For details see:
https://github.com/squid-cache/squid/releases/tag/SQUID_6_13
"Changes in squid-6.13 (31 Jan 2025):
- Bug 5352: Do not get stuck when RESPMOD is slower than read(2)
- Bug 5405: Large uploads fill request buffer and die
- Bug 5093: List http_port params that https_port/ftp_port lack
- Bug 5311: clarify configuration byte units
- Bug 5091: document that changes to workers require restart
- Bug 5481: Fix GCC v14 build [-Wmaybe-uninitialized]
- Nil request dereference in ACLExtUser and SourceDomainCheck ACLs
- Fix GCC v14 [-Wanalyzer-null-dereference] warnings in Kerberos
- Clarify --enable-ecap failure on missing shared library support
- Fix syntax error in configure.ac
- Remove GNU'ism in release notes Makefile
- Annotate PoolMalloc memory in valgrind builds
- Fix systemd startup sequence to require active Local Filesystem
- Display Linux variant at ./configure time
- Refactor peerRefreshDNS() to clarify its (void*)1 logic
- Portability: remove explicit check for libdl
- ext_time_quota_acl: remove -l option
- ... and some documentation updates
- ... and some CI updates"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 25 Jan 2025 09:32:07 +0000 (10:32 +0100)]
mc: Update to 4.8.33
For details see:
https://midnight-commander.org/wiki/NEWS-4.8.33
"Major changes since 4.8.32
Starting with this release, we will be using language features that require
a C99 compiler to build.
Core
Minimal version of Automake is 1.14 (#4604)
Upgrade C standard to C99 (#4604)
Support ksh variants as subshell (#3748)
Improve fish 4.0 shell support (#4597)
Add support for bash PROMPT_COMMAND being an array (#4599)
Don't override ENV variable for ash/dash subshell (#4605)
Don't disable verbose mode if tty baudrate can't be reliably determined
(#2452)
New keymap for vim users (#4588)
Misc
Code cleanup (#4572, #4593, #4595, #4598)
Adjust mc-wrappers to work with the new MC_TMPDIR creation logic (#4575)
Prefer console players for sound, images and video in non-graphical
sessions (#4479, #4596)
Support TERM=xterm-clear for FreeBSD users (#2633)
mc.ext.ini:
Support for Rust crates file format (#4609)
Support for OpenEmbedded ipk archives (#4626)
ext.d: select browser at runtime (#4615)
Move CI from Travis to GitHub Actions (#4170, #3738, #4602)
Fixes
Segfault if filter makes file panel empty (#4600)
Segfault in built-in help when going to the previous topic (#4627)
Incorrect handling of ext2 attributes of a directory (#4590)
Failed copy/move operations make ETA inaccurate (#3205, #4613, #4623)
Hotlist: use after free (#4621)
mc.ext.ini: typo for apt view command line (#4583)
mcedit: visual glitches if built with aspell, but libraries not
installed (#4576)
mcedit: segfault on new file creation (#4580)
mcedit: PageDown skips lines in edit window (#4617)
mcedit: cursor jumps during PageDown in edit window (#4618)
mvciew: false-positive regex search of BOL (#4587)
mcdiff: segmentation fault on empty files merge (#4608)
tar vfs: double free (#4616)
sftpfs vfs: use after free (#4620)
tests: fix charset-related code on non-glibc platforms (Alpine,
Illumos) (#3972, #4495)
tests: use weak symbols instead of symbol duplication to support
non-GNU linkers / macOS (#4584, #3542)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:15 +0000 (13:43 +0100)]
pango: Update to version 1.56.1
- Update from version 1.54.0 to 1.56.1
- Update of rootfile
- Changelog
1.56.1
- Avoid criticals when there are no fonts
- fontconfig: Handle lack of FC_FONT_WRAPPER in font cache
- fontconfig: Prefer application fonts even if they are older
1.56.0
- Support setting font features in font descriptions
- serialization: Document the tab array format
- serialization: Accept attributes without range
- win32: Improve the pango_font_map_reload_implementation
- win32: Take variations into account for caching
- layout: Fix measuring ellipsis runs with shapes
- build: Require C11
- build: Require GLib 2.80
- build: Require cairo 1.18
1.55
- Support Unicode 16
- Add pango_font_map_add_font_file
- fontconfig: Reject patterns without FC_FILE
- coretext: Actually use .AppleSystemUIFont
- coretext: Keep track of variations
- win32: Use font options for caching
- win32: Keep variations in PangoWin32Font
- build: Require harfbuzz 8.4.0
- build: Require fontconfig 2.15
- build: Require meson 1.2.0
- build: Require Window 10
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:14 +0000 (13:43 +0100)]
openvmtools: Update to version 12.5.0
- Update from version 12.0.5 to 12.5.0
- Update of rootfile not required
- Several CVE's in various updates between 12.0.5 and 12.5.0
- Changelog
12.5.0
The following github.com/vmware/open-vm-tools pull request has been addressed.
Revise settings for vmware-user.desktop
Pull request #668
Accomodate newer releases of libxml2 and xmlsec1.
The configure.ac and VGAuth code updated to avoid deprecated functions
and build options based on OSS product version.
12.4.5
A number of issues flagged by Coverity and ShellCheck have been addressed.
The changes include code fixes and Coverity escapes for reported
false positives. See the details in the open-vm-tools ChangeLog
for specific fix or false positive escape.
Nested logging from RPCChannel error may hang the vmtoolsd process.
This issue has been fixed in this release.
vmtoolsd child processes invoke parent's atexit handler.**
Fixed in this release by terminating child processes with _exit().
Mutexes in lib/libvmtools/vmtoolsLog.c and glib could have been locked at
fork time. The vmtoolsLog.c Debug(), Warning() and Panic() functions
are not safe for child processes.
Fixed in this release by directing child processes' logging to
stdout.
Permission on the vmware-network.log file incorrectly defaults to (0644).
Fixed in this release. The correct default is set to (0600).
The NetworkManager calls in the Linux "network" script have been updated.
Defaults to using the "Sleep" method over the "Enabled" method
used to work around a bug in NetworkManager version 0.9.0.
Resolves:
Pull request #699
Issue #426
Unused header files have been dropped from the current open-vm-tools source.
Accomodate newer releases of libxml2 and xmlsec1.
The configure.ac and VGAuth code updated to avoid deprecated
functions and build options based on OSS product version.
12.4.0
The following github.com/vmware/open-vm-tools pull request has been addressed
Power Ops: Attempt to execute file path only
Pull request #689
A number of issues flagged by Coverity have been addressed.
Add aliasing code to identify Miracle Linux by its former name of "asianux".
The Asianux Linux distribution rebranded itself as Miracle Linux.
Since vSphere infrastructure recognizes "asianux" but not
Miracle Linux, aliasing code was added to open-vm-tools to
continue to identify Miracle Linux systems as "asianux".
12.3.5
This release resolves CVE-2023-34058.
For more information on this vulnerability and its impact on
VMware products, see https://www.vmware.com/security/advisories/VMSA-2023-0024.html.
open-vm-tools contains a SAML token signature bypass vulnerability.
VMware has evaluated the severity of this issue to be in the
Important severity range with a maximum CVSSv3 base score of
7.5 - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
A malicious actor that has been granted Guest Operation Privileges
in a target virtual machine may be able to elevate their
privileges if that target virtual machine has been assigned a
more privileged Guest Alias.
Note: While the description and known attack vectors are very
similar to CVE-2023-20900, CVE-2023-34058 has a different root
cause that must be addressed.
A patch for earlier versions of open-vm-tools is available at
CVE-2023-34058.patch.
This release resolves CVE-2023-34059.
open-vm-tools contains a file descriptor hijack vulnerability in
the vmware-user-suid-wrapper. VMware has evaluated the
severity of this issue to be in the Important severity range
with a maximum CVSSv3 base score of 7.4. -
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
A malicious actor with non-root privileges may be able to hijack
the /dev/uinput file descriptor allowing them to simulate user
inputs.
A patch for earlier versions of open-vm-tools is available at
CVE-2023-34059.patch.
The following github.com/vmware/open-vm-tools issue have been addressed
Better cooperation between deployPkg plugin and cloud-init concerning
location of 'disable_vmware_customization' flag.
Issue #310
12.3.0
This release resolves CVE-2023-20900.
For more information on this vulnerability and its impact on VMware
products, see https://www.vmware.com/security/advisories/VMSA-2023-0019.html.
Linux quiesced snapshot: "SyncDriver: failed to freeze 'filesystem'"
The open-vm-tools 12.2.0 release had an update to the Linux quiesced
snapshot operation that would avoid starting a quiesced snapshot if a
filesystem had already been frozen by another process. See the
Resolved Issues section in the open-vm-tools 12.2.0 Release Notes.
That fix may have been backported into earlier versions of
open-vm-tools by Linux vendors.
It is possible that filesystems are being frozen in custom pre-freeze
scripts to control the order in which those specific filesystems are
to be frozen. The vmtoolsd process must be informed of all such
filesystems with the help of "excludedFileSystems" setting of
tools.conf.
[vmbackup]
excludedFileSystems=/opt/data,/opt/app/project-*,...
A temporary workaround is available (starting from open-vm-tools 12.3.0)
for system administrators to quickly allow a quiescing operation to
succeed until the "excludedFileSystems" list can be configured. Note,
if another process thaws the file system while a quiescing snapshot
operation is ongoing, the snapshot may be compromised. Once the
"excludedFileSystems" list is configured this setting MUST be unset
(or set to false).
[vmbackup]
ignoreFrozenFileSystems = true
This workaround is provided in the source file changes in
https://github.com/vmware/open-vm-tools/commit/60c3a80ddc2b400366ed05169e16a6bed6501da2
and at Linux vendors' discretion, may be backported to earlier versions
of open-vm-tools.
A number of Coverity reported issues have been addressed.
Component Manager / salt-minion: New InstallStatus "UNMANAGED".
Salt-minion added support for "ExternalInstall" (106) to indicate an
older version of salt-minion is installed on the vm and cannot be
managed by the svtminion.* scripts. The Component Manager will track
that as "UNMANAGED" and take no action.
The following pull requests and issues have been addressed
Add antrea and calico interface pattern to GUESTINFO_DEFAULT_IFACE_EXCLUDES
Issue #638
Pull request #639
Invalid argument with "\" in Linux username (Active Directory user)
Issue #641
Improve POSIX guest identification
Issue #647
Issue #648
Remove appUtil library which depends on deprecated "gdk-pixbuf-xlib"
Issue #658
Fix build problems with grpc
Pull request #664
Issue #676
12.2.5
This release resolves CVE-2023-20867.
For more information on this vulnerability and its impact on VMware
products, see https://www.vmware.com/security/advisories/VMSA-2023-0013.html.
12.2.0
A number of Coverity reported issues have been addressed.
The vmtoolsd task is blocked in the uninterruptible state while doing a
quiesced snapshot.
As the ioctl FIFREEZE is done during a quiesced snapshot operation, an
EBUSY could be seen because of an attempt to freeze the same
superblock more than once depending on the OS configuration (e.g.
usage of bind mounts). An EBUSY could also mean another process has
locked or frozen that filesystem. That later could lead to the
vmtoolsd process being blocked and ultimately other processes on the
system could be blocked.
The Linux quiesced snapshot procedure has been updated that when an
EBUSY is received, the filesystem FSID is checked against the list of
filesystems that have already been quiesced. If not previously seen,
a warning that the filesystem is controlled by another process is
logged and the quiesced snapshot request will be rejected.
This fix to lib/syncDriver/syncDriverLinux.c is directly applicable to
previous releases of open-vm-tools and is available at:
https://github.com/vmware/open-vm-tools/commit/9d458c53a7a656d4d1ba3a28d090cce82ac4af0e
Updated the guestOps to handle some edge cases.
When File_GetSize() fails or returns a -1 indicating the user does not
have access permissions:
Skip the file in the output of the ListFiles() request.
Fail an InitiateFileTransferFromGuest operation.
The following pull requests and issues have been addressed.
Detect the proto files for the containerd grpc client in alternate locations.
Pull request #626
FreeBSD: Support newer releases and code clean-up for earlier versions.
Pull request #584
12.1.5
A number of Coverity reported issues have been addressed.
The deployPkg plugin may prematurely reboot the guest VM before cloud-init
has completed user data setup.
If both the Perl based Linux customization script and cloud-init
run when the guest VM boots, the deployPkg plugin may reboot
the guest before cloud-init has finished. The deployPkg plugin
has been updated to wait for a running cloud-init process to
finish before the guest VM reboot is initiated.
This issue is fixed in this release.
A SIGSEGV may be encountered when a non-quiesing snapshot times out.
This issue is fixed in this release.
Unwanted vmtoolsd service error message if not on a VMware hypervisor.
When open-vm-tools comes preinstalled in a base Linux release, the
vmtoolsd services are started automatically at system start
and desktop login. If running on physical hardware or in a
non-VMware hypervisor, the services will emit an error message
to the Systemd's logging service before stopping.
This issue is fixed in this release.
12.1.0
This release resolves CVE-2022-31676. For more information on this
vulnerability and its impact on VMware products, see
https://www.vmware.com/security/advisories/VMSA-2022-0024.html.
A patch for existing open-vm-tools releases is provided in the
CVE-2022-31676 README file.
A number of Coverity reported issues have been addressed.
[FTBFS] Fix the build of the ContainerInfo plugin for a 32-bit Linux release
Reported in open-vm-tools pull request #588, the fix did not make the
code freeze date for open-vm-tools 12.0.5.
This issue is fixed in this release.
Make HgfsConvertFromNtTimeNsec aware of 64-bit time_t on i386 (32-bit)
Reported in open-vm-tools pull request #387, this change incorporates
the support of 64 bit time epoch conversion from Windows NT time to
Unix Epoch time on i386.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:13 +0000 (13:43 +0100)]
monit: Update to version 5.34.4
- Update from version 5.34.3 to 5.34.4
- Update of rootfile not required
- Changelog
5.34.4
Fixed: If the Monit configuration file contains a string with unbalanced
escape sequences, Monit may crash upon startup.
Fixed: If the password in the set mmonit URL contains only binary
characters, syntax check passed (-t), but Monit aborts after start and
reports following error:
AssertException: n >= 0
raised in Str_ndup at src/util/Str.c:315
Aborted
Fixed: If the every <cron> statement contained a syntax error, syntax check
passed (-t), but Monit aborts after start and reports following error:
AssertException: n < 5 && n >= 0
raised in Time_incron at src/system/Time.c:1566
Aborted
Fixed: If the timeout option value was set to 0, the syntax check was
successful (-t), but Monit aborts after starting and reports the
following error:
AssertException: timeout > 0
raised in Socket_create at src/net/socket.c:319
Aborted
Fixed: The set syslog statement's facility option did not permit the
specification of the log_user. Thanks to Lutz Mader for report.
