- This is happening due to the use of bgcolor which has been deprecated since HTML4.01 and
is no longer supported in HTML5
- Similar approach used here as was used in the same fix for the dhcp.cgi page
- CSS based approach utilised.
- Partially tested in my vm testbed. The percentage bar works withg no problems.
The table could not be confirmed as in my testbed I don't have updatexlrator running
as my updates are all based on https and not http.
- The table will need to be confirmed by the bug reporter or someone else that uses
updatexlrator
Fixes: Bug#13024 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Matthias Fischer [Sat, 18 Feb 2023 07:59:12 +0000 (08:59 +0100)]
monit: Update to 5.33.0
For details see:
https://mmonit.com/monit/changes/
"New: Added click-jacking protection headers to Monit HTTP GUI (the
SAMEORIGIN iframe is allowed).
Fixed: Issue #1035: If the start, stop or restart program statement
contains the equal sign, which is not followed by a space character,
the configuration is not parsed correctly.
Fixed: Issue #1047: If the MariaDB server doesn't allow access to the
host, from which Monit test is running, Monit reported: Invalid
handshake packet sequence id -- not MySQL protocol.
Fixed: Add the missing responsetime option to the ping test."
For more details see:
https://bitbucket.org/tildeslash/monit/commits/tag/release-5-33-0
Matthias Fischer [Fri, 17 Feb 2023 18:07:08 +0000 (19:07 +0100)]
bind: Update to 9.16.38
For details see:
https://downloads.isc.org/isc/bind9/9.16.38/doc/arm/html/notes.html#notes-for-bind-9-16-38
"Notes for BIND 9.16.38
Bug Fixes
A constant stream of zone additions and deletions via rndc reconfig
could cause increased memory consumption due to delayed cleaning of
view memory. This has been fixed. [GL #3801]
The speed of the message digest algorithms (MD5, SHA-1, SHA-2), and of
NSEC3 hashing, has been improved. [GL #3795]
Building BIND 9 failed when the --enable-dnsrps switch for ./configure
was used. This has been fixed. [GL #3827]"
Jon Murphy [Thu, 16 Feb 2023 22:40:36 +0000 (16:40 -0600)]
pcengines-apu-firmware: Update to version 4.19.0.1
- Update from 4.17.0.3 to 4.19.0.1
- Changelog
v4.19.0.1 - Release date: 2023-02-02
Rebased with official coreboot repository commit 2ccbcc5
Removed configuration and mainboard files for apu1 due to the board being dropped from upstream coreboot
See: https://github.com/pcengines/coreboot/compare/v4.17.0.3...v4.19.0.1
Adolf Belka [Thu, 16 Feb 2023 20:59:04 +0000 (21:59 +0100)]
elinks: Update to version 0.16.0
- Update from version 0.15.1 to 0.16.0
- Update of rootfile
- According to the forked elinks developer if parallel build is required then meson
should be used for the build. With make they don't believe that it ever ran in
parallel mode.
- This patch modifies the build from autotools to meson and updates the version.
- Parallel build option added back in to meson/ninja flow.
- The build requires git to be present so git moved to just before elinks in make.sh
- Changelog
ELinks 0.16.0
* detect xterm on my computer
ELinks 0.16.0rc1
* alternative mujs engine for js
* bump mozjs to 102
* experimental XHR implementation
* macros in exmode #196
* removed infinite loop, which occurred under BSD #197
* optional terminal hyperlinks in dumps #198
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Thu, 16 Feb 2023 12:50:33 +0000 (13:50 +0100)]
freetype: Update to version 2.13.0
- Update from version 2.12.1 to 2.13.0
- Update of rootfile
- Changelog
CHANGES BETWEEN 2.12.1 and 2.13.0 (2023-Feb-09)
I. IMPORTANT CHANGES
- The demo program `ftinspect` has been completely updated and much
enhanced. It now combines the functionality of almost all other
graphical FreeType demo programs into a single application based
on the Qt framework. This was Charlie Jiang's GSoC 2022 project.
