Adolf Belka [Wed, 24 Aug 2022 07:49:04 +0000 (09:49 +0200)]
efibootmgr: Update to version 18
- Update from version 17 to 18
- Update of rootfile not required
- Changelog
bug fixes
fixed the simple run example by @Katana-Steel in #88
Restore activation error message in efibootmgr by @rbisewski in #89
Android: correct the sources list by @cwhuang in #124
remove-dupes: update error message by @raharper in #127
Fix typo in manual page by @ferivoz in #136
README: Note efivarfs as the current required kernel module by @cjmayo in #145
Fix possible read out of bounds in ucs2_to_utf8 by @dlrobertson in #147
Migrate CI by @frozencemetery in #153
Add code of conduct by @frozencemetery in #154
Fix help messages by @robert-scheck in #156
Add option for insertion location of new entries by @frozencemetery in #166
Full changelog can be found from the github repository comparing versio 17 to 18
https://github.com/rhboot/efibootmgr/compare/17...18
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 21 Aug 2022 20:01:41 +0000 (22:01 +0200)]
elfutils: Update to version 0.187
- Update from version 0.186 to 0.187
- Update of rootfile
- Changelog
0.187
* NEWS *
debuginfod: Support -C option for connection thread pooling.
debuginfod-client: Negative cache file are now zero sized instead of
no-permission files.
addr2line: The -A, --absolute option, which shows file names including
the full compilation directory is now the default. To get the
old behavior use the new option --relative.
readelf, elflint: Recognize FDO Packaging Metadata ELF notes
libdw, debuginfo-client: Load libcurl lazily only when files need to
be fetched remotely. libcurl is now never
loaded when DEBUGINFOD_URLS is unset. And when
DEBUGINFOD_URLS is set, libcurl is only loaded
when the debuginfod_begin function is called.
* GIT SHORTLOG *
debuginfod: Include "IPv4 IPv6" in server startup message
PR29022: 000-permissions files cause problems for backups
debuginfod: Use the debuginfod-size response header
debuginfod: ensure X-DEBUGINFOD-SIZE contains file size
config: simplify profile.*sh.in
debuginfod/debuginfod-client.c: use long for cache time configurations
readelf: Don't consider padding DT_NULL as dynamic section entry
debuginfod: correct concurrency bug in fdcache metrics
PR28661: debuginfo connection thread pool support
man debuginfod-client-config.7: Elaborate $DEBUGINFOD_URLS
PR28708: debuginfod: use MHD_USE_EPOLL for microhttpd threads
debuginfod: use single ipv4+ipv6 microhttpd daemon configuration
AUTHORS: Use generator script & git mailmap
libebl: recognize FDO Packaging Metadata ELF note
tests: Don't set DEBUGINFOD_TIMEOUT
tests: Add -rdynamic to dwfl_proc_attach_LDFLAGS
debuginfod: Use gmtime_r instead of gmtime to avoid data race
debuginfod: sqlite3_sharedprefix_fn should not compare past end of string
debuginfod: Fix some memory leaks on debuginfod-client error paths.
debuginfod: Clear and reset debuginfod_client winning_headers on reuse
libdwfl: Don't read beyond end of file in dwfl_segment_report_module
debuginfod: Check result of calling MHD_add_response_header.
readelf: Workaround stringop-truncation error
tests: varlocs workaround format-overflow errors
debuginfod: Fix debuginfod_pool leak
configure: Add --enable-sanitize-address
debuginfod: Don't format clog using 'right' or 'setw(20)'.
libdwfl: Don't try to convert too many bytes in dwfl_link_map_report
libdwfl: Make sure we know the phdr entry size before searching phdrs.
libdwfl: Don't trust e_shentsize in dwfl_segment_report_module
libdwfl: Don't install an Elf handle in a Dwfl_Module twice
libdwfl: Don't try to convert too many dyns in dwfl_link_map_report
libdwfl: Don't allocate more than SIZE_MAX in dwfl_segment_report_module.
