This enables creating firewall rules using the special country code "XD"
for hostile networks safe to drop and ipinfo.cgi to display a meaningful
text for IP addresses having this flag set.
At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but
will be in the future (as soon as libloc 0.9.9 is released and running
in production).
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 29 Oct 2021 17:11:34 +0000 (19:11 +0200)]
avahi: Install backup definition - bug#12714
- Addition of backup definition install into lfs file
- Update of rootfile
Fixes: 12714 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 23 Oct 2021 11:54:51 +0000 (13:54 +0200)]
backup definitions: housekeeping to remove orphaned definitions
- check_mk_agent, client175 & lcr are addons that have been removed so the backup
definitions are no longer required.
- dma is not a package but a core program and has its config backup requirements
built into the core backup include file so the addon backup definition is not
used or needed.
- No issues found in the build after these files were removed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 23 Oct 2021 16:49:01 +0000 (18:49 +0200)]
git: Update to version 2.33.1
- Update from 2.31.0 to 2.33.1
- Update rootfile
- Changelog is too long to show here. The details can be found in the 2.31.1.txt,
2.32.0.txt, 2.33.0.txt and 2.33.1.txt files in the Documentation/RelNotes
directory in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 23 Oct 2021 16:49:32 +0000 (18:49 +0200)]
htop: Update to version 3.1.1
- Update from 3.0.5 to 3.1.1
- Update of rootfile not required
- Changelog is too long to include here. Full details can be found at
https://github.com/htop-dev/htop/blob/main/ChangeLog
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 27 Sep 2021 15:32:40 +0000 (17:32 +0200)]
curl: Update to version 7.79.1
- Update from 7.78.0 to 7.79.1
- Update of rootfile not required
- Changelog
Fixed in 7.79.1 - September 22 2021
Bugfixes:
Curl_http2_setup: don't change connection data on repeat invokes
curl_multi_fdset: make FD_SET() not operate on sockets out of range
dist: provide lib/.checksrc in the tarball
FAQ: add GOPHERS + curl works on data, not files
hsts: CURLSTS_FAIL from hsts read callback should fail transfer
hsts: handle unlimited expiry
http: fix the broken >3 digit response code detection
strerror: use sys_errlist instead of strerror on Windows
test1184: disable
tests/sshserver.pl: make it work with openssh-8.7p1
Fixed in 7.79.0 - September 15 2021
Changes:
bearssl: support CURLOPT_CAINFO_BLOB
http: consider cookies over localhost to be secure
secure transport: support CURLINFO_CERTINFO
Bugfixes:
CVE-2021-22945: clear the leftovers pointer when sending succeeds
CVE-2021-22946: do not ignore --ssl-reqd
CVE-2021-22947: reject STARTTLS server response pipelining
ares: use ares_getaddrinfo()
asyn-ares.c: move all version number checks to the top
auth: do not append zero-terminator to authorisation id in kerberos
auth: properly handle byte order in kerberos security message
auth: use sasl authzid option in kerberos
auth: we do not support a security layer after kerberos authentication
BINDINGS.md: update links to use https where available
build: fix compiler warnings
c-hyper: deal with Expect: 100-continue combined with POSTFIELDS
c-hyper: fix header value passed to debug callback
c-hyper: handle HTTP/1.1 => HTTP/1.0 downgrade on reused connection
c-hyper: initial step for 100-continue support
c-hyper: initial support for "dumping" 1xx HTTP responses
c-hyper: remove the hyper_executor_poll() loop from Curl_http
CI/cirrus: reduce compile time with increased parallism
CI: use GitHub Container Registry instead of Docker Hub
cirrus: Add FreeBSD 13.0 job and disable sanitizer build
cmake: avoid poll() on macOS
cmake: sync CURL_DISABLE options
codeql: fix error "Resource not accessible by integration"
compressed.d: it's a request, not an order
config.d: escape the backslash properly
config.d: note that curlrc is used even when --config
config: get rid of the unused HAVE_SIG_ATOMIC_T et. al.