- The 'COLR' v1 API is now considered as stable.
https://learn.microsoft.com/en-us/typography/opentype/spec/colr
III. MISCELLANEOUS
- For OpenType Variable Fonts, `avar` table format 2.0 is now
supported. The code was contributed by Behdad Esfahbod.
Note that this is an extension supported on recent Apple platforms
and by HarfBuzz, but not yet in the OpenType standard! See
https://github.com/harfbuzz/boring-expansion-spec/blob/main/avar2.md
for the specification. To deactivate it, define the configuration
macro 'TT_CONFIG_OPTION_NO_BORING_EXPANSION'.
- A new API `FT_GlyphSlot_Slant` to slant a glyph by a given angle
has been added. Note that this function is part of `ftsynth.h`,
which is still considered to be in alpha stage.
- TrueType interpreter version 38 (also known as 'Infinality') that
was first introduced about 10 years ago in FreeType 2.4.11 is now
deprecated and slated to be removed in the next version. TrueType
interpreter version 40 has been FreeType's default version for six
years now and provides an excellent alternative. This is the last
FreeType version with TT_INTERPRETER_VERSION_38 and
TT_INTERPRETER_VERSION_40 treated differently.
- The only referenced but never documented configuration macro
`FT_CONFIG_OPTION_NO_GLYPH_NAMES` has been removed.
- The `ftbench` demo program got a new command line option `-e` to
set a charmap index.
- Specifying a point size is now optional for the demo programs
`ftgrid`, `ftmulti`, `ftstring`, and `ftview`. If not given, a
default size is used.
- For `ftgrid`, `ftstring`, and `ftview`, option `-e` now also
accepts a numeric value to set a charmap index.
- In `ftstring`, it is now possible to set the displayed text
interactively by pressing the 'Enter' key.
- `ftmulti` can now handle up to 16 design axes.
- To avoid reserved identifiers that are globally defined, the
auto-hinter debugging macros (which are only available if
`FT_DEBUG_AUTOFIT` is defined)
```
_af_debug_disable_horz_hints
_af_debug_disable_vert_hints
_af_debug_disable_blue_hints
_af_debug_hints
```
have been renamed to
```
af_debug_disable_horz_hints_
af_debug_disable_vert_hints_
af_debug_disable_blue_hints_
af_debug_hints_
```
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Thu, 16 Feb 2023 12:50:32 +0000 (13:50 +0100)]
dbus: Update to version 1.14.6
- Update from version 1.14.4 to 1.14.6
- Update of rootfile
- The Denial of service issue mentioned first in the changelog is not applicable to IPFire
as the build is done without asserts enabled.
- Changelog
dbus 1.14.6 (2023-02-08)
Denial of service fixes:
• Fix an incorrect assertion that could be used to crash dbus-daemon or
other users of DBusServer prior to authentication, if libdbus was compiled
with assertions enabled.
We recommend that production builds of dbus, for example in OS distributions,
should be compiled with checks but without assertions.
(dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)
Other fixes:
• When connected to a dbus-broker, stop dbus-monitor from incorrectly
replying to Peer method calls that were sent to the dbus-broker with
a NULL destination (dbus#301, Kai A. Hiller)
• Fix out-of-bounds varargs read in the dbus-daemon's config-parser.
This is not attacker-triggerable and appears to be harmless in practice,
but is technically undefined behaviour and is detected as such by
AddressSanitizer. (dbus!357, Evgeny Vereshchagin)
• Avoid a data race in multi-threaded use of DBusCounter
(dbus#426, Ralf Habacker)
• Fix a crash with some glibc versions when non-auditable SELinux events
are logged (dbus!386, Jeremi Piotrowski)
• If dbus_message_demarshal() runs out of memory while validating a message,
report it as NoMemory rather than InvalidArgs (dbus#420, Simon McVittie)
• Use C11 _Alignof if available, for better standards-compliance
(dbus!389, Khem Raj)
• Stop including an outdated copy of pkg.m4 in the git tree
(dbus!365, Simon McVittie)
• Documentation:
· Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)
• Tests fixes:
· Fix the test-apparmor-activation test after dbus#416
(dbus!380, Dave Jones)
Internal changes:
• Fix CI builds with recent git versions (dbus#447, Simon McVittie)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 7 Feb 2023 21:52:50 +0000 (22:52 +0100)]
ragel: Update to version 7.0.4
- Update from version 7.0.0.11 to 7.0.4
- Update of rootfile
- Changelog
updated language flags, catch abortcompile throw in non-ragel progs
7.0.3
This version of colm includes a critical fix for big-endian system. Fixes #61.