Fixed: Double interpretation of format strings during RETHROW
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:12 +0000 (13:43 +0100)]
lynis: Update to version 3.1.3
- Update from version 3.1.1 to 3.1.3
- Update of rootfile
- Changelog
3.1.3
This release introduces additional documentation in the form of blog articles
to support the (missing) control information on the website.
Added
- Detection of Buildroot, Fedora Linux Asahi Remix, Garden Linux,
Peppermint OS
- Support for blog posts and articles to enhance suggestions
Changed
- BOOT-5264 - Changed output of systemd-analyze test and added link
- FILE-6398 - Test temporarily disabled as on modern kernels JDB
support is built-in
- FIRE-4508 - Several changes to expand the test, make it more generic,
resolve minor issues
- KRNL-5622 - Test if systemctl binary is set
- Several improvements for busybox
- Update of translations: Italian, Russian, Spanish
3.1.2
Added
- Detection of ALT Linux
- Detection of Athena OS
- Detection of Container-Optimized OS from Google
- Detection of Koozali SME Server
- Detection of Nobara Linux
- Detection of Open Source Media Center (OSMC)
- Detection of PostmarketOS
- CRYP-7932 - macOS FileVault encryption test
- FILE-6398 - Check if JBD (Journal Block Device) driver is loaded
- FINT-4344 - Wazuh system running state
- PKGS-7305 - Query macOS Apps in /Applications and CoreServices
- File added: .editorconfig, which is used by editors to standardize
formatting
Changed
- Correction of software EOL database and inclusion of AIX entries
- Support sysctl value perf_event_paranoid -> 2|3
- Update of translations: German, Portuguese, Turkish
- Grammar and spell improvements
- Improved package detection on Alpine Linux
- Slackware support to check installed packges
(functionPackageIsInstalled())
- Added words prosecute/report to LEGAL_BANNER_STRINGS
- Busybox support: Replace newer tr command syntax with older ascii
specific operations
- Added Wazuh as a malware scanner/antivirus and rootkit detection tool
- Updated PHP versions and removed PHP 5 (deprecated)
- AUTH-9262 - Corrected message with advised PAM libary (libpam-passwdqc)
- CONT-8104 - Checking for errors, not only warning in docker info output
- DBS-1826 - PostgreSQL detection improved for AlmaLinux, Rocky Linux,
and FreeBSD
- FILE-6344 - Test kernel version (major/minor)
- INSE-8000 - Added inetd package and service name used in ubuntu 24.04
- KRNL-5622 - Use systemctl get-default instead of following link
- KRNL-5820 - Accept ulimit with -H parameter also
- LOGG-2144 - Check for wazuh-agent presence on Linux systems
- MACF-6234 - Test if semanage binary is available
- MALW-3200 - ESET Endpoint Antivirus added
- MALW-3280 - McAfee Antivirus for Linux deprecated
- MALW-3291 - Check if Microsoft Defender Antivirus is installe
- NETW-3200 - Added regex to allow both /bin/true as /bin/false
- PKGS-7303 - Added version numbers to brew packages
- PKGS-7370 - Cron job check for debsums improved
- PKGS-7392 - Improved filtering of apt-check output (Ubuntu 24.04 may
give an error)
- PKGS-7410 - Added kernel name for Hardkernel odroid XU4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:11 +0000 (13:43 +0100)]
lvm2: Update to version 2.03.30
- Update from version 2.03.28 to 2.03.30
- Update of rootfile not required
- Changelog
2.03.30
Lvresize reports origin vdo volume cannot be resized.
Support setting reserved_memory|stack of --config cmdline.
Fix support for disabling memory locking (2.03.27).
Do not extend an LV if FS resize unsupported and '--fs resize' used.
Prevent leftover temporary device when converting in use volume to a pool.
lvconvert detects early volume in use when converting it to a pool.
Handle NVMe with quirk changed WWID not matching WWID in devices file.
2.03.29
Configure --enable/disable-sd-notify to control lvmlockd build with sd-notify.
Allow test mode when lvmlockd is built without dlm support.
Add a note about RAID + integrity synchronization to lvmraid(7) man page.
Add a function for running lvconvert --repair on RAID LVs to lvmdbusd.
Improve option section of man pages for listing commands ({pv,lv,vg}{s,display}).
Fix renaming of raid sub LVs when converting a volume to raid (2.03.28).
Fix segfault/VG write error for raid LV lvextend -i|--stripes -I|--stripesize.
Revert ignore -i|--stripes, -I|--stripesize for lvextend on raid0 LV (2.03.27).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:08 +0000 (13:43 +0100)]
harfbuzz: Update to version 10.2.0
- Update from version 10.1.0 to 10.2.0
- Update of rootfile
- Changelog
10.2.0
- Consider Unicode Variation Selectors when subsetting “cmap” table.
- Guard hb_cairo_glyphs_from_buffer() against malformed UTF-8 strings.
- Fix incorrect “COLR” v1 glyph scaling in hb-cairo.
- Use locale-independent parsing of double numbers is “hb-subset” command line
tool.
- Fix incorrect zeroing of advance width of base glyphs in various “Courier New”
font versions due to incorrect “GDEF” glyph classes.
- Fix handling of long language codes with “HB_LEAN” configuration.
- Update OpenType language system registry.
- Allow all Myanmar tone marks (including visarga) in any order
- Don’t insert U+25CC DOTTED CIRCLE before superscript/subscript digits
- Handle Garay script as right to left script.
- New API for serializing font tables and potentially repacking them in optimal
way. This was a previously experimental-only API.
- New API for converting font variation setting from and to strings.
- Various build fixes
- Various subsetter and instancer fixes.
- New API:
+hb_subset_serialize_link_t
+hb_subset_serialize_object_t
+hb_subset_serialize_or_fail()
+hb_subset_axis_range_from_string()
+hb_subset_axis_range_to_string()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:07 +0000 (13:43 +0100)]
git: Update to version 2.48.1
- Update from version 2.46.0 to 2.48.1
- Update of rootfile
- Changelog
2.48.1
This release merges up the fix that appears in v2.40.4, v2.41.3,
v2.42.4, v2.43.6, v2.44.3, v2.45.3, v2.46.3, and v2.47.2 to address
the security issues CVE-2024-50349 and CVE-2024-52006; see the release
notes for these versions for details.
2.48.0
UI, Workflows & Features
* A new configuration variable remote.<name>.serverOption makes the
transport layer act as if the --serverOption=<value> option is
given from the command line.
* "git rebase --rebase-merges" now uses branch names as labels when
able.
* Describe the policy to introduce breaking changes.
* Teach 'git notes add' and 'git notes append' a new '-e' flag,
instructing them to open the note in $GIT_EDITOR before saving.
* Documentation for "git bundle" saw improvements to more prominently
call out the use of '--all' when creating bundles.
* Drop support for older libcURL and Perl.
* End-user experience of "git mergetool" when the command errors out
has been improved.
* "git bundle --unbundle" and "git clone" running on a bundle file
both learned to trigger fsck over the new objects with configurable
fck check levels.
* When "git fetch $remote" notices that refs/remotes/$remote/HEAD is
missing and discovers what branch the other side points with its
HEAD, refs/remotes/$remote/HEAD is updated to point to it.
* "git fetch" honors "remote.<remote>.followRemoteHEAD" settings to
tweak the remote-tracking HEAD in "refs/remotes/<remote>/HEAD".
* "git range-diff" learned to optionally show and compare merge
commits in the ranges being compared, with the --diff-merges
option.
Performance, Internal Implementation, Development Support etc.
* Document "amlog" notes.
* The way AsciiDoc is used for SYNOPSIS part of the manual pages has
been revamped. The sources, at least for the simple cases, got
vastly more pleasant to work with.
* The reftable library is now prepared to expect that the memory
allocation function given to it may fail to allocate and to deal
with such an error.
* An extra worktree attached to a repository points at each other to
allow finding the repository from the worktree (and vice versa)
possible. Use relative paths for this linkage.
* Enable Windows-based CI in GitLab.
* Commands that can also work outside Git have learned to take the
repository instance "repo" when we know we are in a repository, and
NULL when we are not, in a parameter. The uses of the_repository
variable in a few of them have been removed using the new calling
convention.
* The reftable sub-system grew a new reftable-specific strbuf
replacement to reduce its dependency on Git-specific data
structures.
* The ref-filter machinery learns to recognize and avoid cases where
sorting would be redundant.
* Various platform compatibility fixes split out of the larger effort
to use Meson as the primary build tool.
* Treat ECONNABORTED the same as ECONNRESET in 'git credential-cache'
to work around a possible Cygwin regression. This resolves a race
condition caused by changes in Cygwin's handling of socket
closures, allowing the client to exit cleanly when encountering
ECONNABORTED.
* Demonstrate an assertion failure in 'git mv'.
* Documentation update to clarify that 'uploadpack.allowAnySHA1InWant'
implies both 'allowTipSHA1InWant' and 'allowReachableSHA1InWant'.
* Replace various calls to atoi() with strtol_i() and strtoul_ui(),
and add improved error handling.
* Documentation updates to 'git-update-ref(1)'.
* Update the project's CodingGuidelines to discourage naming functions
with a "_1()" suffix.
* Update '.clang-format' to match project conventions.
* Centralize documentation for repository extensions into a single place.
* Buildfix and upgrade of Clar to a newer version.
* Documentation mark-up updates.
* Renaming a handful of variables and structure fields.
* Fix for clar unit tests to support CMake build.
* C23 compatibility updates.
* GCC 15 compatibility updates.
* We now ensure "index-pack" is used with the "--promisor" option
only during a "git fetch".
* The migration procedure between two ref backends has been optimized.
* "git fsck" learned to issue warnings on "curiously formatted" ref
contents that have always been treated as valid but that Git
wouldn't have written itself (e.g., missing terminating end-of-line
after the full object name).
* Work around Coverity warning that would not trigger in practice.
* Built-in Git subcommands are supplied the repository object to work
with; they learned to do the same when they invoke sub-subcommands.
* Drop support for ancient environments in various CI jobs.
* Isolate the reftable subsystem from the rest of Git's codebase by
using fewer pieces of Git's infrastructure.
* Optimize reading random references out of the reftable backend by
allowing reuse of iterator objects.
* Backport oss-fuzz tests to our codebase.
* Introduce a new repository extension to prevent older Git versions
from mis-interpreting worktrees created with relative paths.
* Yet another "pass the repository through the callchain" topic.
* "git describe" learned to stop digging the history needlessly
deeper.
* Build procedure update plus introduction of Meson based builds.
* Recent reftable updates mistook a NULL return from a request for
0-byte allocation as OOM and died unnecessarily, which has been
corrected.
* Reftable backend adds check for upper limit of log's update_index.
* Start working to make the codebase buildable with -Wsign-compare.
* Regression fix for 'show-index' when run outside of a repository.
* The meson-build procedure is integrated into CI to catch and
prevent bitrotting.
* "git refs migrate" learned to also migrate the reflog data across
backends.
* The developer documentation has been updated to give the latest
info on gitk and git-gui maintainer.
* CI jobs that run threaded programs under LSan has been giving false
positives from time to time, which has been worked around.
* Doc update to clarify how periodical maintenance are scheduled,
spread across time to avoid thundering herds.
* Use after free and double freeing at the end in "git log -L... -p"
had been identified and fixed.
* On macOS, fsmonitor can fall into a race condition that results in
a client waiting forever to be notified about an event that has
already happened. This problem has been corrected.
* "git maintenance start" crashed due to an uninitialized variable
reference, which has been corrected.
* Fail gracefully instead of crashing when attempting to write the
contents of a corrupt in-core index as a tree object.
* A "git fetch" from the superproject going down to a submodule used
a wrong remote when the default remote names are set differently
between them.
* Fixes compile time warnings with 64-bit MSVC.
* Teaches 'shortlog' to explicitly use SHA-1 when operating outside
of a repository.
* Fix 'git grep' regression on macOS by disabling lookahead when
encountering invalid UTF-8 byte sequences.
* The dumb-http code regressed when the result of re-indexing a pack
yielded an *.idx file that differs in content from the *.idx file
it downloaded from the remote. This has been corrected by no longer
relying on the *.idx file we got from the remote.
* When called with '--left-right' and '--use-bitmap-index', 'rev-list'
will produce output without any left/right markers, which has been
corrected.
* More leakfixes.
* Test modernization.
* The "--shallow-exclude=<ref>" option to various history transfer
commands takes a ref, not an arbitrary revision.
* A regression where commit objects missing from a commit-graph can
cause an infinite loop when doing a fetch in a partial clone has
been fixed.
* The MinGW compatibility layer has been taught to support POSIX
semantics for atomic renames when other process(es) have a file
opened at the destination path.
* "git gc" discards any objects that are outside promisor packs that
are referred to by an object in a promisor pack, and we do not
refetch them from the promisor at runtime, resulting an unusable
repository. Work around it by including these objects in the
referring promisor pack at the receiving end of the fetch.
* Avoid build/test breakage on a system without working malloc debug
support dynamic library.
(merge 72ad6dc368 jk/test-malloc-debug-check later to maint).
* Double-free fix.
(merge fe17a25905 jk/fetch-prefetch-double-free-fix later to maint).
* Use of some uninitialized variables in "git difftool" has been
corrected.
* Object reuse code based on multi-pack-index sent an unwanted copy
of object.
(merge e199290592 tb/multi-pack-reuse-dupfix later to maint).
* "git fast-import" can be tricked into a replace ref that maps an
object to itself, which is a useless thing to do.
(merge 5e904f1a4a en/fast-import-avoid-self-replace later to maint).
* The ref-transaction hook triggered for reflog updates, which has
been corrected.
(merge b886db48c6 kn/ref-transaction-hook-with-reflog later to maint).
* Give a bit of advice/hint message when "git maintenance" stops finding a
lock file left by another instance that still is potentially running.
(merge ba874d1dac ps/gc-stale-lock-warning later to maint).
* Use the right helper program to measure file size in performance tests.
(merge 3f97f1bce6 tb/use-test-file-size-more later to maint).
* A double-free that may not trigger in practice by luck has been
corrected in the reference resolution code.
(merge b6318cf23a sj/refs-symref-referent-fix later to maint).
* The sequencer failed to honor core.commentString in some places.
* Describe a case where an option value needs to be spelled as a
separate argument, i.e. "--opt val", not "--opt=val".
(merge 1bc1e94091 jc/doc-opt-tilde-expand later to maint).
* Loosen overly strict ownership check introduced in the recent past,
to keep the promise "cloning a suspicious repository is a safe
first step to inspect it".
(merge 0ffb5a6bf1 bc/allow-upload-pack-from-other-people later to maint).
* "git fast-import" learned to reject paths with ".." and "." as
their components to avoid creating invalid tree objects.
(merge 8cb4c6e62f en/fast-import-verify-path later to maint).
* The --ancestry-path option is designed to be given a commit that is
on the path, which was not documented, which has been corrected.
(merge bc1a980759 kk/doc-ancestry-path later to maint).
