rtl8xxx: remove unused or replaced external modules
rtl8189es and rtl8189fs are used at my knowledge only on 32bit arm boards.
If there is any 64bit board i can restore it.
rtl8822bu and rtl8821cu are both supported in mainline kernel 6.6.x so
no separate module is needed anymore.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Thu, 30 Nov 2023 07:56:04 +0000 (08:56 +0100)]
tor.cgi: Fixes deprecated tor option 'ExitNode' to 'ExitNodes'
If fingerprints in the Exit Node section are in usage, tor.cgi prints the
deprecated option 'ExitNode' into torrc which leads to the following warning
"The abbreviation ‘ExitNode’ is deprecated. Please use ‘ExitNodes’ instead".
Fix has been found and tested in the community for reference please see -->
https://community.ipfire.org/t/the-abbreviation-exitnode-is-deprecated-please-use-exitnodes-instead/10582/10
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Michael Tremer [Mon, 27 Nov 2023 11:24:00 +0000 (11:24 +0000)]
apache2: Properly re-execute Apache on restart
Previously, we sent Apache a signal to relaunch itself which caused
Apache to kill all child processes, and re-execute them.
However, when updating glibc, any newly compiled modules could not be
loaded as Apache was running with the previous version of glibc until
the next reboot.
This change will now properly stop Apache and restart it which solves
this problem.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 Nov 2023 11:24:00 +0000 (11:24 +0000)]
apache2: Properly re-execute Apache on restart
Previously, we sent Apache a signal to relaunch itself which caused
Apache to kill all child processes, and re-execute them.
However, when updating glibc, any newly compiled modules could not be
loaded as Apache was running with the previous version of glibc until
the next reboot.
This change will now properly stop Apache and restart it which solves
this problem.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:44 +0000 (11:58 +0100)]
man: Update to version 2.12.0
- Update from version 2.11.2 to 2.12.0
- Update of rootfile
- Changelog
2.12.0
Fixes:
* Fix some manual page portability issues with groff 1.23.0.
* Fix test failures when a working `iconv` is not available.
* Ensure that timestamps read from the database can go past the year 2038,
even on systems where this is not the default.
* Fix `manpath` not parsing `PATH` entries with trailing slash correctly
for guessing `MANPATH` entries.
* More accurately document the behaviour of passing file names as arguments
to `man` without the `-l`/`--local-file` option.
* Avoid duplicate cleanup of old cat pages by both `man-db.service` and
`systemd-tmpfiles-clean.service`.
Improvements:
* Update system call lists in `seccomp` sandbox from `systemd`.
* Upgrade to Gnulib `stable-202307`.
* Work around the Firebuild accelerator in `seccomp` sandbox: if this is in
use then we need to allow some socket-related system calls.
* `man -K` now deduplicates search results that point to the same page.
* Warn if `mandb` drops to `--user-db` mode due to running as the wrong
user.
* Change section title recommendations in `man(1)` to mention `STANDARDS`
rather than `CONFORMING TO`, in line with `man-pages(7)`.
* Add a `STANDARDS` section to `man(1)` itself.
* Document that `man -K` may suffer from false negatives as well as false
positives.
* Take advantage of newer `groff` facilities to implement `man
--no-hyphenation` and `man --no-justification`, if available.
* `man -f` and `man -k` now pass any `-r`/`--regex` or `-w`/`--wildcard`
options on to `whatis` and `apropos` respectively.
* Always pass a line length to `nroff`, even if we believe that it matches
the default.
* Allow disabling `groff` warnings via `man --warnings`, by prefixing a
warning name with `!`.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
dhcp.cgi: Add column with resolved hostname by IP address
In web interface, on page DHCP Server, in table Current fixed leases, add column with resolved hostname by IP address Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 9 Nov 2023 08:24:06 +0000 (09:24 +0100)]
connections.cgi: Fix Expires time Heading in Connections cgi page
- The Expires time heading for the Connections WUI page has seconds listed. However the
code is converting the seconds to hours:minutes:seconds.
