Adolf Belka [Fri, 8 Jul 2022 20:53:43 +0000 (22:53 +0200)]
gnutls: Update to version 3.7.6
- Update from version 3.6.16 to 3.7.6
- Update of rootfile
- find-dependencies run on sobump libs. No dependencies flagged for the old or new libs
- Changelog
* Version 3.7.6 (released 2022-05-27)
** libgnutls: Fixed invalid write when gnutls_realloc_zero()
is called with new_size < old_size. This bug caused heap
corruption when gnutls_realloc_zero() has been set as gmp
reallocfunc (!1592, #1367, #1368, #1369).
** API and ABI modifications:
No changes since last version.
* Version 3.7.5 (released 2022-05-15)
** libgnutls: The GNUTLS_NO_TICKETS_TLS12 flag and %NO_TICKETS_TLS12 priority
modifier have been added to disable session ticket usage in TLS 1.2 because
it does not provide forward secrecy (#477). On the other hand, since session
tickets in TLS 1.3 do provide forward secrecy, the PFS priority string now
only disables session tickets in TLS 1.2. Future backward incompatibility:
in the next major release of GnuTLS, we plan to remove those flag and
modifier, and make GNUTLS_NO_TICKETS and %NO_TICKETS only affect TLS 1.2.
** gnutls-cli, gnutls-serv: Channel binding for printing information
has been changed from tls-unique to tls-exporter as tls-unique is
not supported in TLS 1.3.
** libgnutls: Certificate sanity checks has been enhanced to make
gnutls more RFC 5280 compliant (!1583).
Following changes were included:
- critical extensions are parsed when loading x509
certificate to prohibit any random octet strings.
Requires strict-x509 configure option to be enabled
- garbage bits in Key Usage extension are prohibited
- empty DirectoryStrings in Distinguished name structures
of Issuer and Subject name are prohibited
** libgnutls: Removed 3DES from FIPS approved algorithms (#1353).
According to the section 2 of SP800-131A Rev.2, 3DES algorithm
will be disallowed for encryption after December 31, 2023:
https://csrc.nist.gov/publications/detail/sp/800-131a/rev-2/final
** libgnutls: Optimized support for AES-SIV-CMAC algorithms (#1217, #1312).
The existing AEAD API that works in a scatter-gather fashion
(gnutls_aead_cipher_encryptv2) has been extended to support AES-SIV-CMAC.
For further optimization, new function (gnutls_aead_cipher_set_key) has been
added to set key on the existing AEAD handle without re-allocation.
** libgnutls: HKDF and AES-GCM algorithms are now approved in FIPS-140 mode
when used in TLS (#1311).
** The configure arguments for Brotli and Zstandard (zstd) support
have changed to reflect the previous help text: they are now
--with-brotli/--with-zstd respectively (#1342).
** Detecting the Zstandard (zstd) library in configure has been
fixed (#1343).
** API and ABI modifications:
GNUTLS_NO_TICKETS_TLS12: New flag
gnutls_aead_cipher_set_key: New function
* Version 3.7.4 (released 2022-03-17)
** libgnutls: Added support for certificate compression as defined in RFC8879
(#1301). New API functions (gnutls_compress_certificate_get_selected_method
and gnutls_compress_certificate_set_methods) allow client and server to set
their preferences.
** certtool: Added option --compress-cert that allows user to specify
compression methods for certificate compression.
** libgnutls: GnuTLS can now be compiled with --enable-strict-x509 configure
option to enforce stricter certificate sanity checks that are compliant with
RFC5280.
** libgnutls: Removed IA5String type from DirectoryString within issuer
and subject name to make DirectoryString RFC5280 compliant.
** libgnutls: Added function (gnutls_record_send_file) to send file content from
open file descriptor (!1486). The implementation is optimized if KTLS (kernel
TLS) is enabled.
** libgnutls: Added function (gnutls_ciphersuite_get) to retrieve the name of
current ciphersuite from TLS session (#1291).
** libgnutls: The run-time dependency on tpm2-tss is now re-implemented using
dlopen, so GnuTLS does not indirectly link to other crypto libraries until
TPM2 functionality is utilized (!1544).
** API and ABI modifications:
GNUTLS_COMP_BROTLI: New gnutls_compression_method_t enum member
GNUTLS_COMP_ZSTD: New gnutls_compression_method_t enum member
gnutls_compress_certificate_get_selected_method: Added
gnutls_compress_certificate_set_methods: Added
gnutls_ciphersuite_get: New function
gnutls_record_send_file: New function
libgnutlsxx: Soname bumped due to ABI breakage introduced in 3.7.1
* Version 3.7.3 (released 2022-01-17)
** libgnutls: The allowlisting configuration mode has been added to the system-wide
settings. In this mode, all the algorithms are initially marked as insecure
or disabled, while the applications can re-enable them either through the
[overrides] section of the configuration file or the new API (#1172).
** The build infrastructure no longer depends on GNU AutoGen for generating
command-line option handling, template file parsing in certtool, and
documentation generation (#773, #774). This change also removes run-time or
bundled dependency on the libopts library, and requires Python 3.6 or later
to regenerate the distribution tarball.
Note that this brings in known backward incompatibility in command-line
tools, such as long options are now case sensitive, while previously they
were treated in a case insensitive manner: for example --RSA is no longer a
valid option of certtool. The existing scripts using GnuTLS tools may need
adjustment for this change.
** libgnutls: The tpm2-tss-engine compatible private blobs can be loaded and
used as a gnutls_privkey_t (#594). The code was originally written for the
OpenConnect VPN project by David Woodhouse. To generate such blobs, use the
tpm2tss-genkey tool from tpm2-tss-engine:
https://github.com/tpm2-software/tpm2-tss-engine/#rsa-operations
or the tpm2_encodeobject tool from unreleased tpm2-tools.
** libgnutls: The library now transparently enables Linux KTLS
(kernel TLS) when the feature is compiled in with --enable-ktls configuration
option (#1113). If the KTLS initialization fails it automatically falls back
to the user space implementation.
** certtool: The certtool command can now read the Certificate Transparency
(RFC 6962) SCT extension (#232). New API functions are also provided to
access and manipulate the extension values.
** certtool: The certtool command can now generate, manipulate, and evaluate
x25519 and x448 public keys, private keys, and certificates.
** libgnutls: Disabling a hashing algorithm through "insecure-hash"
configuration directive now also disables TLS ciphersuites that use it as a
PRF algorithm.
