Adolf Belka [Thu, 3 Mar 2022 11:40:01 +0000 (12:40 +0100)]
aws-cli: Update to version 1.22.64
- Update from 1.18.188 to 1.22.64
- Update of rootfile
- Ran aws in shell and got help response so it is working in principle
- Changelog is too large, with nearly 1700 lines, to include here as there appears to be
a new release nearly every day. so there are a huge number of releases between 1.18.188
from Dec 2nd 2020 to 1.22.64 from Feb 28 2022. It appears that only at weekends no
releases are done. Full changelog can be viewed at
https://github.com/aws/aws-cli/blob/develop/CHANGELOG.rst
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 28 Feb 2022 21:10:42 +0000 (22:10 +0100)]
ntfs-3g: Update to version 2021.8.22
- Update from 2017.3.23 to 2021.8.22
- Update of rootfile
- Added link to mkfs.ntfs in lfs to provide the binary in sbin as the new package places it
in usr/sbin
- Ran find-dependencies and no problems flagged up.
- Changelog
Stable Version 2021.8.22 (August 30, 2021)
Fixed compile error when building with libfuse < 2.8.0
Fixed obsolete macros in configure.ac
Signalled support of UTIME_OMIT to external libfuse2
Fixed an improper macro usage in ntfscp.c
Updated the repository change in the README
Fixed vulnerability threats caused by maliciously tampered NTFS partitions
Stable Version 2017.3.23AR.6 (February 1, 2021)
Used kernel cacheing on read-only mounts or with lowntfs-3g
Avoided information leak when processing garbled compressed data
Defined option posix_nlink to compute a Posix compliant st_nlink
Recovered space when an index root is shortened
Replaced ENODATA with ENOATTR in xattrs functions for macOS
Added support for 'position' argument in macOS xattr functions
Changed default xattr access method to 'openxattr' for macOS builds
Allowed redefining the target location of the ntfsprogs tools
Fixed updating the allocated size when attribute lies in an extent
Enabled actions on directories in reparse plugins
Inserted the reparse tag in the bad reparse symlink
Supported use of WSL special files
Dropped rejecting having both EA and reparse data
Enabled Creating special files the same way as WSL
Checked the locations of MFT and MFTMirr at startup
Stable Version 2017.3.23AR.5 (April 1, 2020)
Processed the request argument of ioctl() as unsigned
Accepted alternative recording of cluster size
Fixed a poorly sized string in ntfsinfo
Fixed ntfsfallocate on a void file
Decoded execlink reparse points
Fixed object type returned in readdir() for reparse points
Exported the translations of Windows paths to current ones
Stable Version 2017.3.23AR.4 (March 1, 2019)
Fixed reporting an error when failed to build the mountpoint
Reverted accessing reparse directory through internal plugins
Cleaned object ids beyond the updated part
Fixed reacting to missing plugin
Returned a low level error when an ioctl fails
Truncated SSD trimming zones to granularity supported by the device
Stable Version 2017.3.23AR.3 (September 1, 2018)
Made sure log file buffers are properly aligned
Made reparse directories visible through internal plugins
Added an option to ntfscp to copy the modification time
Renamed undeleted files to avoid overwriting existing ones
Extended the allowed cluster size to 2MB
Allocated full clusters for reading and rescuing in ntfsclone
Prevented locally defined headers from interfering with ntfs-3g ones
Attempted mounting read-only after failed permission to read-write
Fixed collecting the label argument in mkntfs
Stable Version 2017.3.23AR.2 (March 1, 2018)
Made sure log file buffers are properly aligned
Checked log file blocks more recent than temporary ones
Processed redo log actions associated to undoing a CompensationlogRecord
Allowed setting a file object id without defining its birth ids
Documented read-only mount when Windows is hibernated
Stopped checking matches of MFTMirr against MFT at record 16
Filtered out reparse flags for selecting plugins
Delayed updating the MFT runlist when resizing in read-only mode
Double-checked whether record 15 is an extent of MFT
Checked whether the device to mount was forced read-only
Stable Version 2017.3.23AR.1 (October 1, 2017)
Bypassed cluster allocation errors using --ignore-fs-check in ntfsclone
Upgraded ntfsrecover to support log files for Windows 10
Fixed the computation of highest_vcn when applying a runlist fixup
Fixed updating the vcn of subtree in ntfsrecover
Relaxed checks on security descriptors
