Adolf Belka [Tue, 15 Aug 2023 12:13:00 +0000 (14:13 +0200)]
keepalived: Update to version 2.2.8
- Update from version 2.2.7 to 2.2.8
- Update of rootfile not required
- Changelog
2.2.8 31th May 2023
This release brings improvements and fix some minor issues reported. It add some
new VRRP and BFD features as well.
New
vrrp: Add support for Infiniband over IPv6. Github issue #2100 reported that
attempting to use IPv6 over Infinband was causing keepalived to segfault
It turned out that vrrp_ndisc.c had a comment that it still needed to be
implemented, which we have now been able to do with someone in a position
to test it. With many thanks for Itel Levy of NVIDIA, Israel for
reporting the issue and and testing the patch to confirm that it works.
vrrp: Add no_virtual_ipaddress keyword. This keyword suppresses warnings for
no virtual ipaddresses configured and allows none to be configured when
using VRRPv3.
vrrp: Add –enable-nm configure option. –enable-nm adds support for Keepalived
telling NetworkManager not to manage VMAC interfaces the keepalived
creates. Early versions of NM (i.e. at least up to v1.12, but resolved
at the latest by v1.18) would set the VMAC inerfaces as managed by
NetworkManager, and then if the underlying interface went down, NM
would down the VMAC interface and the VRRP instance would never recover
from fault state.
vrrp: add v3_checksum_as_v2 configuration option. RFC 5798 (the VRRPv3 RFC)
states regarging the checksum:
5.2.8. Checksum
The checksum field is used to detect data corruption in the VRRP
message. The checksum is the 16-bit one’s complement of the one’s
complement sum of the entire VRRP message starting with the
version field and a “pseudo-header” as defined in Section 8.1 of
[RFC2460]. The next header field in the “pseudo-header” should be
set to 112 (decimal) for VRRP. For computing the checksum, the
checksum field is set to zero. See RFC1071 for more detail
Some manufacturers (e.g. Cisco) interpret this to mean that the
pseudo- header is not included in the checksum calculation, since
RFC2460 only defines a pseudo-header for IPv6. RFC3768 (the last
VRRPv2 RFC) did not include a pseudo-header in the checksum.
However, keepalived has always included a pseudo-header in the
VRRPv3 IPv4 checksum, which is also consistent with the default
setting in Wireshark. In order to allow interoperation with
Cisco routers, and possibly other manufacturers, the
“v3_checksum_as_v2” keyword, when configured in global_defs to
set the default for all vrrp_instances, or in individual
vrrp_instances, causes those vrrp_instances to exclude the
pseudo- header from the checksum. The default action of including
the pseudo- header in the checksum remains unchanged.
vrrp: Add option to revert to backup if thread timer expires. If the VRRP
process is not scheduled for sufficiently long, another VRRP instance
may have taken over as master. For some users, minimising the number of
master switches is desired, and so if nopreempt is configured (if it is
not configured the highest priority instance will take over as master
again), and if it is too long after a thread timer expires before
keepalived is scheduled to run so that another instance will probably
have taken over as master, we will just revert to backup state rather
than sending further adverts. The keyword that configures this is
thread_timer_expired.
vrrp: Add optional new JSON format including track_process details. The
original JSON format did not allow for adding additional object types
other than the original vrrp instances. This commit adds a json_version
2, which puts the vrrp instances in a named array and adds an array of
the track_processes.
core: add option to check for malloc’s etc returning NULL. Configure option
–enable-malloc-check will cause the returned value of
malloc/realloc/strdup/strndup to be checked to ensure that they do not
return NULL. If any such call does return NULL a message will be logged
and the process will terminate. Unless sysctl vm.overcommit_memory == 2
(default is usually 0), or the malloc would cause the process virtual
address space to exceed the limit, malloc etc will not return NULL. It
is only once there is a write into the memory block that the memory is
actually allocated, and if there is insufficient memory (including swap
space), then the OOM killer will step in to either kill keepalived, or
kill another process. Consequently checking for NULL being returned is
generally a waste of time and program size.
ipvs: Add option to check OpenSSL mallocs/frees for validity.
ipvs: Add option to let SSL_GET shutdown comply with TLS spec.
bfd: Add multihop option to conform with RFC5883. RFCs 5881 and 5883 state
that port 3784 is used for single hop BFD and port 4784 is used for
multihop. The commit adds configuration option “multihop” to use port
4784 rather than port 3784.
Improvements
vrrp: Don’t adjust vrrp receive timeout during delayed start. The timeout for
a vrrp instance to become master should not be changed if an advert is
received during the delayed start - the timeout is set to include the
delayed start and the (3 to 4) * advert int delay to take over as master.
vrrp: Remove redundant checks of snmp_option.
vrrp: deley freeing vrrp instances until all references are freed. Trackers
etc have lists for vrrp instances that are tracking them. Therefore the
trackers, and their references, must be freed before the vrrp instances
are freed.
vrrp: restore the vmac ipv6 link-local after flapping. The user is not
supposed to shutdown a vmac interface created by keepalived. However,
it can mistakenly happen. When the link is re-established, the
link-local has disappear (the kernel removes all IPv6 addresses on link
down except if keep_addr_on_down sysctl is on) and sending VRRP packet
is no nore possible. Restore the IPv6 Link-Local after a VMAC interface
flapping. A Link-Local is not set when the VRRP packets are sent from
the base interface (vmac-xmit-base). Note that the IPv6 Virtual
Addresses are also removed on link down which is the desired behavior.