configure.ac: revert bad nghttp2 library detection improvements
configure: error out if both ngtcp2 and quiche are specified
configure: make --disable-hsts work
configure: set classic mingw minimum OS version to XP
configure: tweak nghttp2 library name fix
connect: get local port + ip also when reusing connections
connect: remove superfluous conditional
curl-openssl.m4: check lib64 for the pkg-config file
curl-openssl.m4: show correct output for OpenSSL v3
curl.1: mention "global" flags
curl.1: provide examples for each option
curl: add warning for ignored data after quoted form parameter
curl: add warning for incompatible parameters usage
curl: better error message when -O fails to get a good name
curl: stop retry if Retry-After: is longer than allowed
curl_easy_setopt.3: improve the string copy wording
Curl_hsts_loadcb: don't attempt to load if hsts wasn't inited
curl_setup.h: sync values for HTTP_ONLY
curl_url_get.3: clarify about path and query
CURLMOPT_TIMERFUNCTION.3: remove misplaced "time"
CURLOPT_DOH_URL.3: CURLOPT_OPENSOCKETFUNCTION is not inherited
CURLOPT_SSL_CTX_*.3: tidy up the example
CURLOPT_UNIX_SOCKET_PATH.3: remove nginx reference, add see also
docs/MQTT: update state of username/password support
docs: remove experimental mentions from HSTS and MQTT
docs: the security list is reached at security at curl.se now
easy: use a custom implementation of wcsdup on Windows
examples/*hiperfifo.c: fix calloc arguments to match function proto
examples/cookie_interface: avoid printfing time_t directly
examples/cookie_interface: fix scan-build printf warning
examples/ephiperfifo.c: simplify signal handler
FAQ: add two dev related questions
getparameter: fix the --local-port number parser
happy-eyeballs-timeout-ms.d: polish the wording
hostip: Make Curl_ipv6works function independent of getaddrinfo
http2: Curl_http2_setup needs to init stream data in all invokes
http2: revert a change that broke upgrade to h2c
http2: revert call the handle-closed function correctly on closed stream
http: disallow >3-digit response codes
http: ignore content-length if any transfer-encoding is used
http_proxy: clear 'sending' when the outgoing request is sent
http_proxy: fix the User-Agent inclusion in CONNECT
http_proxy: fix user-agent and custom headers for CONNECT with hyper
http_proxy: only wait for writable socket while sending request
INTERNALS: bump c-ares requirement to 1.16.0
INTERNALS: c-ares has a new home: c-ares.org
lib: don't use strerror()
libcurl-errors.3: clarify two CURLUcode errors
limit-rate.d: clarify base unit
mailing lists: move from cool.haxx.se to lists.haxx.se
mbedtls: avoid using a large buffer on the stack
mbedTLS: initial 3.0.0 support
mbedtls_threadlock: fix unused variable warning
mksymbolsmanpage.pl: Fix showing symbol's last used version
mksymbolsmanpage.pl: match symbols case insenitively
multi: fix compiler warning with `CURL_DISABLE_WAKEUP`
ngtcp2: compile with the latest ngtcp2 and nghttp3
ngtcp2: fix build with ngtcp2 and nghttp3
ngtcp2: remove the acked_crypto_offset struct field init
ngtcp2: replace deprecated functions with nghttp3_conn_shutdown_stream_read
ngtcp2: reset the oustanding send buffer again when drained
ngtcp2: rework the return value handling of ngtcp2_conn_writev_stream
ngtcp2: stop buffering crypto data
ngtcp2: utilize crypto API functions to simplify
openssl: annotate SSL3_MT_SUPPLEMENTAL_DATA
openssl: when creating a new context, there cannot be an old one
opt-docs: make sure all man pages have examples
opt-docs: verify man page sections + order
opts docs: unify phrasing in NAME header
output.d: add method to suppress response bodies
page-header: add GOPHERS, simplify wording in the 1st para
progress: fix a compile warning on some systems
progress: make trspeed avoid floats
runtests: add option -u to error on server unexpectedly alive
schannel: Work around typo in classic mingw macro
scripts: invoke interpreters through /usr/bin/env
setopt: enable CURLOPT_IGNORE_CONTENT_LENGTH for hyper
strerror.h: remove the #include from files not using it
symbols-in-versions: fix CURLSSLBACKEND_QSOSSL last used version
test1138: remove trailing space to make work with hyper
test1173: check references to libcurl options
test1280: CRLFify the response to please hyper
test1565: fix windows build errors
test365: verify response with chunked AND Content-Length headers
tests/*server.pl: flush output before executing subprocess
tests/*server.py: remove pidfile on server termination
tests/runtests.pl: cleanup copy&paste mistakes and unused code
tests/server/*.c: align handling of portfile argument and file
tests: adjust the tftpd output to work with hyper mode
tests: be explicit about using 'python3' instead of 'python'
tests: enable test 1129 for hyper builds
tests: make three tests pass until 2037
tool/tests: fix potential year 2038 issues
tool_operate: Fix --fail-early with parallel transfers
url: fix compiler warning in no-verbose builds
urlapi.c:seturl: assert URL instead of using if-check
vtls: fix typo in schannel_verify.c
winbuild/README.md: clarify GEN_PDB option
wolfssl: clean up wolfcrypt error queue
write-out.d: clarify size_download/upload
x509asn1: fix heap over-read when parsing x509 certificates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 23 Oct 2021 12:49:52 +0000 (14:49 +0200)]
strongSwan: update to 5.9.4
Release notes as per https://github.com/strongswan/strongswan/releases/tag/5.9.4:
Fixed a denial-of-service vulnerability in the gmp plugin that was caused by an integer overflow when processing RSASSA-PSS signatures with very large salt lengths. This vulnerability has been registered as CVE-2021-41990.
Please refer to our blog for details.
Fixed a denial-of-service vulnerability in the in-memory certificate cache if certificates are replaced and a very large random value caused an integer overflow. This vulnerability has been registered as CVE-2021-41991.
Please refer to our blog for details.
Fixed a related flaw that caused the daemon to accept and cache an infinite number of versions of a valid certificate by modifying the parameters in the signatureAlgorithm field of the outer X.509 Certificate structure.
AUTH_LIFETIME notifies are now only sent by a responder if it can't reauthenticate the IKE_SA itself due to asymmetric authentication (i.e. EAP) or the use of virtual IPs.