** libgnutls: PKCS#12 files are now created with modern algorithms by default
(!1499). Previously certtool used PKCS12-3DES-SHA1 for key derivation and
HMAC-SHA1 as an integity measure in PKCS#12. Now it uses AES-128-CBC with
PBKDF2 and SHA-256 for both key derivation and MAC algorithms, and the
default PBKDF2 iteration count has been increased to 600000.
** libgnutls: PKCS#12 keys derived using GOST algorithm now uses
HMAC_GOSTR3411_2012_512 instead of HMAC_GOSTR3411_2012_256 for integrity, to
conform with the latest TC-26 requirements (#1225).
** libgnutls: The library now provides a means to report the status of approved
cryptographic operations (!1465). To adhere to the FIPS140-3 IG 2.4.C., this
complements the existing mechanism to prohibit the use of unapproved
algorithms by making the library unusable state.
** gnutls-cli: The gnutls-cli command now provides a --list-config option to
print the library configuration (!1508).
** libgnutls: Fixed possible race condition in
gnutls_x509_trust_list_verify_crt2 when a single trust list object is shared
among multiple threads (#1277). [GNUTLS-SA-2022-01-17, CVSS: low]
** API and ABI modifications:
GNUTLS_PRIVKEY_FLAG_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_privkey_flags_t
GNUTLS_VERIFY_RSA_PSS_FIXED_SALT_LENGTH: new flag in gnutls_certificate_verify_flags
gnutls_ecc_curve_set_enabled: Added.
gnutls_sign_set_secure: Added.
gnutls_sign_set_secure_for_certs: Added.
gnutls_digest_set_secure: Added.
gnutls_protocol_set_enabled: Added.
gnutls_fips140_context_init: New function
gnutls_fips140_context_deinit: New function
gnutls_fips140_push_context: New function
gnutls_fips140_pop_context: New function
gnutls_fips140_get_operation_state: New function
gnutls_fips140_operation_state_t: New enum
gnutls_transport_is_ktls_enabled: New function
gnutls_get_library_configuration: New function
* Version 3.7.2 (released 2021-05-29)
** libgnutls: The priority string option %DISABLE_TLS13_COMPAT_MODE was added
to disable TLS 1.3 middlebox compatibility mode
** libgnutls: The Linux kernel AF_ALG based acceleration has been added.
This can be enabled with --enable-afalg configure option, when libkcapi
package is installed (#308).
** libgnutls: Fixed timing of early data exchange. Previously, the client was
sending early data after receiving Server Hello, which not only negates the
benefit of 0-RTT, but also works under certain assumptions hold (e.g., the
same ciphersuite is selected in initial and resumption handshake) (#1146).
** certtool: When signing a CSR, CRL distribution point (CDP) is no longer
copied from the signing CA by default (#1126).
** libgnutls: The GNUTLS_NO_EXPLICIT_INIT envvar has been renamed to
GNUTLS_NO_IMPLICIT_INIT to reflect the purpose (#1178). The former is now
deprecated and will be removed in the future releases.
** certtool: When producing certificates and certificate requests, subject DN
components that are provided individually will now be ordered by
assumed scale (e.g. Country before State, Organization before
OrganizationalUnit). This change also affects the order in which
certtool prompts interactively. Please rely on the template
mechanism for automated use of certtool! (#1243)
** API and ABI modifications:
gnutls_early_cipher_get: Added
gnutls_early_prf_hash_get: Added
** guile: Writes to a session record port no longer throw an exception upon
GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED.
* Version 3.7.1 (released 2021-03-10)
** libgnutls: Fixed potential use-after-free in sending "key_share"
and "pre_shared_key" extensions. When sending those extensions, the
client may dereference a pointer no longer valid after
realloc. This happens only when the client sends a large Client
Hello message, e.g., when HRR is sent in a resumed session
previously negotiated large FFDHE parameters, because the initial
allocation of the buffer is large enough without having to call
realloc (#1151). [GNUTLS-SA-2021-03-10, CVSS: low]
** libgnutls: Fixed a regression in handling duplicated certs in a
chain (#1131).
** libgnutls: Fixed sending of session ID in TLS 1.3 middlebox
compatibiltiy mode. In that mode the client shall always send a
non-zero session ID to make the handshake resemble the TLS 1.2
resumption; this was not true in the previous versions (#1074).
** libgnutls: W32 performance improvement with a new sendmsg()-like
transport implementation (!1377).
** libgnutls: Removed dependency on the external 'fipscheck' package,
when compiled with --enable-fips140-mode (#1101).
** libgnutls: Added padlock acceleration for AES-192-CBC (#1004).
** API and ABI modifications:
No changes since last version.
* Version 3.7.0 (released 2020-12-02)
** libgnutls: Depend on nettle 3.6 (!1322).
** libgnutls: Added a new API that provides a callback function to
retrieve missing certificates from incomplete certificate chains
(#202, #968, #1100).
** libgnutls: Added a new API that provides a callback function to
output the complete path to the trusted root during certificate
chain verification (#1012).
** libgnutls: OIDs exposed as gnutls_datum_t no longer account for the
terminating null bytes, while the data field is null terminated.
The affected API functions are: gnutls_ocsp_req_get_extension,
gnutls_ocsp_resp_get_response, and gnutls_ocsp_resp_get_extension
(#805).
** libgnutls: Added a new set of API to enable QUIC implementation (#826, #849,
#850).
** libgnutls: The crypto implementation override APIs deprecated in 3.6.9 are
now no-op (#790).
** libgnutls: Added MAGMA/KUZNYECHIK CTR-ACPKM and CMAC support (!1161).
** libgnutls: Support for padlock has been fixed to make it work with Zhaoxin
CPU (#1079).
** libgnutls: The maximum PIN length for PKCS #11 has been increased from 31
bytes to 255 bytes (#932).