Enabling keep_addr_on_down sysctl would keep the link-local without
this patch but would break this behavior.
doc: Man pages and documentation updates. Add explanation of why unicast
VRRPv3 checksum changed.
configure: Add systemd auto option. fix default config file with ${prefix}
use. use back-ticks rather than $(…) for commmands. Improve
checking for ${prefix}.
ipvs: Don’t report HTTP_CHECK when it is an SSL_CHECK.
ipvs: Work around OpenSSL memory leak in versions 3.0.0 to 3.0.4. The memory
leak was observed with OpenSSL 3.0.1, and it is resolved by version
3.0.5. Also the leak is not observed in v1.1.1n.
ipvs: Simplify SSL_GET handling code.
Fixes
rpm: Fix RPM spec file to use kmod-lib and kmod-devel rather than libkmod.
vrrp: Fix NFT support to properly handle build with L4PROTO support.
vrrp: Resolve segfault when enable_snmp_vrrp is added at a reload.
vrrp: workaround GCC LTO bug causing incorrect VRRPv3 checksum. The problem
was observed with GCC versions 11.2, 11.3.1 and 12.1.1, on Ubuntu 22.04,
Fedora 34, Fedora 36 and Fedora 37 (Rawhide). The problem did not occur
when not using LTO, nor when using clang, even with LTO.
vrrp: fix ipv6 vrrp in fault state because no ipv4 address. Setting an IPv6
VRRP virtual address on an interface that has no IPv4 address results
in a persistent FAULT state.
core: Fix segfault when receive netlink message for static default route added.
build: Fix order of -lssl -lcrypto. This needs to be correct in order to be
able to use static library linking on Alpine Linux.
build: Fix build with libressl. SSL_set0_rbio is provided by libressl since
version 3.4.0 and libressl/openbsd@c99939f but SSL_set0_wbio is not
provided resulting in build failure.
build: Fix out of tree builds. Fix build error with –disable-track-process.
build: Fix building with –disable-vmac.
build: Fix compiler warning when building without VRRP authentication.
parser: Fix segfault caused by extra ‘}’ and other parser fixes. If there was
a configuration error in a block, e.g. a vrrp_instance, keepalived
would apply the configuration in the rest of the block to the
previous object of that type, e.g. the previous vrrp instance. If
there had been no previous instance, keepalived would probably
segfault. This commit changes the way the parser works. A new
instance of an object, e.g. a VRRP instance or a virtual server, is
only added to the list of those objects once the configuration of
that object is complete. In particular it no longer applies the
configuration to the last entry on the list of the relevant object
type, but keeps a point to the object currently being configured.
parser: Optimise fixing recalculating updated line length.
ipvs: Fix memory leaks when configuration is repeated. Use last entry if
duplicate definition.
lib: Fix malloc check code for CPUs without unaligned memory access.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Michael Tremer [Tue, 15 Aug 2023 09:48:35 +0000 (09:48 +0000)]
mountfs: Remove excessive sync-ing before umount
The system should perform all write operations when sync is called and
only return when the write queues are empty.
There is no additional benefit for calling sync again as the buffers
should be empty. If data is still being lost, then that is a bug in
either the storage device or driver.
As the (re-)boot process is already so slow, I would like to get rid of
any unnecessary delays.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 14 Aug 2023 23:15:00 +0000 (23:15 +0000)]
Tor: Update to 0.4.7.14
Full changelog:
Changes in version 0.4.7.14 - 2023-07-26
This version contains several minor fixes and one major bugfix affecting
vanguards (onion service). As usual, we recommend upgrading to this version
as soon as possible.
o Major bugfixes (vanguards):
- Rotate to a new L2 vanguard whenever an existing one loses the
Stable or Fast flag. Previously, we would leave these relays in
the L2 vanguard list but never use them, and if all of our
vanguards end up like this we wouldn't have any middle nodes left
to choose from so we would fail to make onion-related circuits.
Fixes bug 40805; bugfix on 0.4.7.1-alpha.
o Minor feature (CI):
- Update CI to use Debian Bullseye for runners.
o Minor feature (lzma):
- Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
o Minor features (directory authorities):
- Directory authorities now include their AuthDirMaxServersPerAddr
config option in the consensus parameter section of their vote.
Now external tools can better predict how they will behave.
Implements ticket 40753.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on July 26, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/07/26.
o Minor bugfix (relay, logging):
- The wrong max queue cell size was used in a protocol warning
logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (compilation):
- Fix all -Werror=enum-int-mismatch warnings. No behavior change.
Fixes bug 40824; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (metrics):
- Decrement hs_intro_established_count on introduction circuit
close. Fixes bug 40751; bugfix on 0.4.7.12.
o Minor bugfixes (sandbox):
- Allow membarrier for the sandbox. And allow rt_sigprocmask when
compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 9 Aug 2023 21:16:40 +0000 (23:16 +0200)]
libloc: Update to version 0.9.17
- Update from version 0.9.16 to 0.9.17
- Update of rootfile
- Changelog
0.9.17
* The importer is now parsing Geofeeds where available. This helps us to create a
database with better accuracy for large ISPs or cloud providers.
* The database writer is trying to compress the database harder: It will now look
for any duplicate networks and merge neighbouring networks which will reduce the
size of the database by about half.
* The importer has been improved so that it runs more efficient SQL queries to
create the database faster.
* Temuri Doghonadze contributed a Georgian translation.
* Hans-Christoph Steiner contributed bash-completion for the location(8) command.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 20:51:07 +0000 (22:51 +0200)]
qpdf: Update to version 11.5.0
- Update from version 11.3.0 to 11.5.0
- Update of rootfile
- Changelog
11.5.0: release
* This release consists entirely of changes made by M. Holger.
Mostly this is changes to the private API, performance
enhancements, code cleanup, and reformatting to 100 columns
instead of 80. For qpdf development, we are starting to use
JetBrains CLion, so a lot of the changes are moving us toward a
cleaner development experience in that environment.