expect colm version 0.14.6 and version bump ragel to 7.0.3
7.0.2
Latest colm includes bugfixes for refcounting, which fixes a ragel issue with includes #58.
expect colm 0.14.5 and version bump to 7.0.2
7.0.1
removed accidental commit of ragel/.exrc
7.0.0.12
implemented NfaClear in asm codegen
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 7 Feb 2023 21:52:49 +0000 (22:52 +0100)]
colm: Update to version 0.14.7
- Update from version 0.13.0.6 to 0.14.7
- Update of rootfile
- patch from colm commit fc61ecb required to fix bug of make looking for static and
dynamic libs even if one of them was disabled
- Changelog is not available in source tarball or on website etc. Changes have to be
reviewed by the commits https://github.com/adrian-thurston/colm/commits/0.14.7
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 6 Feb 2023 16:20:43 +0000 (17:20 +0100)]
epson-inkjet-printer-escpr: Update to version 1.7.23
- Update from version 1.6.12 to 1.7.23
- Update of rootfile
- Changelog
Most changes are related to additional printers except for
1.7.10
* Fixed the problem that epson-escpr-wrapper filter would crash
when cupsRasterReadHeader failed.
1.7.7.2
* Supported new model.
* Fixed an issue of filter crash when FIFO I/O was closed.
1.7.0
* Supported new models.
* Applied Privacy Statement.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 6 Feb 2023 16:20:44 +0000 (17:20 +0100)]
fetchmail: Update to version 6.4.36
- Update from version 6.4.34 to 6.4.36
- Update of rootfile nor required
- Changelog
fetchmail-6.4.36 (released 2023-01-28, 31710 LoC):
(in alphabetical order of language codes):
* cs: Petr Pisar [Czech]
* es: Cristian Othón Martínez Vera [Spanish]
* fr: Frédéric Marchal [French]
* ja: Takeshi Hamasaki [Japanese]
* pl: Jakub Bogusz [Polish]
* ro: Remus-Gabriel Chelu [Romanian]
* sq: Besnik Bleta [Albanian]
* sv: Göran Uddeborg [Swedish]
fetchmail-6.4.35 (released 2023-01-04, 31707 LoC):
* Fetchmail now warns about OpenSSL before 1.1.1s or 3.0.7,
and rejects wolfSSL older than 5.5.1.
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* eo: Keith Bowes [Esperanto]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 20 Feb 2023 16:30:02 +0000 (17:30 +0100)]
wio-lib.pl: Fixes bug#13040 - Change multipart/mixed to multipart/alternative
- Thunderbird and Roundcube mail clients presume that any mail with Content Type of
multipart/mixed has an attachment included rather than actually checking for
disposition attachment. This means that any mail with multipart/mixed gets the
attachment icon marked up even though there is no attachment.
- Although this is a problem of the clients involved, in this case the simplest solution
is to change multipart/mixed to multipart/alternative as WIO Mail only sends text
without any attachment or other part to indicate that a client is active or inactive.
- Confirmed on my vm testbed
Fixes: Bug#13040 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 20 Feb 2023 16:30:01 +0000 (17:30 +0100)]
mail.cgi: Fixes bug#13040 - Change multipart/mixed to multipart/alternative
- Thunderbird and Roundcube mail clients presume that any mail with Content Type of
multipart/mixed has an attachment included rather than actually checking for
disposition attachment. This means that any mail with multipart/mixed gets the
attachment icon marked up even though there is no attachment.