- This patch is changing the heading to H:M:S in English and the equivalent in the other
languages. I have basewd this on the initial letter for Hours, Minutes & Seconds in
each of the languages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 8 Nov 2023 21:58:03 +0000 (22:58 +0100)]
iproute2: Update to version 6.6.0
- Update from version 6.4.0 to 6.6.0
- Update of rootfile
- iproute2 has implemented stateless configuration pattern. This now puts all the files
that were in /etc/iproute2 into /usr/lib/iproute2. Therefore command added to lfs to
move /usr/lib/iproute2 to /etc/iproute2 to match the previous situation.
- Changelog is only provided by the git commits.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
this is the first version that support booting linux kernel on
riscv. The release of the final version was delayed again and again
so i have bootstrapped the rc1 from the git and fixed the path in 25_bli.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 340000 to 340100
- Update of rootfile not required
- Changelog
3.44.1
Change the CLI so that it uses UTF-16 for console I/O on Windows. This enables
proper display of unicode text on old Windows7 machines.
Other obscure bug fixes. - more details on these can be found from the list of
commits https://www.sqlite.org/src/timeline?n=100&y=ci
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
the "xxxKVERxxx" placeholder is replaced by the buildsystem with the current build kernel
version. KVER is used a few lines later to build the arm initrd so this is needed.
- Update from version 3430000 to 3440000
- Update of rootfile not required
- Changelog
3.44.0
Aggregate functions can now include an ORDER BY clause after their last parameter.
The arguments to the function are processed in the order specified. This can be
important for functions like string_agg() and json_group_array().
Add support for the concat() and concat_ws() scalar SQL functions, compatible with
PostgreSQL, SQLServer, and MySQL.
Add support for the string_agg() aggregate SQL function, compatible with
PostgreSQL and SQLServer.
New conversion letters on the strftime() SQL function: %e %F %I %k %l %p %P %R %T %u
Add new C-language APIs: sqlite3_get_clientdata() and sqlite3_set_clientdata().
Many errors associated with CREATE TABLE are now raised when the CREATE TABLE
statement itself is run, rather than being deferred until the first time the
table is actually used.
The PRAGMA integrity_check command now verifies the consistency of the content in
various built-in virtual tables using the new xIntegrity method. This works for
the FTS3, FTS4, FTS5, RTREE, and GEOPOLY extensions.
The SQLITE_DBCONFIG_DEFENSIVE setting now prevents PRAGMA writable_schema from
being turned on. Previously writable_schema could be turned on, but would not
actually allow the schema to be writable. Now it simply cannot be turned on.
Tag the built-in FTS3, FTS4, FTS5, RTREE, and GEOPOLY virtual tables as
SQLITE_VTAB_INNOCUOUS so that they can be used inside of triggers in
high-security deployments.
The PRAGMA case_sensitive_like statement is deprecated, as its use when the
schema contains LIKE operators can lead to reports of database corruption by
PRAGMA integrity_check.
SQLITE_USE_SEH (Structured Exception Handling) is now enabled by default whenever
SQLite is built using the Microsoft C compiler. It can be disabled using
-DSQLITE_USE_SEH=0
Query planner optimizations:
In partial index scans, if the WHERE clause implies a constant value for a
table column, replace occurrences of that table column with the constant.
This increases the likelihood of the partial index being a covering index.
Disable the view-scan optimization (added in version 3.42.0 - item 1c) as it
was causing multiple performance regressions. In its place, reduce the
estimated row count for DISTINCT subqueries by a factor of 8.
SQLite now performs run-time detection of whether or not the underlying hardware
supports "long double" with precision greater than "double" and uses appropriate
floating-point routines depending on what it discovered.
The CLI for Windows now defaults to using UTF-8 for both input and output on
platforms that support it. The --no-utf8 option is available to disable UTF8
support.
3.43.2
Fix a couple of obscure UAF errors and an obscure memory leak.
Omit the use of the sprintf() function from the standard library in the CLI, as
this now generates warnings on some platforms.