Several corner cases with reauthentication have been fixed (48fbe1d, 36161fe, 0d373e2).
Serial number generation in several pki sub-commands has been fixed so they don't start with an unintended zero byte (#631).
Loading SSH public keys via vici has been improved (#467).
Shared secrets, PEM files, vici messages, PF_KEY messages, swanctl configs and other data is properly wiped from memory.
Use a longer dummy key to initialize HMAC instances in the openssl plugin in case it's used in FIPS-mode (#557).
The --enable-tpm option now implies --enable-tss-tss2 as the plugin doesn't do anything without a TSS 2.0.
libtpmtss is initialized in all programs and libraries that use it.
Migrated testing scripts to Python 3.
The testing environment uses images based on Debian bullseye by default (support for jessie was removed).
To my understanding, IPFire is not affected by CVE-2021-41990, as we do
not support creation of IPsec connections using RSASSA-PSS (please
correct me if we do :-). In contrast, CVE-2021-41991 affects IPFire
installations indeed.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 7 Sep 2021 11:03:22 +0000 (13:03 +0200)]
iproute2: Update version to 5.14.0
- Update from 5.13.0 to 5.14.0
- Update rootfile
- Changelog
Alexander Mikhalitsyn (2):
ip route: ignore ENOENT during save if RT_TABLE_MAIN is being dumped
libnetlink: check error handler is present before a call
Andrea Claudi (9):
tc: q_ets: drop dead code from argument parsing
lib: bpf_legacy: avoid to pass invalid argument to close()
dcb: fix return value on dcb_cmd_app_show
dcb: fix memory leak
tipc: bail out if algname is abnormally long
tipc: bail out if key is abnormally long
tc: htb: improve burst error messages
lib: bpf_legacy: fix potential NULL-pointer dereference
lib: bpf_glue: remove useless assignment
Ariel Levkovich (2):
tc: f_flower: Add option to match on related ct state
tc: f_flower: Add missing ct_state flags to usage description
Asbjørn Sloth Tønnesen (2):
tc: pedit: parse_cmd: add flags argument
tc: pedit: add decrement operation
Christian Schürmann (1):
man8/ip-tunnel.8: fix typo, 'encaplim' is not a valid option
David Ahern (6):
Update kernel headers
Update kernel headers
config.mk: Rerun configure when it is newer than config.mk
Update kernel headers
Update kernel headers
Import wwan.h uapi file
Dmytro Linkin (3):
devlink: Add helper function to validate object handler
devlink: Add port func rate support
devlink: Add ISO/IEC switch
Eric Dumazet (1):
tc: fq: add horizon attributes
Feng Zhou (1):
lib/bpf: Fix btf_load error lead to enable debug log
Gal Pressman (2):
rdma: update uapi headers
rdma: Add copy-on-fork to get sys command
Gokul Sivakumar (3):
bridge: reorder cmd line arg parsing to let "-c" detected as "color" option
bridge: fdb: don't colorize the "dev" & "dst" keywords in "bridge -c fdb"
man: bridge: fix the typo to change "-c[lor]" into "-c[olor]" in man page
Guillaume Nault (1):
utils: bump max args number to 512 for batch files
Hangbin Liu (3):
configure: add options ability
configure: convert LIBBPF environment variables to command-line options
ip/bond: add arp_validate filter support
Heiko Thiery (1):
lib/fs: fix issue when {name,open}_to_handle_at() is not implemented
Hoang Le (1):
tipc: call a sub-routine in separate socket
Jacob Keller (1):
devlink: fix infinite loop on flash update for drivers without status
Jakub Kicinski (3):
ip: align the name of the 'nohandler' stat
ip: dynamically size columns when printing stats
ss: fix fallback to procfs for raw sockets
Jethro Beekman (1):
ip: Add nodst option to macvlan type source
Jianguo Wu (1):
mptcp: make sure flag signal is set when add addr with port
Lahav Schlesinger (1):
ipmonitor: Fix recvmsg with ancillary data
Martynas Pumputis (1):
libbpf: fix attach of prog with multiple sections
Neta Ostrovsky (3):
rdma: Update uapi headers
rdma: Add context resource tracking information
rdma: Add SRQ resource tracking information
Paolo Lungaroni (2):
seg6: add counters support for SRv6 Behaviors
seg6: add support for SRv6 End.DT46 Behavior
Parav Pandit (2):
devlink: Add optional controller user input
devlink: Show port state values in man page and in the help command
Peilin Ye (1):
tc/skbmod: Remove misinformation about the swap action
Phil Sutter (1):
tc: u32: Fix key folding in sample option
Roi Dayan (2):
police: Add support for json output
police: Fix normal output back to what it was
Sergey Ryazanov (2):
iplink: add support for parent device
iplink: support for WWAN devices
Stephen Hemminger (6):
lib: remove blank line at eof
uapi: update kernel headers from 5.14-rc1
libnetlink: cosmetic changes
uapi: headers update
uapi: update neighbour.h
v5.14.0
Tyson Moore (1):
tc-cake: update docs to include LE diffserv
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
with core158 was a bug fixed that local hyperV installations wait to long
for the metadata service for azure but it was not shipped to existing
installations.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
speed.cgi: reduce system load by copying two general-functions.
include general-functions.pl load and initialize many subfunctions that are not
needed by speed.cgi which was executed very often.