* Bug fix: when a the same page is copied multiple times, copy
the annotations rather than having multiple pages share an
annotation object. Thanks to M. Holger for the fix. Fixes #600.
* Add "FUTURE" build option for enabling experimental APIs. Do not
package qpdf built with the FUTURE option as there are no binary
compatibility or even source compatibility guarantees. The option
is intended for developers who want to ensure that future
potentially breaking changes are compatible with their code or
provide feedback on upcoming changes. At present, the only feature
enabled by FUTURE is a move constructor for QPDFObjectHandle.
While this shouldn't break any code, it would change details about
how many copies of a specific QPDFObjectHandle were in existence,
so it could potentially break code that was relying on internal
shared pointer reference counts. Thanks to M. Holger for the idea
and contribution.
* Add new method Buffer::copy and deprecate Buffer copy
constructor and assignment operator. Buffer copy operations are
expensive as they always involve copying the buffer content. Use
"buffer2 = buffer1.copy();" or "Buffer buffer2{buffer1.copy()};"
to make it explicit that copying is intended. This change was
contributed by M. Holger.
11.4.0: release
* From M. Holger: add QPDF::newReserved as a better alternative to
QPDFObjectHandle::newReserved. The operation of creating a new
reserved object fits better in the QPDF API. The old call just
delegates to the new one.
* When an annotation dictionary's appearance dictionary (`/AP`)
has a key that is a stream, disregard `/AS` (which is supposed to
point to a subkey). This enables qpdf to not ignore annotations
that have incorrect values for `/AS` when the appearance stream is
directly in the `/AP` dictionary instead of in a subkey.
Fixes #949.
* Allow QPDFJob's workflow to be split into a reading phase and a
writing phase to allow the caller to operate on the QPDF object
before it is written. This adds methods QPDFJob::createQPDF and
QPDFJob::writeQPDF and corresponding C API functions
qpdfjob_create_qpdf and qpdfjob_write_qpdf. Thanks to M. Holger
for the contribution.
* From M. Holger: throw a logic error if an uninitialized or
foreign QPDFObjectHandle is added to an array.
* Enhance --optimize-images to support images nested inside of
form XObjects. Thanks to Connor Osborne (github user cdosborn) for
the contribution. Fixes #923.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 20:51:06 +0000 (22:51 +0200)]
qemu: Update to version 8.0.3
- Update from version 7.1.0 to 8.0.3
- Update of rootfile
- Changelog is too large to include here. See the following links for more details
8.0
https://wiki.qemu.org/ChangeLog/8.0
7.2
https://wiki.qemu.org/ChangeLog/7.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 20:51:05 +0000 (22:51 +0200)]
popt: Update to version 1.19
- Update from version 1.18 to 1.19
- Update of rootfile
- Changelog
1.19
Clarify license: we are not the X Consortium, use straight MIT license text
Fix build without glob_pattern_p()
Fix missing libiconv dependency for static linkage in popt.pc
Fix segfault regression when NLS is enabled but libintl.h cannot be found (#32)
Fix the handling of superfluous args passed with =
Fix iconv resource leak on errors
Fix POPT_CONTEXT_KEEP_FIRST handling in poptResetContext()
Fix '=' getting shown for short options
Fix memory corruption issues with poptStuffArgs()
Fix handling of large files in poptReadFile() on 32bit systems
Fix build without wchar / mbstate_t
Fix potential memory leak in poptReadConfigFile()
Fix "Usage" string calculated length
Fix memory leak regressions in popt 1.18
Add --enable-werror configure option
Add CREDITS file
Improve random number handling
Various code cleanups, const and type hygiene improvements
Adjust test-suite expectations for libtool changes
Various translation updates
Various documentation improvements
Various test-suite improvements
Appease autoconf 2.70
Update gettext to 1.98.8
Run CI on fixed Fedora version (36 for now), use stricter compiler settings
Drop unmaintained CHANGES file from tarballs
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 20:51:04 +0000 (22:51 +0200)]
poppler: Update to version 23.08.0
- Update from version 23.03.0 to 23.08.0
- Update rootfile
- Changelog
23.08.0:
core:
* Fix GWG 19.2 - DeviceN Overprint (White)
* Splash: avoid bogus memory allocation size in doTilingPatternFill
* Fix use-of-uninitialized-value in XRef
* Fix float-cast-overflow error in Catalog
* Cleanup gpgme backend code
* Version symbols in poppler core
glib:
* Improve poppler_get_available_signing_certificates
* Add new members to PopplerCertificateInfo
utils:
* pdftotext: small improvement to man page
23.07.0:
core:
* Fix reading of utf8-with-bom files
* Fix crash if CERT_ExtractPublicKey doesn't return a public key
* Fix rendering of some malformed documents. Issue #1395
* Allow for stream compression and compress font streams in forms
* Remove method Hints::getPageRanges
qt5:
* Fix crash when overprint preview is enabled
* Don't fail signature basics tests if backend is not configured
qt6:
* Fix crash when overprint preview is enabled
* Don't fail signature basics tests if backend is not configured
utils:
* pdfsig: Allow showung and selecting signature backend
* pdfsig: Describe signature dump format in manual page
glib:
* Add signing API
build system:
* zlib is now mandatory
23.06.0:
core:
* CairoOutputDev: Fix crash when doing type3 rendering
* Fix crash with unknown signature hashing algorithms
* Add gpgme backend for signature handling
* Windows: Fix crash when signing existing signature
* FontInfo: Make it return proper information about font substitution
* FontInfo: Try harder to get Type 3 font name
* Store embedded fonts widths table in a more effective manner
* Skip font lookup for nonprintable characters
* Windows: Look for fonts in both windows font dir and poppler fonts dir
* Windows: symbol.ttf is not a good Symbol font
* Windows: Fix memory leak when looking for fonts
* Fix crash on malformed files
qt5:
* Add API to allow selecting signature backend (nss or gpgme)
* Convert embedded files to bytearray a bit smarter
qt6:
* Add API to allow selecting signature backend (nss or gpgme)
* Convert embedded files to bytearray a bit smarter
23.05.0:
core:
* Fix crash when filling some forms
* Set SigFlags when signing unsigned signature
* Add some infrastructure code to support multiple signing backends
* Fix potential stack overflow in PostScriptFunction::parseCode
* Fix some minor uninitialised memory reads
23.04.0:
core:
* Fix memory issue when signing fails. Issue #1372
* Internal improvements of signature related code
* CairoOutputDev: improve type3 font rendering
* Fix memory leak in GlobalParams::findSystemFontFileForFamilyAndStyle
utils:
* pdftocairo: Fix crash in some special situations
* pdfsig: allow holes in -dump signature list
* pdfsig: Support --help
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 16:45:42 +0000 (18:45 +0200)]
xz: Update to version 5.4.4
- Update from version 5.4.1 to 5.4.4
- Update of rootfile
- Changelog
5.4.4 (2023-08-02)
* liblzma and xzdec can now build against WASI SDK when threading
support is disabled. xz and tests don't build yet.