- Although this is a problem of the clients involved, in this case the simplest solution
is to change multipart/mixed to multipart/alternative as the Mail Service test mail only
sends text without any attachment or other part.
- Confirmed on my vm testbed
Fixes: Bug#13040 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Tue, 21 Feb 2023 12:50:11 +0000 (13:50 +0100)]
wio.cgi: Fixes bug#13039 - Input boxes extend outside of WUI boundary with some browsers
- Original poster found this effect with using Vivaldi at 100% zoom.
- I tested it with Vivaldi and Firefox on Arch Linux and was not able to show the effect but
running SeaMonkey and changing the zoom from 100% to lower or higher caused the input
boxes to go outside of the WUI boundary as described by the bug reporter.
- It looks like the effect is dependent on the browser, the zoom setting and the OS
Distribution.
- In all cases the similar three input boxes in a row in the dhcp.cgi code for entering a
fixed lease stayed fixed in ratrio to the WUI page whatever zoom or browser was used.
- This patch changes the wio code for those three input boxes to use the approach from the
dhcp.cgi code.
- Tested on my vm testbed and change confirmed to fix the size of the input boxes
irrespective of the browser or zoom setting.
Fixes: Bug#13039 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 21 Feb 2023 13:55:17 +0000 (14:55 +0100)]
log.dat: Fixes bug#12950 - adding apcupsd to system logs list
- Patch tested out on my production system that has apcupsd running on it. APCUPS was
in the list of options in the system logs and entries from apcupsd were extracted
correctly in the wui.
Fixes: Bug#12950 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Feb 2023 18:06:27 +0000 (19:06 +0100)]
initscripts: Remove rngd from the core package initscripts
- rngd removed from initscripts lfs and rootfiles due to change of rng-tools to addon
Fixes: Bug#12900 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Sun, 5 Feb 2023 18:06:26 +0000 (19:06 +0100)]
rng-tools: Move from core package to addon - fixes bug 12900
- This patch is to move the rng-tools package from a core package to an addon. With the
kernel changes from 5.6 rngd is no longer needed to create the required kernel entropy.
- The results from HRNG's via rngd are used with an XOR after the entropy is
collected by the kernel. So the HWRNG output is used to dilute the kernel random number
data, which is already merged from several sources.
- Based on the above and @Paul's request in the bug report to have rng-tools kept as an
addon this patch set is submitted for consideration to keep rng-tools but as an addon.
- move rng-tools rootfile from common to packages
- Modify rng-tools lfs from core package to addon package
- Create rng-tools pak to install and uninstall - creating rc.d links for start & stop.
- Move rngd initscript from system to packages directory.
- Installed into my vm testbed and confirmed that it works. No rngd daemon installed
from iso install. After addon install rngd is present and running. Added various files
to be able to test the services wui page. rngd shows up and can be turned off and on
Fixes: Bug#12900 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Fix two potential null pointer access bug when gethostbyname2()
returns an empty address list
Add support for older automake versions (on e.g. CentOS 7)
Migrate testing scripts and programs to autotools
Extend CI to build on more Linux distros
[linux] Fix handling of empty command name, closing #246.