* "git tag" has been taught to refuse to create refs/tags/HEAD
since such a tag will be confusing in the context of the UI provided by
the Git Porcelain commands.
(merge bbd445d5ef jc/forbid-head-as-tagname later to maint).
* The advice messages now tell the newer 'git config set' command to
set the advice.token configuration variable to squelch a message.
(merge 6c397d0104 bf/explicit-config-set-in-advice-messages later to maint).
* The syntax ":/<text>" to name the latest commit with the matching
text was broken with a recent change, which has been corrected.
(merge 0ff919e87a ps/commit-with-message-syntax-fix later to maint).
* Fix performance regression of a recent "fatten promisor pack with
local objects" protection against an unwanted gc.
* "git log -p --remerge-diff --reverse" was completely broken.
(merge f94bfa1516 js/log-remerge-keep-ancestry later to maint).
* "git bundle create" with an annotated tag on the positive end of
the revision range had a workaround code for older limitation in
the revision walker, which has become unnecessary.
(merge dd1072dfa8 tc/bundle-with-tag-remove-workaround later to maint).
* GitLab CI updates.
(merge c6b43f663e ps/ci-gitlab-update later to maint).
* Code to reuse objects based on bitmap contents have been tightened
to avoid race condition even when multiple packs are involved.
(merge 62b3ec8a3f tb/bitmap-fix-pack-reuse later to maint).
* An earlier "csum-file checksum does not have to be computed with
sha1dc" topic had a few code paths that had initialized an
implementation of a hash function to be used by an unmatching hash
by mistake, which have been corrected.
(merge 599a63409b ps/weak-sha1-for-tail-sum-fix later to maint).
* Other code cleanup, docfix, build fix, etc.
(merge 77af53f56f aa/t7300-modernize later to maint).
(merge dcd590a39d bf/t-readme-mention-reftable later to maint).
(merge 68e3c69efa kh/trailer-in-glossary later to maint).
(merge 91f88f76e6 tb/boundary-traversal-fix later to maint).
(merge 168ebb7159 jc/doc-error-message-guidelines later to maint).
(merge 18693d7d65 kh/doc-bundle-typofix later to maint).
(merge e2f5d3b491 kh/doc-update-ref-grammofix later to maint).
(merge 8525e92886 mh/doc-windows-home-env later to maint).
2.47.2
This release merges up the fix that appears in v2.40.4, v2.41.3,
v2.42.4, v2.43.6, v2.44.3, v2.45.3 and v2.46.3 to address the
security issues CVE-2024-50349 and CVE-2024-52006; see the release
notes for these versions for details.
2.47.1
This is to flush accumulated fixes since 2.47.0 on the 'master'
front down to the maintenance track.
Fixes since Git 2.47
* Use after free and double freeing at the end in "git log -L... -p"
had been identified and fixed.
* On macOS, fsmonitor can fall into a race condition that results in
a client waiting forever to be notified for an event that have
already happened. This problem has been corrected.
* "git maintenance start" crashed due to an uninitialized variable
reference, which has been corrected.
* Fail gracefully instead of crashing when attempting to write the
contents of a corrupt in-core index as a tree object.
* A "git fetch" from the superproject going down to a submodule used
a wrong remote when the default remote names are set differently
between them.
* The "gitk" project tree has been synchronized again with its new
maintainer, Johannes Sixt.
Also contains minor documentation updates and code clean-ups.
2.47.0
UI, Workflows & Features
* Many Porcelain commands that internally use the merge machinery
were taught to consistently honor the diff.algorithm configuration.
* A few descriptions in "git show-ref -h" have been clarified.
* A 'P' command to "git add -p" that passes the patch hunk to the
pager has been added.
* "git grep -W" omits blank lines that follow the found function at
the end of the file, just like it omits blank lines before the next
function.
* The value of http.proxy can have "path" at the end for a socks
proxy that listens to a unix-domain socket, but we started to
discard it when we taught proxy auth code path to use the
credential helpers, which has been corrected.
* The code paths to compact multiple reftable files have been updated
to correctly deal with multiple compaction triggering at the same
time.
* Support to specify ref backend for submodules has been enhanced.
* "git svn" has been taught about svn:global-ignores property
recent versions of Subversion has.
* The default object hash and ref backend format used to be settable
only with explicit command line option to "git init" and
environment variables, but now they can be configured in the user's
global and system wide configuration.
* "git send-email" learned "--translate-aliases" option that reads
addresses from the standard input and emits the result of applying
aliases on them to the standard output.
* 'git for-each-ref' learned a new "--format" atom to find the branch
that the history leading to a given commit "%(is-base:<commit>)" is
likely based on.
* The command line prompt support used to be littered with bash-isms,
which has been corrected to work with more shells.
* Support for the RUNTIME_PREFIX feature has been added to z/OS port.
* "git send-email" learned "--mailmap" option to allow rewriting the
recipient addresses.
* "git mergetool" learned to use VSCode as a merge backend.
* "git pack-redundant" has been marked for removal in Git 3.0.
* One-line messages to "die" and other helper functions will get LF
added by these helper functions, but many existing messages had an
unnecessary LF at the end, which have been corrected.
* The "scalar clone" command learned the "--no-tags" option.
* The environment GIT_ADVICE has been intentionally kept undocumented
to discourage its use by interactive users. Add documentation to
help tool writers.
* "git apply --3way" learned to take "--ours" and other options.
Performance, Internal Implementation, Development Support etc.
* A build tweak knob has been simplified by not setting the value
that is already the default; another unused one has been removed.
* A CI job that use clang-format to check coding style issues in new
code has been added.
* The reviewing guidelines document now explicitly encourages people
to give positive reviews and how.
* Test script linter has been updated to catch an attempt to use
one-shot export construct "VAR=VAL func" for shell functions (which
does not work for some shells) better.
* Some project conventions have been added to CodingGuidelines.
* In the refs subsystem, implicit reliance of the_repository has been
eliminated; the repository associated with the ref store object is
used instead.
* Various tests in reftable library have been rewritten using the unit test
framework.
* A test that fails on an unusually slow machine was found, and made
less likely to cause trouble by lengthening the expiry value it
uses.
* An existing test of hashmap API has been rewritten with the
unit-test framework.
* A policy document that describes platform support levels and
expectation on platform stakeholders has been introduced.
* The refs API has been taught to give symref target information to
the users of ref iterators, allowing for-each-ref and friends to
avoid an extra ref_resolve_* API call per a symbolic ref.
* Unit-test framework has learned a simple control structure to allow
embedding test statements in-line instead of having to create a new
function to contain them.
* Incremental updates of multi-pack index files is getting worked on.
* Use of API functions that implicitly depend on the_repository
object in the config subsystem has been rewritten to pass a
repository object through the callchain.
* Unused parameters have been either marked as UNUSED to squelch
-Wunused warnings or dropped from many functions..
* The code in the reftable library has been cleaned up by discarding
unused "generic" interface.
* The underlying machinery for "git diff-index" has long been made to
expand the sparse index as needed, but the command fully expanded
the sparse index upfront, which now has been taught not to do.
* More trace2 events at key points on push and fetch code paths have
been added.
* Make our codebase compilable with the -Werror=unused-parameter
option.
* "git cat-file" works well with the sparse-index, and gets marked as
such.
* CI started failing completely for linux32 jobs, as the step to
upload failed test directory uses GitHub actions that is deprecated
and is now disabled.
* Import clar unit tests framework libgit2 folks invented for our
use.
* The error messages from the test script checker have been improved.
* The convention to calling into built-in command implementation has
been updated to pass the repository, if known, together with the
prefix value.
* "git apply" had custom buffer management code that predated before
use of strbuf got widespread, which has been updated to use strbuf,
which also plugged some memory leaks.
* The reftable backend learned to more efficiently handle exclude
patterns while enumerating the refs.
* CI updates. FreeBSD image has been updated to 13.4.
(merge 2eeb29702e cb/ci-freebsd-13-4 later to maint).
* Give timeout to the locking code to write to reftable, instead of
failing on the first failure without retrying.
* The checksum at the tail of files are now computed without
collision detection protection. This is safe as the consumer of
the information to protect itself from replay attacks checks for
hash collisions independently.
2.46.3
This release merges up the fix that appears in v2.40.4, v2.41.3, v2.42.4,
v2.43.6, v2.44.3 and v2.45.3 to address the security issues CVE-2024-50349 and
CVE-2024-52006; see the release notes for these versions for details.
2.46.2
This release is primarily to merge changes to unbreak the 32-bit
GitHub actions jobs we use for CI testing, so that we can release
real fixes for the 2.46.x track after they pass CI.
It also reverts the "git patch-id" change that went into 2.46.1,
as it seems to have got a regression reported (I haven't verified,
but it is better to keep a known breakage than adding an unintended
regression).
Other than that, a handful of minor bugfixes are included.
* In a few corner cases "git diff --exit-code" failed to report
"changes" (e.g., renamed without any content change), which has
been corrected.
* Cygwin does have /dev/tty support that is needed by things like
single-key input mode.
* The interpret-trailers command failed to recognise the end of the
message when the commit log ends in an incomplete line.
2.46.1
This release is primarily to merge fixes accumulated on the 'master'
front to prepare for 2.47 release that are still relevant to 2.46.x
maintenance track.
* "git checkout --ours" (no other arguments) complained that the
option is incompatible with branch switching, which is technically
correct, but found confusing by some users. It now says that the
user needs to give pathspec to specify what paths to checkout.
* It has been documented that we avoid "VAR=VAL shell_func" and why.
* "git add -p" by users with diff.suppressBlankEmpty set to true
failed to parse the patch that represents an unmodified empty line
with an empty line (not a line with a single space on it), which
has been corrected.
* "git rebase --help" referred to "offset" (the difference between
the location a change was taken from and the change gets replaced)
incorrectly and called it "fuzz", which has been corrected.
* "git notes add -m '' --allow-empty" and friends that take prepared
data to create notes should not invoke an editor, but it started
doing so since Git 2.42, which has been corrected.
* An expensive operation to prepare tracing was done in re-encoding
code path even when the tracing was not requested, which has been
corrected.
* Perforce tests have been updated.
* The credential helper to talk to OSX keychain sometimes sent
garbage bytes after the username, which has been corrected.
* A recent update broke "git ls-remote" used outside a repository,
which has been corrected.
* "git config --value=foo --fixed-value section.key newvalue" barfed
when the existing value in the configuration file used the
valueless true syntax, which has been corrected.
* "git reflog expire" failed to honor annotated tags when computing
reachable commits.
* A flakey test and incorrect calls to strtoX() functions have been
fixed.
* Follow-up on 2.45.1 regression fix.
* "git rev-list ... | git diff-tree -p --remerge-diff --stdin" should
behave more or less like "git log -p --remerge-diff" but instead it
crashed, forgetting to prepare a temporary object store needed.
* The patch parser in "git patch-id" has been tightened to avoid
getting confused by lines that look like a patch header in the log
message.
* "git bundle unbundle" outside a repository triggered a BUG()
unnecessarily, which has been corrected.
* The code forgot to discard unnecessary in-core commit buffer data
for commits that "git log --skip=<number>" traversed but omitted
from the output, which has been corrected.
* "git verify-pack" and "git index-pack" started dying outside a
repository, which has been corrected.
* A corner case bug in "git stash" was fixed.
Also contains minor documentation updates and code clean-ups.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:06 +0000 (13:43 +0100)]
gdb: Update to version 16.1
- Update from version 15.2 to 16.1
- Update of rootfile
- Changelog
16.1
* Support for Nios II targets has been removed as this architecture
has been EOL'ed by Intel.
* GDB now supports watchpoints for tagged data pointers (see
https://en.wikipedia.org/wiki/Tagged_pointer) on amd64, such as the
one used by the Linear Address Masking (LAM) feature provided by
Intel.
* Debugging support for Intel MPX has been removed. This includes the
removal of
** MPX register support
** the commands "show/set mpx bound" (deprecated since GDB 15)
** i386 and amd64 implementation of the hooks report_signal_info and
get_siginfo_type.
* GDB now supports printing of asynchronous events from the Intel Processor
Trace during 'record instruction-history', 'record function-call-history'
and all stepping commands. This can be controlled with the new
"set record btrace pt event-tracing" command.
* GDB now supports printing of ptwrite payloads from the Intel Processor
Trace during 'record instruction-history', 'record function-call-history'
and all stepping commands. The payload is also accessible in Python as a
RecordAuxiliary object. Printing is customizable via a ptwrite filter
function in Python. By default, the raw ptwrite payload is printed for
each ptwrite that is encountered.
* For breakpoints that are created in the 'pending' state, any
'thread' or 'task' keywords are parsed at the time the breakpoint is
created, rather than at the time the breakpoint becomes non-pending.
* Thread-specific breakpoints are only inserted into the program space
in which the thread of interest is running. In most cases program
spaces are unique for each inferior, so this means that
thread-specific breakpoints will usually only be inserted for the
inferior containing the thread of interest. The breakpoint will
be hit no less than before.
* For ARM targets, the offset of the pc in the jmp_buf has been fixed to match
glibc 2.20 and later. This should only matter when not using libc probes.
This may cause breakage when using an incompatible libc, like uclibc or
newlib, or an older glibc.
* MTE (Memory Tagging Extension) debugging is now supported on AArch64 baremetal
targets.
* Remove support (native and remote) for QNX Neutrino (triplet
`i[3456]86-*-nto*`).
* In a record session, when a forward emulation reaches the end of the reverse
history, the warning message has been changed to indicate that the end of the
history has been reached. It also specifies that the forward execution can
continue, and the recording will also continue.
* The Ada 'Object_Size attribute is now supported.
* Support for process record/replay and reverse debugging on loongarch*-linux*
targets has been added.
* New bash script gstack uses GDB to print stack traces of running processes.
* Python API
** Added gdb.record.clear. Clears the trace data of the current recording.
This forces re-decoding of the trace for successive commands.
** Added the new event source gdb.tui_enabled.
** New module gdb.missing_objfile that facilitates dealing with
missing objfiles when opening a core-file.
** New function gdb.missing_objfile.register_handler that can
register an instance of a sub-class of
gdb.missing_debug.MissingObjfileHandler as a handler for missing
objfiles.
** New class gdb.missing_objfile.MissingObjfileHandler which can be
sub-classed to create handlers for missing objfiles.
** The 'signed' argument to gdb.Architecture.integer_type() will no
longer accept non-bool types.
** The gdb.MICommand.installed property can only be set to True or
False.
** The 'qualified' argument to gdb.Breakpoint constructor will no
longer accept non-bool types.
** Added the gdb.Symbol.is_artificial attribute.
* Debugger Adapter Protocol changes
** The "scopes" request will now return a scope holding global
variables from the stack frame's compilation unit.
** The "scopes" request will return a "returnValue" scope holding
the return value from the latest "stepOut" command, when
appropriate.
** The "launch" and "attach" requests were rewritten in accordance
with some clarifications to the spec. Now they can be sent at
any time after the "initialized" event, but will not take effect
(or send a response) until after the "configurationDone" request
has been sent.