Enabled directory operations in plugins
Decoded more reparse tags in ntfsinfo
Logged falling back to mounting read-only
Fixed compiling on MacOSX (Erik Larsson)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 28 Feb 2022 21:10:29 +0000 (22:10 +0100)]
libdnet: Update to version 1.14
- Update from 1.11 (2005) to 1.14 (2020)
- Update of rootfile
- find-dependencies run and no problems flagged
- Package was originally provided by Dug Song in source forge and with a github repository
No response was received from Dug Song to requests for updates and fixes so Oliver Falk
forked the repository and has been working on it and now the Dug Song repository is no
longer present and the old repoistory url redirects to the new ofalk repository
https://github.com/ofalk/libdnet
- Issues raised in this new repository are being actively responded to
- Changelog comment is
Finally release 1.14 with latest fixes included.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 28 Feb 2022 21:09:56 +0000 (22:09 +0100)]
harfbuzz: Update to version 3.4.0
- Update from 3.1.2 to 3.4.0
- Update of rootfile
- Changelog
3.4.0
Perform sanity checks on shaping results is now part of “harfbuzz” library and can be enabled by setting the buffer flag HB_BUFFER_FLAG_VERIFY. (Behdad Esfahbod)
Arabic Mark Transient Reordering Algorithm have been updated to revision 6. (Khaled Hosny)
ISO 15924 code for mathematical notation, ‘Zmth’, now maps to the OpenType ‘math’ tag. (Alexis King)
It is now possible to get at once all math kerning values for a given glyph at a given corner. (Alexis King)
Fix locale_t portability issues on systems the typedef’s it to a void pointer. (Behdad Esfahbod)
New API:
+HB_BUFFER_FLAG_VERIFY
+HB_OT_TAG_MATH_SCRIPT
+HB_SCRIPT_MATH
+hb_ot_math_kern_entry_t
+hb_ot_math_get_glyph_kernings
Deprecated API
+HB_OT_MATH_SCRIPT
3.3.2
Revert splitting of pair positioning values introduced in 3.3.0 as it proved problematic. (Behdad Esfahbod)
3.3.1
Fix heap-use-after-free in harfbuzz-subset introduced in previous release. (Garret Rieger)
3.3.0
Improved documentation. (Matthias Clasen)
Internal code cleanup, using C++ standard library more. (Behdad Esfahbod)
The low 16-bits of face index will be used by hb_face_create() to select a face inside a font collection file format, while the high 16-bits will be used by hb_font_create() to load the named instance. (Behdad Esfahbod)
Glyph positions and other font metrics now apply synthetic slant set by hb_font_set_synthetic_slant(), for improved positioning for synthetically slanted fonts. (Behdad Esfahbod)
Fixed unintentional locale dependency in hb_variation_to_string() for decimal point representation. (Matthias Clasen)
When applying pair positioning (kerning) the positioning value is split between the two sides of the pair for improved cursor positioning between such pairs. (Behdad Esfahbod)
Introduced new HB_GLYPH_FLAG_UNSAFE_TO_CONCAT, to be used in conjunction with HB_GLYPH_FLAG_UNSAFE_TO_BREAK for optimizing re-shaping during line breaking. Check the documentation for further details. (Behdad Esfahbod)
Improved handling of macrolanguages when mapping BCP 47 codes to OpenType tags. (David Corbett)
New API:
+HB_GLYPH_FLAG_UNSAFE_TO_CONCAT
+hb_segment_properties_overlay()
+hb_buffer_create_similar()
+hb_font_set_synthetic_slant()
+hb_font_get_synthetic_slant()
+hb_font_get_var_coords_design()
3.2.0
harfbuzz library improvements:
Fixed shaping of Apple Color Emoji flags in right-to-left context. (Behdad Esfahbod)
Fixed positioning of CFF fonts in HB_TINY profile. (Behdad Esfahbod)
OpenType 1.9 language tags update. (David Corbett)
Add HB_NO_VERTICAL config option. (Behdad Esfahbod)
Add HB_CONFIG_OVERRIDE_H for easier configuration. (Behdad Esfahbod)
harfbuzz-subset library improvements:
Improved packing of cmap, loca, and Ligature tables. (Garret Rieger)
Significantly improved overflow-resolution strategy in the repacker. (Garret Rieger)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Feb 2022 13:53:17 +0000 (14:53 +0100)]
wireless-regdb: Update to version 2022.02.18
- Update from 2020.11.20 to 2022.02.18
- Update of rootfile not required
- Changelog
There is no changelog provided for this file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3370200 to 3380000
- Update of rootfile not required
- Changelog
SQLite Release 3.38.0 On 2022-02-22
Added the -> and ->> operators for easier processing of JSON. The new operators are
compatible with MySQL and PostgreSQL.
