Adolf Belka [Sat, 21 Dec 2024 12:55:08 +0000 (13:55 +0100)]
rust: Update to version 1.83.0
- Update from version 1.67.0 to 1.83.0
- Update x86_64, aarch64 & riscv64 rootfiles
- This version of rust hasd the fix to ensure that ruby builds okay with aarch64 &
riscv64. This required a fix to be applied to the LLVM and then for the updated
LLVM to be built into rust. That has occurred with this version.
- Tested out the build on aarch64 and riscv64 and confirmed that ruby built without
any problems with this version of rust.
- The update of rust required a range of updates of other rust crates plus the
inclusion of new crates and the pinning of some crates to older versions. This patch
set includes all the rust crate changes.
- The download-rust-crate script results in source tarballs that have a Cargo.toml.orig
file included in them. This is not allowed in the rust building so the rust-rand file
which is used as a template for the rust crate script has been modified to remove
this .orig file so that the build can complete.
- With this updated version of rust the clamav addon can also now be updated and so is
also included in this patch set.
- There are 29 rust crate changes.
- Changelog is too large to include here. Details can be found at
https://releases.rs/docs/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:17 +0000 (18:51 +0200)]
samba: Modification to disable cups for samba build and install
- As discussed at IPFire conf call on 7th Oct
- disable cups for the samba configure stage
- Update of rootfiles
- Update of samba.cgi to remove the printing of a printer share into the samba
configuration file.
- Tested out on vm system. Installed samba with only avahi, perl-Parse-Yapp, perl-JSON
and wsdd as dependencies. Installed without any problems. Existing share was able
to be accessed without any problems and a new share was created and was also able
to be accessed without problems.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:16 +0000 (18:51 +0200)]
perl-Imager: Removal of all tiff related lines in rootfile
- With removal of libtiff, the perl-Imager rootfile has to have tiff related lines
removed.
- perl-Imager works without the tiff lines in place. Only no tiff images will be able
to be processed by perl-Imager but that is not required for its use in IPFire.
- Tested out creating an OpenVPN connection with OTP enabled and the OTP QR code was
produced and able to be viewed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:15 +0000 (18:51 +0200)]
make.sh: All removed packages removed from make.sh
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:14 +0000 (18:51 +0200)]
qpdf: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:13 +0000 (18:51 +0200)]
poppler-data: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:12 +0000 (18:51 +0200)]
poppler: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:11 +0000 (18:51 +0200)]
openjpeg: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:10 +0000 (18:51 +0200)]
libtiff: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:09 +0000 (18:51 +0200)]
lcms2: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:08 +0000 (18:51 +0200)]
hplip: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:07 +0000 (18:51 +0200)]
gutenprint: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:06 +0000 (18:51 +0200)]
ghostscript: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:05 +0000 (18:51 +0200)]
foomatic: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:04 +0000 (18:51 +0200)]
epson-inkjet-printer-escpr: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:03 +0000 (18:51 +0200)]
cups-pdf: Removal of cups-pdf
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:02 +0000 (18:51 +0200)]
cups-filters: Removal of cups-filters
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:01 +0000 (18:51 +0200)]
cups: Removal of cups and associated packages
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 2 Jan 2025 16:29:26 +0000 (17:29 +0100)]
miniupnpc: revert the addition of this package due to transmission reversion
- As transmission has been reverted back to version 4.0.5 then miniupnpc is no longer
needed for building or runtime.
- This removes the minupnpc lfs and rootfile files. It also removes miniupnpc from
the make.sh file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 2 Jan 2025 16:29:25 +0000 (17:29 +0100)]
transmission: revert version back to 4.0.5
- Revert back from 4.0.6 to 4.0.5 due to a bug in 4.0.6 that has resulted in a variety
of torrent mirrors banning transmission-4.0.6
- The update from 4.0.5 to 4.0.6 did not have any security fixes in it so there is no
issue in moving backward to 4.0.5
- A fix has been created but it is unclear when (and if) version 4.0.7 will be released.
The fix has also been included in version 4.1.0 but this is still in beta development
form.
- Version 4.0.6 required minupnpc for building and run time. This reversion is also
removing miniupnpc in an associated patch in this patch set.