Avoid conversion of a double into unsigned long long integer, as some platforms
do not do such conversions correctly.
3.43.1
Fix a regression in the way that the sum(), avg(), and total() aggregate
functions handle infinities.
Fix a bug in the json_array_length() function that occurs when the argument
comes directly from json_remove().
Fix the omit-unused-subquery-columns optimization (introduced in version 3.42.0)
so that it works correctly if the subquery is a compound where one arm is
DISTINCT and the other is not.
Other minor fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 10 Nov 2023 11:00:53 +0000 (12:00 +0100)]
ffmpeg: Fix build problem from updated texinfo
- With the 7.1 version of texinfo function names have changed which caused ffmpeg to fail
to build. There were some unofficial patches to fix ffmpeg to work with the new texinfo
but the simplest solution was to stop the docs being built in the configure command.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 10 Nov 2023 11:00:52 +0000 (12:00 +0100)]
texinfo: Update to version 7.1
- Update from version 7.0.3 to 7.1
- Update of rootfile
- Changelog
7.1 (18 October 2023)
* Language
. new generic definition commands, @defblock, @defline and @deftypeline,
for definitions without automatic index entries
. new @linemacro facility eases use of generic definition commands
. new command @link creates plain links (supported output formats only)
. @cartouche takes an argument to specify the cartouche title
. you can use the new commands @nodedescription and @nodedescriptionblock
to give text to be used in menu descriptions in Info and HTML output
* texi2any
. @itemx at the beginning of a @table is now an error, not a warning
. better validity checking of deeply nested commands
. check that @set and @clear only appear at the start of a line
. warn about missing menu entries even if CHECK_NORMAL_MENU_STRUCTURE is
not set. you can turn this off by setting CHECK_MISSING_MENU_ENTRY to 0.
. no longer use --enable-encoding and --disable-encoding to determine
whether to output encoded characters (instead of entities or commands)
for HTML, XML, DocBook and LaTeX; instead, use the value of the
OUTPUT_CHARACTERS customization variable.
. stricter checks on input encoding, in particular more warnings and
errors with malformed UTF-8
. support any input file encoding if support exists in the operating
system, not just a selected list of encodings
. resolve an alias referring to another alias at definition time
. internally, use "source marks" to keep all Texinfo source information that
is not in the final tree (location of macros, values and included files
expansion, @if* blocks, DEL comment, and @ protecting end of line on @def*
lines)
. HTML output:
. format @subentry and index entries with @seealso or @seeentry in a more
similar way to printed output
. output @shortcontents before @contents by default
. omit colons after index entries by default. this can still be
configured with INDEX_ENTRY_COLON.
. add @example syntax highlighting as a texi2any extension
. no more capitalization of @sc argument in HTML Cross-references
. change @point expansion to U+22C6 in HTML Cross-references
. if a @node is not associated with a sectioning command but is
followed by a heading command not usually associated to nodes
such as @heading and this command appears before other formatted
content, the heading command is assumed to supply the node heading.
you can customize this with USE_NEXT_HEADING_FOR_LONE_NODE.
. Info output:
. new variable ASCII_DASHES_AND_QUOTES, on by default,
outputs ASCII characters for literal quote or hyphen characters
in source, rather than UTF-8. this makes it easier to search
Info files.
. new ASCII_GLYPH variable for using ASCII renditions for glyph
commands (like @bullet)
. ASCII_PUNCTUATION still includes the effect of these new variables.
. new variables AUTO_MENU_DESCRIPTION_ALIGN_COLUMN and AUTO_MENU_MAX_WIDTH
control the format of descriptions in generated menus
. XML output:
. place menu leading text and menu separators in elements instead
of attributes
* texi2dvi
. macro expansion with texi2any requires at least version 5.0 (only
happens with --expand option or with very old texinfo.tex)
* texinfo.tex
. in @code, ` and ' output by default with backtick and undirected
single quote glyphs in the typewriter font. you can still configure
this using the @codequoteundirected/@codequotebacktick commands.
