.0.16 (LTS)
- Update from version 6.0.6 to 6.0.16
- Update of rootfile not required
- Changelog
No substantial changes for Agent Linux version
Changelogs since 6.0.6:
- https://www.zabbix.com/rn/rn6.0.7
- https://www.zabbix.com/rn/rn6.0.8
- https://www.zabbix.com/rn/rn6.0.9
- https://www.zabbix.com/rn/rn6.0.10
- https://www.zabbix.com/rn/rn6.0.11
- https://www.zabbix.com/rn/rn6.0.12
- https://www.zabbix.com/rn/rn6.0.13
- https://www.zabbix.com/rn/rn6.0.14
- https://www.zabbix.com/rn/rn6.0.15
- https://www.zabbix.com/rn/rn6.0.16
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
For details see:
https://github.com/OISF/libhtp/releases/tag/0.5.43
"htp: do not log content-encoding: none
htp: do not error on multiple 100 Continue
readme: remove note on libhtp not being stable
uri: fix compile warning strict-prototypes
bstr: fix compile warning strict-prototypes
fuzz_diff: Free the rust test object.
github: add CIFuzz workflow"
Security #5947: byte_math: Division by zero possible. (6.0.x backport)
Bug #5970: detect: reload can stall if flow housekeeping takes too long (6.0.x backport)
Bug #5967: flowworker: Assertion in CheckWorkQueue (6.0.x backport)
Bug #5953: http: multipart data is not filled up to request.body-limit (6.0.x backport)
Bug #5951: detect: multi-tenancy crash (6.0.x backport)
Bug #5950: http2: quadratic complexity when reducing dynamic headers table size (6.0.x backport)
Bug #5949: smtp: quadratic complexity for tx iterator with linked list (6.0.x backport)
Bug #5948: fast_pattern assignment of specific content in combination with urilen results in FN (6.0.x backport)
Bug #5946: flow/manager: fix unhandled division by 0 (prealloc: 0) (6.0.x backport)
Bug #5942: exception/policy: flow action doesn't fall back to packet action when there's no flow (6.0.x backports)
Bug #5933: smb: tx logs sometimes have duplicate `tree_id` output (6.0.x backport)
Bug #5932: rfb/eve: depth in pixel format logged twice (6.0.x backport)
Bug #5906: dns: unused events field can overflow as an integer
Bug #5903: UBSAN: undefined shift in DetectByteMathDoMatch (6.0.x backport)
Bug #5899: smb: no consistency check between NBSS length and length field for some SMB operations (6.0.x backport)
Bug #5898: smb: possible evasion with trailing nbss data (6.0.x backport)
Bug #5896: base64_decode not populating up to an invalid character (6.0.x backport)
Bug #5895: stream: connections time out too early (6.0.x backport)
Bug #5889: stream: SYN/ACK timestamp checking blocks valid traffic (6.0.x backport)
Bug #5888: false-positive drop event_types possible on passed packets (6.0.x backport)
Bug #5887: stream: overlap with different data false positive (6.0.x backport)
Bug #5886: mime: debug assertion on fuzz input (6.0.x backport)
Bug #5879: netmap: Module registration displays whether info about new API usage
Bug #5863: netmap: packet stalls (6.0.x backport)
Bug #5854: SMTP does not handle LF post line limit properly (6.0.x backport)
Bug #5852: tcp/stream: session reuse on tcp flows w/o sessions (6.0.x backport)
Feature #5853: yaml: set suricata version in generated config (6.0.x backport)
Task #5985: libhtp 0.5.43 (6.0.x backport)"
For details see:
https://downloads.isc.org/isc/bind9/9.16.40/doc/arm/html/notes.html#notes-for-bind-9-16-40
"Notes for BIND 9.16.40
Bug Fixes
Logfiles using timestamp-style suffixes were not always correctly
removed when the number of files exceeded the limit set by versions.
This has been fixed for configurations which do not explicitly specify
a directory path as part of the file argument in the channel
specification. [GL #3959] [GL #3991]
Performance of DNSSEC validation in zones with many DNSKEY records has
been improved. [GL #3981]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://blog.clamav.net/2023/05/clamav-110-released.html
"Major changes
Added the ability to extract images embedded in HTML CSS <style> blocks.
Updated to Sigtool so that the --vba option will extract VBA code from
Microsoft Office documents the same way that libclamav extracts VBA.
This resolves several issues where Sigtool could not extract VBA.