So this reduce the system load significant if webif was open in browser
and ajax-speed display enabled.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 22 Oct 2021 13:37:27 +0000 (15:37 +0200)]
minidlna: Add backup capability - bug#12710
- Backup definition missing - created ro backup config file
- Update of rootfile
- Addition of backup definition install into lfs file
- Addition of restore and backup statements into install.sh and uninstall.sh pak scripts
Fixes: 12710 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 23 Sep 2021 12:24:51 +0000 (14:24 +0200)]
GD-Graph: Update to version 1.54
- Update from 1.4308 (2006) to 1.54 (2016 - latest version)
- Update of rootfile not required
- Changelog
1.54 21 Nov 2016
- Disable two Y axes alignment when any y[12]_{min,max}_value is defined
RT#62665
1.53 08 Jul 2016
- Fix 'Illegal division by zero' when x_min_value and x_max_value
are defined and x_tick_number set to 'auto' RT#73185
Thanks to Bob Rogers, https://github.com/ruz/GDGraph/pull/12
1.52 28 Jan 2016
- y1_min_range and y2_min_range instead of min_range_1 and min_range_2,
niether were documented before.
- Update documentation in regards to all *_min_range options available.
1.51 27 Dec 2015
- fix shadows rendering on cumulative bar charts
thanks to https://github.com/Tordek
see https://github.com/ruz/GDGraph/pull/4
1.50 27 Dec 2015
- run samples as part of test suite to make sure no sample crashes
thanks to https://github.com/tynovsky
- properly define test requirements using newer MakeMaker
1.49 11 Mar 2015
- fix to Z-axis color filling in 3D pie charts (Debian Bug #489184)
- bump ExtUtils::MakeMaker dependency
- tiny improvement in the code of the samples
1.48 02 Aug 2013
- no code changes, just release enginering cleanup
- adjust MANIFEST.SKIP file so MANIFEST can be generated
once again
- ship sample58.pl file, so `make samples` stop failing
- mention the current and past maintainers in META files
as authors
- use newer CPAN::Meta and ExtUtils::MakeMaker, older
versions generated META files without runtime prerequisites
1.47 28 Jun 2013
- experimental hide_overlapping_values option for bar graphs
1.46 26 Jun 2013
- This release is based on old work by Martien that was sitting
in his repo
- x_last_label_skip option
- new samples and tweaks to old
1.45 21 Jun 2013
- read DISTRIBUTION STATUS in perldoc GD::Graph
- no code changes since 1.44
1.44 25 Apr 2007
- Patched bugs 21610, 20792, 20802, 23755 and 22932
- Updated POD to clarify current maintenance status, and encourage
bug reporting via RT (and to point out some external help resources)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 23 Sep 2021 12:24:50 +0000 (14:24 +0200)]
ExtUtils-PkgConfig: Build of this required for latest version of perl-GD
- ExtUtils-PkgConfig is required when building perl-GD
- lfs and rootfile created
- All rootfile entries commented out as only required for building of perl-GD
- added to make.sh file just before perl-GD
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 23 Sep 2021 12:24:49 +0000 (14:24 +0200)]
perl-GD: Update to version 2.73
- Update from 2.35 (2006) to 2.73 (2020)
- Update of rootfile
- Updated version of perl-GD required ExtUtils-PkgConfig for build. Seperate patch
to build that is part of this series
- Changelog
2.73 * allow --options override the libgd options. Not recommended.
See GH #33 and RT #130045
2.72 * fix CVE 2019-6977 colorMatch for older unpatched libgd versions.
This is a severe security problem, an exploitable heap-overflow.
See https://nvd.nist.gov/vuln/detail/CVE-2019-6977
2.71 * skip Test::Fork on freebsd (GH #25)
2.70 * fixes for hardened CCFLAGS with -Werror (RT #128167)
2.69 * little spelling error, GH #29 Xavier Guimard
2.68 * fix GD::Polygon->clear, RT #124463 Michael Cain
2.67 * fix thread-safety for GD::Simple %COLORS (#26 melak)
* fix arc start-angle docs, RT #123277 Andrew G Gray
* improve setBrush docs, RT #123194 Andrew G Gray
* improve StringFT docs, RT #123193
* replace MacOSX by darwin, and not by Mac OS X/macOS as suggested
in PR #24
* add GD::Image->_file method as suggested in RT #60488 by Kevin Ryde,
also the helper GD::supportsFileType
2.66 * throw proper error on newFrom* with not-existing file
* add t/transp.t from RT #40525
* Improve RT #54366 multiple gd.h warning
* better doc for GD::Simple->arc
* fix ANIMGIF with libgd 2.3.0-dev
2.65 * fix --gdlib_config_path to accept an argument (fperrad)
2.64 * Update doc for LIBGD_VERSION()
* Fix 5.6.2, which does not have float in its typemap
2.63 * renamed VERSION() to LIBGD_VERSION(), RT #121307.