** The "variables" request will not return artificial symbols.
* New commands
show jit-reader-directory
Show the name of the directory that "jit-reader-load" uses for
relative file names.
set style line-number foreground COLOR
set style line-number background COLOR
set style line-number intensity VALUE
Control the styling of line numbers printed by GDB.
set style command foreground COLOR
set style command background COLOR
set style command intensity VALUE
Control the styling of GDB commands when displayed by GDB.
set style title foreground COLOR
set style title background COLOR
set style title intensity VALUE
This style now applies to the header line of lists, for example the
first line of the output of "info breakpoints". Previous uses of
this style have been replaced with the new "command" style.
set warn-language-frame-mismatch [on|off]
show warn-language-frame-mismatch
Control the warning that is emitted when specifying a language that
does not match the current frame's language.
maintenance info inline-frames [ADDRESS]
New command which displays GDB's inline-frame information for the
current address, or for ADDRESS if specified. The output identifies
inlined frames which start at the specified address.
maintenance info blocks [ADDRESS]
New command which displays information about all of the blocks at
ADDRESS, or at the current address if ADDRESS is not given. Blocks
are listed starting at the inner global block out to the most inner
block.
info missing-objfile-handlers
List all the registered missing-objfile handlers.
enable missing-objfile-handler LOCUS HANDLER
disable missing-objfile-handler LOCUS HANDLER
Enable or disable a missing-objfile handler with a name matching the
regular expression HANDLER, in LOCUS.
LOCUS can be 'global' to operate on global missing-objfile handler,
'progspace' to operate on handlers within the current program space,
or can be a regular expression which is matched against the filename
of the primary executable in each program space.
* Changed commands
remove-symbol-file
This command now supports file-name completion.
remove-symbol-file -a ADDRESS
The ADDRESS expression can now be a full expression consisting of
multiple terms, e.g. 'function + 0x1000' (without quotes),
previously only a single term could be given.
target core
target exec
target tfile
target ctf
compile file
maint print c-tdesc
save gdb-index
These commands now require their filename argument to be quoted if
it contains white space or quote characters. If the argument
contains no such special characters then quoting is not required.
maintenance print remote-registers
Add an "Expedited" column to the output of the command. It indicates
which registers were included in the last stop reply packet received by
GDB.
show configuration
Now includes the version of GNU Readline library that GDB is using.
* New remote packets
vFile:stat
Return information about files on the remote system. Like
vFile:fstat but takes a filename rather than an open file
descriptor.
x addr,length
Given ADDR and LENGTH, fetch LENGTH units from the memory at address
ADDR and send the fetched data in binary format. This packet is
equivalent to 'm', except that the data in the response are in
binary format.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:04 +0000 (13:43 +0100)]
ddrescue: Update to version 1.29
- Update from version 1.28 to 1.29
- Update of rootfile not required
- Changelog
1.29
The new option '--continue-on-errno' has been added.
If ddrescue exits because of a fatal read error, it now prints the value of
the variable 'errno' so that it can be used as argument to
'--continue-on-errno'.
When using '--ask' and '--verbose', print rescue options before asking user.
Option '--log-reads' now records the value of errno if different from EIO.
(The four changes above suggested by Christian Franke).
The effect of option '-O, --reopen-on-error' has been extended to all phases.
It has been documented in the manual that '--reopen-on-error' may be needed
when using '--continue-on-errno'.
A compilation error on FiwixOS 3.3 about an ambiguous call to std::abs has
been fixed. (Reported by Jordi Sanfeliu).
The chapter 'Syntax of command-line arguments' has been added to the manual.
Two examples of combined use with lziprecover have been added to the manual.
(One of them uses the new Forward Error Correction (FEC) feature of
lziprecover).
It has been documented in the manual that option '-b' of ddrescuelog is
position dependent. (Reported by Winston B. E.).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 12:43:05 +0000 (13:43 +0100)]
fontconfig: Update to version 2.16.0
- Update from version 2.15.0 to 2.16.0
- Update of rootfile
- Changelog
2.16.0
Publish docs to GitLab pages
doc: default index for fontconfig-devel to index.html
Update URLs for docs
doc: Fix a typo of the summary for FcFontSetSort
Clean up .uuid files with fc-cache -f too
Fix undesired unref of FcConfig on Win32
meson.build: Fix a typo in POT names
meson.build: Add missing --msgid-bugs-address
Sort out bitmap related config files
Add test cases for 70-no-bitmap-and-emoji.conf and 70-no-bitmap-except-emoji.conf
meson: Add missing checkup
Add a missing dependency for CI on FreeBSD
meson: try to figure out libintl dependency
ci: Fix a typo in build script
ci: Add config.log for artifacts
ci: Add missing dependencies
ci: Disable cache update
meson: Fix build fail with NLS enabled on BSD
meson: Add libxml2 support
ci: Add libxml2 build for meson
meson: Workaround an exception
ci: Workaround an error with libxml2 on Android
meson: Add iconv checkup for all platforms
Fix incompatible pointer type on MinGW
meson: Use c_shared_args to take care of --default-library=both on Win32
ci: Fix a typo
ci: disable iconv for MSVC
ci: build with expat on MSVC
doc: Use sans-serif instead of sans
Do not add merge commits into NEWS file
doc: Fix a typo
meson: Enable run-test.sh for non-Win32
test/wrapper-script.sh: don't add a path when executable already has a path name.
meson: Add missing the unit testing with json-c
test-conf: Fix compiler warnings
Fix test case for reproducible builds
ci: Use md5 if md5sum isn't available.
ci: normalize path to avoid miscalculation of cache name
ci: Add Fedora 40 and remove Fedora 38
More information when no writable cache directories
Fix a memory leak in _get_real_paths_from_prefix
Set FcTypeVoid if no valid types to convert
Add FcConfigSetFontSetFilter
Improve hinting detection for fonthashint object
Accept integer for pixelsize
Fix a memory leak in fc-list/fc-query/fc-scan
Add got.orth for Gothic language
Add cop.orth for Coptic language
Add foreign automake option to avoid an error on autotools bootstrap
ci: rebase ci-templates
ci: Add Fedora 41 and drop 39
ci: run check-merge-request on merge request pipelines only
ci: Add FreeBSD 14.1 and drop 13.2
ci: build mingw on f40 only
meson: Add install_tag for install targets
meson: Add docs into dist
meson: Add autotools files into dist
doc: generate fontconfig-devel.html as one big file
ci: Fix a fail on pages deployment
ci: Fix pages deployment again
fc-case: Correct the license header of fccase.h
Use proper postscriptname for named instance if any
Replace hardcoded path in man pages to url link
Allow comma as a delimiter in postscriptname and ignore it on matching
Deal with glob string properly
Another fix of glob string for Win32
ci: Enable meson dist
Fix misleading-indentation warning
Bump the libtool version
Do not prefix cache_base with a "/". Doing so will lead to FcStrBuildFilename()
composing paths that contain double slashes, e.g. in FcDirCacheProcess(). If
FcDirCacheBasenameMD5() returns a cache_base that is prefixed with a "/", the
call to FcStrBuildFilename() in FcDirCacheProcess() will compose a path that
contains double slashes and this double-slashed path will then be passed to
FcDirCacheOpenFile(). This won't cause any harm on Linux because Linux just
ignores multiple slashes in paths but on other operating systems multiple
slashes in paths are not allowed so FcDirCacheOpenFile() will fail on those
platforms because of the double slash in the path.
Fix qsort nullpointer issue
Fix FcSerialize null pointer usage
meson: fix config relocation on Windows
Fix invalid escape character \s
Remove redundant leaf assignment in fcfreetype.c
Move Mac OS image to an up-to-date Mac OS 15 Sequoia image on ARM
Update Windows image to gstreamer image from stable
Allow building Rust targets in CI
[Fontations] Build bindgen targets, basic Rust test
Refactor exclusive language logic into separate file
meson: added default font dirs for android
Unlock on allocation failure in FcCacheInsert
Ensure config is locked during retry in FcConfigReference
Fix wording in README.md
build: detect-and-use `-lm` for `fabs` in fcmatch
fontconfig: mark _FcPatternIter as may_alias
Meson: Fix build with clang-cl by using cc.preprocess()
meson: Add missing dep on generated header
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:44 +0000 (23:08 +0100)]
traceroute: Update to version 2.1.6
- Update from version 2.1.5 to 2.1.6
- Update of rootfile not required
- Updated version number in name of patch
- Changelog
2.1.6
Let getaddrinfo(3) select the default IPv4 or IPv6 protocol version
when it is not explicitly specified on the command line
(Jan Macku, SF bug #16)
No more mandatory default to IPv4, follow rfc3484 and
the similar ping(1) behaviour. Drop DEF_AF macro.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:43 +0000 (23:08 +0100)]
tcpdump: Update to version 4.99.5
- Update from version 4.99.4 to 4.99.5
- Update of rootfile not required
- Changelog
4.99.5
Refine protocol decoding for:
Arista: Use the test .pcap file from pull request #955 (HwInfo).
BGP: Fix an undefined behavior when it tries to parse a too-short packet.
CARP: Print the protocol name before any GET_().
CDP: only hex-dump unknown TLVs in verbose mode.
DHCP: parse the SZTP redirect tag.
DHCPv6: client-id/server-id DUID type 2 correction; parse the user class,
boot file URL, and SZTP redirect options; add DUID-UUID printing
(RFC6355).
DNS: Detect and correctly handle too-short URI RRs.
EAP: Assign ndo_protocol in the eap_print() function.
ESP: Don't use EVP_add_cipher_alias() (fixes building on OpenBSD 7.5).
Frame Relay (Multilink): Fix the Timestamp Information Element printing.
ICMPv6: Fix printing the Home Agent Address Discovery Reply Message.
IEEE 802.11: no need for an element ID in the structures for IEs, make
the length in the IE structures a u_int, include the "TA" field while
printing Block Ack Control frame.
IP: Enable TSO (TCP Segmentation Offload) support; fix printing invalid
cases as invalid, not truncated; use ND_ICHECKMSG_ZU() to test the
header length.
IPv6: Fix printing invalid cases as invalid, not truncated; use
ND_ICHECKMSG_U() to print an invalid version.
IPv6: Fix invalid 32-bit versus 64-bit printouts of fragment headers.
ISAKMP: Fix printing Delete payload SPI when size is zero.
Kerberos: Print the protocol name, remove a redundant bounds check.
lwres: Fix an undefined behavior in pointer arithmetic.
OpenFlow 1.0: Fix indentation of PORT_MOD, improve handling of
some lengths, and fix handling of snapend.
TCP: Test ports < 1024 in port order to select the printer.
UDP: Move source port equal BCM_LI_PORT to bottom of long if else chain.
UDP: Test ports < 1024 in port order to select the printer.
LDP: Add missing fields of the Common Session Parameters TLV and fix the
offset for the A&D bits.
NFLOG: Use correct AF code points on all OSes.
NFS: Avoid printing non-ASCII characters.
OSPF: Pad TLVs in LS_OPAQUE_TYPE_RI to multiples of 4 bytes.
OSPF: Update LS-Ack printing not to run off the end of the packet.
OSPF6: Fix an undefined behavior.
pflog: use nd_ types in struct pfloghdr.
PPP: Check if there is some data to hexdump.
PPP: Remove an extra colon before LCP Callback Operation.
Use the buffer stack for de-escaping PPP; fixes CVE-2024-2397;
Note: This problem does not affect any tcpdump release.
PTP: Fix spelling of type SIGNALING, Parse major and minor version
correctly, Print majorSdoId field instead of just the first bit.
RIP: Make a couple trivial protocol updates.
RPKI-Router: Refine length and bounds checks.
RX: Use the "%Y-%m-%d" date format.
smbutil.c: Use the "%Y-%m-%d" date format.
SNMP: Fix two undefined behaviors.
Text protocols: Fix printing truncation if it is not the case.
ZEP: Use the "%Y-%m-%d" date format.
ZMTP: Replace custom code with bittok2str().
User interface:
Print the supported time stamp types (-J) to stdout instead of stderr.
Print the list of data link types (-L) to stdout instead of stderr.
Use symmetrical quotation characters in error messages.
Update --version option to print 32/64-bit build and time_t size.
Improve error messages for invalid interface indexes specified
with -i.
Support "3des" as an alias for "des_ede3_cbc" even if the crypto
library doesn't support adding aliases.
Source code:
tcpdump: Fix a memory leak.
child_cleanup: reap as many child processes as possible.
Ignore failures when setting the default "any" device DLL to LINUX_SLL2.
Fix for backends which doesn't support capsicum.
Update ND_BYTES_BETWEEN() macro for better accuracy.
Update ND_BYTES_AVAILABLE_AFTER() macro for better accuracy.
Introduce new ND_ICHECK*() macros to deduplicate more code.
Skip privilege dropping when using -Z root on --with-user builds.
Add a nd_printjn() function.
Make nd_trunc_longjmp() not static inline.
Include <time.h> from netdissect.h.
Remove init_crc10_table() and the entourage.
Initialize tzcode early.
Capsicum support: Fix a 'not defined' macro error.
Update the "Error converting time" tests for packet times.
Fix warnings when building for 32-bit and defining _TIME_BITS=64.
Free interface list just before exiting where it wasn't being
freed.
Building and testing:
Add a configure option to help debugging (--enable-instrument-functions).
At build time require a proof of suitable snprintf(3) implementation in
libc (and document Solaris 9 as unsupported because of that).
Makefile.in: Add two "touch .devel" commands in the releasecheck target.
Autoconf: Get --with-user and --with-chroot right.
Autoconf: Fix --static-pcap-only test on Solaris 10.
Autoconf: Add some warning flags for clang 13 or newer.
Autoconf: Update config.{guess,sub}, timestamps 2024-01-01.
Autoconf: Add autogen.sh, remove configure and config.h.in and put
these generated files in the release tarball.
Autoconf: Update the install-sh script to the 2020-11-14.01 version.
configure: Apply autoupdate 2.69.
CMake: improve the comment before project(tcpdump C).
Do not require vsnprintf().
tests: Use the -tttt option, by default, for the tests.
Autoconf, CMake: Get the size of a void * and a time_t.
Fix propagation of cc_werr_cflags() output.
Makefile.in: Fix the depend target.
mkdep: Exit with a non-zero status if a command fails.
Autoconf: use V_INCLS to update the list of include search paths.
Autoconf: don't put anything before -I and -L flags for local libpcap.
Autoconf, CMake: work around an Xcode 15+ issue.
Autoconf, CMake: use pkg-config and Homebrew when looking for
libcrypto.
Fix Sun C invocation from CMake.
mkdep: Use TMPDIR if it is set and not null.
Add initial support for building with TinyCC.
Makefile.in: Use the variable MAKE instead of the make command.
Makefile.in: Add instrumentation configuration in releasecheck target.
Make various improvements to the TESTrun script.
Untangle detection of pcap_findalldevs().