. do not insert a space for @ def line continuation, matching the behavior
of texi2any
. align section titles in table of contents when more than 10 sections
. microtype is off by default, for speed
. page headings generation is no longer linked to the @titlepage command
* info
. when going Up, position cursor on menu entry for current node
. allow mouse scrolling support regardless of termcap entries. this
supports some more xterm configurations.
. do not use "/index" as a possible file extension for Info files
* Distribution
. autoconf 2.71, automake 1.16.5, gettext 0.21
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 8 Nov 2023 21:58:04 +0000 (22:58 +0100)]
libsodium: Update to version 1.0.19
- Update from version 1.0.18 to 1.0.19
- Update of rootfile
- sobump so find-dependencies run. Identified dnsdist and shairport-sync to be shipped.
- Changelog
1.0.19
- New AEADs: AEGIS-128L and AEGIS-256 are now available in the
`crypto_aead_aegis128l_*()` and `crypto_aead_aegis256_*()` namespaces.
AEGIS is a family of authenticated ciphers for high-performance applications,
leveraging hardware AES acceleration on `x86_64` and `aarch64`. In addition
to performance, AEGIS ciphers have unique properties making them easier and
safer to use than AES-GCM. They can also be used as high-performance MACs.
- The HKDF key derivation mechanism, required by many standard protocols, is
now available in the `crypto_kdf_hkdf_*()` namespace. It is implemented for
the SHA-256 and SHA-512 hash functions.
- The `osx.sh` build script was renamed to `macos.sh`.
- Support for android-mips was removed.
1.0.18-stable
- Visual Studio: support for Windows/ARM64 builds has been added.
- Visual Studio: AVX512 implementations are enabled on supported CPUs.
- Visual Studio: an MSVC 2022 solution was added.
- Apple XCFramework: support for VisionOS was added.
- Apple XCFranework: support for Catalyst was added.
- Apple XCFramework: building the simulators is now optional.
- iOS: bitcode is not generated any more, as it was deprecated by Apple.
- watchOS: support for arm64 was added.
- The Zig toolchain can now be used as a modern build system to replace
autoconf/automake/libtool/make/ccache and the compiler. This enables faster
compilation times, easier cross compilation, and static libraries optimized
for any CPU.
- The Zig toolchain is now the recommended way to compile `libsodium`
to WebAssembly/WASI(X).
- libsodium can now be added as a dependency to Zig projects.
- Memory fences were added to remove some gadgets that could be used
alongside speculative loads.
- The AES-GCM implementation was completely rewritten. It is now faster,
and also available on aarch64, including Windows/ARM64.
- Compatibility with CET instrumentation / IBT / Shadow Stack was added.
- Emscripten: the `crypto_pwhash_*()` functions have been removed from Sumo
builds, as they reserve a substantial amount of JavaScript memory, even when
not used.
- Benchmarks now use `CLOCK_MONOTONIC` if possible.
- WebAssembly: tests can now run using Bun, WasmEdge, Wazero, wasm3 and
wasmer-js. Support for WAVM and Lucet have been removed, as these projects
have reached EOL.
- .NET: the minimum supported macOS version is now 1.0.15; this matches
Microsoft guidelines.
- .NET: all the packages are now built using Zig, on all platforms. This
allows us to easily match Microsoft's requirements, including supported glibc
versions. However, on x86_64, targets are expected to support at least the
AVX instruction set.
- .NET: packages for ARM64 are now available.
- C23 `memset_explicit()` is now used, when available.
- Compilation now uses `-Ofast` or `-O3` instead of `-O2` by default.
- Portability improvements to help compile libsodium to modern game consoles.
- JavaScript: a default `unhandledRejection` handler is not set any more.
- Slightly faster 25519 operations.