* CMake:
- Fixed a bug preventing other projects from including liblzma
multiple times using find_package().
- Don't create broken symlinks in Cygwin and MSYS2 unless
supported by the environment. This prevented building for the
default MSYS2 environment. The problem was introduced in
xz 5.4.0.
* Documentation:
- Small improvements to man pages.
- Small improvements and typo fixes for liblzma API
documentation.
* Tests:
- Added a new section to INSTALL to describe basic test usage
and address recent questions about building the tests when
cross compiling.
- Small fixes and improvements to the tests.
* Translations:
- Fixed a mistake that caused one of the error messages to not
be translated. This only affected versions 5.4.2 and 5.4.3.
- Updated the Chinese (simplified), Croatian, Esperanto, German,
Korean, Polish, Romanian, Spanish, Swedish, Ukrainian, and
Vietnamese translations.
- Updated the German, Korean, Romanian, and Ukrainian man page
translations.
5.4.3 (2023-05-04)
* All fixes from 5.2.12
* Features in the CMake build can now be disabled as CMake cache
variables, similar to the Autotools build.
* Minor update to the Croatian translation.
5.4.2 (2023-03-18)
* All fixes from 5.2.11 that were not included in 5.4.1.
* If xz is built with support for the Capsicum sandbox but running
in an environment that doesn't support Capsicum, xz now runs
normally without sandboxing instead of exiting with an error.
* liblzma:
- Documentation was updated to improve the style, consistency,
and completeness of the liblzma API headers.
- The Doxygen-generated HTML documentation for the liblzma API
header files is now included in the source release and is
installed as part of "make install". All JavaScript is
removed to simplify license compliance and to reduce the
install size.
- Fixed a minor bug in lzma_str_from_filters() that produced
too many filters in the output string instead of reporting
an error if the input array had more than four filters. This
bug did not affect xz.
* Build systems:
- autogen.sh now invokes the doxygen tool via the new wrapper
script doxygen/update-doxygen, unless the command line option
--no-doxygen is used.
- Added microlzma_encoder.c and microlzma_decoder.c to the
VS project files for Windows and to the CMake build. These
should have been included in 5.3.2alpha.
* Tests:
- Added a test to the CMake build that was forgotten in the
previous release.
- Added and refactored a few tests.
* Translations:
- Updated the Brazilian Portuguese translation.
- Added Brazilian Portuguese man page translation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 16:45:41 +0000 (18:45 +0200)]
smartmontools: Update to version 7.4
- Update from version 7.3 to 7.4
- Update of rootfile not required
- Changelog
7.4
- The docker image used for CI and release builds is now based on
Debian 12 instead of Ubuntu 18.04.
- macOS: CI and release builds are now generated for the x86_64 and arm64
targets. 32 bit platforms will require to be compiled from the source.
- smartctl '-t short', '-t long' and '-X': NVMe support.
- smartctl '-l selftest': NVMe support.
- smartctl '-l farm': Prints Seagate's vendor-specific Field Access
Reliability Metrics (FARM) log for ATA and SCSI drives.
- smartctl '-l error': Now also prints an error message for each entry
of NVMe error information log.
- smartctl '-l genstats': Prints SCSI General statistics and performance
log page.
- smartctl '-i' and '--identify': ACS-4/5/6 enhancements.
- smartctl '-c': Added NVMe 2.0 capability flags.
- smartctl '-g security': Added 'ata_security.master_password_id'
to JSON output. Plaintext output shows Master Password ID if set
to a non-default value.
- smartctl '-q noserial': Now also suppresses the output of NVMe Namespace
IEEE EUI-64.
- smartctl '-j': '-l error -l selftest' JSON output for NVMe devices.
- smartctl '-j': Avoid invalid UTF-8 sequences in JSON/YAML strings.
- smartctl '-j': Fixed a bogus exception during SCSI JSON output.
- smartctl '-j': Renamed JSON element 'scsi_temperature' back to
'temperature' (regression).
- smartctl '-a': Now suggests '-x' for ATA devices because '-a' only
provides legacy SMART information.
- smartd: No longer issues LOG_CRIT warnings if new entries of NVMe error
information log do not indicate device problems.
- smartd: Now detects accidental use of smartd_warning script as
'-M exec' parameter.
- smartd: No longer writes the 'Copyright...' line to syslog.
- smartd.conf '-M always': Sends reminder emails without any delay.
- smartd.conf '-M diminishing': Limited email delay to 32 days.
- ATA: Fixed decoding of extended self-test log on big endian hosts.