Autoconf: don't use egrep, use $EGREP.
Autoconf: check for gethostbyaddr(), not gethostbyname().
Autoconf, CMake: search for gethostbyaddr() in libnetwork.
Make illumos build warning-free.
Documentation:
Fixed errors in doc/README.Win32.md and renamed it to README.windows.md.
Make various improvements to the man page.
Add initial README file for Haiku.
Make various improvements to CONTRIBUTING.md.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:42 +0000 (23:08 +0100)]
rpcbind: Update to version 1.2.7
- Update from versio0n 1.2.6 to 1.2.7
- Update of rootfile
- Changelog
1.2.7
rpcinfo: try connecting using abstract address.
rpcinfo doesn't use library calls to set up the address for rpcbind. So
to get to it try the new abstract address, we need to explicitly
teach it how.
Listen on an AF_UNIX abstract address if supported.
As RPC is primarily a network service it is best, on Linux, to use
network namespaces to isolate it. However contacting rpcbind via an
AF_UNIX socket allows escape from the network namespace.
If clients could use an abstract address, that would ensure clients
contact an rpcbind in the same network namespace.
systemd can pass in a listening abstract socket by providing an '@'
prefix. However with libtirpc 1.3.3 or earlier attempting this will
fail as the library mistakenly determines that the socket is not bound.
This generates unsightly error messages.
So it is best not to request the abstract address when it is not likely
to work.
A patch to fix this also proposes adding a define for
_PATH_RPCBINDSOCK_ABSTRACT to the header files. We can check for this
and only include the new ListenStream when that define is present.
autotools/systemd: call rpcbind with -w only on enabled warm starts
If rpcbind is configured with --disable-warmstarts it responds on -w
with its usage string. This is not helpful in a systemd service, so pass
-w conditionally.
rpcbind: fix double free in init_transport
$ rpcbind -h 127.0.0.1
free(): double free detected in tcache 2
Aborted
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:41 +0000 (23:08 +0100)]
nfs: Update to version number 2.8.2
- Update from versionj number 2.7.1 to 2.8.2
- Update of rootfile
- Changelog
2.8.2
exports: Fix referrals when --enable-junction=no
Commit 15dc0bea ("exportd: Moved cache upcalls routines into
libexport.a") caused write_fsloc() to be elided when junction support is
disabled. Remove the not needed #ifdef HAVE_JUNCTION_SUPPORT which
blocks the referrals from working when --enable-junction=no is set.
(only the #ifdef HAVE_JUNCTION_SUPPORT should be around actual
junction code). Fixes: 15dc0bea ("exportd: Moved cache upcalls routines into libexport.a") Link: https://bugs.debian.org/1035908 Link: https://bugs.debian.org/1083098
nfsidmap(v2): Add guards around [nfsidmap] usages of [sysconf].
sysconf(_SC_GETPW_R_SIZE_MAX) and sysconf(_SC_GETGR_R_SIZE_MAX)
return -1 on musl, which causes either segmentation faults or ENOMEM
errors.
Replace all usages of sysconf with dedicated methods that guard against
a result of -1.
libnsm(v2): fix the safer atomic filenames fix
Commit 9f7a91b51ffc ("libnsm: safer atomic filenames") messed up the length
arguement to snprintf() in nsm_make_temp_pathname such that the length is
longer than the computed string. When compiled with "-O
-D_FORTIFY_SOURCE=3", __snprintf_chk will fail and abort statd.
The fix is to correct the original size calculation, then pull one from the
snprintf length for the final "/".
Revert "libnsm: fix the safer atomic filenames fix"
This reverts commit 8fcddae4437510137baf108f477d116ce345ce80.
libnsm: fix the safer atomic filenames fix
Commit 9f7a91b51ffc ("libnsm: safer atomic filenames") messed up the length
arguement to snprintf() in nsm_make_temp_pathname such that the length is
longer than the computed string. When compiled with "-O
-D_FORTIFY_SOURCE=3", __snprintf_chk will fail and abort statd.
The fix is to correct the original size calculation, then pull one from the
snprintf length for the final "/".
nfsd: dump default number of threads to 16
nfsdctl defaults to 16 threads. Since the nfs-server.service file first
tries nfsdctl and then falls back to rpc.nfsd, it would probably be wise
to make the default in rpc.nfsd and nfs.conf 16, for the sake of
consistency and to avoid surprises.
autoconf: don't build nfsdcltrack by default
Now that we've started the process to remove legacy v4 client tracking
methods, let's stop building nfsdcltrack by default.
nfs(5): Update rsize/wsize options
The rsize/wsize values are not multiples of 1024 but multiples of the
system's page size or powers of 2 if < system's page size as defined
in fs/nfs/internal.h:nfs_io_size().
nfsdctl: clarify when versions can be set on the man page
Attempting to make version changes while there are nfsd threads running
fails with -EBUSY, so make note of it on the man page.
nfsdctl: fix up the help text in version_usage()
The help text in version_usage() has examples with a 'v' character in
the version string, but the format string in the sscanf() call in
version_func() doesn't contain a 'v' character.
libnsm: safer atomic filenames
We've gotten a report of reboot notifications being sent to domains that
end in '.new', which can happen if the NSM temporary pathname code leaves a
file behind. Let's fix this up by prepending a single '.' to the temp path
which will never be resolvable as a DNS record.
https://lore.kernel.org/linux-nfs/04D30B5A-C53E-4920-ADCB-C77F5577669E@oracle.com/T/#t
nfs-utils: fixup statd testing simulator host arg
The getopt setup for the host arg was not expecing a value, update it as
expected
reexport.h: Include unistd.h to compile with musl
Makefile.am: allow mount.nfs to be writeable by owner
On Red Hat-based systems, the debug symbol files are built with a
.gdb_index section to speed up gdb initialization. The gdb-add-index
program calls objcopy to merge the index file into the object file.
That fails if the object file isn't writeable by the owner.
mount.nfs: retry NFSv3 mount after NFSv4 failure in auto negotiation
The problem happens when a v3 mount fails with ETIMEDOUT after
the v4 mount failed with EPROTONOSUPPORT, in mount auto negotiation.
It immediately breaks from the "for" loop in nfsmount_fg()
or nfsmount_child() due to EPROTONOSUPPORT, never doing the expected
retries until timeout.
2.8.1
nfs-utils: use getpwuid_r() and getpwnam_r() in gssd
gssd uses getpwuid(3) and getpwnam(3) in a pthreads context but
these functions are not thread safe.
nfsdcld: prevent from accessing /var/lib/nfs/nfsdcld in read-only file system during boot
I saw a VMWare guest that hit a rare condition during boot;
nfsdcld started too early to check access on /var/lib/nfs/nfsdcld which were
still in read-only file system as follows:
nfsdcld[...]: Unexpected error when checking access on /var/lib/nfs/nfsdcld: Read-only file system
systemd[1]: nfsdcld.service: Main process exited, code=exited, status=226/NAMESPACE
systemd[1]: nfsdcld.service: Failed with result 'exit-code'.
nfsdcld.service needs to wait the root file system to be remounted at least.
systemd: use nfsdctl to start and stop the nfs server
Attempt to use nfsdctl to start and stop the nfs-server. If that fails
for any reason, use rpc.nfsd to do it instead.
nfsdctl: asciidoc source for the manpage
Convert to manpage with:
asciidoctor -b manpage nfsdctl.adoc
nfsdctl: add the nfsdctl utility to nfs-utils
This tool is based on Lorenzo's original nfsdctl tool [1]. His original
tool used getopt_long to indicate the command, but that's somewhat
limiting. This converts it to a subcommand-based interface, where each
subcommand can take its own options, in the spirit of commands like
nmcli or virsh.
There are currently 6 different subcommands:
pool-mode get/set current pool mode setting
listener get/set listener info
version get/set supported NFS versions
threads get/set nfsd thread settings
status get current RPC processing info
autostart start server with settings from /etc/nfs.conf
Each can take different options, and we can expand this interface later
with more commands as necessary.
This is based on Lorenzo's original userland tool:
https://github.com/LorenzoBianconi/nfsdctl
rpc.idmapd: nfsopen() failures should not be fatal
dirscancb() loops over all clnt* subdirectories of /run/rpc_pipefs/nfs/.
Some of these directories contain /idmap files, others don't. nfsopen()
returns -1 for the latter; we then want to skip the directory, not abort
the entire scan.
mount.nfs: improve EPROTO error message for RDMA mounts
When mounting NFS shares using RDMA, users may encounter this rather
unclear error message:
mount.nfs: Protocol error
Often there are either no RDMA interfaces existing, or that routing is
being done via other interfaces. This patch enhances the `mount_error`
function to provide a more informative message in such cases.
support/junction/path.c: Fix buld for musl
Fixed:
path.c:164:24: error: implicit declaration of function 'strchrnul'; did you mean 'strchr'? [-Wimplicit-function-declaration]
[snip]
path.c:239:27: error: 'NAME_MAX' undeclared (first use in this function); did you mean 'AF_MAX'?
support/include/junction.h: Define macros for musl
Fixed 1:
In file included from cache.c:1217:
../../support/include/junction.h:128:21: error: expected ';' before 'char'
128 | __attribute_malloc__
| ^
| ;
129 | char **nfs_dup_string_array(char **array);
Fixed 2:
junction.c: In function 'junction_set_sticky_bit':
junction.c:164:39: error: 'ALLPERMS' undeclared (first use in this function)
164 | stb.st_mode &= (unsigned int)~ALLPERMS;
nfsdcld: don't send null client ids to the kernel
It's apparently possible for the sqlite database to get corrupted and
cause one or more rows to have null in the id column.
The knfsd fix was posted here:
https://lore.kernel.org/linux-nfs/20240903111446.659884-1-lilingfeng3@huawei.com/
nfsdcld should have a similar fix. If we encounter a client record with
a null id, just skip it instead of sending it to the kernel.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 22:08:40 +0000 (23:08 +0100)]
flac: Update to version 1.4.3
- Update from version 1.4.2 to 1.4.3
- Update of rootfile
- Changelog
1.4.3
As there have been additions to the libFLAC interfaces, the libFLAC version
number is incremented to 13. The libFLAC++ version number stays at 10.
* General
* All PowerPC-specific code has been removed, as it turned out those
improvements didn't actually improve anything
* Large improvements in encoder speed for all presets. The largest
change is for the fastest presets and for 24-bit and 32-bit inputs.
* Small improvement in decoder speed for BMI2-capable CPUs
* Various documentation fixes and cleanups (Mark Grassi, Jake Schmidt)
* Various fixes (Ozkan Sezer, Zhipeng Xue, orbea, Sam James, Harish
Mahendrakar)
* Fix building on Universal Windows Platform (Dmitry Kostjučenko)
* flac
* A lot of small fixes for bugs found by fuzzing
* Various improvements to the --keep-foreign-metadata and
--keep-foreign-metadata-if-present options on decoding
* The output format (WAV/AIFF/RF64 etc.) is now automatically
selected based on what kind of foreign metadata is stored
* Decoded file is checked afterwards, to see whether stored
foreign format data agrees with FLAC audio properties
* AIFF-C sowt data can now be restored
* Add --force-legacy-wave-format option, to decode to WAV with
WAVEFORMATPCM where WAVE_FORMAT_EXTENSIBLE would be more appropriate
* Add --force-aiff-c-none-format and --force-aiff-c-sowt-format to
decode to AIFF-C
* The storage of WAVEFORMATEXTENSIBLE_CHANNEL_MASK is no longer
restricted to known channel orderings
* Throw an error when WAV or AIFF files are over 4GiB in length and
the --ignore-chunk-sizes option is not set
* Warn on testing files when ID3v2 tags are found
* Warn when data trails the audio data of a WAV/AIFF/RF64/W64 file
* Fix output file not being deleted after error on Windows
* Removal of the --sector--align option
* metaflac
* A lot of small fixes for bugs found by fuzzing
* Added options --append and --data-format, which makes it possible to
copy metadata blocks from one FLAC file to another
* Added option --remove-all-tags-except
* Added option --show-all-tags (harridu, Martijn van Beurden)
* libFLAC
* No longer write seektables to Ogg, even when specifically asked for.
Seektables in Ogg are not defined
* Add functions FLAC__metadata_object_set_raw and
FLAC__metadata_object_get_raw to convert between blob and
FLAC__StreamMetadata
* Build system
* Autoconf (configure)
* The option --enable-64-bit-words is now on by default
* CMake
* The option ENABLE_64_BIT_WORDS is now on by default
* Testing/validation
* Fuzzers were added for the flac and metaflac command line tools
* Fuzzer coverage was improved
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 12:54:57 +0000 (13:54 +0100)]
strongswan: Update to version 6.0.0
- Update from version 5.9.14 to 6.0.0
- Update of rootfile
- The stroke plugin, which was deprecated in 2014 is no longer enabled by default.
So it is now enabled expolicitly in this patch.
The stroke plugin is recommended to be migrated to using the vici plugin but this
will require a re-write of the ipsec WUI page. Hopefully the removal of the stroke
plugin will also take many years as the time between deprecation and default
disabling.
- Also aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2, sha1 & sha2 are no
longer enabled by default. Most of these don 't need to be enabled as they are
supported by the openssl plugin whicxh we have had explicitly enabled for some time.
The openssl plugin is now enabled by default. After some checks to see which plugins
I needed to enable to match the current set of algorithms I ended up only needing\
to explicitly enable fips-prf, mgf1 & hmac.
- The ml plugin has also been enbabled so that we have the ML_KEM post quantum key
exchange algorithms enabled so they can be made available in the ipsec WUI.
- All existing algorithms are available together with the following new ones.
XOF_MGF1_SHA3_224
XOF_MGF1_SHA3_256
XOF_MGF1_SHA3_384
XOF_MGF1_SHA3_512
ML_KEM_512
ML_KEM_768
ML_KEM_10245
- I also installed the build using 6.0.0 into a vm testbed system and confirmed that my
existing ipsec connection using the default crypto values from the WUI worked without
any problems. So existing connections should all be fine.
- Changelog
6.0.0
New Feature Additions
Support for multiple IKEv2 key exchanges (RFC 9370) has been added
(3a850ae). IKE_INTERMEDIATE exchanges (RFC 9242) are used to transport
additional KE payloads between the IKE_SA_INIT and IKE_AUTH exchanges. To
rekey IKE and Child SAs with multiple key exchanges, IKE_FOLLOWUP_KE
exchanges are used, as defined in RFC 9370.
In proposals, additional key exchange methods are configured via
keX_ prefix, where X is a number between 1 and 7. For example,
ke1_mlkem768 adds ML-KEM-768 as additional KE method (works with any key
exchange method, whether post-quantum or classic). As with regular key
exchanges, peers have to agree on a method for each round unless no
algorithms are defined by both or keX_none is configured to make that
round explicitly optional.