The JSON functions are now built-ins. It is no longer necessary to use the
-DSQLITE_ENABLE_JSON1 compile-time option to enable JSON support. JSON is on by
default. Disable the JSON interface using the new -DSQLITE_OMIT_JSON compile-time
option.
Enhancements to date and time functions:
Added the unixepoch() function.
Added the auto modifier and the julianday modifier.
Rename the printf() SQL function to format() for better compatibility. The original
printf() name is retained as an alias for backwards compatibility.
Added the sqlite3_error_offset() interface, which can sometimes help to localize an
SQL error to a specific character in the input SQL text, so that applications can
provide better error messages.
Enhanced the interface to virtual tables as follows:
Added the sqlite3_vtab_distinct() interface.
Added the sqlite3_vtab_rhs_value() interface.
Added new operator types SQLITE_INDEX_CONSTRAINT_LIMIT and
SQLITE_INDEX_CONSTRAINT_OFFSET.
Added the sqlite3_vtab_in() interface (and related) to enable a virtual table to
process IN operator constraints all at once, rather than processing each value of
the right-hand side of the IN operator separately.
CLI enhancements:
Columnar output modes are enhanced to correctly handle tabs and newlines embedded
in text.
Added options like "--wrap N", "--wordwrap on", and "--quote" to the columnar
output modes.
Added the .mode qbox alias.
The .import command automatically disambiguates column names.
Use the new sqlite3_error_offset() interface to provide better error messages.
Query planner enhancements:
Use a Bloom filter to speed up large analytic queries.
Use a balanced merge tree to evaluate UNION or UNION ALL compound SELECT
statements that have an ORDER BY clause.
The ALTER TABLE statement is changed to silently ignores entries in the sqlite_schema
table that do not parse when PRAGMA writable_schema=ON.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Feb 2022 13:52:50 +0000 (14:52 +0100)]
openssh: Update to version 8.9p1
- Update from 8.8p1 to 8.9p1
- Update of rootfile not required
- Changelog
OpenSSH 8.9 was released on 2022-02-23. It is available from the
mirrors listed at https://www.openssh.com/.
OpenSSH is a 100% complete SSH protocol 2.0 implementation and
includes sftp client and server support.
Future deprecation notice
A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.
Security Near Miss
* sshd(8): fix an integer overflow in the user authentication path
that, in conjunction with other logic errors, could have yielded
unauthenticated access under difficult to exploit conditions.
This situation is not exploitable because of independent checks in
the privilege separation monitor. Privilege separation has been
enabled by default in since openssh-3.2.2 (released in 2002) and
has been mandatory since openssh-7.5 (released in 2017). Moreover,
portable OpenSSH has used toolchain features available in most
modern compilers to abort on signed integer overflow since
openssh-6.5 (released in 2014).
Thanks to Malcolm Stagg for finding and reporting this bug.
Potentially-incompatible changes
* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.
* This release modifies the FIDO security key middleware interface
and increments SSH_SK_VERSION_MAJOR.
Changes since OpenSSH 8.8
This release includes a number of new features.