libelf: Use offsetof to get field of unaligned
libdwfl: Make sure phent is sane and there is at least one phdr
libdwfl: Add overflow check while iterating in dwfl_segment_report_module
tests: Use /bin/sh instead of /bin/ls as always there binary
libdwfl: Make sure there is at least one dynamic entry
libdwfl: Make sure there is at least one phdr
libdwfl: Make sure note data is properly aligned.
libdwfl: Make dwfl_segment_report_module aware of maximum Elf size
libdwfl: Make sure the note len increases each iteration
libelf: Only set shdr state when there is at least one shdr
libdwfl: Make sure that ph_buffer_size has room for at least one phdr
libdwfl: Make sure dyn_filesz has a sane size
libdwfl: Rewrite GElf_Nhdr reading in dwfl_segment_report_module
libdwfl: Handle unaligned Ehdr in dwfl_segment_report_module
libdwfl: Handle unaligned Phdr in dwfl_segment_report_module
libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module
libdwfl: Always clean up build_id.memory
libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least minread
libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
libdwfl: Fix overflow check in link_map.c read_addrs
libdwfl: Handle unaligned Dyns in dwfl_segment_report_module
libdwfl: Declare possible zero sized arrays only when non-zero
backends: Use PTRACE_GETREGSET for ppc_set_initial_registers_tid
configure: Test for _FORTIFY_SOURCE=3 support.
addr2line: Make --absolute the default, add --relative option.
configure: Use AS_HELP_STRING instead of AC_HELP_STRING.
libelf: Take map offset into account for Shdr alignment check in elf_begin
libelf: Make sure ar_size starts with a digit before calling atol.
libelf: Check alignment of Verdef, Verdaux, Verneed and Vernaux offsets
libdwfl: Close ar members when they cannot be processed.
libdwfl: Use memcpy to assign image header field values
libelf: Don't overflow offsets in elf_cvt_Verneed and elf_cvt_Verdef
libelf: Correct alignment of ELF_T_GNUHASH data for ELFCLASS64
tests: Check addsections test binary is 64bit for run-large-elf-file.sh
configure: Don't check whether -m64 works for 32bit host biarch check
libelf: Sync elf.h from glibc.
elflint: Recognize NT_FDO_PACKAGING_METADATA
Introduce error_exit as a noreturn variant of error (EXIT_FAILURE, ...)
libelf: Also copy/convert partial datastructures in xlate functions
libelf: Return already gotten Elf_Data from elf_getdata_rawchunk
config: Add versioned requires on libs/libelf for debuginfod-client
libdw: Add DWARF5 package file section identifiers, DW_SECT_*
tests: Don't try to corrupt sqlite database during test.
libdw: Remove unused atomics.h include from libdwP.h
readelf: Define dyn_mem outside the while loop.
tests: Lower parallel lookups in run-debuginfod-webapi-concurrency.sh
debuginfod: Use MHD_USE_ITC in MHD_start_daemon flags
elfclassify: Fix --no-stdin flag
libelf: Check for mremap, elf_update needs it for ELF_C_RDWR_MMAP
debuginfod, libdwfl: Initialize libcurl and dlopen debuginfod-client lazily
dwfl: fix potential overflow when reporting on kernel modules
debuginfod: fix compilation on platforms without <error.h>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:50:34 +0000 (09:50 +0200)]
libarchive: Update to version 3.6.1
- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- Changelog
Libarchive 3.6.1 is a bugfix and security release.
Security fixes:
7zip reader: fix PPMD read beyond boundary (#1671)
ZIP reader: fix possible out of bounds read (OSS-Fuzz 38766 #1672)
ISO reader: fix possible heap buffer overflow in read_children() (OSS-Fuzz 38764, #1685)
RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0)
fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50)
fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77)
fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:51:01 +0000 (09:51 +0200)]
openvpn: Update to version 2.5.7
- Update from version 2.5.6 to 2.5.7
- Update of rootfile not required
- Changelog
2.5.7. This is mostly a bugfix release, but adds limited support for OpenSSL 3.0. Full
support will arrive in OpenVPN 2.6.
networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
networking_iproute2: don't pass M_WARN to openvpn_execve_check()
t_net.sh: delete dummy iface using iproute command
auth-pam.c: add missing include limits.h
Add insecure tls-cert-profile options
Refactor early initialisation and uninitialisation into methods
Allow loading of non default providers
Add ubuntu 22.04 to Github Actions
Add macos OpenSSL 3.0 and ASAN builds
Add --with-openssl-engine autoconf option (auto|yes|no)
Fix allowing/showing unsupported ciphers and digests
Remove dependency on BF-CBC existance from test_ncp
Add message when decoding PKCS12 file fails.
Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
Fix client-pending-auth error message to say ERROR instead of SUCCESS
cipher-negotiation.rst missing from doc/Makefile.am
vcpkg-ports\pkcs11-helper: shorten patch filename
msvc: adjust build options to harden binaries
vcpkg-ports: remove openssl port
vcpkg: switch to manifest
Fix M_ERRNO behavior on Windows
vcpkg-ports/pkcs11-helper: bump to release 1.29
tapctl: Resolve MSVC C4996 warnings
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3390000 to 3390200
- Update of rootfile not required
- Changelog
version 3.39.2 (2022-07-21):
Fix a performance regression in the query planner associated with rearranging
the order of FROM clause terms in the presences of a LEFT JOIN.
Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and 1345947, forum post 3607259d3c, and other minor problems discovered by internal testing.
version 3.39.1 (2022-07-13):
Fix an incorrect result from a query that uses a view that contains a
compound SELECT in which only one arm contains a RIGHT JOIN and where the
view is not the first FROM clause term of the query that contains the view.
forum post 174afeae5734d42d.
Fix some harmless compiler warnings.
Fix a long-standing problem with ALTER TABLE RENAME that can only arise if
the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set to a very small value.
Fix a long-standing problem in FTS3 that can only arise when compiled with
the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time option.
Fix the build so that is works when the SQLITE_DEBUG and
SQLITE_OMIT_WINDOWFUNC compile-time options are both provided at the same time.
Fix the initial-prefix optimization for the REGEXP extension so that it works
correctly even if the prefix contains characters that require a 3-byte UTF8
encoding.
Enhance the sqlite_stmt virtual table so that it buffers all of its output.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Matthias Fischer [Sat, 27 Aug 2022 07:02:00 +0000 (09:02 +0200)]
bind: Update to 9.16.32
For details see:
https://downloads.isc.org/isc/bind9/9.16.32/doc/arm/html/notes.html#notes-for-bind-9-16-32
Excerpt from changelog:
"5934. [func] Improve fetches-per-zone fetch limit logging to log
the final allowed and spilled values of the fetch
counters before the counter object gets destroyed.
[GL #3461]
5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in
named on Fedorda 33, Oracle Linux 9 and RHEL9 when
they are disabled by the security policy. [GL #3469]
5932. [bug] Fix rndc dumpdb -expired and always include expired
RRsets, not just for RBTDB_VIRTUAL time window.
[GL #3462]
5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was
not fully effective; it was used for timing key
rollovers but did not actually place an upper limit
on TTLs when loading a zone. This has been
corrected, and the documentation has been clarified
to indicate that the old "max-zone-ttl" zone option
is now ignored when "dnssec-policy" is in use.