- ATA: Enhanced LBA range for device types '-d jmb39x-q,...' and
'-d jms56x,...' from 33-62 to 1-255.
- ATA: Device type '-d intelliprop,N' now fails with a deprecation message.
Added '-d intelliprop,N,force' flag to use it anyway.
- ATA/USB: Device type '-d usbasm1352r,N' for ASMedia ASM1352R USB to SATA
RAID bridges
- SCSI: Fixed possible corruption issue with the Error Counter and
Non medium Error log pages.
- SCSI: Added more "Informational Exceptions" strings.
- SCSI: Added initial support for REPORT SUPPORTED OPERATION command.
- SCSI: Initial rework of SCSI debug output.
- NVMe: Added error messages for NVMe status values.
- NVMe: Fixed crash after read of error information log on big endian hosts.
- HDD, SSD and USB additions to drive database.
- update-smart-drivedb: Fixed syntax for 'sed' versions which require
';' before '}' or do not support ';' at all.
- update-smart-drivedb: Replaced a usually not executed bashism.
- configure: Default for '--with-nvme-devicescan' is now 'yes' also on
Darwin and FreeBSD. It is still 'no' on NetBSD only.
- configure: Defines '_FORTIFY_SOURCE=3' if supported and not predefined.
- configure: No longer fails if libsystemd-dev is installed and
'LDFLAGS=-static' is used.
- Compile fix for systems without legacy 'getdtablesize()'.
- Pre-releases from SVN snapshots now show "pre-VERSION" in version
information and 'smartctl.pre_release=true' in JSON output.
- Linux: Device type '-d sssraid' for 3SNIC RAID controllers.
- Linux: Device type '-d marvell' now fails with a deprecation message.
Added '-d marvell,force' flag to use it anyway.
- Linux: The generic SCSI code now defaults to SG_IO_V3 and does no
longer fall back to the deprecated SCSI_IOCTL_SEND_COMMAND
(but this ioctl is still used for '-d 3ware' and '-d marvell,force').
- Linux smartd: Now prevents systemd unit startup timeout when many
devices are registered and then initially checked.
- Linux smartd: Systemd no longer reports a service failure if no device
is present and a '-q *nodev0*' option is used.
- Solaris SPARC: Dropped legacy ATA support. Dropped configure option
'--with-solaris-sparc-ata'.
- Windows: IOCTL_STORAGE_PROTOCOL_COMMAND variant for NVMe self-tests.
- Windows: Installer now defaults to 64-bit executables.
- Windows: No longer prints bogus 'Local Time' if enhanced TZ syntax is used.
- Windows: Workaround to keep backward compatibility with old versions
of Windows if some versions of MinGW-w64 are used.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 16:45:40 +0000 (18:45 +0200)]
lvm2: Update to version 2.03.22
- Update from version 2.03.21 to 2.03.22
- Update of rootfile not required
- Changelog
2.03.22 - 02nd August 2023
Fix pv_major/pv_minor report field types so they are integers, not strings.
Add lvmdevices --delnotfound to delete entries for missing devices.
Always use cachepool name for metadata backup LV for lvconvert --repair.
Make metadata backup LVs read-only after pool's lvconvert --repair.
Improve VDO and Thin support with lvmlockd.
Handle 'lvextend --usepolicies' for pools for all activation variants.
Fix memleak in vgchange autoactivation setup.
Update py-compile building script.
Support conversion from thick to fully provisioned thin LV.
Cache/Thin-pool can use error and zero volumes for testing.
Individual thin volume can be cached, but cannot take snapshot.
Better internal support for handling error and zero target (for testing).
Resize COW above trimmed maximal size is does not return error.
Support parsing of vdo geometry format version 4.
Add lvm.conf thin_restore and cache_restore settings.
Handle multiple mounts while resizing volume with a FS.
Handle leading/trailing spaces in sys_wwid and sys_serial used by deivce_id.
Enhance lvm_import_vdo and use snapshot when converting VDO volume.
Fix parsing of VDO metadata.
Fix failing -S|--select for non-reporting cmds if using LV info/status fields.
Allow snapshots of raid+integrity LV.
Fix multisegment RAID1 allocator to prevent using single disk for more legs.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 16:45:39 +0000 (18:45 +0200)]
harfbuzz: Update to version 8.1.1
- Update from version 8.0.1 to 8.1.1
- Update of rootfile
- Changelog
8.1.1
- Fix shaping of contextual rules at the end of string, introduced in 8.1.0
- Fix stack-overflow in repacker with malicious fonts.
- 30% speed up loading Noto Duployan font.
8.1.0
- Fix long-standing build issue with the AIX compiler and older Apple clang.
- Revert optimization that could cause timeout during subsetting with malicious fonts.
- More optimization work:
- 45% speed up in shaping Noto Duployan font.
- 10% speed up in subsetting Noto Duployan font.
- Another 8% speed up in shaping Gulzar.
- 5% speed up in loading Roboto.
- New API:
+hb_ot_layout_collect_features_map()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Aug 2023 16:45:38 +0000 (18:45 +0200)]
gmp: Update to version 6.3.0
- Update fromn version 6.2.1 to 6.3.0
- Update of rootfile
- Changelog
Changes between GMP version 6.2.* and 6.3.*.
BUGS FIXED
* A possible overflow of type int is avoided for mpz_cmp on huge operands.
* A possible error condition when a malformed file is read with
mpz_inp_raw is now correctly handled.
FEATURES
* New public function mpz_prevprime, companion of the existing
mpz_nextprime.
* New documented pointer types mpz_ptr, mpz_srcptr, and similar for
other GMP types. Refer to the manual for full list and suggested
usage. These types have been present in gmp.h at least since
GMP-4.0, but previously not advertised to users.
* Support for 64-bit Arm under Macos.