** API and ABI modifications:
gnutls_x509_trust_list_set_getissuer_function: Added
gnutls_x509_trust_list_get_ptr: Added
gnutls_x509_trust_list_set_ptr: Added
gnutls_session_set_verify_output_function: Added
gnutls_record_encryption_level_t: New enum
gnutls_handshake_read_func: New callback type
gnutls_handshake_set_read_function: New function
gnutls_handshake_write: New function
gnutls_handshake_secret_func: New callback type
gnutls_handshake_set_secret_function: New function
gnutls_alert_read_func: New callback type
gnutls_alert_set_read_function: New function
gnutls_crypto_register_cipher: Deprecated; no-op
gnutls_crypto_register_aead_cipher: Deprecated; no-op
gnutls_crypto_register_mac: Deprecated; no-op
gnutls_crypto_register_digest: Deprecated; no-op
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 7 Jul 2022 19:40:18 +0000 (21:40 +0200)]
openssl: Update to version 1.1.1q
- Update from version 1.1.1p to 1.1.1q
- Update of rootfile not required
- Changelog
Changes between 1.1.1p and 1.1.1q [5 Jul 2022]
(CVE-2022-2097) Severity: Moderate
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised
implementation would not encrypt the entirety of the data under some
circumstances. This could reveal sixteen bytes of data that was
preexisting in the memory that wasn't written. In the special case of
"in place" encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS,
they are both unaffected.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 7 Jul 2022 13:52:09 +0000 (13:52 +0000)]
Core Update 169: Delete unused initrd on 32-bit ARM to save space in /boot
On 64-bit ARM, this is still needed for booting. Since the initrds were
already shipped with the updater, there is no need to regenerate them
locally again.
Adolf Belka [Tue, 10 May 2022 10:31:40 +0000 (12:31 +0200)]
lsof: Update to version 4.95.0
- Update from version 4.91 to 4.95.0
- version 4.91 was the last version provided bia purdue.edu after which they stopped
maintaining it. It is now taken over ny the lsof-org team at Github.
https://github.com/lsof-org/lsof
- Update of rootfile not required - only one line in the rootfile
- Changelog
lsof-4.95.0-linux
[n+obsd] fix syntax error
Corrected end of comment.
This change closes #138.
@albert-github reported this issue in #138,
and provided the fix in #140
Don't ignore failures in test/Makefile
Tobias Geerinckx-Rice <me@tobias.gr> provides the fix.
Update perl scripts for the past few decades of progress
Generally, perl is available on base systems - people who are manually
installing perl into /usr/local/bin are the exception rather than the
rule. In addition, Perl 5 was release in 1994, so Perl 4 isn't relevant
any more. We've also standardized on the .pl extension, rather than
.perl5 or whatever.
Provided by @dilinger (Andres Salomon) in #149.
A commit in the pull request includes work of Nicholas Bamber.
Drop LSOF_CCDATE across all dialects to ensure reproducible builds
Simplify things for reproducible builds by just getting rid of
the embedded date/time string. With LSOF_CCDATE gone, keeping
SOURCE_DATE_EPOCH around doesn't make much sense, so drop that as
well. Folks doing reproducible builds should still override the
LSOF_HOST, LSOF_LOGNAME, LSOF_SYSINFO, and LSOF_USER variables (as
they were previously doing before SOURCE_DATE_EPOCH).
Provided by @dilinger (Andres Salomon) in #150.
[FreeBSD] get the ISO9660 filesystem working again
The ISO9660 filesystem broke starting with FreeBSD 7 due to the header
location changing. Fix the header search path to get it to be detected
again. Fix the header inclusion order. Also add the new way of finding
dev_t on more recent FreeBSD versions.
Provided by Damjan Jovanovic in #151.
[FreeBSD] add support for msdosfs on FreeBSD
Provided by Damjan Jovanovic in #151.
Fix FD field description.
In 811dc78 the output format was changed to not printf the `f`
field by default, however the field description in `lsof_fields.h`,
as seen in `-F?` output still included the `(always selected)` text.
Provided by @algorythmic (Grisha Levit) in #158.
Adjust alignment of buffer passed to stat().
The original code passes char[] buffer to stat(). This can be cause
a SIGBUS. #160 reported an actual crash on armv7a + glibc-2.33 platform.
See also https://sourceware.org/bugzilla/show_bug.cgi?id=27993.
Reported by @10ne1 in #160.
Clean up source code and documentats.
- remove trailing whitespace,
- fix some issues in scripts found through shellcheck, and
- fix spelling
Provided by @a1346054 in #163.
man page: fix hyphen issues
Properly use '-' and '\-' in the man page, ensuring that users
can cut & paste commandline options without issue. Original
patch from Raoul Gunnar Borenius <borenius@dfn.de>, and
submitted/expanded by @dilinger (Andres Salomon) in #168.
[FreeBSD] update for FreeBSD 13 & 14, and various internal changes
submitted by @DmitryAndric & @emaste.
[FreeBSD] remove various old FreeBSD versions from support
submitted by @emaste
[FreeBSD] configure: suggest variable to set if FreeBSD sys not
found
submitted by @emaste
Fix broken LSOF_CFLAGS_OVERRIDE.
Provided by Fabrice Fontaine in #172.
[linux] Remove sysvlegacy function.
Provided by Fabrice Fontaine in #195.
[linux] use close_range instead of calling close repeatedly
At the starting up, lsof closes its file descriptors greater
than 2 by calling close(2) repeatedly. As reported in #186,
it can take long time. Linux 5.9 introduced close_range(2).
The new system call can close multiple file descriptors faster.
@qianzhangyl reported the original issue (#186).
Add -Q option for adjusting exit status when failed to find a
search item (#129)
In the original code, lsof returned 1 when it failed to find a
search item. With the new option, lsof returns 0 in the case.
Document -Q option in manpage/00QUICKSTART, and adjust -h
output by @dilinger (Andres Salomon) in #129.
Improve readability of complex adverbial clause by adding a
comma.
Provided by Danny Fowler in #156.
lsof-4.94.0-linux
(All changes in this version are ported from
lsof-org/lsof-linux repository at GitHub).
Introduced a new test harness. The harness can run
test cases specific to a dialect. It is designed for
running test cases on CI environment like Travis-CI.
However, it is runnable locally with following command
line:
$ ./check.sh DIALECT
after making lsof executable.
[linux] Fixed a bug +|-E options output for pipe.
If two processes use the same fd number for a pipe
connecting them, the option didn't print the
information about it.
[linux] Fixed a bug +|-E options output for PTY.
If two processes use the same fd number for a PTY
connecting them, the option didn't print the
information about it.
[linux] Fixed a bug +|-E options output for PTY.
The code for detecting a slave device was incorrect.
[linux] Fixed a potential bug +|-E options output for
PTY. A structure field for the feature was not
initialized.
[linux] Added a code for decoding O_PATH flag in +fg
option.
[linux] Added a code for decoding O_CLOEXEC flag as CX
in +fg option.