It was treated magically by "use GD 2.18"
2.62 * fixed wrong <5.14 code generated with ExtUtils::Constants
RT #121297. Don't generate const-xs.inc, only when missing.
* add -liconv on hpux also (our pkgconfig parser cannot handle it)
2.61 * add CONFIGURE_REQUIRES META
* add --gdlib_config_path
* add Image Filters: scatter, pixelate, negate, grayscale, brightness,
contrast, color, selectiveBlur, edgeDetectQuick, gaussianBlur, emboss,
meanRemoval, smooth, copyGaussianBlurred
* add palette methods: createPaletteFromTrueColor,
neuQuant (but discouraged), colorMatch.
* add interpolation methods: copyScale, copyRotateInterpolated,
interpolationMethod.
* add double GD::VERSION
* add all gd.h constants
2.60 * add missing methods newFromWBMP, newFromXbm,
(RT #68784) and some missing docs
* Add --lib_fontconfig_path, --fcgi options
* rewrote most of the XS code
* cleanup Makefile.PL #20
2.59 * error on failing libgd calls
* fix colorClosestAlpha, colorAllocateAlpha
* add missing documentation
2.58 * fix VERSION_STRING for 2.0.x
* honor --lib_gd_path specific gdlib-config
* Loosen the comparison tests with GDIMAGETYPE ne gd2
* Improve gdlib-config parsing (PR #17), esp. with 2.0.34
2.57 * fix Jpeg magic number detection RT #26146
* fix RGB - HSV roundtrips: RT #120572 by J2N-FORGET
* fix -print-search-dirs errors RT #106265
* co-maint to rurban
* add hv_fetchs, CI smokers
* add GD::VERSION_STRING api
2.56_03 * add alpha method
* improve option handling
* fix meta data
2.56_02 * fix feature extraction >= 2.2 [RT #119459]
2.56_01 * rm Build.PL, fix permissions, fix for missing gdlib-config
2.56 * Fix Makefile.PL so that it works again.
2.55 * Great simplification of regression framework ought to fix make test problems.
* Replace ExtUtils::MakeMaker script with Module::Build system
(just in time for Module::Build to be deprecated).
* Remove archaic qd.pl (for creating QuickDraw picts) from distribution.
2.54 Patch from yurly@unet.net to fix image corruption in rotate180 when image height is odd.
2.53 Points to Gabor Szabo's GD::Simple tutorial, and fix link to repository.
2.52 Fix regression tests to run on Ubuntu 12.04 64bit.
2.51 Fix misleading warning message about location of gd.h file.
2.50 Fix gdUseFontConfig so that it can be called as a class method.
2.49 Add GitHub information to README.
2.48 Fix compile crash on windows and strawberry (https://rt.cpan.org/Public/Bug/Display.html?id=67990).
2.47 Fix compilation on older perl's without the Newxz macros.
2.46 Added a basic "use" test for GD::Simple
2.45 Clarified the GD license. There is now a formal LICENSE file in the package.
2.44 GD::Group now installed properly.
Quenched compiler warning caused by Newxs() calls.
2.43 Added "transparent" color to GD::Simple.
Fixed Makefile so that GD/Image.pm depends both on GD/Image.pm.PLS and .config.cache
2.42 Fixed magic number detection to autodetect certain missed jpeg files (thanks to Mike Walker)
2.41 Added backend support for grouping features in GD::SVG module.
2.40 ** Do not use - contains a bug **
2.39 Makefile.PL will refuse to run if the proper version of libgd is unavailable.
2.38 Fixed bizarre warning about /usr/include/gd.h != /usr/include/gd.h.
2.37 GD/Image.pm did not bring in croak() properly, meaning that incorrect error messages are printed out when any of the newFromXXX() calls are made.
2.36 Instructions on using gdAntiAliased with palette images.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 23 Sep 2021 12:24:48 +0000 (14:24 +0200)]
gd: Update to version 2.3.3
- Update from 2.0.33 (2006) to 2.3.3 (Sep 2021)
- Updating gd requires GD-Graph and perl-GD to be updated otherwise the png graphs
didn't work so all required changes are part of this patch series
- Update rootfile
- Dependencies checked from library so bump. Nothing found.
- Changelog is too large to include here.
For full details see https://github.com/libgd/libgd/releases
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Wed, 7 Jul 2021 19:49:35 +0000 (21:49 +0200)]
Tell pppd not to ask for IPv6 addresses during dial-up
pppd 2.4.9 supports IPv6 and asks for an IPv6 configuration by default.
Setting the received prefix in the kernel will never work, however, as
the rest of IPFire 2.x does not support IPv6.
pppd notices the ISP about this, and at least Otenet (GR) and British
Telecom (several countries) decide to close a dial-up connection then.
German DTAG seems to ignore such errors silently.
This patch adds an option to the pppd call to prevent asking for an
IPv6 configuration, hence avoiding this errors.
To apply this patch, it is necessary to ship ppp 2.4.9 again. Since I
have no access to a testing machine behind an ISP supporting IPv6, this
patch unfortunately is untested.