- OpenBSD: leverage `MAP_CONCEAL`.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Peter Müller [Wed, 22 Nov 2023 15:00:00 +0000 (15:00 +0000)]
Tor: Update to 0.4.8.9
Changes in version 0.4.8.9 - 2023-11-09
This is another security release fixing a high severity bug affecting onion
services which is tracked by TROVE-2023-006. We are also releasing a guard
major bugfix as well. If you are an onion service operator, we strongly
recommend to update as soon as possible.
o Major bugfixes (guard usage):
- When Tor excluded a guard due to temporary circuit restrictions,
it considered *additional* primary guards for potential usage by
that circuit. This could result in more than the specified number
of guards (currently 2) being used, long-term, by the tor client.
This could happen when a Guard was also selected as an Exit node,
but it was exacerbated by the Conflux guard restrictions. Both
instances have been fixed. Fixes bug 40876; bugfix
on 0.3.0.1-alpha.
o Major bugfixes (onion service, TROVE-2023-006):
- Fix a possible hard assert on a NULL pointer when recording a
failed rendezvous circuit on the service side for the MetricsPort.
Fixes bug 40883; bugfix on 0.4.8.1-alpha
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 09, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/11/09.
Changes in version 0.4.8.8 - 2023-11-03
We are releasing today a fix for a high security issue, TROVE-2023-004, that
is affecting relays. Also a few minor bugfixes detailed below. Please upgrade
as soon as posssible.
o Major bugfixes (TROVE-2023-004, relay):
- Mitigate an issue when Tor compiled with OpenSSL can crash during
handshake with a remote relay. Fixes bug 40874; bugfix
on 0.2.7.2-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on November 03, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/11/03.
o Minor bugfixes (directory authority):
- Look at the network parameter "maxunmeasuredbw" with the correct
spelling. Fixes bug 40869; bugfix on 0.4.6.1-alpha.
o Minor bugfixes (vanguards addon support):
- Count the conflux linked cell as valid when it is successfully
processed. This will quiet a spurious warn in the vanguards addon.
Fixes bug 40878; bugfix on 0.4.8.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 22 Nov 2023 15:04:00 +0000 (15:04 +0000)]
OpenSSH: Update to 9.5p1
Please refer to https://www.openssh.com/releasenotes.html#9.5p1 for the
changelog of this version. The patch for fixing zlib version check has
now been amended upstream and can therefore be deleted from IPFire 2.x's
codebase.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20230804 to 20231030
- Update of rootfile - process defined by Peter Mueller used on rootfile to identify
changes and check if the entries were commented out in previous rootfile.
This is second time that I have used this approach so probably still worthwhile for
Peter to confirm I got it correct.
- Patch for amd family 19h removed as it is now included in the source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 21 Nov 2023 22:37:44 +0000 (23:37 +0100)]
strongswan: Update to version 5.9.12
- Update from version 5.9.11 to 5.9.12
- Update of rootfile
- Changelog
5.9.12
Vulnerabilities
Fixed a vulnerability in charon-tkm (the TKM-backed version of the charon IKE
daemon) related to processing DH public values that can lead to a buffer
overflow and potentially remote code execution. This vulnerability has been
registered as CVE-2023-41913. Please refer to our blog for details.
New Feature Additions
The new pki --ocsp command produces OCSP responses based on certificate status
information provided by implementations of the new ocsp_responder_t interface
(#1958).
Two sources are currently available, the openxpki plugin that directly
accesses the OpenXPKI database and the command's --index argument, which
reads certificate status information from OpenSSL-style index.txt files
(multiple CAs are supported concurrently).
The new cert-enroll script handles the initial enrollment of an X.509 host
certificate with a PKI server via the EST or SCEP protocols.
Run as a systemd timer or via a crontab entry, the script checks the
expiration date of the host certificate daily. When a given deadline is
reached, the host certificate is automatically renewed via EST or SCEP
re-enrollment based on the possession of the old private key and the
matching certificate.
Added a global option (charon.reject_trusted_end_entity) to prevent peers
from authenticating with certificates that are locally trusted, in
particular, our own local certificate, which safeguards against accidental
reuse of certificates on multiple peers. As the name suggests, all trusted
end-entity certificates are rejected if enabled, so peer certificates can't
be configured explicitly anymore (e.g. via remote.certs in swanctl.conf).
The --priv argument for charon-cmd allows the use of any type of private key
(previously, only RSA keys were supported).