[linux] Added a code for decoding O_TMPFILE flag as
TMPF in +fg option.
[linux] Added Linux display of INET socket endpoint
information with +|-E option. The option handles
INET sockets using IPC.
[linux] Added support for POSIX MQ of Linux
implementation. A POSIX message queue (MQ) is
represented in a fd on Linux. lsof reported it as a
regular file. lsof with this change reports it as a
file with PSXMQ type if mqueue file system is mounted.
[linux] Added Linux display of POSIX message queue
endpoint information with +|-E option. mqueue file system
must be mounted to display the information.
[linux] Added Linux display of INET6 socket endpoint
information with +|-E option. The option handles
INET6 sockets using IPC.
[FreeBSD] update to include <sys/_lock.h> on recent -CURRENT
since it is no longer implicitly included via header pollution.
[linux] Added Linux display of eventfd endpoint information
with +|-E option. The option handles eventfd using IPC.
[FreeBSD] include <stdbool.h> for recent change requiring
refcount(9).
Enhanced -r option. With `c<N>' specifier, lsof can stop itself
when the number of iterations reaches at <N>.
[linux] Fixed accessing an uninitialized local variable.
Detected by valgrind.
[linux] fix a crash when printing the endpoint for unaccepted
unix socket with +E option.
This closes the github issue #74 reported by @jolmg.
[linux] abort execution when failing in memory allocation for
socket private data.
[linux] decode the name of DCCP socket type.
[linux] decode more netlink protocol numbers (RDMA, CRYPTO, and
SMC).
[linux] print the connection state of unix domain socket
Lsof can print the state of TCP socket like:
nc 22247 yamato 3u IPv4 471409 0t0 TCP localhost:38802->localhost:9999 (ESTABLISHED)
This change exnteds this feature to support unix domain sockets.
LISTEN, UNCONNECTED, CONNECTING, CONNECTED, DISCONNECTING,
and UNKNOWN can be taken as a state.
An example of output:
evince 17333 yamato 1u unix 0x0000000054183795 0t0 89141 type=STREAM (CONNECTED)
This feature is enabled by default.
To turn off printing state information, use -T option.
Don't display command usage even when a file (or directory) listed
in command line doesn't exist.
This closes the github issue #90 reported by @rowlap.
[FreeBSD] merge all the FreeBSD specific fixes from the FreeBSD sysutils/lsof port
[linux] allow reproducible builds
In a reproducible build all varied information is removed. This
change does so, by checking if the standard SOURCE_DATE_EPOCH
variable is set. If it is, we are attempting a reproducible build
and will strip varying information.
About the standard, see https://reproducible-builds.org/specs/source-date-epoch/
Provided in github pull request #93 by @T4cC0re.
[freebsd] update for r363214
- no user visible changes
Added the way to include (or exclude) all numbered file descriptors
in -d option. "fd" is a pseudo file descriptor name for the purpose.
See the following output on Linux; lsof doesn't print cwd, rtd, txt,
and mem files.
# ./lsof -p $$ -a -d fd
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
bash 866421 root 0u CHR 136,1 0t0 4 /dev/pts/1
bash 866421 root 1u CHR 136,1 0t0 4 /dev/pts/1
bash 866421 root 2u CHR 136,1 0t0 4 /dev/pts/1
bash 866421 root 255u CHR 136,1 0t0 4 /dev/pts/1
docs: fixed minor grammatical error in instructions in Customize file
The change is provided by @hardikpnsp.
man page: improve phrasing and add examples
The change is provided by Martin D Kealey.
man page: improve explanation of -t implying -w
The change is provided by Martin D Kealey.
test cases, [linux]: fix tests for large inode-numbers (i >= 2^32)
The change is provided by Henry Peteet.
[linux] handle ffff:ffff in ipv6 addr correctly
The listen address and port of an AF_INET6 socket were not display if
the socket listened at an ipv6 address including ffff:ffff.
Here is a command session demonstrating the bug:
# ip -6 addr add abcd:ef10:ffff:ffff:ffff:ffff:ffff:ff62 dev lo
# nc -6 -l abcd:ef10:ffff:ffff:ffff:ffff:ffff:ff62 8888 &
[1] 6762
# ./lsof -p 6762 -a -d fd -P -n
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nc 6762 yamato 0u CHR 136,6 0t0 9 /dev/pts/6
nc 6762 yamato 1u CHR 136,6 0t0 9 /dev/pts/6
nc 6762 yamato 2u CHR 136,6 0t0 9 /dev/pts/6
nc 6762 yamato 3u sock 0,9 0t0 5833594 protocol: TCPv6
The last line should be:
nc 6762 yamato 3u IPv6 5833594 0t0 TCP [abcd:ef10:ffff:ffff:ffff:ffff:ffff:ff62]:8888 (LISTEN)
The original code decoding an ipv6 address uses UINT32_MAX constant
incorrect way.
@zhrf2020 reported this bug in #102.
@zhrf2020 provided the initial version of fix, #109.
man page,[linux]: enumerate abbreviated flags printed with '+f g' option
Make -Fo option work
-Fo option is for printing file offset. For regular files,
the option didn't work.
Here is a command session demonstrating the fix:
# ./lsof -Fo -o0| grep ^o | sort | uniq -c
90586 o0t0
87 o0t101
84 o0t103
...
@JustAnotherArchivist reported this bug in #118.
man page: fix definition of the `o` field on programmatic output
The change is provided by @JustAnotherArchivist who reported
the original issue in #118.
[linux]: show the pid monitored by a pidfd
With this change, lsof prints pidfd in the following form:
[pidfd:%d]
where %d represents the pid monitored by the pidfd.
Example output:
# ./lsof -p 12573 -p 12710 | grep pidfd
dbus-brok 12573 jet 11u a_inode 0,13 0 13312 [pidfd:12575]
dbus-brok 12710 jet 10u a_inode 0,13 0 13312 [pidfd:12711]
fd 11 of pid 12573 monitors pid 12575.
fd 10 of pid 12710 monitors pid 12711.
This change closed #116.
Don't select the file descriptor field by default.
The version 4.88 introduced the change for selecting the file
descriptor field by default. However, the change is not
suitable for users who wants to print only PID field.
@po5857 suggests the use case and the way to improve the man page.
[linux]: enumerate fds monitored by an eventpoll fd
With this change, lsof prints an eventpoll fd in the following form:
[eventpoll:<fd0>,<fd1>,...,<fdn>...]