New features
* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)
A detailed description of the feature is available at
https://www.openssh.com/agent-restrict.html and the protocol
extensions are documented in the PROTOCOL and PROTOCOL.agent
files in the source release.
* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.
* ssh-keygen(1): when downloading resident keys from a FIDO token,
pass back the user ID that was used when the key was created and
append it to the filename the key is written to (if it is not the
default). Avoids keys being clobbered if the user created multiple
resident keys with the same application string but different user
IDs.
* ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys
on tokens that provide user verification (UV) on the device itself,
including biometric keys, avoiding unnecessary PIN prompts.
* ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to
perform matching of principals names against an allowed signers
file. To be used towards a TOFU model for SSH signatures in git.
* ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added
to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at
authentication time.
* ssh-keygen(1): allow selection of hash at sshsig signing time
(either sha512 (default) or sha256).
* ssh(1), sshd(8): read network data directly to the packet input
buffer instead of indirectly via a small stack buffer. Provides a
modest performance improvement.
* ssh(1), sshd(8): read data directly to the channel input buffer,
providing a similar modest performance improvement.
* ssh(1): extend the PubkeyAuthentication configuration directive to
accept yes|no|unbound|host-bound to allow control over one of the
protocol extensions used to implement agent-restricted keys.
Bugfixes
* sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and
PubkeyAuthOptions can be used in a Match block. PR277.
* sshd(8): fix possible string truncation when constructing paths to
.rhosts/.shosts files with very long user home directory names.
* ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
exchange hashes
* ssh(1): don't put the TTY into raw mode when SessionType=none,
avoids ^C being unable to kill such a session. bz3360
* scp(1): fix some corner-case bugs in SFTP-mode handling of
~-prefixed paths.
* ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to
select RSA keys when only RSA/SHA2 signature algorithms are
configured (this is the default case). Previously RSA keys were
not being considered in the default case.
* ssh-keysign(1): make ssh-keysign use the requested signature
algorithm and not the default for the key type. Part of unbreaking
hostbased auth for RSA/SHA2 keys.
* ssh(1): stricter UpdateHostkey signature verification logic on
the client- side. Require RSA/SHA2 signatures for RSA hostkeys
except when RSA/SHA1 was explicitly negotiated during initial
KEX; bz3375
* ssh(1), sshd(8): fix signature algorithm selection logic for
UpdateHostkeys on the server side. The previous code tried to
prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
cases. This will use RSA/SHA2 signatures for RSA keys if the
client proposed these algorithms in initial KEX. bz3375
* All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1)
and sftp-server(8), as well as the sshd(8) listen loop and all
other FD read/writability checks. On platforms with missing or
broken poll(2)/ppoll(2) syscalls a select(2)-based compat shim is
available.
* ssh-keygen(1): the "-Y find-principals" command was verifying key
validity when using ca certs but not with simple key lifetimes
within the allowed signers file.
* ssh-keygen(1): make sshsig verify-time argument parsing optional
* sshd(8): fix truncation in rhosts/shosts path construction.
* ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA
keys (we already did this for RSA keys). Avoids fatal errors for
PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B
"cryptoauthlib"; bz#3364
* ssh(1), ssh-agent(1): improve the testing of credentials against
inserted FIDO: ask the token whether a particular key belongs to
it in cases where the token supports on-token user-verification
(e.g. biometrics) rather than just assuming that it will accept it.
Will reduce spurious "Confirm user presence" notifications for key
handles that relate to FIDO keys that are not currently inserted in at
least some cases. bz3366
* ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to
allow for the preceding two ECN bits. bz#3373
* ssh-keygen(1): add missing -O option to usage() for the "-Y sign"
option.
* ssh-keygen(1): fix a NULL deref when using the find-principals
function, when matching an allowed_signers line that contains a
namespace restriction, but no restriction specified on the
command-line
* ssh-agent(1): fix memleak in process_extension(); oss-fuzz
issue #42719
* ssh(1): suppress "Connection to xxx closed" messages when LogLevel
is set to "error" or above. bz3378
* ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing
compressed packet data. bz3372
* scp(1): when recursively transferring files in SFTP mode, create the
destination directory if it doesn't already exist to match scp(1) in
legacy RCP mode behaviour.