Support for the Module-Lattice-Based Key-Encapsulation Mechanism
(ML-KEM, FIPS 203), a key exchange method that, at present, is believed
to be secure even against adversaries who possess a quantum computer, has
been added via Botan 3.6.0+ (botan plugin), wolfSSL 5.7.4+
(wolfssl plugin), AWS-LC 1.37.0+ (openssl plugin), and the new ml plugin.
The keywords for ML-KEM-512 (128 bits security strength), ML-KEM-768
(192 bits), ML-KEM-1024 (256 bits) are mlkem512, mlkem768 and mlkem1024,
respectively.
AF_VSOCK sockets can be used on Linux to communicate with a daemon that
runs in a VM (e.g. via the vici plugin).
The file logger can optionally log messages as JSON objects (a2fba6d, bea1f11, see the docs for details), and can add timestamps in
microseconds via the new time_precision setting (#2475).
Enhancements and Optimizations
Handling of CHILD_SA rekey collisions has been improved (d2b2e1b). This
makes CHILD_SAs properly trackable via child_rekey() hook and some corner
cases are also handled correctly e.g. if a responder's DELETE for the new
CHILD_SA arrives before its CREATE_CHILD_SA response that creates that SA
in the first place. Also handled properly are responders of rekeyings
that incorrectly send a DELETE for the old CHILD_SA (previously, this
caused both, the new and the old SA, to get deleted).
The behavior when reloading or unloading connections that include start in
their start_action has been improved (#2324, #2418).
If no identity is configured but a certificate is available, the subject
DN is used instead of the IP address (#2353).
The cert-enroll script now supports three generations of CA certificates
(f59ca96).
IKE ports are now considered when matching connections (9228a51, 6928709).
The base address of in-memory IP address pools is now reported as
configured (#2264).
IKE fragment sizes can be configured for each address family explicitly
(84bd011).
The openssl plugin can use the EVP_DigestSqueeze() API for XOFs, which was
introduced with OpenSSL 3.3 (3d0f695).
The kernel-netlink plugin explicitly configures the direction of IPsec SAs
when running on 6.10+ kernels (abdc787).
The Android app was updated for compatibility with Android 14 (740cbb2), a
bug was fixed that affects importing already existing VPN profiles
(9b9cf20).
Fixes
The NetworkManager plugin (charon-nm) now uses a different routing table
than the regular IKE daemon to avoid conflicts if both are running (#2230).
TUN devices can properly handle IPv6 addresses (fccc764) and routes via
them are now correctly installed on FreeBSD (bf165af).
Reassigning a matching online lease is now preferred over an offline lease
by the in-memory IP address pool to avoid conflicts with make-before-break
reauthentication and multiple IKE_SAs per identity (#2472).
To avoid conflicts with other processes when using ephemeral UDP ports,
the socket-default plugin now always opens IPv4 sockets before IPv6
sockets (#2494).
Challenge passwords in PKCS#10 containers are again encoded as
PrintableString if possible to be compatible with older SCEP
implementations (8e88d56).
The vici plugin now uses the same ESP proposals (AEAD before regular) when
configuring default instead of not configuring esp_proposals at all
(8e020bc).
Fixed handling of adopted reqids during IKEv1 rekeying (d02aea9, bug was
introduced in 5.9.12).
A typo in the cert-enroll script prevented successful signalling of a
change of the sub CA certificate (957aae8).
Plugin and Configuration Changes
The legacy stroke plugin is no longer enabled by default and must be
enabled explicitly.
The openssl plugin is now enabled by default, while the following crypto
plugins are no longer enabled by default: aes, curve25519, des, fips-prf,
gmp, hmac, md5, pkcs12, rc2, sha1, sha2.
The following deprecated plugins have been removed: bliss (signature
scheme), newhope (key exchange method), ntru (key exchange method).
charon.make_before_break is now enabled by default, which initiates IKEv2
reauthentication with a make-before-break instead of a break-before-make
scheme. Make-before-break creates overlapping IKE and Child SA during
reauthentication by first recreating all SAs before deleting the old ones.
This behavior can be beneficial to avoid connectivity gaps during
reauthentication (unlike rekeying still not completely without
interruption), but requires support for overlapping SAs by the peer.
strongSwan can handle such overlapping SAs since version 5.3.0.
For Developers
Using the child_rekey() hook now allows tracking CHILD_SAs correctly in
case of rekey collisions. The event is generally only triggered once
after installing the outbound SA for the new/winning CHILD_SA. However,
in some cases the event is triggered twice, but it is now ensured that
listeners can properly transition to the winning SA.
Refer to the documentation of key_exchange_method_t interface to learn how
KEMs can be implemented in plugins.
The format of key exchange test vectors has been changed so they can be
used for KEMs and classic DH methods (4067678).
The NetworkManager frontend's build files have been updated to not rely on
gnome-common. It now also uses gettext directly instead of intltool
(5019e3e).
Performance of running tests in the testing environment has been improved.
Refer to the 6.0.0 milestone for a list of all closed issues and pull requests.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Jan 2025 17:08:38 +0000 (18:08 +0100)]
wpa-supplicant: Update to version 2.11
- Update from version 2.10 to 2.11
- Update of rootfile not required
- Changelog
2.11
* Wi-Fi Easy Connect
- add support for DPP release 3
- allow Configurator parameters to be provided during config exchange
* MACsec
- add support for GCM-AES-256 cipher suite
- remove incorrect EAP Session-Id length constraint
- add hardware offload support for additional drivers
* HE/IEEE 802.11ax/Wi-Fi 6
- support BSS color updates
- various fixes
* EHT/IEEE 802.11be/Wi-Fi 7
- add preliminary support
* support OpenSSL 3.0 API changes
* improve EAP-TLS support for TLSv1.3
* EAP-SIM/AKA: support IMSI privacy
* improve mitigation against DoS attacks when PMF is used
* improve 4-way handshake operations
- discard unencrypted EAPOL frames in additional cases
- use Secure=1 in message 2 during PTK rekeying
* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
to avoid interoperability issues
* support new SAE AKM suites with variable length keys
* support new AKM for 802.1X/EAP with SHA384
* improve cross-AKM roaming with driver-based SME/BSS selection
* PASN
- extend support for secure ranging
- allow PASN implementation to be used with external programs for
Wi-Fi Aware
* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
- this is based on additional details being added in the IEEE 802.11
standard
- the new implementation is not backwards compatible, but PMKSA
caching with FT-EAP was, and still is, disabled by default
* support a pregenerated MAC (mac_addr=3) as an alternative mechanism
for using per-network random MAC addresses
* EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
to improve security for still unfortunately common invalid
configurations that do not set ca_cert
* extend SCS support for QoS Characteristics
* extend MSCS support
* support unsynchronized service discovery (USD)
* add support for explicit SSID protection in 4-way handshake
(a mitigation for CVE-2023-52424; disabled by default for now, can be
enabled with ssid_protection=1)
- in addition, verify SSID after key setup when beacon protection is
used
* fix SAE H2E rejected groups validation to avoid downgrade attacks
* a large number of other fixes, cleanup, and extensions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Jan 2025 13:52:09 +0000 (14:52 +0100)]
jquery: Update to version 3.7.1
- Update from 3.6.3 to 3.7.1
- Update o0f rootfile not required
- Changelog is too large to include all here so links provided to changelogs
3.7.1
https://blog.jquery.com/2023/08/28/jquery-3-7-1-released-reliable-table-row-dimensions/
3.7.0
https://blog.jquery.com/2023/05/11/jquery-3-7-0-released-staying-in-order/
3.6.4
https://blog.jquery.com/2023/03/08/jquery-3-6-4-released-selector-forgiveness/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Jan 2025 11:26:12 +0000 (12:26 +0100)]
tzdata: Update to version 2025a
- Update from version 2024a to 2025a
- Update of rootfile not required
- Changelog
2025a
Briefly:
Paraguay adopts permanent -03 starting spring 2024.
Improve pre-1991 data for the Philippines.
Etc/Unknown is now reserved.
Changes to future timestamps
Paraguay will stop changing its clocks after the spring-forward
transition on 2024-10-06, so it is now permanently at -03.
(Thanks to Heitor David Pinto and Even Scharning.)
This affects timestamps starting 2025-03-22, as well as the
obsolescent tm_isdst flags starting 2024-10-15.
Changes to past timestamps
Correct timestamps for the Philippines before 1900, and from 1937
through 1990. (Thanks to P Chan for the heads-up and citations.)
This includes adjusting local mean time before 1899; fixing
transitions in September 1899, January 1937, and June 1954; adding
transitions in December 1941, November 1945, March and September
1977, and May and July 1990; and removing incorrect transitions in
March and September 1978.
Changes to data
Add zone1970.tab lines for the Concordia and Eyre Bird Observatory
research stations. (Thanks to Derick Rethans and Jule Dabars.)
Changes to code
strftime %s now generates the correct numeric string even when the
represented number does not fit into time_t. This is better than
generating the numeric equivalent of (time_t) -1, as strftime did
in TZDB releases 96a (when %s was introduced) through 2020a and in
releases 2022b through 2024b. It is also better than failing and
returning 0, as strftime did in releases 2020b through 2022a.
strftime now outputs an invalid conversion specifier as-is,
instead of eliding the leading '%', which confused debugging.
An invalid TZ now generates the time zone abbreviation "-00", not
"UTC", to help the user see that an error has occurred. (Thanks
to Arthur David Olson for suggesting a "wrong result".)
mktime and timeoff no longer incorrectly fail merely because a
struct tm component near INT_MIN or INT_MAX overflows when a
lower-order component carries into it.
TZNAME_MAXIMUM, the maximum number of bytes in a proleptic TZ
string's time zone abbreviation, now defaults to 254 not 255.
This helps reduce the size of internal state from 25480 to 21384
on common platforms. This change should not be a problem, as
nobody uses such long "abbreviations" and the longstanding tzcode
maximum was 16 until release 2023a. For those who prefer no
arbitrary limits, you can now specify TZNAME_MAXIMUM values up to
PTRDIFF_MAX, a limit forced by C anyway; formerly tzcode silently
misbehaved unless TZNAME_MAXIMUM was less than INT_MAX.
tzset and related functions no longer leak a file descriptor if
another thread forks or execs at about the same time and if the
platform has O_CLOFORK and O_CLOEXEC respectively. Also, the
functions no longer let a TZif file become a controlling terminal.
'zdump -' now reads TZif data from /dev/stdin.
(From a question by Arthur David Olson.)
Changes to documentation
The name Etc/Unknown is now reserved: it will not be used by TZDB.
This is for compatibility with CLDR, which uses the string
"Etc/Unknown" for an unknown or invalid timezone. (Thanks to
Justin Grant, Mark Davis, and Guy Harris.)
Cite Internet RFC 9636, which obsoletes RFC 8536 for TZif format.
2024b
Briefly:
Improve historical data for Mexico, Mongolia, and Portugal.
System V names are now obsolescent.
The main data form now uses %z.
The code now conforms to RFC 8536 for early timestamps.
Support POSIX.1-2024, which removes asctime_r and ctime_r.
Assume POSIX.2-1992 or later for shell scripts.
SUPPORT_C89 now defaults to 1.
Changes to past timestamps
Asia/Choibalsan is now an alias for Asia/Ulaanbaatar rather than
being a separate Zone with differing behavior before April 2008.
This seems better given our wildly conflicting information about
Mongolia's time zone history. (Thanks to Heitor David Pinto.)
Historical transitions for Mexico have been updated based on
official Mexican decrees. The affected timestamps occur during
the years 1921-1927, 1931, 1945, 1949-1970, and 1981-1997.
The affected zones are America/Bahia_Banderas, America/Cancun,
America/Chihuahua, America/Ciudad_Juarez, America/Hermosillo,
America/Mazatlan, America/Merida, America/Mexico_City,
America/Monterrey, America/Ojinaga, and America/Tijuana.
(Thanks to Heitor David Pinto.)
Historical transitions for Portugal, represented by Europe/Lisbon,
Atlantic/Azores, and Atlantic/Madeira, have been updated based on a
close reading of old Portuguese legislation, replacing previous data
mainly originating from Whitman and Shanks & Pottenger. These
changes affect a few transitions in 1917-1921, 1924, and 1940
throughout these regions by a few hours or days, and various
timestamps between 1977 and 1993 depending on the region. In
particular, the Azores and Madeira did not observe DST from 1977 to
1981. Additionally, the adoption of standard zonal time in former
Portuguese colonies have been adjusted: Africa/Maputo in 1909, and
Asia/Dili by 22 minutes at the start of 1912.
(Thanks to Tim Parenti.)
Changes to past tm_isdst flags
The period from 1966-04-03 through 1966-10-02 in Portugal is now
modeled as DST, to more closely reflect how contemporaneous changes
in law entered into force.
Changes to data
Names present only for compatibility with UNIX System V
(last released in the 1990s) have been moved to 'backward'.
These names, which for post-1970 timestamps mostly just duplicate
data of geographical names, were confusing downstream uses.
Names moved to 'backward' are now links to geographical names.
This affects behavior for TZ='EET' for some pre-1981 timestamps,
for TZ='CET' for some pre-1947 timestamps, and for TZ='WET' for
some pre-1996 timestamps. Also, TZ='MET' now behaves like
TZ='CET' and so uses the abbreviation "CET" rather than "MET".
Those needing the previous TZDB behavior, which does not match any
real-world clocks, can find the old entries in 'backzone'.
(Problem reported by Justin Grant.)
The main source files' time zone abbreviations now use %z,
supported by zic since release 2015f and used in vanguard form
since release 2022b. For example, America/Sao_Paulo now contains
the zone continuation line "-3:00 Brazil %z", which is less error
prone than the old "-3:00 Brazil -03/-02". This does not change
the represented data: the generated TZif files are unchanged.
Rearguard form still avoids %z, to support obsolescent parsers.
Asia/Almaty has been removed from zonenow.tab as it now agrees
with Asia/Tashkent for future timestamps, due to Kazakhstan's
2024-02-29 time zone change. Similarly, America/Scoresbysund
has been removed, as it now agrees with America/Nuuk due to
its 2024-03-31 time zone change.
Changes to code
localtime.c now always uses a TZif file's time type 0 to handle
timestamps before the file's first transition. Formerly,
localtime.c sometimes inferred a different time type, in order to
handle problematic data generated by zic 2018e or earlier. As it
is now safe to assume more recent versions of zic, there is no
longer a pressing need to fail to conform RFC 8536 section 3.2,
which requires using time type 0 in this situation. This change
does not affect behavior when reading TZif files generated by zic
2018f and later.
POSIX.1-2024 removes asctime_r and ctime_r and does not let
libraries define them, so remove them except when needed to
conform to earlier POSIX. These functions are dangerous as they
can overrun user buffers. If you still need them, add
-DSUPPORT_POSIX2008 to CFLAGS.
The SUPPORT_C89 option now defaults to 1 instead of 0, fixing a
POSIX-conformance bug introduced in 2023a.
tzselect now supports POSIX.1-2024 proleptic TZ strings. Also, it
assumes POSIX.2-1992 or later, as practical porting targets now
all support that, and it uses some features from POSIX.1-2024 if
available.