The openssl plugin now supports the nameConstraints extension in X.509
certificates (#1990).
Support for nameConstraints of type iPAddress are now supported by the x509,
openssl and constraints plugins (#1991).
Support for encoding subjectAlternativeName extensions of type
uniformResourceIdentifier in X.509 certificates has been added via the uri:
prefix (e.g. for URNs, #1983).
Support for password-less PKCS#12 and PKCS#8 files has been added (#1955).
Enhancements and Optimizations
Because of a relatively recent NIAP requirement (TD0527, Test 8b), loading of
certificates with ECDSA keys that explicitly encode the curve parameters is
rejected if possible. Explicit encoding is pretty rare to begin with and
e.g. wolfSSL already rejects such keys, by default. All crypto plugins that
support ECDSA enforce this by rejecting such public keys, except when using
older versions of OpenSSL (< 1.1.1h) or Botan (< 3.2.0) (#1949).
Make the NetworkManager plugin (charon-nm) actually use the XFRM interface it
creates since 5.9.10. This involves setting interface IDs on SAs and
policies, and installing routes via the interface. To avoid routing loops if
the remote traffic selectors include the VPN server, IKE and ESP packets are
marked to bypass the routing table that contains the routes via XFRM
interface (69e0c11).
If available, the plugin now also adopts the interface name configured in
connection.interface-name in a *.nmconnection file as name for the XFRM
interface instead of generating one randomly (e8f8d32).
The resolve plugin tries to maintain the order of DNS servers it installs via
resolvconf or resolv.conf (6440975, 8238ad4).
The kernel-libipsec plugin now always installs routes to remote networks even
if no address is found in the local traffic selectors, which allows
forwarding traffic from networks the VPN host is not part of (190d8cb).
Increased the default receive buffer size for Netlink sockets to 8 MiB
(doubled by the kernel to account for overhead) and simplified the
configuration (no need for a separate option to force overriding rmem_max).
It's now also set for event sockets, which previously could cause issues on
hosts with e.g. lots of route changes (#1757).
When issuing certificates, the subjectKeyIdentifier of the issuing
certificate, if available, is now copied as authorityKeyIdentifier, instead
of always generating a SHA-1 hash of the issuer's subjectPublicKey
(#1992, 6941dcb).
Explicitly request permission to display notifications on Android 13+
(ddf84c1), also enabled hardware acceleration for the Android-specific
OpenSSL build.
Fixes
Fixed issues while reestablishing multiple CHILD_SAs (e.g. after a DPD
timeout) that could cause a reqid to get assigned to multiple CHILD_SAs with
unrelated traffic selectors (#1855).
Fixed an issue in watcher_t with handling errors on sockets (e.g. if the
receive buffer is full), which caused an infinite loop if poll() only
signaled POLLERR as event (#1757).
Fixed an issue in the IKE_SA_INIT tracking code that was added with 5.9.6,
which did not correctly untrack invalid messages with non-zero message IDs
or SPIs (0b47357).
Fixed a regression introduced with 5.9.8 when handling IKE redirects during
IKE_AUTH (595fa07).
Fixed adding the XFRMA_REPLAY_ESN_VAL attribute twice when updating SAs in
the kernel-netlink plugin, which prevented MOBIKE updates if a large
anti-replay window was used (#1967).
Fixed a race condition in the kernel-pfroute plugin when adding virtual IPs
if the TUN device is activated after the address was already added
internally, which caused the installed route not to go via TUN device in
order to force the virtual IP as source address (#1807).
Fixed an issue in libtls that could cause the wrong ECDH group to get
instantiated (b5e4bf4).
Fixed the encoding of the CHILD_SA_NOT_FOUND notify if a CHILD_SA is not
found during rekeying. It was previously empty, now contains the SPI and
sets the protocol to the values received in the REKEY_SA notify (849c2c9).
Fixed a possible issue with MOBIKE in the Android client on certain devices
(#1691).