Add test from #246, where lsof returns stale command name when the
command name is empty. If getting command name failed, return
NULL instead of empty string
Add --with/without-libtirpc option to autotools-based build
system and automatically detect libtirpc by default
Add -H switch to print human readable size, e.g. 123.4K (#260)
[linux] Fix implicit declaration error when HASPTYEPT is undefined
Add support for musl libc-based Linux distros
Add --enable-security argument to configure to allow only the
root user to list all open files
Add --enable-no-sock-security argument to configure to allow
anyone to list anyone else's socket files when combined with
--enable-security
[linux] Always enable 64 bit off_t in configure.ac
[netbsd] Import patches from pkgsrc and port autotools-based build system to NetBSD
[netbsd] Fix lock status reading"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://github.com/htop-dev/htop/blob/main/ChangeLog
"What's new in version 3.2.2
* CPUMeter now can show frequency in text mode
* Add option to render distribution path prefixes shadowed
* DiskIOMeter converts to bytes per second (not per interval)
* DiskIOMeter uses complete units, including missing "iB/s"
* DiskIOMeter indicates read and write in meter mode
* NetworkIOMeter converts to packets per second, shows packet rate
* Allow continued process following when changing display settings
* Update the panel header when changing to another tab
* Drop margin around the header if there are no meters
* Use Unicode replacement character for non-printable characters
* Default color preset uses bold blue for better visibility
* Update the Panel header on sort order inversions ('I')
* Toggle the header meters with pound key
* Fix ScreenPanel to handle quitting the panel while renaming
* Add fallback for HOME environment variable using passwd database
* Replace meaningless ID column with FD column in lock screen
* Use device format in the lock screen matching the files screen
* On Linux, improvements to file-descriptor lock detection
* On Linux, further distinguish systemd states in the SystemdMeter
* On Linux, improvements to cgroup and container identification
* On Linux, support openat(2) without readlinkat(2) platforms
* On Darwin, fix current process buffer handling for busy systems
* On DragonFly BSD, fix incorrect processor time of processes
* On FreeBSD, fix an issue with the memory graph not showing correctly
* On FreeBSD, add support for displaying shared memory usage
* On PCP, use pmLookupDescs(3) if available for efficiency
* On PCP, normalize generic columns values for consistent display
* On PCP, changes preparing for configurable, dynamic screens
* Handle invalid process columns from the configuration file
* Avoid undefined behaviour with deeply nested processes
* Fix crash when removing the currently active screen
* Prevent possible crash on a very early error path
* Include automake for Debian/Ubuntu
* Restore non-mouse support
* Reject unsupported command line arguments
* Document idle process state
* Clarify M_TRS/M_DRS columns"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Thu, 2 Mar 2023 14:11:23 +0000 (15:11 +0100)]
dhcp.cgi: Fix bug#10629 - Highlight fixed IP's in dynamic range in red
- This v2 patch has moved the extraHead variable into header.pl
- This patch marks all IP's that are in the Fixed list but are also in the dynamic range
that has been defined, in red.
- Additional function created to check if an ip address is in a defined range.
- Added an additional key item under the Fixed Leases table for Fixed IP in dynamic range
- Added line to English Language file for this key item.
- ./make lang run before commit.
- Tested in vm testbed and confirmed that any ip address in the Fixed Leases table that
is in the defined dynamic range is highlighted in red
- This uses the css background-color appoach from the first patch in this set.
- This patch only highlights those IP's that overlap in red but does nothing more. So a
user can still create new ones if they want but they will all show up in red.
- This patch flags up if people are doing things that they shouldn't be doing but allows
them to continue doing so without changing anything if they don't want to and so will
not break existing setups.
Fixes: Bug#10629 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Thu, 2 Mar 2023 14:11:22 +0000 (15:11 +0100)]
dhcp.cgi: Fix for bug#10629 - update bgcolor to css
- This v2 version moves the extraHead variable to header.pl as many of the css values
will be used in many other WUI cgi pages so makes sense to not define anew in every
location using the bgcolor or other colour variables.
- I will submit patches to follow the same approach in all other WUI cgi pages once this
has been submitted into next
- bgcolor was deprecated in HTML 4.01 and is not supported by HTML 5
- The orange colour for IP's that are outside the IPFire green and blue subnets does not
work on any browser I am using.
- I used the CSS approach that @Leo used in the Zone Configuration cgi page
- This patch changes all existing bgcolor entries to the css based background-color
- Tested on my vm testbed and confirmed to work. The Orange colour for IP's outside of
the subnet now shows up.
Fixes: Bug#10629 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Matthias Fischer [Fri, 17 Feb 2023 18:00:48 +0000 (19:00 +0100)]
clamav: Update to 1.0.1
For details see:
https://blog.clamav.net/2023/02/clamav-01038-01052-and-101-patch.html
"ClamAV 1.0.1 is a critical patch release with the following fixes:
CVE-2023-20032: Fixed a possible remote code execution
vulnerability in the HFS+ file parser. The issue affects versions
1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
Thank you to Simon Scannell for reporting this issue.