Changes to build procedure
'make check' no longer requires curl and Internet access.
The build procedure now assumes POSIX.2-1992 or later, to simplify
maintenance. To build on Solaris 10, the only extant system still
defaulting to pre-POSIX, prepend /usr/xpg4/bin to PATH.
Changes to documentation
The documentation now reflects POSIX.1-2024.
Changes to commentary
Commentary about historical transitions in Portugal and her former
colonies has been expanded with links to relevant legislation.
(Thanks to Tim Parenti.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Jan 2025 11:26:11 +0000 (12:26 +0100)]
tmux: Update to version 3.5a
- Update from version 3.4 to 3.5a
- Update of rootfile not required
- Changelog
3.5a
* Do not translate BSpace as Unicode with extended keys.
* Fix so that keys with Shift are represented correctly with extended keys.
* Revert to using /bin/sh for #() and run-shell and if-shell; the change to use
default-shell only applies now to popups.
* Fix grey colour without a number suffix in styles.
3.5
* Revamp extended keys support to more closely match xterm and support mode 2
as well as mode 1. This is a substantial change to key handling which changes
tmux to always request mode 2 from parent terminal, changes to an unambiguous
internal representation of keys, and adds an option (extended-keys-format) to
control the format similar to the xterm(1) formatOtherKeys resource.
* Clear an overlay (popup or menu) when command prompt is entered.
* Add copy-mode -d flag to scroll a page down if in copy mode already (matching
-e).
* Display hyperlinks in copy mode and add copy_cursor_hyperlink format to get
the hyperlink under the cursor.
* Add a prefix timeout option.
* Mouse move keys are not useful as key bindings because we do not turn them on
unless the application requests them. Ignore them so they do not cause the
prefix to be canceled
* Add search_count and search_count_partial formats in copy mode.
* Do not reset mouse pane if clicked on status line,
* Add mirrored versions of the main-horizontal and main-vertical layouts where
the main pane is bottom or right instead of top or left.
* Allow REP to work with Unicode characters.
* Fix size calculation of terminators for clipboard escape sequences.
* Treat CRLF as LF in config files where it is easy to do so.
* The Linux console has some bugs with bright colours, so add some workarounds
for it.
* If built with systemd, remove some environment variables it uses.
* Adjust the logic when deleting last buffer to better preserve the selection:
if selecting the element below the deleted one fails (because as the last
one), select the one above it instead.
* Add --enable-jemalloc to build with jemalloc memory allocator (since glibc
malloc is so poor).
* Add a way (refresh-client -r) for control mode clients to provide OSC 10 and
11 responses to tmux so they can set the default foreground and background
colours.
* Add N to search backwards in tree modes.
* Use default-shell for command prompt, #() and popups.
* Revert part of a change intended to improve search performance by skipping
parts of lines already searched, but which in fact skipped the ends of lines
altogether.
* Add a command-error hook when a command fails.
* Add an option allow-set-title to forbid applications from changing the pane
title.
* Correct handling of mouse up events (don't ignore all but the last released
button), and always process down event for double click.
* Fix a crash if focusing a pane that is exiting.
* Pick newest session (as documented) when looking for next session for
detach-on-destroy.
* Reduce default escape-time to 10 milliseconds.
* Add display-menu -M to always turn mouse on in a menu.
* Look for feature code 21 for DECSLRM and 28 for DECFRA in the device
attributes and also accept level 1.
* Fix crash if built with SIXEL and the SIXEL colour register is invalid; also
remove SIXEL images before reflow.
* Do not notify window-layout-changed if the window is about to be destroyed.
* Do not consider a selection present if it is empty for the selection_active
and selection_present format variables.
* Fix split-window -p.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3470200 to 3480000
- Update of rootfile not required
- Changelog 3480000
Refactor the "configure" script used to help build SQLite from canonical
sources, to fix bugs, improve performance, and make the code more maintainable.
This does not affect the "configure" script in the
sqlite3-autoconf-NNNNNNN.tar.gz "amalgamation tarball", only the canonical
sources. The build system for the amalgamation tarball is unchanged. If
you are using the amalgamation tarball, nothing about this change log
entry applies to you.
The key innovation here is that Autosetup is now used instead of GNU
Autoconf. That seems like a big change, but it is really just an
implementation detail. The ./configure script is coded very differently,
but should work the same as before.
One advantage of the new configure is that you no longer need to install
TCL in order to build most SQLite targets. TCL is still required to run
tests or to build accessory programs (like sqlite3_analyzer) that use TCL,
but it is not required for most common targets. Hence, as of this release,
the only build dependencies are a C compiler and "make" or "nmake".
Improved EXPLAIN QUERY PLAN output for covering indexes.
Allow a two-argument version of the iif() SQL function. Also allow if() as an
alternative spelling for iif().
Add the ".dbtotxt" command to the CLI.
Add the SQLITE_IOCAP_SUBPAGE_READ property to the xDeviceCharacteristics method
of the sqlite3_io_methods object.
Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3() that prevents
warning messages being sent to the error log if the SQL is ill-formed. This
allows sqlite3_prepare_v3() to be used to do test compiles of SQL to check for
validity without polluting the error log with false messages.
Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from 1 to 30.
Added the SQLITE_FCNTL_NULL_IO file control.
Extend the FTS5 auxiliary API xInstToken() to work with prefix queries via the
insttoken configuration option and the fts5_insttoken() SQL function.
Increase the maximum number of arguments to an SQL function from 127 to 1000.
Remove vestigial traces of SQLITE_USER_AUTHENTICATION.
Various obscure bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 17 Jan 2025 11:26:09 +0000 (12:26 +0100)]
haproxy: Update to version 3.1.2
- Update from version 3.0.3 to 3.1.2
- Update of rootfile not required
- Changelog is very large as there are many entries for the update from 3.0.x to 3.1.x
For details read the CHANGELOG file in the source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 19 Feb 2025 13:30:43 +0000 (14:30 +0100)]
openssh: Update to version 9.9p2
- Update from version 9.9p1 to 9.9p2
- Update of rootfile not required
- Changelog
9.9p2
Security
* Fix CVE-2025-26465 - ssh(1) in OpenSSH versions 6.8p1 to 9.9p1
(inclusive) contained a logic error that allowed an on-path
attacker (a.k.a MITM) to impersonate any server when the
VerifyHostKeyDNS option is enabled. This option is off by default.
* Fix CVE-2025-26466 - sshd(8) in OpenSSH versions 9.5p1 to 9.9p1
(inclusive) is vulnerable to a memory/CPU denial-of-service related
to the handling of SSH2_MSG_PING packets. This condition may be
mitigated using the existing PerSourcePenalties feature.
Both vulnerabilities were discovered and demonstrated to be exploitable
by the Qualys Security Advisory team. We thank them for their detailed
review of OpenSSH.
Bugfixes
* ssh(1), sshd(8): fix regression in Match directive that caused
failures when predicates and their arguments were separated by '='
characters instead of whitespace (bz3739).
* sshd(8): fix the "Match invalid-user" predicate, which was matching
incorrectly in the initial pass of config evaluation.
* ssh(1), sshd(8), ssh-keyscan(1): fix mlkem768x25519-sha256 key
exchange on big-endian systems.
* Fix a number of build problems on particular operating systems /
configurations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this is needed for booting kvm machines in uEFI mode.
Currently we unpack the firmware from the debain binary package.
Maybee later we wuill compile self, but currently the needed compilers
are missing in the IPFire build environment.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The processes graph was removed some month ago but it was not correct cleaned.
I asume because the updater has cleaned the ramdisk but not the persistant copy.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 21:41:08 +0000 (22:41 +0100)]
protobuf: Update to version 29.3
- Update from version 28.3 to 29.3
- Update of rootfile
- Changelog
29.3
Announcements
Protobuf News may include additional announcements or pre-announcements
for upcoming changes.
C++
Fix cmake installation location of java and go features (#19773) (1dc5842)
Other
Add .bazeliskrc for protobuf repo to tell bazelisk to use 7.1.2 by
default. (#19884) (9a5d2c3)
Update artifact actions to v4 (#19703) (8e7e6b0)
29.2
Announcements
Protobuf News may include additional announcements or pre-announcements
for upcoming changes.
C++
Automated rollback of commit 23aada2. (#19692) (1772657)
Remove unused / invalid C++ lazy repeated field code from OSS. (#19682)
(3649f87)
Java
Automated rollback of commit 23aada2. (#19692) (1772657)
Other
Export environment variables so bazelisk picks them up (#19690) (8b9d76c)
Pin staleness check to Bazel 7 (#19689) (a1c9b6a)
Remove CMake downgrade workaround from Windows CI tests (#19630) (3a7bb4a)
29.1
Announcements
Protobuf News may include additional announcements or pre-announcements
for upcoming changes.
Java
Rename maven to protobuf_maven in MODULE.bazel (#18641) (#19477) (ba6da44)
Kotlin
Rename maven to protobuf_maven in MODULE.bazel (#18641) (#19477) (ba6da44)
Python
Revert "Remove deprecated service.py usages from test". For 29.x only
(#19434) (5864b50)
29.0
Announcements
Protobuf News may include additional announcements or pre-announcements
for upcoming changes.
Bazel
Add missing line to docstring after Args (#19213) (6f310d5)
Fix proto_info_bzl (#18918) (083de5f)
Use rules_cc everywhere in protobuf (ddadd0b)
Upgrade rules_cc to 0.0.13 (3dd4835)
Convert proto toolchain string to Label (aa181e2)
Prepare supporting targets for testing (a748b10)
Support --incompatible_enable_proto_toolchain_resolution (372ddb3)
Move ProtoInfo and ProtoLangToolchainInfo from Bazel (426ca8a)
Move java_{lite_}proto_library from Bazel repository (d77bdac)
Move proto_toolchain from rules_proto to protobuf (9f9cb7a)
Move proto_library from Bazel repository (3ff2cf0)
Move proto_common implementation from Bazel binary (b19fbe6)
Compiler
Begin adding extension numbers to SourceCodeInfo and FileDescriptorSet for
tooling purposes. (07e489d)
Update protoc release to include editions language features proto for Go
(#19013) (63d966b)
Introduce lifetimes for individual feature values. (0b6e768)
Windows - Fix handling of utf8 command line arguments (#17854) (b9d1800)
Limit feature deprecation warnings to reduce noise. (5cd9a46)
C++
Fix C++ ifndef_guard printer to also convert "-" to "_". (7331b77)
Fix C++ codegen namespace printer to print closing namespaces in reverse
order. (3bf9c40)
Fix raw_ptr.cc on exotic architectures (#18193) (63f6262)
Fix cord handling in DynamicMessage and oneofs. (9e8b30c)
Fix packed reflection handling bug in edition 2023. (4c92328)
Add JsonStreamToMessage method (0259cc3)
Introduce lifetimes for individual feature values. (0b6e768)
Insert software prefetches into merge functions. This improves performance
when hardware prefetchers are disabled on AMD machines. (d993365)
Insert software prefetches into proto parsing functions. This improves
performance when hardware prefetchers are disabled on AMD platforms.
(8aa0add)
Add prefetching of subsequent extensions in ExtensionSet::ForEach. (9b019ee)
Remove the AnyMetadata class and use free functions instead. (920d5c3)
Add [[deprecated]] attribute when generating enums and classes. (23aada2)
Use linear search instead of binary search in flat mode of ExtensionSet.
(0ed61f0)
Prepare MessageLite::GetTypeName to be upgraded to return (30a8ef5)
Limit feature deprecation warnings to reduce noise. (5cd9a46)
Add Compiler Condition to use inline assembly optimizations with ARM64 for
Compatibility with MSVC (#17671) (c5f6231)
Enable small object optimization (SOO) for RepeatedField in order to
reduce data indirections. (e2525e6)
Return backing array memory to arena in ExtensionSet. (5ac8ee1)
In edition 2024, Enum_Name(value) functions return absl::string_view by
default. (e3fa6aa)
Add Prefetchers to Proto Copy Construct to help address load misses (cdb7238)
Reduced nesting in GenerateByteSize: slight readability improvements in
generated code. (162a740)
Introduce FieldDescriptor::cpp_string_type() API to replace direct ctype
inspection which will be removed in the next breaking change (d0e49df)
Update the comment of TextFormat::Printer::RegisterMessagePrinter that the
method takes ownerhip of the printer pointer. (d911161)
Prepare the code for migrating return types from const std::string& to
(e13b8e9)
Java
Remove deprecation warnings for Timestamp and Duration add/subtract/between
that we do not yet have alternatives to. (f606c13)
[29.x] Add missing java load (#19016) (bb287be)
Give Kotlin jars an OSGi Manifest (#18812) (0c51eba)
Re-export includingDefaultValueFields in deprecated state for important
Cloud customer. (7321b2f)
Restore compatibility with 3.22 gencode by re-adding mutableCopy helpers
(1b1e90b)
Speed up CodedOutputStream by extracting rarely-executed string formatting
code (f8f5136)
Return constant Value objects for true, false, and "" (4fbb0c5)
Optimise CodedOutputStream.ArrayEncoder.writeFixed32NoTag/writeFixed64NoTag
(a51f98c)
CodedOutputStream: avoid updating position to go beyond end of array.
(76ab5f2)
Convert IndexOutOfBoundsException to OutOfSpaceException in
UnsafeDirectNioEncoder (0e75d92)
Suppress ReturnValueIgnored errorprone issues (bbbc7b9)
Fix packed reflection handling bug in edition 2023. (4c92328)
Move cc_proto_library from Bazel repository (5254448)
Protobuf Lite ArrayLists: Defer allocating backing array until we have
some idea how much to allocate. (05a8a40)
Allocate correct-sized array when parsing packed fixed-width primitives
(4e8469c)
Bugfix: Make extensions beyond n=16 immutable. (ee419f2)
Reserve capacity in ProtobufArrayList when calling
Builder.addAllRepeatedMessage(Collection) (e3cc31a)
Avoid allocating iterators when calling
Message.Builder.addAllFoo(RandomAccess List) (bd1887e)
Remove the AnyMetadata class and use free functions instead.
(https://github.com/protocolbuffers/protobuf/com...
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 21:41:07 +0000 (22:41 +0100)]
postfix: Update to version 3.9.1
- Update from version 3.9.0 to 3.9.1
- Update of rootfile not required
- Changelog
3.9.1
The mail_version configuration parameter did not have a three-number value
(3.9 instead of 3.9.0; it still had the two-number version from the
development releases postfix-3.9-yyyymmdd). This broke pathnames derived
from the mail_version value, such as shlib_directory. Problem reported by
Michael Orlitzky.
Bugfix (defect introduced: Postfix 2.9, date 20111218): with
"smtpd_sasl_auth_enable = no", the permit_sasl_authenticated feature
ignored information that was received with the XCLIENT LOGIN command, so
that the client was treated as unauthenticated. This was fixed by removing
an unnecessary test. Problem reported by Antonin Verrier.