For Developers
The new ocsp_responder_t interface can be implemented to provide certificate
status information to the pki --ocsp command. Responders can be
(un-)registered via the ocsp_responders_t instance at lib->ocsp.
For the watcher_t component, WATCHER_EXCEPT has been removed as there is no
way to explicitly listen for errors on sockets and poll() actually can
return POLLERR for any FD and it might even be the only signaled event
(which caused an infinite loop previously). Now we simply notify the
registered callbacks. The error is then reported by e.g. recvfrom(), which
was already the case before if POLLERR was returned together with
e.g. POLLIN.
The reqids allocated for CHILD_SAs (including trap policies) via
kernel_interface_t::alloc_reqid() are now refcounted. When recreating a
CHILD_SA, a reference to the reqid can be requested via
child_sa_t::get_reqid_ref(). If another reference is required afterwards,
one can be acquired directly via kernel_interface_t::ref_reqid(). Each
reference has to be released via kernel_interface_t::release_reqid(), whose
interface was simplified.
The testing environment is now based on Debian 12 (bookworm), by default.
Also, when copying files to guests, the guest-specific files are now copied
after the default files, which allows overriding files per guest (fixes an
issue with winnetou's /etc/fstab and mounting the test results).
Refer to the 5.9.12 milestone for a list of all closed issues and pull requests.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:50 +0000 (11:58 +0100)]
mpd: Update to version 0.23.14
- Update from version 0.24.13 to 0.24.14
- Update of rootfile not required
- Changelog
0.23.14 (2023/10/08)
* decoder
- flac: fix scanning files with non-ASCII names on Windows
- mad: fix calculation of LAME peak values
* mixer
- wasapi: fix problem setting volume
* more libfmt 10 fixes
* fix auto-detected systemd unit directory
* Android
- require Android 7 or newer
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:49 +0000 (11:58 +0100)]
minicom: Update to version 2.9
- Update from version 2.8 to 2.9
- Update of rootfile
- Changelog
This file (NEWS) lists the most important changes to
the previous released version. For a full list of changes
please refer to the ChangeLog file.
New for version 2.9:
- Change Hardware Flow Control Default to No.
- Timestamping mode is now saved and restored.
- Split "Screen and Keyboard" menu into two menus.
- Update to gettext-0.21.
- Change return values of --help and --version to success.
- Support higher baud rates on MacOS
- Save character send delay to config file
- Save newline send delay to config file
- Update translations: Romanian, German, French, Norwegian/Bookmal, Polish,
Serbian, Swedish
- New translation: Georgian, Korean
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:48 +0000 (11:58 +0100)]
mindlna: Update to version 1.3.3
- Update from version 1.3.2 to 1.3.3
- Update of rootfile not required
- Changelog
1.3.3 - Released 1-Jun-2023
- Fixed HTTP chunk length parsing.
- Improved Dutch and Swedish translations.
- Fixed directory symlink deletion handling.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:47 +0000 (11:58 +0100)]
meson: Update to version 1.2.3
- Update from version 1.2.0 to 1.2.3
- Update of rootfile
- Changelog
The meson changelog is defined only at the 1.2 level. So what changes are related in
going from 1.2.0 to 1.2.3 can not be determined.
The changes have to be reviewed from the 1.2 branch of commits
https://github.com/mesonbuild/meson/commits/1.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:46 +0000 (11:58 +0100)]
mdns-repeater: Update to version 1.11
- Update from version 1.10 to 1.11
- Update of rootfile not required
- Previous versions of this package used to be on bitbucket but that link no longer exists.
The new git repo https://github.com/geekman/mdns-repeater was started by someone else as
a fork but the original developer then moved to it. However all the history was not moved
to the new repo so that repo starts now with version 1.11. It is being worked on as the
last commit was Aug 2023 however version 1.11 was released in 2016. There are 11 commits
between version 1.11 and present time.
- Changelog
1.11
Blacklist feature added (16 blacklisted subnets allowed).
Socket limit increased to 16 sockets, moved to #define.