Fixes: #12651 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 5 Sep 2021 20:45:05 +0000 (22:45 +0200)]
cups-filters: Update to version 1.28.10
- Update from 1.28.9 to 1.28 10
- Update rootfile
- Changelog
CHANGES IN V1.28.10
- Sample PPDs: Add borderless page size definitions to Generic
PDF Printer, HP Color LaserJet CM3530 MFP PDF, and Ricoh PDF
Printer PPD files.
- Sample PPDs: From the PDF PPD files removed the unneeded
"*cupsFilters2: ..." line. For CUPS it does not make any
difference.
- libcupsfilters: Fixed pdftopdf filter to correctly support
page ranges without upper limit, like "10-" (Pull request
#399).
- libcupsfilters: Use wildcard tag (IPP_TAG_ZERO) search for
"media-type" and "media-type-supported" in the PPD
generator (Pull request #398).
- implicitclass, parallel: Added missing newlines at error
messages.
- libfontembed: Removed unneeded fontembed/main.c and ttfread
executable. Eliminates the dependency on DejaVuSans.ttf
(Issue #386).
- gstoraster: Refactor the filter a little to clarify handling
of page counts and set job-impressions for TotalPageCount in
PWG-Raster header (Pull request #394).
- cups-browsed: Make NotifLeaseDuration configurable and renew
after half the lease duration not 60 sec before end. The
early renewal improves reliability on busy systems a
lot. For easier development and debugging short durations
from 300 sec on can get selected (Pull request #378).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://mmonit.com/monit/changes/
New: Issue #715: The PostgreSQL protocol test has been improved and
now supports authentication with username, password and database
when testing connection. Example:
if failed port 5432
protocol pgsql username "username" password "12345" database "test"
then alert
Previous Monit versions used hardcoded credentials when testing
connection to postgresql (user=root and database=root). This could
trigger thousands of messages like this in the postgresql log:
root@root FATAL: password authentication failed for user "root"
root@root DETAIL: Role "root" does not exist.
Note: Monit will continue to use the hardcoded credentials (for
backward compatibility) unless username and password are set.
New: Issue #973: You can now test program output using a regular
expression. Syntax:
IF CONTENT [!]= <regex> THEN action
Example:
check program disk0_smart with path "/usr/sbin/nvme smart-log /dev/nvme0"
if content != "critical_warning[ ]+: 0" then alert
New: Issue #974: Monit CLI: Added support for the -g (group) option
to the report command. Example:
monit -g database report
Fixed: Issue #991 (Monit 5.28.1 regression): MacOS: Monit didn't
compile on MacOS 10.13 or older. Thanks to Lutz Mader.
Fixed: Issue #994 (Monit 5.28.1 regression): The check program
statement with every did not work properly.
Fixed: Issue #995: Monit start delay was vulnerable to time jumps
when Monit is waiting for the delay to pass. Thanks to Daniel Crowe.
Fixed: Issue #975: Monit CLI: Monit did not report a warning if -s,
-p, -l, -g or -c command-line options were specified multiple times
and silently used the last value only. Monit will generate a warning
now.
Fixed: Issue #972: Monit GUI: The log view had no size limit when
reading the Monit log file and could block the browser if the log
file was large.
Fixed: Issue #955: If more than one every statement is used in
a check-service context only the last value is (silently) used.
We now report a warning in this case.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 28 Sep 2021 21:21:16 +0000 (23:21 +0200)]
shairport-sync: Update to version 3.3.8
- Update from 3.3.7 to 3.3.8
- Update of rootfile not required
- Changelog
Version 3.3.8
**Enhancements**
* Documentation for the MQTT interface. Many thanks to [minix1234](https://github.com/minix1234)!
**Bug Fixes**
* Fix a bug in the `alsa` back end. In the interval between checking that the alsa
device handle was non-`NULL` and actually using it, the handle could be set to
`NULL`. The interval between check and usage is now protected.
* Fix a bug in the `alsa` precision timing code. Thanks to
[durwin99](https://github.com/durwin99),
[Nicolas Da Mutten](https://github.com/cleverer),
[mistakenideas](https://github.com/mistakenideas),
[Ben Willmore](https://github.com/ben-willmore) and
[giggywithit](https://github.com/giggywithit) for the
[report](https://github.com/mikebrady/shairport-sync/issues/1158).
* Fix a bug that caused Shairport Sync to hang, but not actually crash, if an
`on-...` script failed.
* Fix a crash that occurred if metadata support is enabled during compilation but
turned off in the configuration file. Thanks to
[Tim Curtis](https://github.com/moodeaudio) for the report.
* Fix a crash that occurred playing from AirPower on Android. Thanks to
[Ircama](https://github.com/Ircama) for the report.
* Fix the configure.ac file so that `--without-<feature>` configuration options
are not interpreted as `--with-<feature>` options instead! Thanks to
[David Racine](https://github.com/bassdr) for the report.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 6 Oct 2021 13:48:35 +0000 (15:48 +0200)]
logwatch: mdadm status missing - Fix for Bug 12080
- Addition of mdadm module to logwatch
- Addition of logwatch to sudoers list to run mdadm commands
- patch to change logwatch mdadm.conf to allow scan for raid drives, change mdadm script
to run mdadm scan commands with sudo, allow clean but degraded drives to be listed
in the output.