- No change required in the rootfile.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 27 Dec 2024 09:10:00 +0000 (09:10 +0000)]
Tor: Update to 0.4.8.13
Full changelog according to
https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.13/ChangeLog :
Changes in version 0.4.8.13 - 2024-10-24
This is minor release fixing an important client circuit building (Conflux
related) bug which lead to performance degradation and extra load on the
network. Some minor memory leaks fixes as well as an important minor feature
for pluggable transports. We strongly recommend to update as soon as possible
for clients in order to neutralize this conflux bug.
o Major bugfixes (circuit building):
- Conflux circuit building was ignoring the "predicted ports"
feature, which aims to make Tor stop building circuits if there
have been no user requests lately. This bug led to every idle Tor
on the network building and discarding circuits every 30 seconds,
which added overall load to the network, used bandwidth and
battery from clients that weren't actively using their Tor, and
kept sockets open on guards which added connection padding
essentially forever. Fixes bug 40981; bugfix on 0.4.8.1-alpha;
o Minor feature (bridges, pluggable transport):
- Add STATUS TYPE=version handler for Pluggable Transport. This
allows us to gather version statistics on Pluggable Transport
usage from bridge servers on our metrics portal. Closes
ticket 11101.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on October 24, 2024.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2024/10/24.
o Minor bugfixes (memleak, authority):
- Fix a small memleak when computing a new consensus. This only
affects directory authorities. Fixes bug 40966; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (memory):
- Fix memory leaks of the CPU worker code during shutdown. Fixes bug
833; bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Dec 2024 10:04:05 +0000 (11:04 +0100)]
backup.pl: Fix Bug13799 - addon restore not working
- This fixes the existence check for the addon .ipf file from a check of existence
of a directory to a check of existence of a file.
Suggested-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Fixes: Bug13799 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sat, 21 Dec 2024 10:54:42 +0000 (10:54 +0000)]
make.sh: Explicitely check the source tarballs
The Makefiles do not automatically perform the check that I expected
them to perform when running a build. They check if the source tarballs
are all present, but they don't check whether they match the checksum.
This is only being done when "./make.sh downloadsrc" is being run.
In case of the automated builds, we explicitely run "./make.sh
downloadsrc", so I don't think that this might have introduced any
malicious source into the published builds.
Reported-by: Stephen Cuka <stephen@firemypi.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Dec 2024 11:40:02 +0000 (12:40 +0100)]
libyajl: Removal of addon as no longer required by libvirt
- libyajl is no longer being used by libvirt. libvirt now uses json-c which is a core
package in IPFire. libyajl was stopped being used as it had not been updated and
is considered effectively dead upstream.
- lfs, rootfile and libyajl entry in make.sh removed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 20 Dec 2024 11:40:01 +0000 (12:40 +0100)]
libvirt: Update to version 10.10.0
- Update from version 10.7.0 to 10.10.0
- Update of rootfile
- version 10.7.0 had a change in it which meant that the script friendly output of
``virsh list --uuid`` was replaced. This change was reverted in version 10.8.0
- In version 10.8.0 libyajl was replaced by json-c for JSON parsing and formatting.
Therefore this patch set also removes libyajl from IPFire as it is no longer
required.
- Changelog
10.10.0
New features
* qemu: add multi boot device support on s390x
For classical mainframe guests (i.e. LPAR or z/VM installations), you
always have to explicitly specify the disk where you want to boot from (or
"IPL" from, in s390x-speak -- IPL means "Initial Program Load").
In the past QEMU only used the first device in the boot order to IPL from.
With the new multi boot device support on s390x that is available with QEMU
version 9.2 and newer, this limitation is lifted. If the IPL fails for the
first device with the lowest boot index, the device with the second lowest
boot index will be tried and so on until IPL is successful or there are no
remaining boot devices to try.
Limitation: The s390x BIOS will try to IPL up to 8 total devices, any
number of which may be disks or network devices.
* qemu: Add support for versioned CPU models
Updates to QEMU CPU models with -vN suffix can now be used in libvirt just
like any other CPU model.
* qemu: Support for the 'data-file' QCOW2 image feature
The QEMU hypervisor driver now supports QCOW2 images with 'data-file'
feature present (both when probing form the image itself and when specified
explicitly via ``<dataStore>`` element). This can be useful when it's
required to keep data "raw" on disk, but the use case requires features
of the QCOW2 format such as incremental backups.
* swtpm: Add support for profiles
Upcoming swtpm release will have TPM profile support that allows to
restrict a TPM's provided set of crypto algorithms and commands. Users can
now select profile by using ``<profile/>`` in their TPM XML definition.