The first is most interesting. Say you have two networks bound together
with site-to-site tunnels, repeating mDNS over the tunnel... And there
are Chromecasts, or Apple TV's at both ends. Even if you had firewall
rules to block traffic, the devices would still show up (albeit be
defective) on the opposite network.
The new blacklist flag allows you to filter such devices out by specifying
their subnet (or individual addresses, although having such "private"
devices on their own subnet might be a good idea).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:45 +0000 (11:58 +0100)]
mcelog: Update to version 196
- Update from version 181 to 196
- Update of rootfile not required
- Fix python call patch removed as correct python call now in the source tarball
- Changelog file is no longer used. Review of changes has to be done via the git repo.
https://git.kernel.org/pub/scm/utils/cpu/mce/mcelog.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:43 +0000 (11:58 +0100)]
lua: Update to version 5.4.6
- Update from version 5.4.4 to 5.4.6
- Update of rootfile
- Updated version number in shared library patch
- Changelog
5.4.6
read overflow in 'l_strcmp'. Reported by Xmilia Hermit on 09 Jun 2023. existed
since 5.0 (at least). fixed in github.
Call hook may be called twice when count hook yields. Reported by G.k Ray on
20 Jul 2023. existed since 5.4.0 (at least). fixed in github.
Wrong line number for function calls. Reported by Thadeu de Paula on 20 Aug 2023.
existed since 5.2. fixed in github.
5.4.5
Changing the signature of 'lua_resetthread' broke ABI. Reported by Andrew Gierth
on 29 Apr 2023. fixed in 5.4.6. fixed in github
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 10 Nov 2023 10:59:10 +0000 (11:59 +0100)]
xz: Update to version 5.4.5
- Update from version 5.4.0 to 5.4.5
- Update of rootfile
- Changelog
5.4.5 (2023-11-01)
* liblzma:
- Use __attribute__((__no_sanitize_address__)) to avoid address
sanitization with CRC64 CLMUL. It uses 16-byte-aligned reads
which can extend past the bounds of the input buffer and
inherently trigger address sanitization errors. This isn't
a bug.
- Fixed an assertion failure that could be triggered by a large
unpadded_size argument. It was verified that there was no
other bug than the assertion failure.
- Fixed a bug that prevented building with Windows Vista
threading when __attribute__((__constructor__)) is not
supported.
* xz now properly handles special files such as "con" or "nul" on
Windows. Before this fix, the following wrote "foo" to the
console and deleted the input file "con_xz":
echo foo | xz > con_xz
xz --suffix=_xz --decompress con_xz
* Build systems:
- Allow builds with Windows win95 threading and small mode when
__attribute__((__constructor__)) is supported.
- Added a new line to liblzma.pc for MSYS2 (Windows):
Cflags.private: -DLZMA_API_STATIC
When compiling code that will link against static liblzma,
the LZMA_API_STATIC macro needs to be defined on Windows.
- CMake specific changes:
* Fixed a bug that allowed CLOCK_MONOTONIC to be used even
if the check for it failed.
* Fixed a bug where configuring CMake multiple times
resulted in HAVE_CLOCK_GETTIME and HAVE_CLOCK_MONOTONIC
not being set.
* Fixed the build with MinGW-w64-based Clang/LLVM 17.
llvm-windres now has more accurate GNU windres emulation
so the GNU windres workaround from 5.4.1 is needed with
llvm-windres version 17 too.
* The import library on Windows is now properly named
"liblzma.dll.a" instead of "libliblzma.dll.a"
* Fixed a bug causing the Ninja Generator to fail on
UNIX-like systems. This bug was introduced in 5.4.0.
* Added a new option to disable CLMUL CRC64.
* A module-definition (.def) file is now created when
building liblzma.dll with MinGW-w64.
* The pkg-config liblzma.pc file is now installed on all
builds except when using MSVC on Windows.
* Added large file support by default for platforms that
need it to handle files larger than 2 GiB. This includes
MinGW-w64, even 64-bit builds.
* Small fixes and improvements to the tests.
* Updated translations: Chinese (simplified) and Esperanto.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>