Sigtool will also now display the normalized VBA code instead of the
pre-normalized VBA code.
Added a new ClamScan and ClamD option: --fail-if-cvd-older-than=days.
Additionally, we introduce FailIfCvdOlderThan as a clamd.conf synonym
for --fail-if-cvd-older-than. When passed, it causes ClamD to exit on
startup with a non-zero return code if the virus database is older than
the specified number of days.
Added a new function cl_cvdgetage() to the libclamav API. This function
will retrieve the age in seconds of the youngest file in a database
directory, or the age of a single CVD (or CLD) file.
Added a new function cl_engine_set_clcb_vba() to the libclamav API. Use
this function to set a cb_vba callback function. The cb_vba callback
function will be run whenever VBA is extracted from office documents.
The provided data will be a normalized copy of the extracted VBA. This
callback was added to support Sigtool so that it can use the same VBA
extraction logic that ClamAV uses to scan documents.
Other improvements
Removed the vendored TomsFastMath library in favor of using OpenSSL to
perform "big number"/multiprecision math operations. Work courtesy of
Sebastian Andrzej Siewior.
Build system: Added CMake option DO_NOT_SET_RPATH to avoid setting
RPATH on Unix systems. Feature courtesy of Sebastian Andrzej Siewior.
Build system: Enabled version-scripts with CMake to limit symbol
exports for libclamav, libfreshclam, libclamunrar_iface, and
libclamunrar shared libraries on Unix systems, excluding macOS.
Improvement courtesy of Orion Poplawski and Sebastian Andrzej Siewior.
Build system: Enabled users to pass in custom Rust compiler flags using
the RUSTFLAGS CMake variable. Feature courtesy of Orion Poplawski.
Removed a hard-coded alert for CVE-2004-0597. The CVE is old enough
that it is no longer a threat and the detection had occasional
false-positives.
Set Git attributes to prevent Git from altering line endings for Rust
vendored libraries. Third-party Rust libraries are bundled in the
ClamAV release tarball. We do not commit them to our own Git
repository, but community package maintainers may now store the tarball
contents in Git. The Rust build system verifies the library manifest,
and this change ensures that the hashes are correct. Improvement
courtesy of Nicolas R.
Fixed compile time warnings. Improvement courtesy of Razvan Cojocaru.
Added a minor optimization when matching domain name regex signatures
for PDB, WDB and CDB type signatures.
Build system: Enabled the ability to select a specific Python version.
When building, you may use the CMake option -D
PYTHON_FIND_VER=<version> to choose a specific Python version. Feature
courtesy of Matt Jolly.
Added improvements to the ClamOnAcc process log output so that it is
easier to diagnose bugs.
Windows: Enabled the MSI installer to upgrade between feature versions
more easily when ClamAV is installed to a location different from the
default (i.e., not C:\Program Files\ClamAV). This means that the MSI
installer can find a previous ClamAV 1.0.x installation to upgrade to
ClamAV 1.1.0.
Sigtool: Added the ability to change the location of the temp directory
using the --tempdir option and added the ability to retain the temp
files created by Sigtool using the --leave-temps option.
Other minor improvements.
Bug fixes
Fixed the broken ExcludePUA / --exclude-pua feature. Fix courtesy of
Ged Haywood and Shawn Iverson.
Fixed an issue with integer endianness when parsing Windows executables
on big-endian systems. Fix courtesy of Sebastian Andrzej Siewior.
Fixed a possible stack overflow read when parsing WDB signatures. This
issue is not a vulnerability.
Fixed a possible index out of bounds when loading CRB signatures. This
issue is not a vulnerability.
Fixed a possible use after free when reading logical signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read when reading PDB signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read in javascript normalizer module.
This issue is not a vulnerability.
Fixed two bugs that would cause Freshclam to fail update when applying
a CDIFF database patch if that patch adds a file to the database
archive or removes a file from the database archive. This bug also
caused Sigtool to fail to create such a patch.
Fixed an assortment of complaints identified by Coverity static analysis.
Fixed one of the Freshclam tests that was failing on some Fedora
systems due to a bug printing debug-level log messages to stdout. Fix
courtesy of Arjen de Korte.
Correctly remove temporary files generated by the VBA and XLM
extraction modules so that the files are not leaked in patched versions
of ClamAV where temporary files are written directly to the
temp-directory instead of writing to a unique subdirectory."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>