Adolf Belka [Thu, 31 Aug 2023 11:01:08 +0000 (13:01 +0200)]
xinetd: Update to version 2.3.15.4
- This is the v2 version of this patch with the locations for the sysconf and binaries
corrected so that all files are in the same locations as they were with version 2.3.15.
Added sysconfdir and bindir to the configure options to achieve this.
- Update from version 2.3.15 (2012) to 2.3.15.4 (2018)
- Update of rootfile.
- The original site for xinetd is no longer accessible.
- Version 2.3.15 was the last version from https://github.com/xinetd-org/xinetd
OpenSUSE have forked the repo and have provided 2.3.15.3 and 2.3.15.4 to collect a range
of patches together from openSUSE, Debian, Fedora, Gentoo etc.
Last bug fix was done on this github repo in Sep 2022 and the last commit in Oct 2022.
- This is as up to date as there is currently available.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:40 +0000 (16:17 +0200)]
whois: Update to version 5.5.18
- Update from version 5.5.17 to 5.5.18
- Update of rootfile not required.
- Changelog
5.5.18
* Updated the .ga TLD server. (Closes: #1037288)
* Added new recovered IPv4 allocations.
* Removed the delegation of 43.0.0.0/8 to JPNIC.
* Removed 12 new gTLDs which are no longer active.
* Improved the man page source, courtesy of Bjarni Ingi Gislason.
(Closes: #1040613)
* Added the .edu.za SLD server.
* Updated the .alt.za SLD server.
* Added the -ru and -su NIC handles servers.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:38 +0000 (16:17 +0200)]
tzdata: Update to version 2023c
- Update from version 2023b to 2023c
- Update of rootfile not required.
- Changelog
Release 2023c - 2023-03-28 12:42:14 -0700
Changes to past and future timestamps
Model Lebanon's DST chaos by reverting data to tzdb 2023a.
(Thanks to Rany Hany for the heads-up.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:37 +0000 (16:17 +0200)]
tshark: Update to version 4.0.8
- Update from version 3.6.3 to 4.0.8 covering 22 releases.
- Update of rootfile
- Ran find-dependencies due to sobump. Everything is linked to tshark files. No additional
bumping required.
- Changelog is too large to cover with 22 releases. For details see the release notes
page on the website - https://www.wireshark.org/docs/relnotes/
4.0.8 Four vulnerabilities fixed.
4.0.7 Two vulnerabilities fixed.
4.0.6 Nine vulnerabilities fixed.
4.0.5 Three vulnerabilities fixed.
4.0.4 One vulnerability fixed.
4.0.3 Seven vulnerabilities fixed.
Didn't check anymore. Based on above this package definitely needs to be regularly
updated as it is obviously susceptible to vulnerabilities.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:36 +0000 (16:17 +0200)]
transmission: Update to version 4.0.4
- Update from version 4.0.3 to 4.0.4
- Update of rootfile not required.
- Changelog
Transmission 4.0.4
This is a bugfix-only release. Everyone's feedback on 4.0.x has been very helpful -- thanks for all the suggestions, bug reports, and pull requests!
What's New in 4.0.4
All Platforms
* Fixed bug in sending torrent metadata to peers. ([#5460](https://github.com/transmission/transmission/pull/5460))
* Avoid unnecessary heap memory allocations. ([#5520](https://github.com/transmission/transmission/pull/5520), [#5527](https://github.com/transmission/transmission/pull/5527))
* Fixed filename collision edge case when renaming files. ([#5563](https://github.com/transmission/transmission/pull/5563))
* Fixed locale errors that broke number rounding when displaying statistics, e.g. upload / download ratios. ([#5587](https://github.com/transmission/transmission/pull/5587))
* Always use a fixed-length key query in tracker announces. This isn't required by the [spec](https://www.bittorrent.org/beps/bep_0007.html), but some trackers rely on that fixed length because it's common practice by other BitTorrent clients. ([#5652](https://github.com/transmission/transmission/pull/5652))
* Fixed potential Windows crash when [getstdhandle()](https://learn.microsoft.com/en-us/windows/console/getstdhandle) returns `NULL`. ([#5675](https://github.com/transmission/transmission/pull/5675))
* Fixed `4.0.0` bug where the port numbers in LDP announces are sometimes malformed. ([#5825](https://github.com/transmission/transmission/pull/5825))
* Fixed a bug that prevented editing the query part of a tracker URL. ([#5871](https://github.com/transmission/transmission/pull/5871))
* Fixed a bug where Transmission may not announce LPD on its listening interface. ([#5896](https://github.com/transmission/transmission/pull/5896))
* Made small performance improvements in libtransmission. ([#5715](https://github.com/transmission/transmission/pull/5715))
macOS Client
* Updated code that had been using deprecated API. ([#5633](https://github.com/transmission/transmission/pull/5633))
Qt Client
* Fixed torrent name rendering when showing magnet links in compact view. ([#5491](https://github.com/transmission/transmission/pull/5491))
* Fixed bug that broke the "Move torrent file to trash" setting. ([#5505](https://github.com/transmission/transmission/pull/5505))
* Fixed Qt 6.4 deprecation warning. ([#5552](https://github.com/transmission/transmission/pull/5552))
* Fixed poor resolution of Qt application icon. ([#5570](https://github.com/transmission/transmission/pull/5570))
GTK Client
* Fixed missing 'Remove torrent' tooltip. ([#5777](https://github.com/transmission/transmission/pull/5777))
Web Client
* Don't show `null` as a tier name in the inspector's tier list. ([#5462](https://github.com/transmission/transmission/pull/5462))
* Fixed truncated play / pause icons. ([#5771](https://github.com/transmission/transmission/pull/5771))
* Fixed overflow when rendering peer lists and made speed indicators honor `prefers-color-scheme` media queries. ([#5814](https://github.com/transmission/transmission/pull/5814))
* Made the main menu accessible even on smaller displays. ([#5827](https://github.com/transmission/transmission/pull/5827))
transmission-cli
* Fixed "no such file or directory" warning when adding a magnet link. ([#5426](https://github.com/transmission/transmission/pull/5426))
* Fixed bug that caused the wrong decimal separator to be used in some locales. ([#5444](https://github.com/transmission/transmission/pull/5444))
transmission-remote
* Fixed display bug that failed to show some torrent labels. ([#5572](https://github.com/transmission/transmission/pull/5572))
Everything Else
* Ran all PNG files through lossless compressors to make them smaller. ([#5586](https://github.com/transmission/transmission/pull/5586))
* Fixed potential build issue when compiling on macOS with gcc. ([#5632](https://github.com/transmission/transmission/pull/5632))
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:35 +0000 (16:17 +0200)]
traceroute: Update to version 2.1.2
- Update from version 2.1.0 to 2.1.2
- Update of rootfile not required.
- Updated ipfire traceroute patch.
- Changelog
2.1.2
* Fix unprivileged ICMP tracerouting with Linux kernel >= 6.1
(Eric Dumazet, SF bug #14)
2.1.1
* Interpret ipv4-mapped ipv6 addresses (::ffff:A.B.C.D) as true ipv4.
There are no ipv4-mapped addresses in the real network which we
operate on, so use just ipv4 in such cases, but allow users
to specify it this way for convenience.
* Return back more robust poll(2) loop handling.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:34 +0000 (16:17 +0200)]
tor: Update to version 0.4.8.4
- Update from version 0.4.7.14 to 0.4.8.4
- Update of rootfile not required.
- Changelog
Changes in version 0.4.8.4 - 2023-08-23
Finally, this is the very first stable release of the 0.4.8.x series making,
among other features, Proof-of-Work (prop#327) and Conflux (prop#329)
available to the entire network. Several new features and a lot of bugfixes
detailed below.
o Major feature (denial of service):
- Extend DoS protection to partially opened channels and known relays.
Because re-entry is not allowed anymore, we can apply DoS protections
onto known IP namely relays. Fixes bug 40821; bugfix on 0.3.5.1-alpha.
o Major features (onion service, proof-of-work):
- Implement proposal 327 (Proof-Of-Work). This is aimed at thwarting
introduction flooding DoS attacks by introducing a dynamic Proof-Of-Work
protocol that occurs over introduction circuits. This introduces several
torrc options prefixed with "HiddenServicePoW" in order to control this
feature. By default, this is disabled. Closes ticket 40634.
o Major features (conflux):
- Implement Proposal 329 (conflux traffic splitting). Conflux splits
traffic across two circuits to Exits that support the protocol. These
circuits are pre-built only, which means that if the pre-built conflux
pool runs out, regular circuits will then be used. When using conflux
circuit pairs, clients choose the lower-latency circuit to send data to
the Exit. When the Exit sends data to the client, it maximizes
throughput, by fully utilizing both circuits in a multiplexed fashion.
Alternatively, clients can request that the Exit optimize for latency
when transmitting to them, by setting the torrc option 'ConfluxClientUX
latency'. Onion services are not currently supported, but will be in
arti. Many other future optimizations will also be possible using this
protocol. Closes ticket 40593.
o Major features (dirauth):
- Directory authorities and relays now interact properly with directory
authorities if they change addresses. In the past, they would continue to
upload votes, signatures, descriptors, etc to the hard-coded address in
the configuration. Now, if the directory authority is listed in the
consensus at a different address, they will direct queries to this new
address. Implements ticket 40705.
o Major bugfixes (conflux):
- Fix a relay-side crash caused by side effects of the fix for bug
40827. Reverts part of that fix that caused the crash and adds additional
log messages to help find the root cause. Fixes bug 40834; bugfix on
0.4.8.3-rc.
o Major bugfixes (conflux):
- Fix a relay-side assert crash caused by attempts to use a conflux circuit
between circuit close and free, such that no legs were on the conflux
set. Fixed by nulling out the stream's circuit back-pointer when the
last leg is removed. Additional checks and log messages have been added
to detect other cases. Fixes bug 40827; bugfix on 0.4.8.1-alpha.
o Major bugfixes (proof of work, onion service, hashx):
- Fix a very rare buffer overflow in hashx, specific to the dynamic
compiler on aarch64 platforms. Fixes bug 40833; bugfix on 0.4.8.2-alpha.
o Major bugfixes (vanguards):
- Rotate to a new L2 vanguard whenever an existing one loses the Stable or
Fast flag. Previously, we would leave these relays in the L2 vanguard
list but never use them, and if all of our vanguards end up like this we
wouldn't have any middle nodes left to choose from so we would fail to
make onion-related circuits. Fixes bug 40805; bugfix on 0.4.7.1-alpha.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/23.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 23, 2023.
o Minor features (testing):
- All Rust code is now linted (cargo clippy) as part of GitLab CI, and
existing warnings have been fixed.
- Any unit tests written in Rust now run as part of GitLab CI.
o Minor feature (CI):
- Update CI to use Debian Bullseye for runners.
o Minor feature (client, IPv6):
- Make client able to pick IPv6 relays by default now meaning
ClientUseIPv6 option now defaults to 1. Closes ticket 40785.
o Minor feature (compilation):
- Fix returning something other than "Unknown N/A" as libc version
if we build tor on an O.S. like DragonFlyBSD, FreeBSD, OpenBSD
or NetBSD.
o Minor feature (cpuworker):
- Always use the number of threads for our CPU worker pool to the
number of core available but cap it to a minimum of 2 in case of a
single core. Fixes bug 40713; bugfix on 0.3.5.1-alpha.
o Minor feature (lzma):
- Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
o Minor feature (MetricsPort, relay):
- Expose time until online keys expires on the MetricsPort. Closes
ticket 40546.
o Minor feature (MetricsPort, relay, onion service):
- Add metrics for the relay side onion service interactions counting
seen cells. Closes ticket 40797. Patch by "friendly73".
o Minor features (directory authorities):
- Directory authorities now include their AuthDirMaxServersPerAddr
config option in the consensus parameter section of their vote.
Now external tools can better predict how they will behave.
Implements ticket 40753.
o Minor features (directory authority):
- Add a new consensus method in which the "published" times on
router entries in a microdesc consensus are all set to a
meaningless fixed date. Doing this will make the download size for
compressed microdesc consensus diffs much smaller. Part of ticket
40130; implements proposal 275.
o Minor features (network documents):
- Clients and relays no longer track the "published on" time
declared for relays in any consensus documents. When reporting
this time on the control port, they instead report a fixed date in
the future. Part of ticket 40130.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 01, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/06/01.
o Minor features (hs, metrics):
- Add tor_hs_rend_circ_build_time and tor_hs_intro_circ_build_time
histograms to measure hidden service rend/intro circuit build time
durations. Part of ticket 40757.
o Minor features (metrics):
- Add a `reason` label to the HS error metrics. Closes ticket 40758.
- Add service side metrics for REND and introduction request
failures. Closes ticket 40755.
- Add support for histograms. Part of ticket 40757.
o Minor features (pluggable transports):
- Automatically restart managed Pluggable Transport processes when
their process terminates. Resolves ticket 33669.
o Minor features (portability, compilation):
- Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5
compatibility. Fixes issue 40630; patch by Alex Xu (Hello71).
o Minor features (relay):
- Do not warn about configuration options that may expose a
non-anonymous onion service. Closes ticket 40691.
o Minor features (relays):
- Trigger OOS when bind fails with EADDRINUSE. This improves
fairness when a large number of exit connections are requested,
and properly signals exhaustion to the network. Fixes issue 40597;
patch by Alex Xu (Hello71).
o Minor features (tests):
- Avoid needless key reinitialization with OpenSSL during unit
tests, saving significant time. Patch from Alex Xu.
o Minor bugfix (hs):
- Fix compiler warnings in equix and hashx when building with clang.
Closes ticket 40800.
o Minor bugfix (FreeBSD, compilation):
- Fix compilation issue on FreeBSD by properly importing
sys/param.h. Fixes bug 40825; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (compression):
- Right after compression/decompression work is done, check for
errors. Before this, we would consider compression bomb before
that and then looking for errors leading to false positive on that
log warning. Fixes bug 40739; bugfix on 0.3.5.1-alpha. Patch
by "cypherpunks".
o Minor bugfixes (compilation):
- Fix all -Werror=enum-int-mismatch warnings. No behavior change.
Fixes bug 40824; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (protocol warn):
- Wrap a handful of cases where ProtocolWarning logs could emit IP
addresses. Fixes bug 40828; bugfix on 0.3.5.1-alpha.
o Minor bugfix (congestion control):
- Reduce the accepted range of a circuit's negotiated 'cc_sendme_inc'
to be +/- 1 from the consensus parameter value. Fixes bug 40569;
bugfix on 0.4.7.4-alpha.
- Remove unused congestion control algorithms and BDP calculation
code, now that we have settled on and fully tuned Vegas. Fixes bug
40566; bugfix on 0.4.7.4-alpha.
- Update default congestion control parameters to match consensus.
Fixes bug 40709; bugfix on 0.4.7.4-alpha.
o Minor bugfixes (compilation):
- Fix "initializer is not a constant" compilation error that
manifests itself on gcc versions < 8.1 and MSVC. Fixes bug 40773;
bugfix on 0.4.8.1-alpha
o Minor bugfixes (conflux):
- Count leg launch attempts prior to attempting to launch them. This
avoids infinite launch attempts due to internal circuit building
failures. Additionally, double-check that we have enough exits in
our consensus overall, before attempting to launch conflux sets.
Fixes bug 40811; bugfix on 0.4.8.1-alpha.
- Fix a case where we were resuming reading on edge connections that
were already marked for close. Fixes bug 40801; bugfix
on 0.4.8.1-alpha.
- Fix stream attachment order when creating conflux circuits, so
that stream attachment happens after finishing the full link
handshake, rather than upon set finalization. Fixes bug 40801;
bugfix on 0.4.8.1-alpha.
- Handle legs being closed or destroyed before computing an RTT
(resulting in warns about too many legs). Fixes bug 40810; bugfix
on 0.4.8.1-alpha.
- Remove a "BUG" warning from conflux_pick_first_leg that can be
triggered by broken or malicious clients. Fixes bug 40801; bugfix
on 0.4.8.1-alpha.
o Minor bugfixes (KIST):
- Prevent KISTSchedRunInterval from having values of 0 or 1, neither
of which work properly. Additionally, make a separate
KISTSchedRunIntervalClient parameter, so that the client and relay
KIST values can be set separately. Set the default of both to 2ms.
Fixes bug 40808; bugfix on 0.3.2.1-alpha.
o Minor bugfix (relay, logging):
- The wrong max queue cell size was used in a protocol warning
logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (logging):
- Avoid ""double-quoting"" strings in several log messages. Fixes
bug 22723; bugfix on 0.1.2.2-alpha.
- Correct a log message when cleaning microdescriptors. Fixes bug
40619; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (metrics):
- Decrement hs_intro_established_count on introduction circuit
close. Fixes bug 40751; bugfix on 0.4.7.12.
o Minor bugfixes (pluggable transports, windows):
- Remove a warning `BUG()` that could occur when attempting to
execute a non-existing pluggable transport on Windows. Fixes bug
40596; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (relay):
- Remove a "BUG" warning for an acceptable race between a circuit
close and considering that circuit active. Fixes bug 40647; bugfix
on 0.3.5.1-alpha.
- Remove a harmless "Bug" log message that can happen in
relay_addr_learn_from_dirauth() on relays during startup. Finishes
fixing bug 40231. Fixes bug 40523; bugfix on 0.4.5.4-rc.
o Minor bugfixes (sandbox):
- Allow membarrier for the sandbox. And allow rt_sigprocmask when
compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
- Fix sandbox support on AArch64 systems. More "*at" variants of
syscalls are now supported. Signed 32 bit syscall parameters are
checked more precisely, which should lead to lower likelihood of
breakages with future compiler and libc releases. Fixes bug 40599;
bugfix on 0.4.4.3-alpha.
o Minor bugfixes (state file):
- Avoid a segfault if the state file doesn't contain TotalBuildTimes
along CircuitBuildAbandonedCount being above 0. Fixes bug 40437;
bugfix on 0.3.5.1-alpha.
o Removed features:
- Remove the RendPostPeriod option. This was primarily used in
Version 2 Onion Services and after its deprecation isn't needed
anymore. Closes ticket 40431. Patch by Neel Chauhan.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:33 +0000 (16:17 +0200)]
tcl: Update to version 8.6.13
- Update from version 8.6.12 to 8.6.13
- Update of rootfile
- Changelog
Last changelog in the source tarball is from 2008.
There is no changelog on the tcl website or the tcl github repository. The only option
is the commits log - https://github.com/tcltk/tcl/commits/main
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:32 +0000 (16:17 +0200)]
foomatic: Update engine to 4.0.13 and db to 20230828
- Update foomatic-db-engine from version 4.0.9 (2013) to 4.0.13 (2018)
- Update foomatic-db from version 20131023 to 20230828
- Update of rootfile
- Changelog
foomatic-db
See the ChangeLog file in the foomatic-db source tarball. Too long to include here.
foomatic-db-engine
4.0.13.
* README, USAGE, configure.ac: Updated for release 4.0.13.
* Makefile.in: Add support for LDFLAGS variable (bug #1422).
* configure.ac: Allow user-configurable PERLPREFIX via environment
variable (Bug #1294).
4.0.12.
* README, USAGE, configure.ac: Updated for release 4.0.12.
* foomatic-ppdfile.in: Foomatic doesn't provide some offered PPD
files. Thanks to Marek Kasik for the patch (bug #1238).
* foomatic-ppd-to-xml.in: Let missing XML files be added when to a
PPD with already existing XML files new "*Product:" lines get
added.
4.0.11.
* README, USAGE, configure.ac: Updated for release 4.0.11.
* lib/Foomatic/DB.pm: Do not interpret option default values set to
"0" in PPD files as no default setting defined. Thanks to Deng
Pang from Ricoh (DengPang at rst dot ricoh dot com) for the report.
4.0.10.
* README, USAGE, configure.ac: Updated for release 4.0.10.
* foomatic-addpjloptions.in: Make foomatic-addpjloptions work with
the system's Foomatic database, too.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Sun, 27 Aug 2023 22:33:55 +0000 (00:33 +0200)]
zabbix_agentd: Update to 6.0.21 (LTS)
- Update from version 6.0.19 to 6.0.21
- Update of rootfile not required
Bugs fixed:
- ZBX-23097:
Fixed use of uninitialised value when verifying subject and issuer with
TLS
- ZBX-22871:
Fixed regular expression crash with invalid utf-8 sequences when pcre2
is used
- ZBX-23221:
Fixed memory leaks when using certificate-based encryption
- ZBX-18168:
Added regexp runtime error logging for log*[] items
Full changelogs since 6.0.19:
- https://www.zabbix.com/rn/rn6.0.20
- https://www.zabbix.com/rn/rn6.0.21
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 13:43:11 +0000 (15:43 +0200)]
wget: Update to version 1.21.4
- Update from version 1.21.3 to 1.21.4
- Update of rootfile not required
- Changelog
Noteworthy changes in release 1.21.4 (2023-05-11)
Document --retry-on-host-error in help text
Increase read buffer size to 64k. This should speed up downloads on gigabit and
faster connections
Update deprecated option '--html-extension' to '--adjust-extension' in
documentation
Update gnulib compatibility layer.
Fixes HSTS test failures on i686. (Thanks to Andreas Enge for pointing it out)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 13:43:10 +0000 (15:43 +0200)]
krb5: Update to version 1.21.2
- Update from version 1.20.1 to 1.21.2
- Update of rootfile
- Changelog
Major changes in 1.21.2 (2023-08-14)
This is a bug fix release.
* Fix double-free in KDC TGS processing [CVE-2023-39975].
Changes by ticket ID
9101 Fix double-free in KDC TGS processing
Major changes in 1.21.1 (2023-07-10)
This is a bug fix release.
* Fix potential uninitialized pointer free in kadm5 XDR parsing
[CVE-2023-36054].
Changes by ticket ID
9099 Ensure array count consistency in kadm5 RPC
Major changes in 1.21 (2023-06-05)
User experience:
* Added a credential cache type providing compatibility with the macOS
11 native credential cache.
Developer experience:
* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key from a GSS
context.
Protocol evolution:
* The KDC will no longer issue tickets with RC4 or triple-DES session
keys unless explicitly configured with the new allow_rc4 or
allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1 session
keys unless the service principal has a session_enctypes string
attribute.
* Support for PAC full KDC checksums has been added to mitigate an
S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set of supported CMS
algorithms.
Code quality:
* Removed unused code in libkrb5, libkrb5support, and the PKINIT
module.
* Modernized the KDC code for processing TGS requests, the code for
encrypting and decrypting key data, the PAC handling code, and the
GSS library packet parsing and composition code.
* Improved the test framework's detection of memory errors in daemon
processes when used with asan.
Changes by ticket ID
9052 Support macOS 11 native credential cache
9053 Make kprop work for dump files larger than 4GB
9054 Replace macros with typedefs in gssrpc types.h
9055 Use SHA-256 instead of SHA-1 for PKINIT CMS digest
9057 Omit LDFLAGS from krb5-config --libs output
9058 Add configure variable for default PKCS#11 module
9059 Use context profile for libkadm5 configuration
9066 Set reasonable supportedCMSTypes in PKINIT
9069 Update error checking for OpenSSL CMS_verify
9071 Add and use ts_interval() helper
9072 Avoid small read overrun in UTF8 normalization
9076 Use memmove() in Unicode functions
9077 Fix aclocal.m4 syntax error for autoconf 2.72
9078 Fix profile crash on memory exhaustion
9079 Fix preauth crash on memory exhaustion
9080 Fix gic_keytab crash on memory exhaustion
9082 Fix policy DB fallback error handling
9083 Fix kpropd crash with unrecognized option
9084 Add PAC full checksums
9085 Fix read overruns in SPNEGO parsing
9086 Fix possible double-free during KDB creation
9087 Fix meridian type in getdate.y
9088 Use control flow guard flag in Windows builds
9089 Add pac_privsvr_enctype string attribute
9090 Convey realm names to certauth modules
9091 Add GSS_C_INQ_ODBC_SESSION_KEY
9092 Fix maintainer-mode build for binutils 2.37
9093 Add PA-REDHAT-PASSKEY padata type
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:40 +0000 (12:17 +0200)]
zlib: Update to version 1.3
- Update from version 1.2.13 to 1.3
- Update of rootfile
- Changelog
1.3 (18 Aug 2023)
- Remove K&R function definitions and zlib2ansi
- Fix bug in deflateBound() for level 0 and memLevel 9
- Fix bug when gzungetc() is used immediately after gzopen()
- Fix bug when using gzflush() with a very small buffer
- Fix crash when gzsetparams() attempted for transparent write
- Fix test/example.c to work with FORCE_STORED
- Rewrite of zran in examples (see zran.c version history)
- Fix minizip to allow it to open an empty zip file
- Fix reading disk number start on zip64 files in minizip
- Fix logic error in minizip argument processing
- Add minizip testing to Makefile
- Read multiple bytes instead of byte-by-byte in minizip unzip.c
- Add memory sanitizer to configure (--memory)
- Various portability improvements
- Various documentation improvements
- Various spelling and typo corrections
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:39 +0000 (12:17 +0200)]
openssh: Update to version 9.4p1
- Update from version 9.3p2 to 9.4p1
- Update of rootfile not required.
- The openssh check for zlib version incorrectly identifies version 1.3 as being older
than the buggy zlib version. This bug was found on the openssh github pull request page
but merged after openssh-9.4p1 was issued. Patch implemented to fix zlib version
identification. This and the autoconf line can be removed when the next version of
openssh is released.
- Changelog
9.4p1
This release fixes a number of bugs and adds some small features.
Potentially incompatible changes
* This release removes support for older versions of libcrypto.
OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
Note that these versions are already deprecated by their upstream
vendors.
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
New features
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D which expands to
the routing domain of the connected session and %C which expands
to the addresses and port numbers for the source and destination
of the connection.
* ssh-keygen(1): increase the default work factor (rounds) for the
bcrypt KDF used to derive symmetric encryption keys for passphrase
protected key files by 50%.
Bugfixes
* ssh-agent(1): improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.
* ssh(1): make -f (fork after authentication) work correctly with
multiplexed connections, including ControlPersist. bz3589 bz3589
* ssh(1): make ConnectTimeout apply to multiplexing sockets and not
just to network connections.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.
* sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
appears before it in sshd_config. Since OpenSSH 8.7 the
AuthorizedPrincipalsCommand directive was incorrectly ignored in
this situation. bz3574
* sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
signatures. When the KRL format was originally defined, it included
support for signing of KRL objects. However, the code to sign KRLs
and verify KRL signatures was never completed in OpenSSH. This
release removes the partially-implemented code to verify KRLs.
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
KRL files.
* All: fix a number of memory leaks and unreachable/harmless integer
overflows.
* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
modules; GHPR406
* sshd(8), ssh(1): better validate CASignatureAlgorithms in
ssh_config and sshd_config. Previously this directive would accept
certificate algorithm names, but these were unusable in practice as
OpenSSH does not support CA chains. bz3577
* ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
algorithms that are valid for CA signing. Previous behaviour was
to list all signing algorithms, including certificate algorithms.
* ssh-keyscan(1): gracefully handle systems where rlimits or the
maximum number of open files is larger than INT_MAX; bz3581
* ssh-keygen(1): fix "no comment" not showing when running
`ssh-keygen -l` on multiple keys where one has a comment and other
following keys do not. bz3580
* scp(1), sftp(1): adjust ftruncate() logic to handle servers that
reorder requests. Previously, if the server reordered requests then
the resultant file would be erroneously truncated.
* ssh(1): don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was explicitly set to
"none". bz3567
* scp(1): when copying local->remote, check that the source file
exists before opening an SFTP connection to the server. Based on
GHPR#370
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:38 +0000 (12:17 +0200)]
json-c: Update to version 0.17
- Update from version 0.16 to 0.17
- Update of rootfile
- Changelog
0.17 (up to commit 077661f, 2023-08-08)
Deprecated and removed features:
* None
New features
* json_patch: add first implementation only with patch application
* Add --disable-static and --disable-dynamic options to the cmake-configure
script.
* Add -DBUILD_APPS=NO option to disable app build
* Minimum cmake version is now 3.9
Significant changes and bug fixes
* When serializing with JSON_C_TO_STRING_PRETTY set, keep the opening and
closing curly or square braces on same line for empty objects or arrays.
* Disable locale handling when targeting a uClibc system due to problems
with its duplocale() function.
* When parsing with JSON_TOKENER_STRICT set, integer overflow/underflow
now result in a json_tokener_error_parse_number. Without that flag
values are capped at INT64_MIN/UINT64_MAX.
* Fix memory leak with empty strings in json_object_set_string
* json_object_from_fd_ex: fail if file is too large (>=INT_MAX bytes)
* Add back json_number_chars, but only because it's part of the public API.
* Entirely drop mode bits from open(O_RDONLY) to avoid warnings on certain
platforms.
* Specify dependent libraries, including -lbsd, in a more consistent way so
linking against a static json-c works better
* Fix a variety of build problems and add & improve tests
* Update RFC reference to https://www.rfc-editor.org/rfc/rfc8259
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:35 +0000 (12:17 +0200)]
git: Update to version 2.42.0
- Update from version 2.41.0 to 2.42.0
- Update of rootfile not required
- Changelog is too large to include here. See the contents of
Documentation/RelNotes/2.42.0.txt in the source tar ball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3420000 to 3430000
- Update of rootfile not required.
- Changelog 3430000
Add support for Contentless-Delete FTS5 Indexes. This is a variety of FTS5
full-text search index that omits storing the content that is being indexed while
also allowing records to be deleted.
Enhancements to the date and time functions:
Added new time shift modifiers of the form ±YYYY-MM-DD HH:MM:SS.SSS.
Added the timediff() SQL function.
Added the octet_length(X) SQL function.
Added the sqlite3_stmt_explain() API.
Query planner enhancements:
Generalize the LEFT JOIN strength reduction optimization so that it works for
RIGHT and FULL JOINs as well. Rename it to OUTER JOIN strength reduction.
Enhance the theorem prover in the OUTER JOIN strength reduction optimization
so that it returns fewer false-negatives.
Enhancements to the decimal extension:
New function decimal_pow2(N) returns the N-th power of 2 for integer N between
-20000 and +20000.
New function decimal_exp(X) works like decimal(X) except that it returns the
result in exponential notation - with a "e+NN" at the end.
If X is a floating-point value, then the decimal(X) function now does a full
expansion of that value into its exact decimal equivalent.
Performance enhancements to JSON processing results in a 2x performance
improvement for some kinds of processing on large JSON strings.
New makefile target "verify-source" checks to ensure that there are no
unintentional changes in the source tree. (Works for canonical source code only
- not for precompiled amalgamation tarballs.)
Added the SQLITE_USE_SEH compile-time option that enables Structured Exception
Handling on Windows while working with the memory-mapped shm file that is part of
WAL mode processing. This option is enabled by default when building on Windows
using Makefile.msc.
The VFS for unix now assumes that the nanosleep() system call is available unless
compiled with -DHAVE_NANOSLEEP=0.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 25 Aug 2023 09:42:23 +0000 (09:42 +0000)]
pakfire: Don't give up mirror search on status code 500
The WWW library seems to report status code 500 for issues like DNS
resolving problems and connection timeouts. In that case, we won't go on
searching for another functioning mirror, which we should.
This patch removes that special break clause.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 24 Aug 2023 12:54:13 +0000 (14:54 +0200)]
mpfr: Update to version 4.2.1
- Update from version 4.2.0 to 4.2.1
- Update of rootfile
- Changelog
4.2.1
patches 1 to 12 from 4.2.0 have been built into 4.2.1
Other bugs fixed in the 4.2 branch for the MPFR 4.2.1 release:
The + and space flags were ignored on NaN and Inf. While this was loosely
documented as such (without an explicit mention of these flags), the MPFR
manual also says that the flags have the same meaning as for the standard
printf function. So this was contradictory and regarded as a bug. Behaving
like the ISO C standard should give less surprise, and this is probably
what is expected (better for alignment purpose). See discussion (only for
NaN and the + flag at that time).
Corresponding changeset in the 4.2 branch: 3761bee3c.
Huge negative exponents can trigger integer overflows in mpfr_strtofr,
meaning undefined behavior. Two bugs have been identified: 1, 2. In
practice, the consequences may be incorrect results. But for the first bug,
it has been seen that a GCC optimization makes it invisible. There are
other issues with the code for huge exponents, but it is not clear whether
the problematic cases can occur in the context of mpfr_strtofr; such
potential bugs are not fixed yet.
Corresponding changesets in the 4.2 branch: 261d3852b (tests), 06e7b6bc1
(bug fixes).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 23 Aug 2023 15:11:38 +0000 (17:11 +0200)]
mc: Update to 4.8.30
For details see:
http://midnight-commander.org/wiki/NEWS-4.8.30
Summary:
"Major changes since 4.8.29
Core
Support PCRE2 as search engine (via --with-search-engine=pcre2) (#4450)
Implement panelization buffers for both file panels (#4370)
VFS
tar: support extended headers (including long file names and sparse files) (#1952, #2201)
extfs helpers: replace "perl -w" with "use warnings" (MidnightCommander/mc#174)
extfs/patchfs: be more specific in error message (#4485)
Editor
Add syntax highlighting:
Jenkinsfiles (#4469)
B language (#4470)
Improve syntax highlighting:
ECMAScript (MidnightCommander/mc#172)
ECMAScript in TypeScript (MidnightCommander/mc#172)
use diff syntax highlighting for git commit messages (COMMIT_EDITMSG) (MidnightCommander/mc#85)
Misc
Code cleanup (#4426, #4438)
Filehighlight:
recognize vsix files as zip files (MidnightCommander/mc#171)
Skin updates:
julia256 (#4441, #4445)
Fixes
Usage of 'sed' in build system/makefiles is not portable (#4459, #4466)
Unportable '$<' in Makefiles (#4460)
FTBFS if ncurses used without --with-ncurses-includes= configure parameter (#4462)
Ncurses library is duplicated in MCLIBS (#4463, #4465)
FTBFS without ext2fs attributes support (#4464)
Wrong sort order after swapping panels (#4432)
Incorrect time delimiter in the copy/move progress window (#4437)
Incorrect redraw of overlapped file panels (#4408)
Subshell/Command line prompt is empty/missing (#3121)
Find file: relative ignore directory is applied to the start search directory (#4235)
Diff viewer: options are not applied on second run (#4486)
mc.ext.ini: 'Edit' command from 'Default' section is ignored (#4434)
mc.ext.ini: .md files are not recognized as Markdown ones by extension (#4444)
mcedit: off-by-one error in paragraph formatting (#4446)
ftp: incomplete file listing: block and character devices, pipes, sockets are missed (#4472)
Various typos in the source code (MidnightCommander/mc#177, MidnightCommander/mc#178)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 23 Aug 2023 14:43:00 +0000 (14:43 +0000)]
Core Update 179: Only start services if they are enabled
Doing so avoids situations where a service is started without being
configured to do so, thus reducing the potential for confusion and
exposure of services not intended to be exposed by the user.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This issue was found by Peter Müller in the CU179 Testing evaluation.
- The issue was found to have already been raised and closed on the ppp github issues page.
- Patch for fix downloaded and applied to this submission.
- When ppp-2.5.1 is released then this patch can be removed.
- update of rootfile not required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 18 Aug 2023 18:46:45 +0000 (20:46 +0200)]
ppp: Bug#13164 - Update configure options to have correct directory for pid
- The original poster of the bug#13164 has already tested out ppp-2.5.0 in CU179 (master)
and identified that the startup could not find the directory /usr/var/run/. This is due
to the change in use of the prefix command in 2.5.0 vs 2.4.9 so --localstatedir set to
/var. runstatedir is then set to localstatedir/run, i.e. /var/run, which is then correct
for IPFire.
- This fix needs to be implemented into CU179 so that the bug poster can test out the update
- Updated rootfile to remove additional empty line
Fixes: Bug#13164 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sun, 20 Aug 2023 17:15:23 +0000 (19:15 +0200)]
vnstat: Update to 2.11
For details see:
https://humdi.net/vnstat/CHANGES
"2.11 / 19-Aug-2023
- Fixed
- Database queries worked only if SQLite double-quoted string (DQS)
feature (https://www.sqlite.org/quirks.html#dblquote) was enabled
- Disabling data resolutions in data retention configuration didn't result
in possibly existing database entries getting removed from the database
- Disabling data resolutions in data retention configuration didn't result
in the data resolution getting disabled but instead storing data forever
- "expr: syntax error" during configure in BSD (pull request by namtsui)
- Image output summary would show only "no data available" text in case of
zero total traffic even when the historical data of no traffic could have
been shown instead
- Image output "-o -" content could get corrupted due to info, warning and
error messages also using stdout, configuration file warnings being the
most likely source, now uses stderr in image output
- Configuration validation was too heavily limiting and enforcing image
output 5 minute graph related configuration options for combinations that
would have resulted in usable images
- New
- Database cleanup has been changed to interpret data retention
configuration as number of entries to be kept instead of calendar time,
this restores the behaviour to similar as it was up to version 1.18, the
difference is visible only on systems that aren't powered all the time
- Database is vacuumed during daemon startup and reload, behaviour is
configurable using VacuumOnStartup and VacuumOnHUPSignal configuration
options
- Add configuration option InterfaceOrder for controlling the interface
order in outputs with multiple interfaces
- Used data retention configuration is made visible during daemon startup
and after configuration reloads
- Daemon will no longer start if all data resolutions have been disabled
in the configuration file
- SQLite version is visible in --version outputs
- Notes
- "Not enough data available yet." message has been replaced with
"No data. Timestamp of last update is same YYYY-MM-DD HH:MM:SS as of
database creation." to better explain the reason why there's nothing to
show, this message is expected to disappear within configured
SaveInterval if the interface is active"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 20 Aug 2023 14:11:02 +0000 (16:11 +0200)]
index.cgi: Add warning about reiserfs deprecation and removal if reiserfs used
- Reiserfs was stopped in IPFire in Core Update 167. It has been announced that reiserfs
will be removed from the kernel in 2025.
- This patch gives a warning about this deprecation and removal if reiserfs is used. The
warning also requests that the user does a re-installation using either ext4 or xfs
filesystems.
- Tested out on a vm installation with reiserfs, ext4 and xfs. Message shown on system
with reiserfs filesystem but not on the other two.
- Warning message added into the English language file and ./make.sh lang run.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 20 Aug 2023 14:11:01 +0000 (16:11 +0200)]
dhcpcd: Update to version 10.0.2
- Update from version 10.0.1 to 10.0.2
- Update of rootfile not required
- Changelog
10.0.2
Major changes listed as:-
chore: Link to GitHub for the updated commit log by @frazar in #203
Additional DHCP options by @rrobgill in #214
risc-v fix vendor error by @Im-0xea in #213
compat sync by @tobhe in #226
Commit list can be seen at
https://github.com/NetworkConfiguration/dhcpcd/compare/v10.0.1...v10.0.2
This includes two bug fixes for two situations causing segfaults
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 19 Aug 2023 15:45:28 +0000 (17:45 +0200)]
clamav: Update to 1.1.1
For details see:
https://blog.clamav.net/2023/07/2023-08-16-releases.html
Excerpts from changelog:
"ClamAV 1.1.1 is a critical patch release with the following fixes:
CVE-2023-20197 Fixed a possible denial of service vulnerability
in the HFS+ file parser. This issue affects versions 1.1.0,
1.0.1 through 1.0.0, 0.105.2 through 0.105.0, 0.104.4 through
0.104.0, and 0.103.8 through 0.103.0.
Fixed a build issue when using the Rust nightly toolchain, which
was affecting the oss-fuzz build environment used for regression tests.
Fixed a build issue on Windows when using Rust version 1.70 or newer.
CMake build system improvement to support compiling with OpenSSL 3.x on
macOS with the Xcode toolchain. The official ClamAV installers and
packages are now built with OpenSSL 3.1.1 or newer.
Removed a warning message showing the HTTP response codes during the
Freshclam database update process."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 16 Aug 2023 12:35:30 +0000 (14:35 +0200)]
openvpn: Update to version 2.5.9
- Update from version 2.5.8 to 2.5.9 which is the last version in the 2.5 series
- Update of rootfile not required
- Tested openvpn-2.5.9 in my vm testbed. OpenVPN RW connection worked fine. Also tested
OpenVPN N2N connection with CU179 & OpenVPN version 2.5.9 at one end and CU177 &
OpenVPN version 2.5.8 at the other end. N2N connection worked with no problems.
- Changelog
2.5.9
Implement optional cipher in --data-ciphers prefixed with ?
Fix handling an optional invalid cipher at the end of data-ciphers
Ensure that argument to parse_line has always space for final sentinel
Improve documentation on user/password requirement and unicodize function
Remove unused gc_arena
Fix corner case that might lead to leaked file descriptor
msvc: always call git-version.py
git-version.py: proper support for tags
Check if pkcs11_cert is NULL before freeing it
Do not add leading space to pushed options
pull-filter: ignore leading "spaces" in option names
Do not include auth-token in pulled option digest
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 15 Aug 2023 12:13:00 +0000 (14:13 +0200)]
keepalived: Update to version 2.2.8
- Update from version 2.2.7 to 2.2.8
- Update of rootfile not required
- Changelog
2.2.8 31st May 2023
This release brings improvements and fixes some minor issues reported. It adds some
new VRRP and BFD features as well.
New
vrrp: Add support for Infiniband over IPv6. Github issue #2100 reported that
attempting to use IPv6 over Infiniband was causing keepalived to segfault.
It turned out that vrrp_ndisc.c had a comment that it still needed to be
implemented, which we have now been able to do with someone in a position
to test it. With many thanks to Itel Levy of NVIDIA, Israel for
reporting the issue and testing the patch to confirm that it works.
vrrp: Add no_virtual_ipaddress keyword. This keyword suppresses warnings for
no virtual ipaddresses configured and allows none to be configured when
using VRRPv3.
vrrp: Add --enable-nm configure option. --enable-nm adds support for Keepalived
telling NetworkManager not to manage VMAC interfaces the keepalived
creates. Early versions of NM (i.e. at least up to v1.12, but resolved
at the latest by v1.18) would set the VMAC interfaces as managed by
NetworkManager, and then if the underlying interface went down, NM
would down the VMAC interface and the VRRP instance would never recover
from fault state.
vrrp: add v3_checksum_as_v2 configuration option. RFC 5798 (the VRRPv3 RFC)
states regarding the checksum:
5.2.8. Checksum
The checksum field is used to detect data corruption in the VRRP
message. The checksum is the 16-bit one’s complement of the one’s
complement sum of the entire VRRP message starting with the
version field and a “pseudo-header” as defined in Section 8.1 of
[RFC2460]. The next header field in the “pseudo-header” should be
set to 112 (decimal) for VRRP. For computing the checksum, the
checksum field is set to zero. See RFC1071 for more detail
Some manufacturers (e.g. Cisco) interpret this to mean that the
pseudo-header is not included in the checksum calculation, since
RFC2460 only defines a pseudo-header for IPv6. RFC3768 (the last
VRRPv2 RFC) did not include a pseudo-header in the checksum.
However, keepalived has always included a pseudo-header in the
VRRPv3 IPv4 checksum, which is also consistent with the default
setting in Wireshark. In order to allow interoperation with
Cisco routers, and possibly other manufacturers, the
“v3_checksum_as_v2” keyword, when configured in global_defs to
set the default for all vrrp_instances, or in individual
vrrp_instances, causes those vrrp_instances to exclude the
pseudo-header from the checksum. The default action of including
the pseudo-header in the checksum remains unchanged.
vrrp: Add option to revert to backup if thread timer expires. If the VRRP
process is not scheduled for sufficiently long, another VRRP instance
may have taken over as master. For some users, minimising the number of
master switches is desired, and so if nopreempt is configured (if it is
not configured the highest priority instance will take over as master
again), and if it is too long after a thread timer expires before
keepalived is scheduled to run so that another instance will probably
have taken over as master, we will just revert to backup state rather
than sending further adverts. The keyword that configures this is
thread_timer_expired.
vrrp: Add optional new JSON format including track_process details. The
original JSON format did not allow for adding additional object types
other than the original vrrp instances. This commit adds a json_version
2, which puts the vrrp instances in a named array and adds an array of
the track_processes.
core: add option to check for malloc’s etc returning NULL. Configure option
--enable-malloc-check will cause the returned value of
malloc/realloc/strdup/strndup to be checked to ensure that they do not
return NULL. If any such call does return NULL a message will be logged
and the process will terminate. Unless sysctl vm.overcommit_memory == 2
(default is usually 0), or the malloc would cause the process virtual
address space to exceed the limit, malloc etc will not return NULL. It
is only once there is a write into the memory block that the memory is
actually allocated, and if there is insufficient memory (including swap
space), then the OOM killer will step in to either kill keepalived, or
kill another process. Consequently checking for NULL being returned is
generally a waste of time and program size.
ipvs: Add option to check OpenSSL mallocs/frees for validity.
ipvs: Add option to let SSL_GET shutdown comply with TLS spec.
bfd: Add multihop option to conform with RFC5883. RFCs 5881 and 5883 state
that port 3784 is used for single hop BFD and port 4784 is used for
multihop. The commit adds configuration option “multihop” to use port
4784 rather than port 3784.
Improvements
vrrp: Don’t adjust vrrp receive timeout during delayed start. The timeout for
a vrrp instance to become master should not be changed if an advert is
received during the delayed start - the timeout is set to include the
delayed start and the (3 to 4) * advert int delay to take over as master.
vrrp: Remove redundant checks of snmp_option.
vrrp: delay freeing vrrp instances until all references are freed. Trackers
etc have lists for vrrp instances that are tracking them. Therefore the
trackers, and their references, must be freed before the vrrp instances
are freed.
vrrp: restore the vmac ipv6 link-local after flapping. The user is not
supposed to shutdown a vmac interface created by keepalived. However,
it can mistakenly happen. When the link is re-established, the
link-local has disappeared (the kernel removes all IPv6 addresses on link
down except if keep_addr_on_down sysctl is on) and sending VRRP packet
is no longer possible. Restore the IPv6 Link-Local after a VMAC interface
flapping. A Link-Local is not set when the VRRP packets are sent from
the base interface (vmac-xmit-base). Note that the IPv6 Virtual
Addresses are also removed on link down which is the desired behavior.
Enabling keep_addr_on_down sysctl would keep the link-local without
this patch but would break this behavior.
doc: Man pages and documentation updates. Add explanation of why unicast
VRRPv3 checksum changed.
configure: Add systemd auto option. fix default config file with ${prefix}
use. use back-ticks rather than $(…) for commands. Improve
checking for ${prefix}.
ipvs: Don’t report HTTP_CHECK when it is an SSL_CHECK.
ipvs: Work around OpenSSL memory leak in versions 3.0.0 to 3.0.4. The memory
leak was observed with OpenSSL 3.0.1, and it is resolved by version
3.0.5. Also the leak is not observed in v1.1.1n.
ipvs: Simplify SSL_GET handling code.
Fixes
rpm: Fix RPM spec file to use kmod-lib and kmod-devel rather than libkmod.
vrrp: Fix NFT support to properly handle build with L4PROTO support.
vrrp: Resolve segfault when enable_snmp_vrrp is added at a reload.
vrrp: workaround GCC LTO bug causing incorrect VRRPv3 checksum. The problem
was observed with GCC versions 11.2, 11.3.1 and 12.1.1, on Ubuntu 22.04,
Fedora 34, Fedora 36 and Fedora 37 (Rawhide). The problem did not occur
when not using LTO, nor when using clang, even with LTO.
vrrp: fix ipv6 vrrp in fault state because no ipv4 address. Setting an IPv6
VRRP virtual address on an interface that has no IPv4 address results
in a persistent FAULT state.
core: Fix segfault when receive netlink message for static default route added.
build: Fix order of -lssl -lcrypto. This needs to be correct in order to be
able to use static library linking on Alpine Linux.
build: Fix build with libressl. SSL_set0_rbio is provided by libressl since
version 3.4.0 and libressl/openbsd@c99939f but SSL_set0_wbio is not
provided resulting in build failure.
build: Fix out of tree builds. Fix build error with --disable-track-process.
build: Fix building with --disable-vmac.
build: Fix compiler warning when building without VRRP authentication.
parser: Fix segfault caused by extra ‘}’ and other parser fixes. If there was
a configuration error in a block, e.g. a vrrp_instance, keepalived
would apply the configuration in the rest of the block to the
previous object of that type, e.g. the previous vrrp instance. If
there had been no previous instance, keepalived would probably
segfault. This commit changes the way the parser works. A new
instance of an object, e.g. a VRRP instance or a virtual server, is
only added to the list of those objects once the configuration of
that object is complete. In particular it no longer applies the
configuration to the last entry on the list of the relevant object
type, but keeps a pointer to the object currently being configured.
parser: Optimise fixing recalculating updated line length.
ipvs: Fix memory leaks when configuration is repeated. Use last entry if
duplicate definition.
lib: Fix malloc check code for CPUs without unaligned memory access.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
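The v3_checksum_as_v2 entry in the keepalived changelog above describes two incompatible ways of computing the VRRPv3 checksum over IPv4: with an IPv6-style pseudo-header (keepalived's default) or without it (the VRRPv2 habit of some vendors). The following added example, which is not keepalived code, computes both over a constructed advert and shows that a receiver expecting the other convention rejects the packet; it assumes the IPv4 pseudo-header takes the TCP/UDP layout (source, destination, zero byte, protocol 112, VRRP length), and the VRID, addresses and interval are made up.

```python
"""VRRPv3-over-IPv4 checksum, with and without the pseudo-header.

Assumption: the IPv4 pseudo-header uses the TCP/UDP layout
(src, dst, zero, protocol, length). Protocol number 112 and the
RFC 1071 one's complement algorithm come from the changelog text.
"""
import struct
from ipaddress import IPv4Address

VRRP_PROTO = 112  # next-header value RFC 5798 prescribes for the pseudo-header


def rfc1071_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                     # RFC 1071 pads odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold end-around carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_pseudo_header(src: str, dst: str, length: int) -> bytes:
    """TCP/UDP-style IPv4 pseudo-header (assumed layout for VRRPv3 over IPv4)."""
    return struct.pack("!4s4sBBH", IPv4Address(src).packed,
                       IPv4Address(dst).packed, 0, VRRP_PROTO, length)


def vrrp3_checksum(advert: bytes, src: str, dst: str,
                   include_pseudo_header: bool) -> int:
    """Checksum for a VRRPv3 advert; bytes 6-7 (the checksum field) are zeroed.

    include_pseudo_header=True is keepalived's default (and Wireshark's);
    False is the v3_checksum_as_v2 behaviour that omits the pseudo-header.
    """
    prefix = ipv4_pseudo_header(src, dst, len(advert)) if include_pseudo_header else b""
    return rfc1071_checksum(prefix + advert[:6] + b"\x00\x00" + advert[8:])


def build_vrrp3_advert(vrid: int, priority: int, max_adver_int_cs: int,
                       vips: list, src: str, dst: str,
                       include_pseudo_header: bool) -> bytes:
    """Build a VRRPv3 ADVERTISEMENT (version 3, type 1) for IPv4, checksum filled in."""
    header = struct.pack("!BBBBHH",
                         (3 << 4) | 1,                # version 3, type 1
                         vrid, priority, len(vips),
                         max_adver_int_cs & 0x0FFF,   # rsvd(4 bits)=0, max adver int(12 bits)
                         0)                           # checksum placeholder
    advert = header + b"".join(IPv4Address(v).packed for v in vips)
    cksum = vrrp3_checksum(advert, src, dst, include_pseudo_header)
    return advert[:6] + struct.pack("!H", cksum) + advert[8:]


def verify_vrrp3_advert(advert: bytes, src: str, dst: str,
                        include_pseudo_header: bool) -> bool:
    """Receiver's check: the sum over the covered bytes, checksum included, must be 0."""
    prefix = ipv4_pseudo_header(src, dst, len(advert)) if include_pseudo_header else b""
    return rfc1071_checksum(prefix + advert) == 0


if __name__ == "__main__":
    # Constructed sample: VRID 51, priority 100, 1 s advert interval, one virtual
    # IP, sent from 192.0.2.10 to the VRRP multicast group 224.0.0.18.
    SRC, DST = "192.0.2.10", "224.0.0.18"
    default = build_vrrp3_advert(51, 100, 100, ["192.0.2.1"], SRC, DST, True)
    as_v2 = build_vrrp3_advert(51, 100, 100, ["192.0.2.1"], SRC, DST, False)
    print("keepalived default:", default.hex(), verify_vrrp3_advert(default, SRC, DST, True))
    print("v3_checksum_as_v2 :", as_v2.hex(), verify_vrrp3_advert(as_v2, SRC, DST, False))
    # A peer using the other convention drops every advert, so both ends
    # stay master: the interoperability failure the keyword exists to avoid.
    print("mixed conventions :", verify_vrrp3_advert(default, SRC, DST, False))
```

The two variants differ only in the checksum field, which is why a mismatch shows up as silently discarded adverts rather than a parse error.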
Michael Tremer [Tue, 15 Aug 2023 09:48:35 +0000 (09:48 +0000)]
mountfs: Remove excessive sync-ing before umount
The system should perform all write operations when sync is called and
only return when the write queues are empty.
There is no additional benefit for calling sync again as the buffers
should be empty. If data is still being lost, then that is a bug in
either the storage device or driver.
As the (re-)boot process is already so slow, I would like to get rid of
any unnecessary delays.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 14 Aug 2023 23:15:00 +0000 (23:15 +0000)]
Tor: Update to 0.4.7.14
Full changelog:
Changes in version 0.4.7.14 - 2023-07-26
This version contains several minor fixes and one major bugfix affecting
vanguards (onion service). As usual, we recommend upgrading to this version
as soon as possible.
o Major bugfixes (vanguards):
- Rotate to a new L2 vanguard whenever an existing one loses the
Stable or Fast flag. Previously, we would leave these relays in
the L2 vanguard list but never use them, and if all of our
vanguards end up like this we wouldn't have any middle nodes left
to choose from so we would fail to make onion-related circuits.
Fixes bug 40805; bugfix on 0.4.7.1-alpha.
o Minor feature (CI):
- Update CI to use Debian Bullseye for runners.
o Minor feature (lzma):
- Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
o Minor features (directory authorities):
- Directory authorities now include their AuthDirMaxServersPerAddr
config option in the consensus parameter section of their vote.
Now external tools can better predict how they will behave.
Implements ticket 40753.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on July 26, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/07/26.
o Minor bugfix (relay, logging):
- The wrong max queue cell size was used in a protocol warning
logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (compilation):
- Fix all -Werror=enum-int-mismatch warnings. No behavior change.
Fixes bug 40824; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (metrics):
- Decrement hs_intro_established_count on introduction circuit
close. Fixes bug 40751; bugfix on 0.4.7.12.
o Minor bugfixes (sandbox):
- Allow membarrier for the sandbox. And allow rt_sigprocmask when
compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>