* Support for the loongarch64 CPU family.
* Support for building with LTO, link-time optimisations.
SPEEDUPS
* New special code for base = 2 in mpz_powm reduces the average time
for the functions that test primality.
* Speedup for the function mpz_nextprime on large operands.
* Speedup for multiplications (some sizes only) thanks to new
internal functions to compute small negacyclic products.
* Special assembly code for IBM z13 and later "mainframe" CPUs, resulting in
a huge speedup.
* Improved assembly for several 64-bit x86 CPUs, Risc-V, 64-bit Arm.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 4 Jul 2023 09:04:46 +0000 (11:04 +0200)]
red: Fixes bug#13164 adjust pppoe plugin name in red initscript
- This patch goes together with the patch for the ppp update to 2.5.0
- The rp-pppoe.so option is no longer available. There is only the pppoe.so available now
Fixes: Bug#13164 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 2 Jul 2023 09:54:32 +0000 (11:54 +0200)]
ppp: Fixes bug#13164 - Update to version 2.5.0
- Update from version 2.4.9 to 2.5.0
This includes breaking changes for third-party plugins but as far as I can see IPFire
is not using any third party plugins
- Update of rootfile
- Update of patches and sed commands
- pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014
- Some of the patches required updates as additional lines needing to be patched are
now present. nThis was related to the O_CLOEXEC & SOCK_CLOEXEC related patches
- connect-errors file location is now defined by a configure command --with-logfile-dir
- install-etcppp is no longer provided. However the install command in this version still
has the same files available in /etc/ppp as previously. There is a new file,
openssl.cnf, which I have commented out. If it is required in future it can always be
uncommented in future releases.
- Build went without any problems with the updated patches.
- I cannot test this as I don't use ppp, however the original bug reporter has agreed to
test this out when it is released into Testing unless anyone else is capable of testing
it.
- Changelog
What's new in ppp-2.5.0.
The 2.5.0 release is a major release of pppd which contains breaking
changes for third-party plugins, a complete revamp of the build-system
and that allows for flexibility of configuring features as needed.
In Summary:
* Support for PEAP authentication by Eivind Næss and Rustam Kovhaev
* Support for loading PKCS12 certificate envelopes
* Adoption of GNU Autoconf / Automake build environment, by Eivind Næss
and others.
* Support for pkgconfig tool has been added by Eivind Næss.
* Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár.
* Major revision to PPPD's Plugin API by Eivind Næss.
- Defines in which describes what features was included in pppd
- Functions now prefixed with explicit ppp_* to indicate that
pppd functions being called.
- Header files were renamed to better align with their features,
and now use proper include guards
- A pppdconf.h file is supplied to allow third-party modules to use
the same feature defines pppd was compiled with.
- No extern declarations of internal variable names of pppd,
continued use of these extern variables are considered
unstable.
* Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon
* Dropped IPX support, as Linux has dropped support in version 5.15
for this protocol.
* Many more fixes and cleanups.
* Pppd is no longer installed setuid-root.
* New pppd options:
- ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber,
ipv6-up-script, ipv6-down-script
- -v, show-options
- usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip
* On Linux, any baud rate can be set on a serial port provided the
kernel serial driver supports that.
Note that if you have built and installed previous versions of this
package and you want to continue having configuration and TDB files in
/etc/ppp, you will need to use the --sysconfdir option to ./configure.
For a list of the changes made during the 2.4 series releases of this
package, see the Changes-2.4 file.
Compression methods.
This package supports two packet compression methods: Deflate and
BSD-Compress. Other compression methods which are in common use
include Predictor, LZS, and MPPC. These methods are not supported for
two reasons - they are patent-encumbered, and they cause some packets
to expand slightly, which pppd doesn't currently allow for.
BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
ever expand packets.
Fixes: bug#13164 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Aug 2023 20:09:55 +0000 (22:09 +0200)]
fwhosts.cgi: Fixes bug#13206 - no validation of location group name
- Added validation code for the location group name. This is only validated when edited
and not when created.
- The code was copied from the section for creating the Services Group Name or the
Network/Host Group Name.
Fixes: Bug#13206 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 26 Jul 2023 21:03:59 +0000 (23:03 +0200)]
samba.cgi: Fixes bug#13193 - disables smb1 unix extensions in smb.conf
- Around three years ago the samba wui page was simplified and several parts were removed
including the ability to set either wide links or unix extensions to be enabled
- When the above was done wide links = yes was defined in the samba.cgi code
- unix extenstions was not defined and therefore took the default value which was/is yes
- unix extensions is now called smb1 unix extensions and has the same default value of yes
- With both wide links = yes and smb1 unix extensions = yes means that when there is a
wide symlink (one that goes outside the share directory tree) then wide links is disabled
because smb1 unix extensions is enabled. This is even though the smb1 protocol is disabled
by default.
- This patch sets smb1 unix extensions = no in the configuration.
- This has been tested in my vm testbed and confirmed that the error message is no longer
shown and that any wide links are able to be accessed from the share mounted on a client
Fixes: Bug#13193 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 29 Jul 2023 16:16:18 +0000 (18:16 +0200)]
tar: Update to version 1.35
- Update from version 1.34 to 1.35
- Update of rootfile not required
- Changelog
1.35 - Sergey Poznyakoff, 2023-07-18
* Fail when building GNU tar, if the platform supports 64-bit time_t
but the build uses only 32-bit time_t.
* Leave the devmajor and devminor fields empty (rather than zero) for
non-special files, as this is more compatible with traditional tar.
* Bug fixes
** Fix interaction of --update with --wildcards.
** When extracting archives into an empty directory, do not create
hard links to files outside that directory.
** Handle partial reads from regular files.
** Warn "file changed as we read it" less often.
Formerly, tar warned if the file's size or ctime changed.