CVE-2023-20052: Fixed a possible remote information leak
vulnerability in the DMG file parser. The issue affects versions
1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier.
Thank you to Simon Scannell for reporting this issue.
Fix an allmatch detection issue with the preclass bytecode hook."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 8 Feb 2023 20:04:16 +0000 (21:04 +0100)]
make: Update to version 4.4
- Update from version 4.3 to 4.4
- Update of rootfile
- the $(MAKETUNING) option does not work with the elinks build with version 4.4 A linked
patch has been created for the removal of that option from the elinks lfs file.
- Changelog
Version 4.4 (31 Oct 2022)
A complete list of bugs fixed in this version is available here:
https://sv.gnu.org/bugs/index.php?group=make&report_id=111&fix_release_id=109&set=custom
* WARNING: Deprecation!
The following systems are deprecated in this release:
- OS/2 (EMX)
- AmigaOS
- Xenix
- Cray
In the NEXT release of GNU Make, support for these systems will be removed.
If you want to see them continue to be supported, contact <bug-make@gnu.org>.
* WARNING: Future backward-incompatibility!
In the NEXT release of GNU Make, pattern rules will implement the same
behavior change for multiple targets as explicit grouped targets, below: if
any target of the rule is needed by the build, the recipe will be invoked if
any target of the rule is missing or out of date. During testing some
makefiles were found to contain pattern rules that do not build all targets;
this can cause issues so we are delaying this change for one release cycle
to allow these makefiles to be updated. GNU Make shows a warning if it
detects this situation: "pattern recipe did not update peer target".
* WARNING: Backward-incompatibility!
GNU Make now uses temporary files in more situations than previous releases.
If your build system sets TMPDIR (or TMP or TEMP on Windows) and deletes the
contents during the build, or uses restrictive permissions, this may cause
problems. You can choose an alternative temporary directory only for use by
GNU Make by setting the new MAKE_TMPDIR environment variable before invoking
make. Note that this value CANNOT be set inside the makefile, since make
needs to find its temporary directory before the makefiles are parsed.
* WARNING: Backward-incompatibility!
Previously each target in a explicit grouped target rule was considered
individually: if the targets needed by the build were not out of date the
recipe was not run even if other targets in the group were out of date. Now
if any of the grouped targets are needed by the build, then if any of the
grouped targets are out of date the recipe is run and all targets in the
group are considered updated.
* WARNING: Backward-incompatibility!
Previously if --no-print-directory was seen anywhere in the environment or
command line it would take precedence over any --print-directory. Now, the
last setting of directory printing options seen will be used, so a command
line such as "--no-print-directory -w" _will_ show directory entry/exits.
* WARNING: Backward-incompatibility!
Previously the order in which makefiles were remade was not explicitly
stated, but it was (roughly) the inverse of the order in which they were
processed by make. In this release, the order in which makefiles are
rebuilt is the same order in which make processed them, and this is defined
to be true in the GNU Make manual.
* WARNING: Backward-incompatibility!
Previously only simple (one-letter) options were added to the MAKEFLAGS
variable that was visible while parsing makefiles. Now, all options are
available in MAKEFLAGS. If you want to check MAKEFLAGS for a one-letter
option, expanding "$(firstword -$(MAKEFLAGS))" is a reliable way to return
the set of one-letter options which can be examined via findstring, etc.
* WARNING: Backward-incompatibility!
Previously makefile variables marked as export were not exported to commands
started by the $(shell ...) function. Now, all exported variables are
exported to $(shell ...). If this leads to recursion during expansion, then
for backward-compatibility the value from the original environment is used.
To detect this change search for 'shell-export' in the .FEATURES variable.
* WARNING: New build requirement
GNU Make utilizes facilities from GNU Gnulib: Gnulib requires certain C99
features in the C compiler and so these features are required by GNU Make:
https://www.gnu.org/software/gnulib/manual/html_node/C99-features-assumed.html
The configure script should verify the compiler has these features.