Here fdX is a file descriptor monitored by the eventpoll fd.
If an eventpoll fd monitors too many file descriptors, lsof
truncates the list of fds. "..." at the end of list implies
the truncation.
Example output:
# sudo ./lsof -p 1 -a -d 10,11,12
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root 10u a_inode 0,13 0 11624 [eventpoll:11,12]
systemd 1 root 11r REG 0,4 0 17680 /proc/1/mountinfo
systemd 1 root 12r a_inode 0,13 0 11624 inotify
systemd monitors fd 11 and fd 12 via eventpoll fd 10.
[linux]: implement "make check"
The target runs check.bash.
4.93.2 May 8, 2019
Update the version number embedded in lsof executable.
lsof-4.93.1
4.93.0 May 7, 2019
[freebsd] Made FreeBSD 13 adjustment.
[darwin] Fix a typo causing a build error.
Fix a potential memory leak.
[linux] use tirpc for rpc if libc doesn't provide rpc.h.
Fix a typo in man page.
[linux] fix memory leaks detected by valgrind about unix
endpoint information.
Update the description about -fg and -fG options on linux.
4.93.1 May 7, 2019
Fix a broken symbolic link.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Wed, 29 Jun 2022 18:27:24 +0000 (18:27 +0000)]
aliases: Don't call arpping to announce new IP addresses
I am not sure what the rationale is here, but we should probably not do
this. Other hosts on the network will be able to update their ARP caches
properly.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Wed, 29 Jun 2022 18:27:23 +0000 (18:27 +0000)]
aliases: Add support to assign aliases to multiple RED interfaces
This is a little patch which will extend the aliases page to offer an
interface selection if there are more than one RED interfaces.
This is a little hack to make configuration easier for users who have
manually set up more than one RED interface (e.g. for load balancing or
fail-over) and want to use the UI to configure firewall rules.
As a little benefit on the side, I had to rewrite setaliases.c to use
ip(8) instead of ifconfig(8).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org>
Robin Roevens [Thu, 30 Jun 2022 10:15:55 +0000 (12:15 +0200)]
zabbix_agentd: Add IPFire specific userparameters
Provide IPFire specific items for the Zabbix server to monitor:
- ipfire.net.gateway.pingtime: Internet Line Quality
- ipfire.net.gateway.ping: Internet connection
- ipfire.net.fw.hits.raw: JSON formatted list of Firewall hits/chain
- ipfire.dhcpd.clients: Number of active DHCP leases
- ipfire.captive.clients: Number of Captive Portal clients
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Thu, 30 Jun 2022 10:15:53 +0000 (12:15 +0200)]
zabbix_agentd: Sudoers file reorganization
- Remove sudoers file 'zabbix' in favour of new IPFire managed
'zabbix_agentd' and user managed 'zabbix_agentd_user' which is
included in the backup
- Provide migration of old sudoers file 'zabbix' or 'zabbix.user' to
new zabbix_agentd_user sudoers file if it was modified by user.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Thu, 30 Jun 2022 10:15:52 +0000 (12:15 +0200)]
zabbix_agentd: Configfile reorganization
- Restrict default main config to only the bare minimum options
and add upstream provided config as example file.
- Remove /etc/zabbix_agentd from backup and instead add only
zabbix_agentd.conf and subdirs 'scripts' and 'zabbix_agentd.d' to
the backup.
- Move ipfire managed userparameter_pakfire.conf from
user managed dir /etc/zabbix_agentd/zabbix_agent.d to
ipfire managed dir /var/ipfire/zabbix_agentd/userparameters
- Add Include line to existing zabbix_agentd.conf to include
the new ipfire managed config dir /var/ipfire/zabbix_agentd/...
- Add and include mandatory IPFire specific agent configuration
which should never be changed by the user.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Thu, 30 Jun 2022 10:15:51 +0000 (12:15 +0200)]
zabbix_agentd: Fix agent modules dir and few minor bugs
- Add agent modules-dir to backup
- Remove original, not used agent modules dir from rootfile
- Create modules-dir during install if it not already exists
- bugfix: Add existence check before creating log-dir, avoiding error
messages if it already exists from a previous install
- bugfix: add extract_backup_includes to update.sh script to make
sure backup includes exist when backup is taken.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Peter Müller [Wed, 29 Jun 2022 20:28:38 +0000 (20:28 +0000)]
Core Update 169: Drop entropy.cgi
Since the kernel now always reports 256 bits of entropy to be available,
this CGI does not show any useful information anymore. To avoid
confusions, it will hereby be removed entirely.
Fixes: #12893 Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 25 Jun 2022 22:20:48 +0000 (22:20 +0000)]
linux: Amend upstream patch to harden mount points of /dev
This patch, which has been merged into the mainline Linux kernel, but
not yet backported to the 5.15.x tree, precisely addresses our
situation: IPFire does not use systemd, but CONFIG_DEVTMPFS_MOUNT.
The only explanation I have for bug #12889 arising _now_ is that some
component (dracut, maybe) changed its behaviour regarding remounting of
already mounted special file systems. As current dracut won't (re)mount
any file system already found to be mounted, this means that the mount
options decided by the kernel remained untouched for /dev, hence being
weak in terms of options hardening possible.
As CONFIG_DEVTMPFS_SAFE would not show up in "make menuconfig", changes
to kernel configurations have been simulated.
Fixes: #12889 Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Robin Roevens [Wed, 23 Feb 2022 20:21:30 +0000 (21:21 +0100)]
pakfire: Better errorhandling on downloads
- Add true/false return codes to fetchfile, getmetafile and getmirrors
indicating succes or failure.
- Check on those return codes and fail gracefully with clean
error message(s) when downloads fail.
- Replace duplicate meta-file fetching code in dbgetlist with
getmetafile function (fixing possibly missed cariage return
conversion in meta-files).
- Remove pointless 5 retries to download server-list.db in
selectmirror as fetchfile already retries 5 times.
Adolf Belka [Fri, 17 Jun 2022 09:42:38 +0000 (11:42 +0200)]
rust-paste-0.1.18: Required for update of python3-cryptography
- lfs and rootfile created
- python3-cryptography build requires older version than was already installed.
Therefore named version 0.1.18 created, leaving original rust-paste in place
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 17 Jun 2022 09:42:32 +0000 (11:42 +0200)]
rust-indoc-0.3.6: Required for update of python3-cryptography
- lfs and rootfile created
- python3-cryptography build requires older version than was already installed.