However, this generated a false positive if tar read a file
while another process hard-linked to it, changing its ctime.
Now, tar warns if the file's size, mtime, user ID, group ID,
or mode changes. Although neither heuristic is perfect,
the new one should work better in practice.
** Fix --ignore-failed-read to ignore file-changed read errors
as far as exit status is concerned. You can now suppress file-changed
issues entirely with --ignore-failed-read --warning=no-file-changed.
** Fix --remove-files to not remove a file that changed while we read it.
** Fix --atime-preserve=replace to not fail if there was no need to replace,
either because we did not read the file, or the atime did not change.
** Fix race when creating a parent directory while another process is
also doing so.
** Fix handling of prefix keywords not followed by "." in pax headers.
** Fix handling of out-of-range sparse entries in pax headers.
** Fix handling of --transform='s/s/@/2'.
** Fix treatment of options ending in / in files-from list.
** Fix crash on 'tar --checkpoint-action exec=\"'.
** Fix low-memory crash when reading incremental dumps.
** Fix --exclude-vcs-ignores memory allocation misuse.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 2 Aug 2023 09:52:02 +0000 (09:52 +0000)]
openssl: Update to 3.1.2
* Fix excessive time spent checking DH q parameter value.
The function DH_check() performs various checks on DH parameters. After
fixing CVE-2023-3446 it was discovered that a large q parameter value can
also trigger an overly long computation during some of these checks.
A correct q value, if present, cannot be larger than the modulus p
parameter, thus it is unnecessary to perform these checks if q is larger
than p.
If DH_check() is called with such q parameter value,
DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally
intensive checks are skipped.
([CVE-2023-3817])
*Tomáš Mráz*
* Fix DH_check() excessive time with over sized modulus.
The function DH_check() performs various checks on DH parameters. One of
those checks confirms that the modulus ("p" parameter) is not too large.
Trying to use a very large modulus is slow and OpenSSL will not normally use
a modulus which is over 10,000 bits in length.
However the DH_check() function checks numerous aspects of the key or
parameters that have been supplied. Some of those checks use the supplied
modulus value even if it has already been found to be too large.
A new limit has been added to DH_check of 32,768 bits. Supplying a
key/parameters with a modulus over this size will simply cause DH_check() to
fail.
([CVE-2023-3446])
*Matt Caswell*
* Do not ignore empty associated data entries with AES-SIV.
The AES-SIV algorithm allows for authentication of multiple associated
data entries along with the encryption. To authenticate empty data the
application has to call `EVP_EncryptUpdate()` (or `EVP_CipherUpdate()`)
with NULL pointer as the output buffer and 0 as the input buffer length.
The AES-SIV implementation in OpenSSL just returns success for such call
instead of performing the associated data authentication operation.
The empty data thus will not be authenticated. ([CVE-2023-2975])
Thanks to Juerg Wullschleger (Google) for discovering the issue.
The fix changes the authentication tag value and the ciphertext for
applications that use empty associated data entries with AES-SIV.
To decrypt data encrypted with previous versions of OpenSSL the application
has to skip calls to `EVP_DecryptUpdate()` for empty associated data
entries.
*Tomáš Mráz*
* When building with the `enable-fips` option and using the resulting
FIPS provider, TLS 1.2 will, by default, mandate the use of an extended
master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will
not operate with truncated digests (FIPS 140-3 IG G.R).
*Paul Dale*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Jul 2023 20:36:54 +0000 (22:36 +0200)]
mpd: Update to version 0.23.13
- Update from version 0.23.12 to 0.23.13
- Update of rootfile not required
- mpd needs version 0.23.13 to build with fmt-10.0.0
- Changelog
0.23.13 (2023/05/22)
* input
- curl: fix busy loop after connection failed
- curl: hide "404" log messages for non-existent ".mpdignore" files
* archive
- zzip: fix crash bug
* database
- simple: reveal hidden songs after deleting containing CUE
* decoder
- ffmpeg: reorder to a lower priority than "gme"
- gme: require GME 0.6 or later
* output
- pipewire: fix corruption bug due to missing lock
* Linux
- shut down if parent process dies in --no-daemon mode
- determine systemd unit directories via pkg-config
* support libfmt 10
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Jul 2023 20:36:53 +0000 (22:36 +0200)]
fmt: Update to version 10.0.0
- Update from version 9.1.0 to 10.0.0
- Update of rootfile
- sobump so ran ./make find dependencies. This highlighted mpd but that needs to be
updated anyway as the existing version does not build with fmt-10.0.0
- Changelog is too large to include here. See the file ChangeLog.rst in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Jul 2023 16:15:43 +0000 (18:15 +0200)]
procps: Add patch to fix errors that prevent build with gettext-0.22
- Gettext earlier than 0.21 would still build when it found errors in language files etc.
With gettext-0.22 if it finds any errors it now stops.
- There were two lines in the french po file in procps that had erros in them. procps have
raised a commit to fix those. The patch included here carries out that commit.
- Update of rootfile not required.
- This patch will not be needed when the next update of procps occurs.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Jul 2023 16:15:42 +0000 (18:15 +0200)]
gettext: Update to version 0.22
- Update from version 0.21 to 0.22
- Update of rootfile
- Changelog
0.22 - June 2023
* PO file format:
- When a #: line contains references to file names that contain spaces,
these file names are surrounded by Unicode characters U+2068 and U+2069.
This makes it possible to parse such references correctly.
* Improvements for maintainers:
- The AM_GNU_GETTEXT macro now defines two variables localedir_c and
localedir_c_make, that can be used in C code or in Makefiles,
respectively, for representing the value of the --localedir configure
option.