* scp(1): many improvements in error message consistency between scp(1)
in SFTP mode vs legacy RCP mode.
* sshd(8): fix potential race in SIGTERM handling PR289
* ssh(1), ssh(8): since DSA keys are deprecated, move them to the
end of the default list of public keys so that they will be tried
last. PR295
* ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match
wildcard principals in allowed_signers files
Portability
* ssh(1), sshd(8): don't trust closefrom(2) on Linux. glibc's
implementation does not work in a chroot when the kernel does not
have close_range(2). It tries to read from /proc/self/fd and when
that fails dies with an assertion of sorts. Instead, call
close_range(2) directly from our compat code and fall back if
that fails. bz#3349,
* OS X poll(2) is broken; use compat replacement. For character-
special devices like /dev/null, Darwin's poll(2) returns POLLNVAL
when polled with POLLIN. Apparently this is Apple bug 3710161 -
not public but a websearch will find other OSS projects
rediscovering it periodically since it was first identified in
2005.
* Correct handling of exceptfds/POLLPRI in our select(2)-based
poll(2)/ppoll(2) compat implementation.
* Cygwin: correct checking of mbstowcs() return value.
* Add a basic SECURITY.md that refers people to the openssh.com
website.
* Enable additional compiler warnings and toolchain hardening flags,
including -Wbitwise-instead-of-logical, -Wmisleading-indentation,
-fzero-call-used-regs and -ftrivial-auto-var-init.
* HP/UX. Use compat getline(3) on HP-UX 10.x, where the libc version
is not reliable.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this chip is the successor of the rtl8189es look some boards has
silently switched to the new chip.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this chip is the successor of the rtl8189es look some boards has
silently switched to the new chip.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 5 Mar 2022 18:13:39 +0000 (19:13 +0100)]
optionsfw.cgi: Add default settings for newly added options.
If no settings for those features can be obtained from the settings
file, set them to the following defaults.
* DROPSPOOFEDMARTIAN -> on (yes)
* DROPHOSTILE -> off (no - because only fresh installed systems should
do this)
* LOGDROPCTINVALID -> on (yes)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 4 Mar 2022 10:29:23 +0000 (10:29 +0000)]
backup: Don't restore excluded files
Sometimes, we restore a backup that has been created earlier before
exclude files have been changed. To avoid overwriting those files, we
will consider the exlude list upon restore.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Thu, 3 Mar 2022 04:49:43 +0000 (05:49 +0100)]
update-ids-ruleset: Always drop the lock file if it has been created during runtime.
In some situations or if an error happened, the lock file could be
keep on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.
Now the script checks if it has created such a lock and release it when
the script exists.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The second version of this patch omits bogus directives for restarting a
service, which proxy-accounting is not.
Cc: Michael Tremer <michael.tremer@ipfire.org> Cc: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 5 Mar 2022 18:13:39 +0000 (19:13 +0100)]
optionsfw.cgi: Add default settings for newly added options.
If no settings for those features can be obtained from the settings
file, set them to the following defaults.
* DROPSPOOFEDMARTIAN -> on (yes)
* DROPHOSTILE -> off (no - because only fresh installed systems should
do this)
* LOGDROPCTINVALID -> on (yes)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 5 Mar 2022 15:27:17 +0000 (16:27 +0100)]
ids-functions.pl: Merge same named rulefiles during extract.
In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.
Now the content of those files will be merged by appending the content
to the first extracted one for each time.
Fixes #12792.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 5 Mar 2022 15:27:17 +0000 (16:27 +0100)]
ids-functions.pl: Merge same named rulefiles during extract.
In case a rulestarball contains several same-named rulefiles
they have been overwritten each time and so only contained the content
from the last extracted one.
Now the content of those files will be merged by appending the content
to the first extracted one for each time.
Fixes #12792.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Stefan Schantl [Sun, 27 Feb 2022 13:49:02 +0000 (14:49 +0100)]
rules.pl: Allow dynamic destory of loaded but unused ipset sets.