[GL #2918]
5924. [func] When it's necessary to use AXFR to respond to an
IXFR request, a message explaining the reason
is now logged at level info. [GL #2683]
5923. [bug] Fix inheritance for dnssec-policy when checking for
inline-signing. [GL #3438]
5922. [bug] Forwarding of UPDATE message could fail with the
introduction of netmgr. This has been fixed. [GL #3389]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 21 Aug 2022 20:01:56 +0000 (22:01 +0200)]
udev: Update to version 3.2.11
- Update from version 3.2.6 to 3.2.11
- Update of rootfile
- Changelog
Release 3.2.11 Latest
add actions workflows to check compilation on glibc and musl (devuan, alpine) by @ArsenArsen in #206
Add build instructions by @slicer69 in #207
src/libudev/conf-files.c: fix bug of using basename by @xfan1024 in #198
Permit eudev to work with rules which include escaped double-quotes by @slicer69 in #208
sync src/ata_id/ata_id.c by @bbonev in #201
sync src/v4l_id/v4l_id.c by @bbonev in #202
sync src/scsi_id/scsi_id.c by @bbonev in #203
sync src/mtd_probe/*.[ch] by @bbonev in #204
sparse: avoid clash with __bitwise and __force from 4.10 linux/types.… by @bbonev in #209
Silence deprecation warnings by @bbonev in #210
update CONTRIBUTING to reflect updated governance, clarify systemd commit hash requirements by @kaniini in #211
hashmap: don't initialize devt_hash_ops in the header by @kaniini in #212
Update to latest Devuan stable by @wwuck in #213
hwdb: sync with systemd/main by @bbonev in #215
Add getrandom(2) system call number for PowerPC by @Low-power in #216
No changelog for versions prior to 3.2.11 found. Looks like they are in nthe systemd
releases and not easily extracted.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Aug 2022 20:01:18 +0000 (22:01 +0200)]
curl: Update to version 7.84.0
- Update from version 7.83.1 to 7.84.0
- Update of rootfile
- Changelog
7.84.0 - June 27 2022
Changes:
curl: add --rate to set max request rate per time unit
curl: deprecate --random-file and --egd-file
curl_version_info: add CURL_VERSION_THREADSAFE
CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
lib: make curl_global_init() threadsafe when possible
libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
opts: deprecate RANDOM_FILE and EGDSOCKET
socks: support unix sockets for socks proxy
Bugfixes:
aws-sigv4: fix potentional NULL pointer arithmetic
bindlocal: don't use a random port if port number would wrap
c-hyper: mark status line as status for Curl_client_write()
ci: avoid `cmake -Hpath`
CI: bump FreeBSD 13.0 to 13.1
ci: update github actions
cmake: add libpsl support
cmake: do not add libcurl.rc to the static libcurl library
cmake: enable curl.rc for all Windows targets
cmake: fix detecting libidn2
cmake: support adding a suffix to the OS value
configure: skip libidn2 detection when winidn is used
configure: use the SED value to invoke sed
configure: warn about rustls being experimental
content_encoding: return error on too many compression steps
cookie: address secure domain overlay
cookie: apply limits
copyright.pl: parse and use .reuse/dep5 for skips
copyright: make repository REUSE compliant
curl.1: add a few see also --tls-max
curl.1: mention exit code zero too
curl: re-enable --no-remote-name
curl_easy_pause.3: remove explanation of progress function
curl_getdate.3: document that some illegal dates pass through
Curl_parsenetrc: don't access local pwbuf outside of scope
curl_url_set.3: clarify by default using known schemes only
CURLOPT_ALTSVC.3: document the file format
CURLOPT_FILETIME.3: fix the protocols this works with
CURLOPT_HTTPHEADER.3: improve comment in example
CURLOPT_NETRC.3: document the .netrc file format
CURLOPT_PORT.3: We discourage using this option
CURLOPT_RANGE.3: remove ranged upload advice
digest: added detection of more syntax error in server headers
digest: tolerate missing "realm"
digest: unquote realm and nonce before processing
DISABLED: disable 1021 for hyper again
docs/cmdline-opts: add copyright and license identifier to each file
docs/CONTRIBUTE.md: document the 'needs-votes' concept
docs: clarify data replacement policy for MIME API
doh: remove UNITTEST macro definition
examples/crawler.c: use the curl license
examples: remove fopen.c and rtsp.c
FAQ: Clarify Windows double quote usage
fopen: add Curl_fopen() for better overwriting of files
ftp: restore protocol state after http proxy CONNECT
ftp: when failing to do a secure GSSAPI login, fail hard
GHA/hyper: enable debug in the build
gssapi: improve handling of errors from gss_display_status
gssapi: initialize gss_buffer_desc strings
headers api: remove EXPERIMENTAL tag
http2: always debug print stream id in decimal with %u