* New feature: The .WAIT special target
If the .WAIT target appears between two prerequisites of a target, then
GNU Make will wait for all of the targets to the left of .WAIT in the list
to complete before starting any of the targets to the right of .WAIT.
This feature is available in some other versions of make, and it will be
required by an upcoming version of the POSIX standard for make.
Different patches were made by Alexey Neyman <alex.neyman@auriga.ru> (2005)
and Steffen Nurpmeso <steffen@sdaoden.eu> (2020) that were useful but the
result is a different implementation (closer to Alexey's idea).
* New feature: .NOTPARALLEL accepts prerequisites
If the .NOTPARALLEL special target has prerequisites then all prerequisites
of those targets will be run serially (as if .WAIT was specified between
each prerequisite).
* New feature: The .NOTINTERMEDIATE special target
.NOTINTERMEDIATE disables intermediate behavior for specific files, for all
files built using a pattern, or for the entire makefile.
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* New feature: The $(let ...) function
This function allows user-defined functions to define a set of local
variables: values can be assigned to these variables from within the
user-defined function and they will not impact global variable assignments.
Implementation provided by Jouke Witteveen <j.witteveen@gmail.com>
* New feature: The $(intcmp ...) function
This function allows conditional evaluation controlled by a numerical
comparison.
Implementation provided by Jouke Witteveen <j.witteveen@gmail.com>
* New feature: Improved support for -l / --load-average
On systems that provide /proc/loadavg (Linux), GNU Make will use it to
determine the number of runnable jobs and use this as the current load,
avoiding the need for heuristics.
Implementation provided by Sven C. Dack <sdack@gmx.com>
* New feature: The --shuffle command line option
This option reorders goals and prerequisites to simulate non-determinism
that may be seen using parallel build. Shuffle mode allows a form of "fuzz
testing" of parallel builds to verify that all prerequisites are correctly
described in the makefile.
Implementation provided by Sergei Trofimovich <siarheit@google.com>
* New feature: The --jobserver-style command line option and named pipes
A new jobserver method is used on systems where mkfifo(3) is supported.
This solves a number of obscure issues related to using the jobserver
and recursive invocations of GNU Make. This change means that sub-makes
will connect to the jobserver even if they are not marked as recursive.
It also means that other tools that want to participate in the jobserver
will need to be enhanced as described in the GNU Make manual.
You can force GNU Make to use the simple pipe-based jobserver (perhaps if
you are integrating with other tools or older versions of GNU Make) by
adding the '--jobserver-style=pipe' option to the command line of the
top-level invocation of GNU Make, or via MAKEFLAGS or GNUMAKEFLAGS.
To detect this change search for 'jobserver-fifo' in the .FEATURES variable.
* Some POSIX systems (*BSD) do not allow locks to be taken on pipes, which
caused the output sync feature to not work properly there. Also multiple
invocations of make redirecting to the same output file (e.g., /dev/null)
would cause hangs. Instead of locking stdout (which does have some useful
performance characteristics, but is not portable) create a temporary file
and lock that. Windows continues to use a mutex as before.
* GNU Make has sometimes chosen unexpected, and sub-optimal, chains of
implicit rules due to the definition of "ought to exist" in the implicit
rule search algorithm, which considered any prerequisite mentioned in the
makefile as "ought to exist". This algorithm has been modified to prefer
prerequisites mentioned explicitly in the target being built and only if
that results in no matching rule, will GNU Make consider prerequisites
mentioned in other targets as "ought to exist".
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* GNU Make was performing secondary expansion of all targets, even targets
which didn't need to be considered during the build. In this release
only targets which are considered will be secondarily expanded.
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* If the MAKEFLAGS variable is modified in a makefile, it will be re-parsed
immediately rather than after all makefiles have been read. Note that
although all options are parsed immediately, some special effects won't
appear until after all makefiles are read.