Improvements
* qemu: Support UEFI NVRAM images on block storage
Libvirt now allows users to use block storage as backend for UEFI NVRAM
images and allows them to be in format different than the template. When
qcow2 is used as the format, the images are now also auto-populated from the
template.
* qemu: Automatically add IOMMU when needed
When domain of 'qemu' or 'kvm' type has more than 255 vCPUs IOMMU with EIM
mode is required. Starting with this release libvirt automatically adds one
(or turns on the EIM mode if there's IOMMU without it).
* ch: allow hostdevs in domain definition
The Cloud Hypervisor driver (ch) now supports ``<hostdev/>``-s.
* ch: Enable callbacks for ch domain events
The Cloud Hypervisor driver (ch) now supports emitting events on domain
define, undefine, start, boot, stop and destroy.
Bug fixes
* qemu: Fix reversion and inactive deletion of internal snapshots with UEFI
NVRAM. In `v10.9.0 (2024-11-01)`_ creation of internal snapshots of VMs
with UEFI firmware was allowed, but certain operations such as reversion
or inactive deletion didn't work properly as they didn't consider the
NVRAM qcow2 file.
* virnetdevopenvswitch: Warn on unsupported QoS settings
For OpenVSwitch vNICs libivrt does not set QoS directly using 'tc' but
offloads setting to OVS. But OVS is not as feature full as libvirt in this
regard and setting different 'peak' than 'average' results in vNIC always
sticking with 'peak'. Produce a warning if that's the case.
10.9.0
New features
* qemu: zero block detection for non-shared-storage migration
Users can now request that all-zero blocks are not transferred when migrating
non-shared disk data without actually enabling zero detection on the disk
itself. This allows sparsifying images during migration where the source
has no access to the allocation state of blocks at the cost of CPU overhead.
This feature is available via the ``--migrate-disks-detect-zeroes`` option
for ``virsh migrate`` or ``VIR_MIGRATE_PARAM_MIGRATE_DISKS_DETECT_ZEROES``
migration parameter. See the documentation for caveats.
Improvements
* qemu: internal snapshot improvements
The qemu internal snapshot handling code was updated to use modern commands
which avoid the problems the old ones had, preventing use of internal
snapshots on VMs with UEFI NVRAM. Internal snapshots of VMs using UEFI are
now possible provided that the NVRAM is in ``qcow2`` format.
The new code also allows better control when deleting snapshots. To prevent
possible regressions no strict checking is done, but in case inconsistent
state is encountered a log message is added::
warning : qemuSnapshotActiveInternalDeleteGetDevices:3841 : inconsistent
internal snapshot state (deletion): VM='snap' snapshot='1727959843'
missing='vda ' unexpected='' extra=''
Users are encouraged to report any occurence of the above message along
with steps they took to the upstream tracker.
* qemu: improve documentation of image format settings
The documentation of the various ``*_image_format`` settings in ``qemu.conf``
imply they can only be used to control compression of the image. The
documentation has been improved to clarify the settings describe the
representation of guest memory blocks on disk, which includes compression
among other possible layouts.
* Report CPU model blockers in domain capabilities
When a CPU model is reported as usable='no' an additional
``<blockers model='...'>`` element is added for that CPU model listing
features required by the CPU model, but not supported on the host.
10.8.0
Improvements
* network: make networks with ``<forward mode='open'/>`` more useful
It is now permissable to have a ``<forward mode='open'>`` network that
has no IP address assigned to the host's port of the bridge. This
is the only way to create a libvirt network where guests are
unreachable from the host (and vice versa) and also 0 firewall
rules are added on the host.
It is now also possible for a ``<forward mode='open'/>`` network to
use the ``zone`` attribute of ``<bridge>`` to set the firewalld zone of
the bridge interface (normally it would not be set, as is done
with other forward modes).
* storage: Lessen dependancy on the ``showmount`` program
Libvirt now automatically detects presence of ``showmount`` during runtime
as we do with other helper programs and also the
``daemon-driver-storage-core`` RPM package now doesn't strongly depend on it
if the users wish for a more minimal deployment.
* Switch from YAJL to json-c for JSON parsing and formatting
The parser and formatter in the libvirt library, as well
as the parsers in the nss plugin were rewritten to use json-c
instead of YAJL, which is effectively dead upstream.
* Relax restrictions for memorytune settings
It should now be possible to use resctrl on AMD CPUs as well as Intel CPUs
when the resctrl filesystem is mounted with ``mba_MBps`` option.