Therefore named version 0.3.6 created, leaving original rust-indoc in place
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 17 Jun 2022 09:42:23 +0000 (11:42 +0200)]
rust-pyo3: Update to version 0.15.1 - required for python3-cryptography
- Update from version 0.13.1 to 0.15.1
- Update of rootfile
- Changelog is too long to include here. For details see CHANGELOG.md file in source
tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 17 Jun 2022 09:42:21 +0000 (11:42 +0200)]
python3-cryptography: Update to version 36.0.2
- Update from version 3.4.7 to 36.0.2
After version 3.4.8 the numbering scheme changed to 35.0.0 in Sept 2021
See Chanelog section 35.0.0 below
- New release requires a lot of rust packages - see Changelog sections 35.0.0 & 36.0.0
below. The required rust packages are installed in separate patches in this series
- Update of rootfile
- Changelog
36.0.2 - 2022-03-15¶
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1n.
36.0.1 - 2021-12-14¶
Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 1.1.1m.
36.0.0 - 2021-11-21¶
FINAL DEPRECATION Support for verifier and signer on our asymmetric key
classes was deprecated in version 2.0. These functions had an extended
deprecation due to usage, however the next version of cryptography will drop
support. Users should migrate to sign and verify.
The entire X.509 layer is now written in Rust. This allows alternate
asymmetric key implementations that can support cloud key management
services or hardware security modules provided they implement the necessary
interface (for example: EllipticCurvePrivateKey).
Deprecated the backend argument for all functions.
Added support for AESOCB3.
Added support for iterating over arbitrary request attributes.
Deprecated the get_attribute_for_oid method on CertificateSigningRequest in
favor of get_attribute_for_oid() on the new Attributes object.
Fixed handling of PEM files to allow loading when certificate and key are in
the same file.
Fixed parsing of CertificatePolicies extensions containing legacy BMPString
values in their explicitText.
Allow parsing of negative serial numbers in certificates. Negative serial
numbers are prohibited by RFC 5280 so a deprecation warning will be raised
whenever they are encountered. A future version of cryptography will drop
support for parsing them.
Added support for parsing PKCS12 files with friendly names for all
certificates with load_pkcs12(), which will return an object of type
PKCS12KeyAndCertificates.
rfc4514_string() and related methods now have an optional attr_name_overrides
parameter to supply custom OID to name mappings, which can be used to match
vendor-specific extensions.
BACKWARDS INCOMPATIBLE: Reverted the nonstandard formatting of email address
fields as E in rfc4514_string() methods from version 35.0.
The previous behavior can be restored with:
name.rfc4514_string({NameOID.EMAIL_ADDRESS: "E"})
Allow X25519PublicKey and X448PublicKey to be used as public keys when
parsing certificates or creating them with CertificateBuilder. These key
types must be signed with a different signing algorithm as X25519 and X448
do not support signing.
Extension values can now be serialized to a DER byte string by calling
public_bytes().
Added experimental support for compiling against BoringSSL. As BoringSSL
does not commit to a stable API, cryptography tests against the latest
commit only. Please note that several features are not available when
building against BoringSSL.
Parsing CertificateSigningRequest from DER and PEM now, for a limited time
period, allows the Extension critical field to be incorrectly encoded. See
the issue for complete details. This will be reverted in a future
cryptography release.
When OCSPNonce are parsed and generated their value is now correctly wrapped
in an ASN.1 OCTET STRING. This conforms to RFC 6960 but conflicts with the
original behavior specified in RFC 2560. For a temporary period for
backwards compatibility, we will also parse values that are encoded as
specified in RFC 2560 but this behavior will be removed in a future release.
35.0.0 - 2021-09-29¶
Changed the version scheme. This will result in us incrementing the major
version more frequently, but does not change our existing backwards
compatibility policy.
BACKWARDS INCOMPATIBLE: The X.509 PEM parsers now require that the PEM
string passed have PEM delimiters of the correct type. For example, parsing
a private key PEM concatenated with a certificate PEM will no longer be
accepted by the PEM certificate parser.
BACKWARDS INCOMPATIBLE: The X.509 certificate parser no longer allows
negative serial numbers. RFC 5280 has always prohibited these.
BACKWARDS INCOMPATIBLE: Additional forms of invalid ASN.1 found during X.509
parsing will raise an error on initial parse rather than when the malformed
field is accessed.
Rust is now required for building cryptography, the
CRYPTOGRAPHY_DONT_BUILD_RUST environment variable is no longer respected.
Parsers for X.509 no longer use OpenSSL and have been rewritten in Rust.
This should be backwards compatible (modulo the items listed above) and
improve both security and performance.
Added support for OpenSSL 3.0.0 as a compilation target.
Added support for SM3 and SM4, when using OpenSSL 1.1.1. These algorithms
are provided for compatibility in regions where they may be required, and
are not generally recommended.
We now ship manylinux_2_24 and musllinux_1_1 wheels, in addition to our
manylinux2010 and manylinux2014 wheels. Users on distributions like Alpine
Linux should ensure they upgrade to the latest pip to correctly receive
wheels.
Added rfc4514_attribute_name attribute to x509.NameAttribute.
Added KBKDFCMAC.
3.4.8 - 2021-08-24¶
Updated Windows, macOS, and manylinux wheels to be compiled with
OpenSSL 1.1.1l.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 22 Jun 2022 07:10:59 +0000 (09:10 +0200)]
sudo: Update to version 1.9.11p3
- Update from version 1.9.10 to 1.9.11p3
- Update of rootfile required
- Changelog
What's new in Sudo 1.9.11p3
* Fixed "connection reset" errors on AIX when running shell scripts
with the "intercept" or "log_subcmds" sudoers options enabled.
Bug #1034.
* Fixed very slow execution of shell scripts when the "intercept"
or "log_subcmds" sudoers options are set on systems that enable
Nagle's algorithm on the loopback device, such as AIX.
Bug #1034.
What's new in Sudo 1.9.11p2
* Fixed a compilation error on Linux/x86_64 with the x32 ABI.
* Fixed a regression introduced in 1.9.11p1 that caused a warning
when logging to sudo_logsrvd if the command returned no output.
What's new in Sudo 1.9.11p1
* Correctly handle EAGAIN in the I/O read/right events. This fixes
a hang seen on some systems when piping a large amount of data
through sudo, such as via rsync. Bug #963.