Fixes: 12080 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 20 Oct 2021 20:28:43 +0000 (22:28 +0200)]
ghostscript: Update to version 9.55.0
- Update from 9.54 to 9.55.0
- Update rootfile
- Changelog
Version 9.55.0 (2021-09-27)
Highlights in this release include:
This release includes the fix for the %pipe% security issue (CVE-2021-3781).
New PDF Interpreter: This is an entirely new implementation written in C (rather
than PostScript, as before). For a full discussion of this change and reasons for
it see: Changes Coming to the PDF Interpreter.
In this (9.55.0) release, the new PDF interpreter is disabled by default in
Ghostscript, but can be used by specifying -dNEWPDF. We hope to make it the
default in 9.56.0, and fully deprecate the PostScript implementation shortly
after that (depending on the feedback we get).
This also allows us to offer a new executable (gpdf, or gpdfwin??.exe on Windows)
which is purely for PDF input. For this release, those new binaries are not
included in the "install" make targets, nor in the Windows installers (they will
be from 9.56.0 onwards).
We would ask that as many users as possible take the opportunity to test with the
new PDF implementation (i.e. using -dNEWPDF on your gs command line), and discuss
any problems with us, before the new implementation becomes the default.
The pdfwrite device now supports "passthrough" for JPX/JPG2000 data images (as
well as the already supported JPEG/DCT Encoded). That means that if no rescaling
or color conversion of the image data is required, the encoded/compressed image
data from the input file will be written unchanged to the output, preventing
potential image degradation caused by decompressing and recompressing.
The Ghostscript/GhostPDL demo apps for C, C#, Java and Python have all had
improvements and the C#/Java/Python language bindings have now been documented,
see Ghostscript Language Bindings
The Zugferd compliant PDF generating definitions (lib/zugferd.ps) have been
updated and expanded to support the current version (2.1.1) of the Zugferd spec,
and optionally different versions of the specification.
The PCL/m output devices now support Duplex/Tumble.
The internal support for "n-up" style simple imposition (introduced in 9.54.0) has
been extended and improved for better support across all input formats.
Ghostscript now supports object specific halftone - for example, different
halftones can be specified for text and images, reflecting the differing needs of
rendering those two types of object.
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental improvements.
(9.53.0) We have added the capability to build with the Tesseract OCR engine. In
such a build, new devices are available (pdfocr8/pdfocr24/pdfocr32) which render
the output file to an image, OCR that image, and output the image "wrapped" up as
a PDF file, with the OCR generated text information included as "invisible" text
(in PDF terms, text rendering mode 3).
Mainly due to time constraints, we only support including Tesseract from source
included in our release packages, and not linking to Tesseract/Leptonica shared
libraries. Whether we add this capability will be largely dependent on community
demand for the feature.
See Enabling OCR for more details.
For a list of open issues, or to report problems, please visit bugs.ghostscript.com.
Incompatible changes
(9.55.0) Changes to the device API. This will affect developers and maintainers of
Ghostscript devices. Firstly, and most importantly, the way device-specific
"procs" are specified has been rewritten to make it (we think!) clearer and less
confusing. See The Interface between Ghostscript and Device Drivers and The Great
Device Rework Of 2021 for more details.
(9.55.0) The command line options -sGraphicsICCProfile=___, -dGraphicsIntent=#,
-dGraphicsBlackPt=#, -dGraphicsKPreserve=# have been changed to
-sVectorICCProfile=___, -dVectorIntent=#, -dVectorBlackPt=#,
-dVectorKPreserve=#.
From 9.55.0 onwards, in recognition of how unwieldy very large HTML files can become
(History9.html had reached 8.1Mb!), we intend to only include the summary
highlights (above).
For anyone wanting the full details of the changes in a release, we ask them to look
at the history in our public git repository: ghostpdl-9.55.0 log.
If this change does not draw negative feedback, History?.htm file(s) will be removed
from the release archives.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 8 Oct 2021 13:43:49 +0000 (15:43 +0200)]
pcengines-apu-firmware: Update to version 4.14.0.4
- Update from 4.14.0.2 to 4.14.0.4
- Update of rootfile
- Changelog
v4.14.0.4 Release date: 2021-09-17
Changed:
Rebased with official coreboot repository commit d9f5d90
Enabled EHCI controller by default on apu3-apu6 platforms
Updated sortbootorder to v4.6.22
Added:
Safeguard against setting watchdog timeout too low
Known issues:
apuled driver doesn't work in FreeBSD. Check the GPIOs document for workaround.
Some PCIe cards are not detected on certain OSes and/or in certain mPCIe slots.
Check the mPCIe modules document for solution/workaround.
Booting with 2 USB 3.x sticks plugged in apu4 sometimes results in detecting
only 1 stick
Certain USB 3.x sticks happen to not appear in boot menu
Booting Xen is unstable
v4.14.0.3 Release date: 2021-08-06
Changed:
Rebased with official coreboot repository commit c049c80
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 25 Sep 2021 09:41:29 +0000 (11:41 +0200)]
update ca-certificates CA bundle
Update the CA certificates list to what Mozilla NSS ships currently.