Bug fixes
* virsh: Fix script-friedly output of ``virsh list --uuid``
The script-friendly output of just 1 UUID per line was mistakenly replaced
by the full human-targetted table view full of redundant information
and very hard to parse. Users who wish to see the UUIDs in the tabular
output need to use ``virsh list --table --uuid`` as old behaviour was
reverted.
Note that this also broke the ``libvirt-guests`` script. The bug was
introduced in `v10.7.0 (2024-09-02)`_.
* network/qemu: fix some cases where ``device-update`` of a network
interface was failing:
* If the interface was connected to a libvirt network that was
providing a pool of VFs to be used with macvtap passthrough
mode, then *any* update to the interface would fail, even
changing the link state. Updating (the updateable parts of) a
macvtap passthrough interface will now succeed.
* It previously was not possible to move an interface from a Linux
host bridge to an OVS bridge. This (and the opposite direction)
now works.
* qemu: backup: Fix possible crashes when running monitoring commands during
backup job The qemu monitor code was fixed to not crash in specific cases
when monitoing APIs are called during a backup job.
* Fix various memleaks and overflows
Multiple memory leaks and overflows in corner cases were fixed based on
upstream issues reported.
* network: Better cleanup after disappeared networks
If a network disappeared while virtnetworkd was not running not all clean up
was done properly once the daemon was started, especially when only the
network interface disappeared. This could have in some cases resulted in
the network being shown as inactive, but not being able to start.
* qemu: Remember memory backing directory for domains
If ``memory_backing_dir`` is changed during the lifetime of a domain with
file backed memory, files in the old directory would not be cleaned up once
the domain is shut down. Now the directory that was used during startup is
remembered for each running domain.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Robin Roevens [Tue, 5 Nov 2024 22:36:18 +0000 (23:36 +0100)]
zabbix_agentd: Add IPS throughput and guardian blocked IP count items
- Adds Zabbix Agent userparameter `ipfire.ips.throughput.get` for the agent to get details about IPS throughput bypassed/scanned/whitelisted in bytes (JSON)
- Adds Zabbix Agent userparameter `ipfire.guardian.blocked.count` for the agent to get the number of currently blocked IP's by Addon: Guardian.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 14 Dec 2024 12:49:04 +0000 (13:49 +0100)]
fr.pl: Update to French translations for the optionsfw.cgi page
Reported-by: Phil SCAR <p27m@orange.fr> Fixes: Bug13800 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Matthias Fischer [Wed, 11 Dec 2024 16:33:21 +0000 (17:33 +0100)]
monit: Update to 5.34.3
For details see:
https://mmonit.com/monit/changes/
"Fixed: If the ping statement did not explicitly specify an outgoing
address but a previous ping statement did, the same address was
shared by both statements.
Fixed: Monit may crash upon stopping if the ping statement is used
in conjunction with the address option.
Fixed: If a directory is set in the allow option of the set httpd
statement, instead of a file or string, Monit hangs on startup."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 11 Dec 2024 11:51:44 +0000 (12:51 +0100)]
en.pl: Update the wording for the check on the CA Name for upload
- This changes the wording to allowing characters and spaces.
Fixes: Bug10595 part 2 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 11 Dec 2024 11:51:43 +0000 (12:51 +0100)]
vpnmain.cgi: Fix for 2nd part of bug10595
- Bug10595 had two parts in it and was closed after the first part was fixed. The second
part was still unfixed at that time. I cam across it when checking out an open bug on
a similar issue with OpenVPN.
- I found the section that checks on the CA Name and modified it to also allow spaces.
- Having modified that then the subroutines getsubjectfromcert and getCNfromcert required
to have quotation marks put around the parameter that had the CA Name with spaces in it
otherwise the openssl statement only got a filename with the first portion of the ca
name until the first space was encountered.
- Tested this change out on my vm and it worked fine. I was able to upload a ca
certificate into IPSec and use spaces in the CA Name.
Fixes: Bug10595 part 2 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 10 Dec 2024 14:11:21 +0000 (15:11 +0100)]
samba: Update to version 4.21.2
- Update from version 4.21.0 to 4.21.2
- Update of the rootfiles for x86_64, aarch64 & riscv64
- Version 4.21.0 mentioned that LDB is no longer available to build as a distinct
tarball. However version 4.21.0 previously built without any problem so it looks like
it was still available. Now with version 4.21.2 the lmdb package needs to be available
or you have to disable all ldb options. As these options were uncommented in the
previous versions of samba, it looks like they are intended to be present. To make
this version support in the same way the lmdb package had to be moved so it was built
before samba is built. Hence the shift of lmdb in make.sh
- Changelog
4.21.2
* BUG 15732: smbd fails to correctly check sharemode against OVERWRITE
dispositions.