* Changes to avoid implementation or unspecified behavior when
bit shifting signed values in the protobuf library.
* Fixed a compilation error on Linux/aarch64.
* Fixed the configure check for seccomp(2) support on Linux.
* Corrected the EBNF specification for tags in the sudoers manual
page. GitHub issue #153.
What's new in Sudo 1.9.11
* Fixed a crash in the Python module with Python 3.9.10 on some
systems. Additionally, "make check" now passes for Python 3.9.10.
* Error messages sent via email now include more details, including
the file name and the line number and column of the error.
Multiple errors are sent in a single message. Previously, only
the first error was included.
* Fixed logging of parse errors in JSON format. Previously,
the JSON logger would not write entries unless the command and
runuser were set. These may not be known at the time a parse
error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice
the value of LINE_MAX on systems that lack the getdelim() function.
* The tests run by "make check" now unset the LANGUAGE environment
variable. Otherwise, localization strings will not match if
LANGUAGE is set to a non-English locale. Bug #1025.
* The "starttime" test now passed when run under Debian faketime.
Bug #1026.
* The Kerberos authentication module now honors the custom password
prompt if one has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
in the header files (currently only GNU libc). This is required
to allow the use of 64-bit time values on some 32-bit systems.
* Sudo's "intercept" and "log_subcmds" options no longer force the
command to run in its own pseudo-terminal. It is now also
possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode
where the commit point messages sent by the server were incorrect
if the command was suspended or received a window size change
event.
* Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
configuration setting was used.
* The "intercept" and "log_subcmds" functionality can now use
ptrace(2) on Linux systems that support seccomp(2) filtering.
This has the advantage of working for both static and dynamic
binaries and can work with sudo's SELinux RBAC mode. The following
architectures are currently supported: i386, x86_64, aarch64,
arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
default is to use ptrace(2) where possible; the new "intercept_type"
sudoers setting can be used to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where
the execve(2) wrapper was using the current environment instead
of the passed environment pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now
specify an APPARMOR_PROFILE option to run a command confined by
the named AppArmor profile.
* Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
Non-paths were being treated as paths and an actual path was
treated as an error.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Tue, 21 Jun 2022 18:52:24 +0000 (20:52 +0200)]
xfsprogs: Update to version 5.18.0
- Update from version 5.16.0 to 5.18.0
- Update of rootfile not required
- Changelog
Release v5.18.0
xfsprogs: more autoconf modernisation
Release v5.18.0-rc1
mkfs: Fix memory leak
xfsprogs: autoconf modernisation
xfs_io: add a quiet option to bulkstat
metadump: be careful zeroing corrupt inode forks
metadump: handle corruption errors without aborting
xfs_db: take BB cluster offset into account when using 'type' cmd
xfs_scrub: don't revisit scanned inodes when reprocessing a stale inode
xfs_scrub: balance inode chunk scan across CPUs
xfs_scrub: prepare phase3 for per-inogrp worker threads
xfs_scrub: widen action list length variables
xfs_scrub: in phase 3, use the opened file descriptor for repair calls
xfs_scrub: make phase 4 go straight to fstrim if nothing to fix
xfs_scrub: don't try any file repairs during phase 3 if AG metadata bad
xfs_scrub: fall back to scrub-by-handle if opening handles fails
xfs_scrub: in phase 3, use the opened file descriptor for scrub calls
xfs_scrub: collapse trivial file scrub helpers
xfs_repair: check the ftype of dot and dotdot directory entries
xfs_repair: improve error reporting when checking rmap and refcount btrees
xfs_repair: detect v5 featureset mismatches in secondary supers
mkfs: don't trample the gid set in the protofile
mkfs: round log size down if rounding log start up causes overflow
mkfs: improve log extent validation
mkfs: don't let internal logs bump the root dir inode chunk to AG 1
mkfs: reduce internal log size when log stripe units are in play
mkfs: fix missing validation of -l size against maximum internal log size
xfs_repair: fix sizing of the incore rt space usage map calculation
xfs_db: report absolute maxlevels for each btree type
xfs_db: support computing btheight for all cursor types
xfs_repair: warn about suspicious btree levels in AG headers
xfs_db: warn about suspicious finobt trees when metadumping
xfs: note the removal of XFS_IOC_FSSETDM in the documentation
xfs_db: fix a complaint about a printf buffer overrun
xfs_scrub: move to mallinfo2 when available
debian: support multiarch for libhandle
debian: bump compat level to 11
debian: refactor common options
Release v5.18.0-rc0
mm/fs: delete PF_SWAPWRITElibxfs-5.18-sync
xfs: document the XFS_ALLOC_AGFL_RESERVE constant
xfs: constify xfs_name_dotdot
xfs: constify the name argument to various directory functions
xfs: remove the XFS_IOC_{ALLOC,FREE}SP* definitions
xfs: remove the XFS_IOC_FSSETDM definitions
xfs: pass the mapping flags to xfs_bmbt_to_iomap
Release v5.16.0
libxfs: remove kernel stubs from xfs_shared.h
debian: Generate .gitcensus instead of .census (Closes: #999743)
Release v5.16.0-rc0
xfs: Fix the free logic of state in xfs_attr_node_hasname
xfs: #ifdef out perag code for userspace
xfs: use swap() to make dabtree code cleaner
xfs: remove unused parameter from refcount code
xfs: reduce the size of struct xfs_extent_free_item
xfs: rename xfs_bmap_add_free to xfs_free_extent_later
xfs: create slab caches for frequently-used deferred items
xfs: compact deferred intent item structures
xfs: rename _zone variables to _cache
xfs: remove kmem_zone typedef
xfs: use separate btree cursor cache for each btree type
xfs: compute absolute maximum nlevels for each btree type
xfs: kill XFS_BTREE_MAXLEVELS
xfs_repair: stop using XFS_BTREE_MAXLEVELS
xfs_db: stop using XFS_BTREE_MAXLEVELS
xfs: compute the maximum height of the rmap btree when reflink enabled
xfs: clean up xfs_btree_{calc_size,compute_maxlevels}
xfs: compute maximum AG btree height for critical reservation calculation
xfs: rename m_ag_maxlevels to m_allocbt_maxlevels
xfs: dynamically allocate cursors based on maxlevels
xfs: encode the max btree height in the cursor
xfs: refactor btree cursor allocation function
xfs: rearrange xfs_btree_cur fields for better packing
xfs: prepare xfs_btree_cur for dynamic cursor heights
xfs: reduce the size of nr_ops for refcount btree cursors
xfs: remove xfs_btree_cur.bc_blocklog
xfs: fix perag reference leak on iteration race with growfs