* Programming languages support:
- C, C++:
o xgettext now supports gettext-like functions that take wide strings
(of type 'const wchar_t *', 'const char16_t *', or 'const char32_t *')
as arguments.
o xgettext now recognizes numbers with digit separators, as defined by
ISO C 23, as tokens.
o xgettext and msgfmt now recognize the format string directive %b
(for binary integer output, as defined by ISO C 23) in format strings.
o xgettext and msgfmt now recognize the argument size specifiers
w8, w16, w32, w64, wf8, wf16, wf32, wf64 (as defined by ISO C 23)
in format strings.
o xgettext and msgfmt now recognize C++ format strings, as defined by
ISO C++ 20. They are marked as 'c++-format' in POT and PO files.
A new example has been added, 'hello-c++20', that illustrates how
to use these format strings with gettext.
- Java:
o The build system and tools now also support Java versions newer than
Java 11. This is known to work up to Java 20, at least. On the other
hand, support for old versions of Java (Java 1.5 and GCJ) has been
dropped.
- Tcl: xgettext now supports the \x, \u, and \U escapes as defined in
Tcl 8.6.
* Portability:
- On systems with musl libc, the *gettext() functions in libc now work
with MO files generated from PO files with an encoding other than UTF-8.
To this effect, the msgfmt program now converts the messages to UTF-8
encoding before storing them in a MO file. You can prevent this by
using the msgfmt --no-convert option.
- On systems with musl libc, the *gettext() functions in libc now work
with MO files generated from PO files with ISO C 99 <inttypes.h> format
string directive macros. To this effect, the msgfmt program pre-expands
strings with such macros. You can prevent this by using the msgfmt
--no-redundancy option.
* xgettext:
- The xgettext option '--sorted-output' is now deprecated.
- xgettext input files of type PO that are not all ASCII and not UTF-8
encoded are now handled correctly.
* The base Unicode standard is now updated to 15.0.0.
* Emacs PO mode:
Fix an incompatibility with Emacs version 29 or newer.
0.21.1 - October 2022
* Runtime behaviour:
- On AIX, locale names with a script or with an uppercase language are now
supported.
For example, sr_Cyrl_RS.UTF-8 is treated like sr_RS.UTF-8@cyrillic, and
EN_US.UTF-8 is treated like en_US.UTF-8.
* The base Unicode standard is now updated to 14.0.0.
* Portability:
- Building on macOS 11/arm64 is now supported.
- Building on Linux/powerpc64le with glibc ≥ 2.35 is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 1 Aug 2023 15:48:36 +0000 (17:48 +0200)]
extrahd.cgi: Drop select for FS selection.
This feature does not have any benefit because the linux kernel
knows best which filesystem a device/partition has.
So there is no need for a user to specify this by-hand. This also
prevents from choosing a wrong fs type and as a direct result in a
not mountable device.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 1 Aug 2023 15:48:28 +0000 (17:48 +0200)]
extrahd.cgi: Add various perl functions deal with block devices
This functions are going to replace the former used scan/write to file/read from
file approach by directly collecting the required informations from the
kernel sysfs and devfs.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 31 Jul 2023 13:43:47 +0000 (13:43 +0000)]
udev: Drop hwrng rules
This is another fragment of rngd - the gift that keeps giving.
The udev rules file contains a lot of stuff for a prototype which never
went into production. So, that can be dropped.
It would have been left with one rule that starts rngd whenever a HWRNG
is being found. That is however no longer needed as rngd is being
started in the init process. We no longer need to initialize it as early
as possible to seed the kernel's PRNG.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 13 Jul 2023 17:03:49 +0000 (19:03 +0200)]
pmacct: Fix for Bug#13163 - no such column: vlan_in [CU 175]
- This problem occurred with pmacct-1.7.8 and was raised with upstream. They identified a
bug and provided a commit with a fix.
- Unfortunately the commit can not be used on version 1.7.8 from Dec 2022 as it depends on
other commits applied in the period from Dec 2022 to July 2023.
- The next version release is likely to come out around Dec 2023 to Mar 2024 based on the
previous release frequency (6 to 9 months)
- The only alternative was to make a release from the commit stage of the fix. In Github
this only provides a zip file. So I extracted the zip file and then re-archived it
as a .tar.gz file
- Build went successfully and the .ipfire package file was tested successfully by @Jon
Fixes: Bug#13163 Tested-by: Jon Murphy <jon.murphy@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 10 Jul 2023 09:23:49 +0000 (11:23 +0200)]
glib: Update to version 2.77.0
- Update from 2.71.1 to 2.77.0
- Update of rootfile
- Changelog is too large to include here. Details can be found in the NEWS file in the
source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 10 Jul 2023 09:23:50 +0000 (11:23 +0200)]
groff: Update to version 1.23.0
- Update from version 1.22.4 to 1.23.0
- Update of rootfile
- Changelog is too large to show here.
See the NEWS file in the source tarball for user visible changes. This does not
include any bug fixes.
For bug fixes and all commits see the ChangeLog file in the source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 27 Jul 2023 13:57:25 +0000 (15:57 +0200)]
ovpnmain.cgi: Fixes bug#13190 - connection status shows disconnected for connected client
- If the certificate name has underscores in it then the status always shows as DISCONNECTED
alothough the actual connection is working and can be used.
- The certificate with underscores works fine. RFC5280 accepts underscores in the name.
- The code for checking the status splits up the status message and takes the first part
as the common name for the connection. Then there is a regex command which rerplaces
any underscores in the status common name with spaces. This results in the connection
with underscores in the certificate name never matching any status feedback common
name as the underscores have been replaced by spaces.
- This has been tested to work with my vm test bed. With existing code the connection with
underscores in the certificate name permanently showed DISCONNECTED. With the code change
the connection shows as CONNECTED very quickly.
Fixes: Bug#13190 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>