* BUG 15754: Panic in close_directory.
* BUG 15752: winexe no longer works with samba 4.21.
* BUG 14356: protocol error - Unclear debug message "pad length mismatch" for
invalid bind packet.
* BUG 15425: NetrGetLogonCapabilities QueryLevel 2 needs to be implemented.
* BUG 15740: gss_accept_sec_context() from Heimdal does not imply
GSS_C_MUTUAL_FLAG with GSS_C_DCE_STYLE.
* BUG 15749: winbindd should call process_set_title() for locator child.
* BUG 15320: Update CTDB to track all TCP connections to public IP addresses.
4.21.1
* BUG 15624: DH reconnect error handling can lead to stale sharemode entries.
* BUG 15695: "inherit permissions = yes" triggers assert() in vfs_default
when creating a stream.
* BUG 15715: Samba 4.21.0 broke FreeIPA domain member integration.
* BUG 15692: Missing conversion for msDS-UserTGTLifetime, msDS-
ComputerTGTLifetime and msDS-ServiceTGTLifetime on "samba-tool
domain auth policy modify".
* BUG 15280: irpc_destructor may crash during shutdown.
* BUG 15624: DH reconnect error handling can lead to stale sharemode entries.
* BUG 15649: Durable handle is not granted when a previous OPEN exists with
NoOplock.
* BUG 15651: Durable handle is granted but reconnect fails.
* BUG 15708: Disconnected durable handles with RH lease should not be purged
by a new non conflicting open.
* BUG 15714: net ads testjoin and other commands use the wrong secrets.tdb in
a cluster.
* BUG 15726: 4.21 using --with-system-mitkrb5 requires MIT krb5 1.16 as rfc
8009 etypes are used.
* BUG 15730: VFS_OPEN_HOW_WITH_BACKUP_INTENT breaks shadow_copy2.
* BUG 15643: Samba 4.20.0 DLZ module crashes BIND on startup.
* BUG 15721: Cannot build libldb lmdb backend on a build without AD DC.
* BUG 15706: Consistent log level for sighup handler.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 10 Dec 2024 13:23:55 +0000 (14:23 +0100)]
suricata.yaml: Fix bug13646 - Adjust the include syntax to use array format
- Suricata-8.x will only accept include statements in array format and not in multiple
single lines. Suricata-7.x still accepts the multiple single lines but flags up that
the format is deprecated and will be removed in suricata-8.x
- This patch adjusts the address-groups include into the array format.
- This change has been tested out on my vm and the IPS started up and from the logs you
can see that all the include files were taken on board and the derprecation message
is no longer shown.
- This change can be implemented with Suricata-7.x and will make sure that IPFire has
the include syntax that Suricata-8.x will require.
Fixes: Bug13646 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 9 Dec 2024 11:42:51 +0000 (12:42 +0100)]
update.sh: Remove the lines related to FEODO_RECOMMENDED
- This removes the lines related to removing any time entries in the modified file for
FEODO_RECOMMENDED.
- This also removes the lines realted to removing the blocklists for the
FEODO_RECOMMENDED sources from the /var/lib/ipblocklist directory.
- This patch will ensure that FEODO_RECOMMENDED stays in place if it was being used.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 9 Dec 2024 11:42:50 +0000 (12:42 +0100)]
sources: Replacement of Feodo Recommended Tracker list to ipblocklist sources file
- FEODO_RECOMMENDED list is still being updated but the number of events can be very
low. However as it is still active then it has been added back in as discussed in
the Dev Conf Call on Nov 4th.
- FEODO_IP list covers any IP that has been detected as a botnet in the last 30 days.
This could lead to false positives if the botnet has been fixed within one day of
being detected. So it was agreed that this list would stay removed.
- FEODO_AGGRESSIVE list contains all IP's that havce ever been detected as botnets since
the list was started. It is not intended to be used for blocking as it would have a
huge false positive effect. This list will also stay removed as it should not have
been included originally.