xfs: terminate perag iteration reliably on agcount
xfs: rename the next_agno perag iteration variable
xfs: fold perag loop iteration logic into helper function
xfs: remove the xfs_dqblk_t typedef
xfs: remove the xfs_dsb_t typedef
xfs: remove the xfs_dinode_t typedef
xfs: check that bc_nlevels never overflows
xfs: remove xfs_btree_cur_t typedef
xfs: fix maxlevels comparisons in the btree staging code
xfs: port the defer ops capture and continue to resource capture
xfs: formalize the process of holding onto resources across a defer roll
xfs: use kmem_cache_free() for kmem_cache objects
xfs_repair: fix AG header btree level comparisons
xfs_db: fix metadump level comparisons
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 24 Jun 2022 21:58:57 +0000 (23:58 +0200)]
general-functions.pl: Fix for bug #12865 - Static IP address pools - Add network - Name wit>
- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are
not supposed to have spaces
- This resulted in spaces no longer being allowed for the Static IP Address Pools names
- New subroutine created called validccdname. This allows letters, upper and lower case,
numbers, spaces and dashes
Fixes: Bug #12865 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 24 Jun 2022 21:58:56 +0000 (23:58 +0200)]
ovpnmain.cgi: Fix for bug #12865 - Static IP address pools - Add network - Name with space
- The fix for bug #12428 removed spaces from the validhostname subroutine as hostnames are
not supposed to have spaces
- This resulted in spaces no longer being allowed for the Static IP Address Pools names
- New subroutine created called validccdname in general-functions.pl
Fixes: Bug #12865 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 24 Jun 2022 12:14:26 +0000 (14:14 +0200)]
python3-msgpack: Required for build and execution of borgbackup 1.2.0
- New python module required for borgbackup. In borgbackup version 1.1.18 or 1.1.19
the old bundled msgpack in borgbackup was removed and a specified version range
of python3-msgpack required.
- This patch adds the lfs and rootfiles for this module
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 24 Jun 2022 12:14:24 +0000 (14:14 +0200)]
borgbackup: Fix bug #12884 - borgbackup 1.2.0 crashes on running any borg command
- When borgbackup was upgraded from version 1.1.17 to 1.2.0 the build was sucessfully
completed but there was no testing feedback till after full release. It turned out
that it did not successfully run.
- python3-packaging which had been installed for the build of borgbackup needed to also
be available for the execution.
- When borgbackup was upgraded to 1.2.0 it was noticed that the old python3-msgpack was
no longer needed as borgbackup used its own bundled msgpack since around version 1.1.10
What was not seen was that in version 1.1.19 or 1.1.18 the bundled version of msgpack
had been removed and that the newer version of python3-msgpack now needed to be
installed but the version number has to meet the borgbackup requirements which currently
require it to be =<1.0.3
- This patch adds the python3-packaging and python3-msgpack modules as dependencies for
borgbackup
- The egg-info files are uncommented in the rootfile so that the borgbackup metadata can
be found by python.
- The updated borgbackup build together with the python3-packaging and python3-msgpack
modules were installed into a vm system using the .ipfire packages.
Successfully initialised a borgbackup repo and ran two backups to the repo and checked
the stats for the backup. Everything ran fine.
Fixes: Bug #12884 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 22 Jun 2022 20:22:36 +0000 (22:22 +0200)]
ovpnmain.cgi: Fix for bug #12883 - separate .p12 file corrupted
- Patch https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=2feacd989823aa1dbd5844c315a9abfd49060487
from May 2021 put the variable containing the .p12 content into double quotes which
causes the contents to be treated as text whereas the .p12 file is an application file.
- Most people must be downloading the zip package of .p12, ovpn.conf and ta.key files so
the problem was not noticed till now and flagged up in the forum.
https://community.ipfire.org/t/openvpn-p12-password-on-android-problem/8127
- The problem does not occur for the .p12 file in the zip file as the downloading of the
zip file does not have the variable name in double quotes.
- Putting the zip file variable into double quotes caused the downloaded zip file to be
corrupt and not able to be opened as an archive.
- Removing the double quotes from the .p12 variable name caused the separate .p12 file
download to be able to be correctly opened.
- The same quoted variable name is used also for the cacert.pem, cert.pem, servercert.pem
and ta.key file downloads. To be consistent the same change has been applied to these.
Fixes: Bug #2883 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Jon Murphy [Fri, 27 May 2022 00:40:31 +0000 (19:40 -0500)]
Ship NTP changes
- Device time more accurate. (e.g., +/- 10 seconds per day to < 100 ms on some devices)
( I know we don't need the perfect time server )
- NTP and time will be accurate in manual mode (setting on Time Server > NTP Configuration WebGUI)
- Change NTP "prefer" server:
- The current preferred NTP server in an Undisciplined Local Clock.
- This is intended when no outside source of synchronized time is available.
- Change the "prefer" server from 127.127.1.0 to the Primary NTP server specified on
the Time Server > NTP Configuration WebGUI page.
- Change allows the drift file (located at /etc/ntp/drift) to be populated by ntpd.
- The drift file is updated about once per hour which helps correct the device time.
Peter Müller [Sun, 19 Jun 2022 09:41:05 +0000 (09:41 +0000)]
Tor: Update to 0.4.7.8
Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version
should upgrade to this version.
o Major bugfixes (congestion control, TROVE-2022-001):
- Fix a scenario where RTT estimation can become wedged, seriously
degrading congestion control performance on all circuits. This
impacts clients, onion services, and relays, and can be triggered
remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
bug 40626; bugfix on 0.4.7.5-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 17, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/06/17.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (logging):
- Demote a harmless warn log message about finding a second hop to
from warn level to info level, if we do not have enough
descriptors yet. Leave it at notice level for other cases. Fixes
bug 40603; bugfix on 0.4.7.1-alpha.
- Demote a notice log message about "Unexpected path length" to info
level. These cases seem to happen arbitrarily, and we likely will
never find all of them before the switch to arti. Fixes bug 40612;
bugfix on 0.4.7.5-alpha.
o Minor bugfixes (relay, logging):
- Demote a harmless XOFF log message to from notice level to info
level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
projects / people / stevee / ipfire-2.x.git / log