* The -I option accepts an argument "-" (e.g., "-I-") which means "reset the
list of search directories to empty". Among other things this can be used
to prevent GNU Make from searching in its default list of directories.
* New debug option "print" will show the recipe to be run, even when silent
mode is set, and new debug option "why" will show why a target is rebuilt
(which prerequisites caused the target to be considered out of date).
Implementation provided by David Boyce <David.S.Boyce@gmail.com>
* The existing --trace option is made equivalent to --debug=print,why
* Target-specific variables can now be marked "unexport".
* Exporting / unexporting target-specific variables is handled correctly, so
that the attribute of the most specific variable setting is used.
* Special targets like .POSIX are detected upon definition, ensuring that any
change in behavior takes effect immediately, before the next line is parsed.
* When the pipe-based jobserver is enabled and GNU Make decides it is invoking
a non-make sub-process and closes the jobserver pipes, it will now add a new
option to the MAKEFLAGS environment variable that disables the jobserver.
This prevents sub-processes that invoke make from accidentally using other
open file descriptors as jobserver pipes. For more information see
https://savannah.gnu.org/bugs/?57242 and https://savannah.gnu.org/bugs/?62397
* A long-standing issue with the directory cache has been resolved: changes
made as a side-effect of some other target's recipe are now noticed as
expected.
* GNU Make can now be built for MS-Windows using the Tiny C tcc compiler.
Port provided by Christian Jullien <eligis@orange.fr>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 8 Feb 2023 11:05:34 +0000 (12:05 +0100)]
libtirpc: Update to version 1.3.3
- Update from version 1.3.1 to 1.3.3
- Update of rootfile not required
- Changelog or News files in source tarball are from 2008 or earlier. The only source for
the changes is the commits from the git repository
http://git.linux-nfs.org/?p=steved/libtirpc.git;a=shortlog;h=refs/heads/master
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Michael Tremer [Wed, 8 Feb 2023 11:13:30 +0000 (11:13 +0000)]
openssl: Update to 1.1.1t
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Security #5804: Suricata crashes while processing FTP (6.0.x backport)
Bug #5815: detect: config keyword prevents tx cleanup (6.0.x backport)
Bug #5812: nfs: debug validation triggered on nfs2 read
Bug #5810: smb/ntlmssp: parser incorrectly assumes fixed field order (6.0.x backport)
Bug #5806: exceptions: midstream flows are dropped if midstream=true && stream.midstream-policy=drop-flow (6.0.x backport)
Bug #5796: TLS Handshake Fragments not Reassembled (6.0.x backport)
Bug #5795: detect/udp: different detection from rules when UDP/TCP header is broken (6.0.x backport)
Bug #5793: decode: Padded packet to minimal Ethernet length marked with invalid length event (6.0.x backport)
Bug #5791: smb: unbounded file chunk queuing after gap (6.0.x backport)
Bug #5763: libbpf: Use of legacy code in eBPF/XDP programs (6.0.x backport)
Bug #5762: detect/pcre: JIT not disabled when OS doesn't allow RWX pages
Bug #5760: nfs: ASSERT: attempt to subtract with overflow (compound) (6.0.x backport)
Bug #5749: iprep/ipv6: warning issued on valid reputation input (6.0.x backport)
Bug #5744: netmap: 6.0.9 v14 backport causes known packet stalls from v14 implementation in "legacy" mode too
Bug #5738: smb: failed assertion (!((f->alproto == ALPROTO_SMB && txd->files_logged != 0))), function CloseFile, file output-file.c (6.0.x backport)
Bug #5735: smtp: quoted-printable encoding skips empty lines in files (6.0.x backport)
Bug #5723: eve: missing common fields like community id for some event types like RFB
Bug #5601: detect: invalid hex character in content leads to bad debug message (6.0.x backport)
Bug #5565: Excessive qsort/msort time when large number of rules using tls.fingerprint (6.0.x backport)
Bug #5299: YAML warning from default config on 6.0.5
Optimization #5797: tls: support incomplete API to replace internal buffering
Optimization #5790: smb: set defaults for file chunk limits (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>