The original file can be retrieved from:
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Sat, 25 Sep 2021 07:07:58 +0000 (09:07 +0200)]
Tor: Enable syscall sandbox
This makes post-exploitation activities harder, in case the local Tor
instance has been compromised. It is worth noticing that Tor won't
respond to a "GETINFO address" command on the control port if sandboxed,
but our CGI does not make use of it, and neither is any legitimate
service on IPFire doing so.
Tested on a small middle relay running on an IPFire machine.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Sep 2021 10:57:09 +0000 (12:57 +0200)]
krb5: Update to version 1.19.2
- Update from 1.19.1 to 1.19.2
- Update of rootfile not required
- Changelog
Major changes in 1.19.2 (2021-07-22)
This is a bug fix release.
* Fix a denial of service attack against the KDC encrypted challenge
code [CVE-2021-36222].
* Fix a memory leak when gss_inquire_cred() is called without a
credential handle.
krb5-1.19.2 changes by ticket ID
8989 Fix typo in enctypes.rst
8992 Avoid rand() in aes-gen test program
9005 Fix argument type errors on Windows
9006 doc build fails with Sphinx 4.0.2
9007 Fix KDC null deref on bad encrypted challenge
9014 Using locking in MEMORY krb5_cc_get_principal()
9015 Fix use-after-free during krad remote_shutdown()
9016 Memory leak in krb5_gss_inquire_cred
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 9 Sep 2021 11:53:30 +0000 (13:53 +0200)]
exfatprogs: Provide package to work with exfat formats
- Create lfs and rootfile
- Add exfatprogs to make.sh
- exfat is supported as a native kernel module since kernel 5.7
- This package requires CONFIG_EXFAT_FS=m to be set for the kernel module for each
architecture that will be supported. Currently that is only i586
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 8 Sep 2021 21:21:14 +0000 (23:21 +0200)]
dosfstools: Update to version 4.2
- Update from 3.0.9 (2013) to 4.2 (2021)
- Update rootfile
- Program names changed in version 2.0.18
dosfslabel became fatlabel
dosfsck became fsck.fat
and mkdosfs became mkfs.fat
- Added --enable-compat-symlinks to ./configure command to maintain original names as
symlinks
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Stefan Schantl [Mon, 18 Oct 2021 19:09:58 +0000 (21:09 +0200)]
pakfire.cgi: Implement logic to lock the page until pakfire has been fully launched.
When performing any action which requires pakfire, the page gets locked
with an message informing the user that pakfire is working. The page
will be reloaded when pakfire has been launched and is doing the
requested operation - showing the well known log output. This also
happens when pakfire has been launched via any kind of terminal or SSH
session and the CGI gets accessed.
Internally before pakfire gets started a variable called page_lock will
be set to lock the page. An while loop will keep the page locked until
pakfire is launched fully and has written it's lock_file.
This approach will prevent us from any kind of required time intervall
or race conditions.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Mon, 18 Oct 2021 20:36:02 +0000 (22:36 +0200)]
squid-asnbl: update to 0.2.3
Upstream commit 500b9137d0a9dd31e40f0d1effdba0aafeb94ca4 changes the
behaviour of this script in case of invalid or unresolvable FQDNs,
preventing Squid from eventually shutting down due to too many BH's per
time.
Since this allows (authenticated) users to run a DoS against the Squid
instance, it is considered to be security relevant.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:22 +0000 (10:10 +0000)]
firewall: Keep REPEAT bit when saving rest to CONNMARK
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:21 +0000 (10:10 +0000)]
suricata: Introduce IPSBYPASS chain
NFQUEUE does not let the packet continue where it was processed, but
inserts it back into iptables at the start. That is why we need an
extra IPSBYPASS chain which has the following tasks:
* Make the BYPASS bit permanent for the entire connection
* Clear the REPEAT bit
The latter is more of cosmetic nature so that we can identify packets
that have come from suricata again and those which have bypassed the IPS
straight away.
The IPS_* chain will now only be sent traffic to, when none of the two
relevant bits has been set. Otherwise the packet has already been
processed by suricata in the first pass or suricata has decided to
bypass the connection.
This massively reduces load on the IPS which allows many common
connections (TLS connections with downloads) to bypass the IPS bringing
us back to line speed.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:20 +0000 (10:10 +0000)]
suricata: Store bypass flag in connmark and restore
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:19 +0000 (10:10 +0000)]
suricata: Add rule to skip IPS if a packet has the bypass bit set
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:18 +0000 (10:10 +0000)]
suricata: Always append rules instead of inserting them
This allows us to add rules in a consistent order like they are in the
script.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:17 +0000 (10:10 +0000)]
suricata: Enable bypassing unhandled streams
If a stream cannot be identified or if suricata has decided that it
cannot do anything useful any more (e.g. TLS sessions after the
handshake), we will allow suricata to bypass any following packets in
that flow
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:16 +0000 (10:10 +0000)]
suricata: Define bypass mark
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:15 +0000 (10:10 +0000)]
suricata: Rename MARK/MASK to REPEAT_MARK/REPEAT_MASK
This should avoid confusion when we add more marks
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 18 Oct 2021 10:10:14 +0000 (10:10 +0000)]
suricata: Set most significant bit as repeat marker
I have no idea why some odd value was chosen here, but one bit should be
enough.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>