- This patch set adds back in the FEODO_RECOMMENDED list into the sources file and in the
associated patch for the update.sh file removes the lines that removed the files
related to FEODO_RECOMMENDED.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 3460100 to 3470200
- Update of rootfile not required
- Changelog 3470200
Fix a problem in text-to-floating-point conversion for SQLite that can cause
values between '1.8446744073709550592eNNN' and '1.8446744073709551609eNNN'
for any exponent NNN to be rendered incorrectly. In other words, some numeric
text values where the first 16 significant digits are '1844674407370955'
might be converted into the wrong floating-point value. See forum thread 569a7209179a7f5e. This problem only arises on x64 and i386 hardware. The
problem was introduced in 3.47.0.
Other minor bug fixes. 3470100
Fix the makefiles so that they once again honored DESTDIR for the "install"
target.
Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around issues
on some non-standard VFSes caused by making SQLITE_DIRECT_OVERFLOW_READ the
default in version 3.45.0.
Fix problems with line endings in the new sqlite3_rsync.exe utility on Windows.
Fix incorrect answers to certain obscure IN queries caused by new query
optimizations added in the 3.47.0 release.
Other minor bug fixes. 3470000
Allow arbitrary expressions in the second argument to the RAISE function.
If the RHS of the ->> operator is negative, then access array elements counting
from the right.
Fix a problem with rolling back hot journal files in the seldom-used
unix-dotfile VFS.
FTS5 tables can now be dropped even if they use a non-standard tokenizer that
has not been registered.
Fix the group_concat() aggregate function so that it returns an empty string,
not a NULL, if it receives a single input value which is an empty string.
Enhance the generate_series() table-valued function so that it is able to
recognize and use constraints on its output value.
Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN has
a non-null default value.
Performance optimizations:
Improved reuse of subqueries associated with the IN operator, especially
when the IN operator has been duplicated due to predicate push-down.
Use a Bloom filter on subqueries on the right-hand side of the IN operator,
in cases where that seems likely to improve performance.
Ensure that queries like "SELECT func(a) FROM tab GROUP BY 1" only invoke
the func() function once per row.
No attempt is made to create automatic indexes on a column that is known to
be non-selective because of its use in other indexes that have been
analyzed.
Adjustments to the query planner so that it produces better plans for star
queries with a large number of dimension tables.
Add the "order-by-subquery" optimization, that seeks to disable sort
operations in outer queries if the desired order is obtained naturally due
to ORDER BY clauses in subqueries.
The "indexed-subtype-expr" optimization strives to use expressions that are
part of an index rather than recomputing the expression based on table
values, as long as the query planner can prove that the subtype of the
expression will never be used.
Miscellaneous coding tweaks for faster runtimes.
Enhancements to SQLite-related command-line programs:
Add the experimental sqlite3_rsync program.
Add extension functions median(), percentile(), percentile_cont(), and
percentile_disc() to the CLI.
Add the .www dot-command to the CLI.
The sqlite3_analyzer utility now provides a break-out of statistics for
WITHOUT ROWID tables.
The sqldiff utility avoids creating an empty database if its second
argument does not exist.
Enhance the sqlite_dbpage table-valued function such that INSERT can be used to
increase or decrease the size of the database file.
SQLite no longer makes any use of the "long double" data type, as hardware
support for long double is becoming less common and long double creates
challenges for some compiler tool chains. Instead, SQLite uses Dekker's
algorithm when extended precision is needed.
The TCL Interface for SQLite supports TCL9. Everything probably still works for
TCL 8.5 and later, though this is not guaranteed. Users are encouraged to
upgrade to TCL9.
JavaScript/WASM:
Fix a corruption-causing bug in the JavaScript "opfs" VFS.
Correct "mode=ro" handling for the "opfs" VFS.
Work around a couple of browser-specific OPFS quirks.
FTS5 Changes:
Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom
locale-aware tokenizers and fts5 tables that may take advantage of them.
Add the contentless_unindexed=1 option, for creating contentless fts5
tables that store the values of any UNINDEXED columns persistently in the
database.
Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose
implementation is not available.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 6 Dec 2024 16:44:14 +0000 (16:44 +0000)]
connections.cgi: Fix colour of destination country
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 6 Dec 2024 16:42:17 +0000 (16:42 +0000)]
initscripts: readhash: Fix handling = signs
The function expected that a line only contains exactly one equals sign
(=) which is not fit for purpose. In the WireGuard code we hold key
material that is encoded in base64 and therefore contains padding that
uses =.
This patch fixes that we expect exactly one equals sign immediately
after the key and we will then accept more = in the value - which was
already permitted.
Furthermore, this patch fixes the splitting if the key and value at the
first =.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