http2: reject overly many push-promise headers
http: restore header folding behavior
hyper: use 'alt-used'
krb5: return error properly on decode errors
lib: make more protocol specific struct fields #ifdefed
libcurl-security.3: add "Secrets in memory"
libcurl-security.3: document CRLF header injection
libssh: skip the fake-close when libssh does the right thing
links: update dead links to the curl-wiki
log2changes: do not indent empty lines [ci skip]
macos9: remove partial support
Makefile.am: fix portability issues
Makefile.m32: delete obsolete options, improve -On [ci skip]
Makefile.m32: delete two obsolete OpenSSL options [ci skip]
Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
max-time.d: clarify max-time sets max transfer time
mprintf: ignore clang non-literal format string
netrc: check %USERPROFILE% as well on Windows
netrc: support quoted strings
ngtcp2: allow curl to send larger UDP datagrams
ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
ngtcp2: enable Linux GSO
ngtcp2: extend QUIC transport parameters buffer
ngtcp2: fix alert_read_func return value
ngtcp2: fix typo in preprocessor condition
ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
ngtcp2: send appropriate connection close error code
ngtcp2: support boringssl crypto backend
ngtcp2: use helper funcs to simplify TLS handshake integration
ntlm: provide a fixed fake host name
projects: fix third-party SSL library build paths for Visual Studio
quic: add Curl_quic_idle
quiche: support ca-fallback
rand: stop detecting /dev/urandom in cross-builds
remote-name.d: mention --output-dir
runtests.pl: add the --repeat parameter to the --help output
runtests: fix skipping tests not done event-based
runtests: skip starting the ssh server if user name is lacking
scripts/copyright.pl: fix the exclusion to not ignore man pages
sectransp: check for a function defined when __BLOCKS__ is undefined
select: return error from "lethal" poll/select errors
server/sws: support spaces in the HTTP request path
speed-limit/time.d: mention these affect transfers in either direction
strcase: some optimisations
test 2081: add a valid reply for the second request
test 675: add missing CR so the test passes when run through Privoxy
test414: add the '--resolve' keyword
test681: verify --no-remote-name
tests 266, 116 and 1540: add a small write delay
tests/data/test1501: kill ftp server after slow LIST response
tests/getpart: fix getpartattr to work with "data" and "data2"
tests/server/sws.c: change the HTTP writedelay unit to milliseconds
test{440,441,493,977}: add "HTTP proxy" keywords
tool_getparam: fix --parallel-max maximum value constraint
tool_operate: make sure --fail-with-body works with --retry
transfer: fix potential NULL pointer dereference
transfer: maintain --path-as-is after redirects
transfer: upload performance; avoid tiny send
url: free old conn better on reuse
url: remove redundant #ifdefs in allocate_conn()
url: URL encode the path when extracted, if spaces were set
urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
urlapi: support CURLU_URLENCODE for curl_url_get()
urldata: reduce size of a few struct fields
urldata: remove three unused booleans from struct UserDefined
urldata: store tcp_keepidle and tcp_keepintvl as ints
version: allow stricmp() for sorting the feature list
vtls: make curl_global_sslset thread-safe
wolfssh.h: removed
wolfssl: correct the failf() message when a handle can't be made
wolfSSL: explicitly use compatibility layer
x509asn1: mark msnprintf return as unchecked
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Michael Tremer [Tue, 6 Sep 2022 12:15:54 +0000 (14:15 +0200)]
proxy.cgi: Correctly validate domain lists
Fixes: #12925 - JVN#15411362 Inquiry on vulnerability found in IPFire Reported-by: Noriko Totsuka <vuls@jpcert.or.jp> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 6 Sep 2022 11:58:22 +0000 (13:58 +0200)]
mail.cgi: Validate email recipient
The email recipient was not correctly validated which allowed for some
stored cross-site scripting vulnerability.
Fixes: #12925 - JVN#15411362 Inquiry on vulnerability found in IPFire Reported-by: Noriko Totsuka <vuls@jpcert.or.jp> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 1 Sep 2022 20:30:18 +0000 (20:30 +0000)]
configroot: Create "settings" and "modify" files for ipblocklist
The third version of this patch conducts the necessary changes in
configroot. Previously, they took place in ipblocklist itself, which
would have caused user settings to be overwritten, should ipblocklist be
shipped in future Core Updates.
Fixes: #12917 Cc: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>