Instead of stupidly destroying all ipsets, we now grab the already loaded sets
and compare them with the loaded sets during runtime of the script.
So we are now able to determine which sets are not longer required and
safely can destroy (unload) at a later time.
This saves us from taking care about dropping/flushing rules which are
based on ipset before we can destroy them - because only unused sets are
affected.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Inspired-by: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 2 Mar 2022 21:01:57 +0000 (21:01 +0000)]
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
Please note that the certdata.txt file only appears to drop MD5
checksums in favour of SHA256, so there is no need in shipping
ca-certificates with the next Core Update.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Wed, 2 Mar 2022 21:12:54 +0000 (21:12 +0000)]
Tor: Update to 0.4.6.10
Full changelog as per https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.6.10 :
Changes in version 0.4.6.10 - 2022-02-04
This version contains minor bugfixes but one in particular is that relays
don't advertise onion service v2 support at the protocol version level.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on February 04, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/02/04.
o Minor bugfix (logging):
- Update a log notice dead URL to a working one. Fixes bug 40544;
bugfix on 0.3.5.1-alpha.
o Minor bugfix (relay):
- Remove the HSDir and HSIntro onion service v2 protocol versions so
relay stop advertising that they support them. Fixes bug 40509;
bugfix on 0.3.5.17.
o Minor bugfixes (MetricsPort, Prometheus):
- Add double quotes to the label values of the onion service
metrics. Fixes bug 40552; bugfix on 0.4.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Stefan Schantl [Thu, 3 Mar 2022 04:49:43 +0000 (05:49 +0100)]
update-ids-ruleset: Always drop the lock file if it has been created during runtime.
In some situations or if an error happened, the lock file could be
keep on the system. In such a case the IDS page would be locked forever
until user interaction or reboot of the system.
Now the script checks if it has created such a lock and release it when
the script exists.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Fri, 4 Mar 2022 10:29:23 +0000 (10:29 +0000)]
backup: Don't restore excluded files
Sometimes, we restore a backup that has been created earlier before
exclude files have been changed. To avoid overwriting those files, we
will consider the exlude list upon restore.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stéphane Pautrel [Tue, 22 Feb 2022 12:39:06 +0000 (12:39 +0000)]
fr: Update French translation
- 24 strings have been added (drop hostile and spoofed martians, fw red,
ids options and provider, pakfire update messages...)
- 3 strings have been inproved
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Feb 2022 12:51:32 +0000 (12:51 +0000)]
suricata: Fix check for level one cache line size
riscv64 does not return any value on our machine (maybe because it is
emulated?). "undefined" is however seen as a valid value, which makes
the build fail.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Feb 2022 12:51:30 +0000 (12:51 +0000)]
kernel: Add a basic configuration for riscv64
This kernel configuration is a copy of our kernel configuration for
x86_64 on which I ran "make olddefconfig" which will set any unknown
values to their defaults.
This exists so that we have some kernel (which I did not try to boot) to
complete the build process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Feb 2022 12:51:25 +0000 (12:51 +0000)]
gcc: Compile without ZSTD
GCC can use ZSTD to compress debugging/LTO information in binary
objects. However, on riscv64, compiling zstd requires libatomic which is
not available at this point.
In order to make the build work, we explicitely disable ZSTD in GCC and
build ZSTD after libatomic is available.
Although ZSTD offers great compression, we won't have any disadvantages
through this change since we do not ship any debugging information and
at this point in time to not use LTO.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 22 Feb 2022 12:51:24 +0000 (12:51 +0000)]
strip: Make this work when cross-compiling
The host might not have the correct tools to strip a foreign
architecture, therefore we need to use the cross tools.
The crosstools might be built in an architecture that they
cannot strip themselves and since they are not being part of the
packaged toolchain, we will just skip them.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 21 Feb 2022 17:24:56 +0000 (17:24 +0000)]
oci: user-data: Try to decode base64 content
Terraform only supports sending any shell scripts encoded in base64
which is however not required by Oracle. Therefore we have to test if
the script is encoded or not.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>