Bugfix (defect introduced: postfix 3.0): the default master.cf syslog_name
setting for the relay service did not preserve multi-instance information,
which complicated logfile analysis. Found during a support discussion.
Bugfix (defect introduced: Postfix 2.3, date 20051222): file descriptor
leak after failure to connect to a Dovecot auth server. The impact is
limited because Dovecot auth failures are rare, there are limits on the
number of retries (one), on the number of errors per SMTP session
(smtpd_hard_error_limit), on the number of sessions per SMTP server
process (max_use), and on the number of file handles per process (managed
with sysctl). Found during code maintenance.
Bugfix (defect introduced: Postfix 3.4, date 20190121): the postsuper
command failed with "open logfile '/path/to/file': Permission denied" when
the maillog_file parameter specified a filename and Postfix was not
running. This was fixed by opening the maillog_file before dropping root
privileges. Found during code maintenance.
Bugfix (defect introduced Postfix 3.0). No autodetection of UTF8 text when
missing message headers were automatically added by Postfix (for example,
a From: header with UTF8 full name information from the password file).
This caused Postfix to send UTF8 in message headers without using the
SMTPUTF8 protocol. Problem reported by Michael Tokarev.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 21:41:06 +0000 (22:41 +0100)]
frr: Update to version 10.2.1
- Update from version 10.1 to 10.2.1
- Update of rootfile not required
- Changelog
10.2.1
Fixed CVE-2024-55553
More details: https://frrouting.org/security/cve-2024-55553
Bug Fixes
bfdd
retain remote dplane client socket
bgpd
Fix to pop items off zebra_announce FIFO for few EVPN triggers
Check if as_type is not specified when peer is a peer-group member
Do not reset peers on suppress-fib toggling
Fix bgp core with a possible Intf delete
Fix enforce-first-as per peer-group removal
Fix evpn bestpath calculation when path is not established
Fix graceful-restart for peer-groups
Fix memory leak when creating BMP connection with a source interface
Fix memory leak when reconfiguring a route distinguisher
Fix unconfigure asdot neighbor
Fix use single whitespace when displaying flowspec entries
Fix version attribute is an int, not a string
Import allowed routes with self AS if desired
Initialize as_type for peer-group as AS_UNSPECIFIED
Use gracefulRestart JSON field
Validate both nexthop information (NEXTHOP and NLRI)
Validate only affected RPKI prefixes instead of a full RIB
When calling bgp_process, prevent infinite loop
lib
Allow setsockopt functions to return size set
Fix session re-establishment
Take ge/le into consideration when checking the prefix with the prefix-list
Use backoff setsockopt option for freebsd
ospfd
OSPF multi-instance default origination fixes
pimd
Fix access-list memory leak in pimd
Free igmp proxy joins on interface deletion
igmp proxy joins should not be written as part of config
Prevent crash of pim when auto-rp's socket is not initialized
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 21:41:04 +0000 (22:41 +0100)]
fetchmail: Update to version 6.5.2
- Update from version 6.4.39 to 6.5.2
- Update of rootfile not required
- Changelog
6.5.2
ADVANCE WARNING OF FEATURES TO BE REMOVED OR CHANGED IN FUTURE VERSIONS
(There are no plans to remove features from a 6.5.X release, but they may be
removed from a 6.6.0 or newer release.)
* Support for operating systems that are not sufficiently POSIX compliant may be
removed or operation on such systems may be suboptimal for future releases.
* Future fetchmail releases may require compilers and operating systems
that adhere to standards issued 2011 or later. (See README for requirements.)
* Future fetchmail releases may tighten up security and lean towards
it a bit more by, for instance, implementing recommendations from
RFC-7817 or RFC-8314. This may, for instance, require that TLS v1.1
or newer be used.
* The MX and host alias DNS lookups that fetchmail performs in multidrop mode
are based on assumptions that are rarely met in practice, somewhat defective,
deprecated and may be removed from a future fetchmail version.
They have never supported IPv6 (including IPv6-mapped IPv4).
Non-DNS based alias keywords such as "aka" will remain in fetchmail.
* The monitor and interface options may be removed from a future fetchmail
version as they are not reasonably portable across operating systems.
* POP2 is obsolete, support will be removed from a future fetchmail version.
* IMAP2 and IMAP4 (not IMAP4r1) are obsolete, support may be removed from a
future fetchmail version.
* RPOP is obsolete, support will be removed from a future fetchmail release.
* The multidrop To/Cc guessing code along with the fragile duplicate suppressor
is deprecated and may be removed from a future release.
* The "envelope Received" option may be removed from a future release, because
the Received header was never meant to be machine-readable, the format varies
widely, and various other differences in behavior make parsing Received an
unreliable undertaking. The envelope option as such will remain though, in
order to support Delivered-To, X-Envelope-To, X-Original-To and similar.
See also <http://home.pages.de/~mandree/mail/multidrop>.
* The "protocol auto" default inside fetchmail may be removed from a future
fetchmail release. Explicit configuration of the protocol is recommended.
* Kerberos IV support may be removed from a future fetchmail release.
* Kerberos 5 support may be removed from a future fetchmail release.
(Although GSS-API support should remain as long as it's viable.)
* The --principal option may be removed from a future fetchmail release.
* SIGHUP wakeup support may be removed from a future fetchmail release and
cause fetchmail to terminate - it was broken for many years.
* The maintainer may migrate fetchmail to C++, and impose further requirements
(dependencies), such as Boost or other class libraries.
* The softbounce option default will change to "false" in the next release.
* The --bsmtp - mode of operation may be removed in a future release.
* Fetchmailconf is deprecated and will be removed from a future release.
* Fetchmail does not guarantee compatibility with EOL OpenSSL versions. Support
for end-of-life OpenSSL versions may be removed even from patchlevel releases.
* Nonstandard or by today's standards insufficiently secure authentication
schemes (such as OPIE, RPA) may be removed from future fetchmail versions.
* Nonstandard protocol extensions (such as SDPS/*ENV) may be removed from future
fetchmail versions.
* --auth ssh may be removed from future fetchmail versions. Use --auth implicit.
* Future fetchmail releases (even minor ones) may change undocumented parts of
the .netrc parser in incompatible ways to enhance compatibility with typical
ftp(1) .netrc parsers.
KNOWN BUGS AND WORKAROUNDS
* Fetchmail does not handle messages without Message-ID header well
(See sourceforge.net bug #780933)
* Fetchmail currently uses 31-bit signed integers in several places
where unsigned and/or wider types should have been used. Please report
issues with this.
* BSMTP is mostly untested and errors can cause corrupt output.
* Fetchmail does not track pending deletes across crashes.
* The command line interface is sometimes a bit stubborn, for instance,
fetchmail -s doesn't work with a daemon running.
* Linux systems may return duplicates of an IP address in some circumstances if
no or no global IPv6 addresses are configured.
(No workaround. Ubuntu Bug#582585, Novell Bug#606980.)
* Kerberos 5 may be broken, particularly on Heimdal, and provide bogus error
messages. This will not be fixed, because the maintainer has no Kerberos 5
server to test against. Use GSSAPI.
* For IMAP connections, fetchmail will print "will idle after poll" in
verbose mode even though --idle is not given, as an artifact of the 6.4.22
security fixes. Fetchmail means "could idle after poll", but this would
have required another loop through the translators.
* aka ... hostnames are not considered for upstream server X.509 certificate
verification, aka was meant for alias detection with multidrop mailboxes.
* When compiled against wolfSSL, note that it is not a feature-complete
emulation of OpenSSL. Main functionality is given, but some minor details
may not work the same as in OpenSSL builds.
* When compiled against LibreSSL (due to licensing, this only works on OpenBSD
where LibreSSL is part of the OS), note that LibreSSL is somewhat behind
recent OpenSSL versions, so prefer OpenSSL to LibreSSL if you can.
* FreeBSD's OPIE implementation cannot be found when using a C++ compiler.
This should not affect the normal build, which uses a C compiler.
* Using ccache may trigger "implicit fallthrough" warnings because
the comments that, for instance, GCC understands, are removed by ccache's
separate preprocessing. Fixing this portably requires C++17.
* Fetchmail's RFC-2047 encoder (used for localized Subject: lines of locally-
originated e-mail messages) is simplistic and violates the RFC-2047
requirement that multibyte characters must not be split across
encoded-words.
TRANSLATIONS: fetchmail's translations were updated, courtesy of:
* cs: Petr Pisar [Czech]
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
CHANGES:
* Minor documentation consistency fixes (versions, dates).
6.5.1
BUG AND PORTABILITY FIXES:
* Drop two wolfSSL compile-time checks that were for older 6.4 or for future
7.0 releases and broke compilation with wolfSSL 5.7.4.
Fixes https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282413#c4
* Use %p instead of non-portable %#p for one wolfSSL-related diagnostic message
(FreeBSD defines %#p to be %p, on many other platforms it's undefined
behavior).
* Add regex_helper.c to list of files that contain translatable strings,
which contains two strings we missed to translate.
CHANGES:
* Simplify EVP_MD_fetch API detection ("like OpenSSL 3" vs. "like OpenSSL 1")
for version switch and base it on the claimed OpenSSL version of the crypto
SSL, which works for LibreSSL (claims OpenSSL 2) and wolfSSL alike.
TRANSLATIONS: fetchmail's messages were translated by these fine people:
* sq: Besnik Bleta [Albanian]
* es: Cristian Othón Martínez Vera [Spanish]
* ro: Remus-Gabriel Chelu [Romanian]
* fr: Frédéric Marchal [French]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]
* ja: Takeshi Hamasaki [Japanese]
* eo: Keith Bowes [Esperanto]
6.5.0
SECURITY FIX:
* .netrc now may not have more than 0700 permission if it contains passwords,
else fetchmail will warn and ignore the file.
REMOVED FEATURES
* fetchmail no longer supports using an MDA as SMTP fallback. This is required
to make deliveries consistent.
The --enable-fallback configure option is gone.
* fetchmail no longer supports SSLv3. --sslproto ssl3 and ssl3+ options have
been removed and behave as though "--sslproto auto" had been given.
INCOMPATIBLE CHANGES
* fetchmail by default only negotiates TLS v1.2 or higher. (RFC-7525)
* fetchmail can auto-negotiate TLS v1.1 through the --sslproto tls1.1+ option.
* fetchmail can auto-negotiate TLS v1.0 through the --sslproto tls1+ option.
* fetchmailconf now requires Python 3.7.0 or newer.
* fetchmail, with --logfile, now logs time stamps into the file, in localtime
and in the format "Jun 20 23:45:01 fetchmail: ". It will be localized through
the environment variables LC_TIME (or LC_ALL) and TZ.
Contributed by Holger Hoffstätte.
* fetchmail sets the OPENSSL security level to 2 by default.
Override is possible from an environment variable,
see EXPERIMENTAL CHANGES below.
* The ca, da, en_GB, id, it, nl, ru, zh_CN translations have been disabled,
they are too far behind.
CHANGED REQUIREMENTS
* fetchmail 6.5.0 is written in C99 and requires a SUSv3 (Single Unix
Specification v3, a superset of POSIX.1-2001 aka. IEEE Std 1003.1-2001 with
XSI extension) compliant system.
In particular, older fetchmail versions had workarounds or replacement code
for several functions standardized in the Single Unix Specification v3, these
have been removed. Hence:
- The trio/ library has been removed from the distribution.
- The libesmtp/getaddrinfo.? library has been removed from the distribution.
- The KAME/getnameinfo.c file has been removed from the distribution.
* fetchmail 6.5.0 requires a TLSv1.3-capable version of OpenSSL or wolfSSL,
at a minimum OpenSSL v3.0.9 or wolfSSL v5.7.2.
TRANSLATIONS: fetchmail's messages were translated by these fine people:
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* es: Cristian Othón Martínez Vera [Spanish]
* fr: Frédéric Marchal [French]
* ja: Takeshi Hamasaki [Japanese]
* ro: Remus-Gabriel Chelu [Romanian]
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
BUG FIXES
* fetchmail can now report mailbox sizes of 2^31 octets and beyond (2 GibiB).
This required C99 support (for the long long type).
Fixes Debian Bug#873668, reported by Andreas Schmidt.
* fetchmail now defines its OpenSSL API level to 3.0.0 so as to expose the
3.0.0 APIs from OpenSSL.
* The .netrc parser no longer permits "machine" after "default".
* Add manpage info on the .netrc syntax, as ftp(1) is not standardized and
may not be installed. Fixes Launchpad Bug #1976361 reported by Bill Yikes.
* Received: lines now return GMT time if the tzoffset cannot be represented
as whole minutes. Reported by @rriddicc via Gitlab #49.
* If fetchmail was running localized, generated an error e-mail message locally,
and if the selected translation would require the Subject: line to wrap
inside an RFC-2047 encoded word (=?UTF-8?Q?...?=), the wrapped encoded-word
was not indented, thus not marked as a continuation line.
* SSL error handling was improved, fetchmail now consistently clears the
thread/SSL error queue before SSL I/O operations and checks SSL_get_error
afterwards. The SSL_connect() error handling has been revised to log more
consistently.
CHANGES
* When fetchmail attempts to log out from an IMAP4 server and the server messes
up its responses (it is supposed to send an untagged * BYE and a tagged
A4711 OK) and sends a tagged A4711 BYE response, tolerate that, rather than
reporting a protocol error. We don't intend to chat any more so the protocol
violation is harmless, and we know the server cannot send more untagged
status responses.
Analysis and fix courtesy of Maciej S. Szmigiero, GitLab merge request !20.
* The configure script now spends more effort for getting --with-ssl right, by
running pkg-config in the right environment, and using the AC_LIB_LINKFLAGS
macro to obtain run-time library path setting flags.
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option
do not match, emit a warning and continue. Closes Gitlab #31.
* There is now a --idletimeout feature contributed by Eric Durand, to
permit setting a shorter timeout for the --idle option, because many
servers violate the protocol (requiring 30 minutes) and hang up sooner than
the 28 minutes fetchmail waits before refreshing IDLE.
GitLab merge request !35.
* There is now a --forceidle feature to force idle mode even if not advertised
in the server capabilities. This is a dangerous option, use it carefully.
Courtesy of Eric Durand, GitLab merge request !39.
* There is now a --moveto feature (only feasible in IMAP) that, instead of
flushing mail, moves it to a user-specified folder. This is to assist with
archiving, or when providers (G...) break the IMAP model.
Courteously provided by Damjan Jovanovic.
* rcfile parsing errors are now reported in more detail, and with -vv mode,
also lead to a non-importable Python dump of what was obtained, for debugging.
* fetchmail's --auth option ssh was renamed to implicit, to make clear that it
does *NOT* imply any particular type or features of the --plugin. --auth ssh
will be understood for a while for compatibility but fetchmail will report it
as implicit.
* fetchmail no longer warns about port/service mismatches with/without ssl
option when a "plugin" is in use because fetchmail cannot know whether the
plugin talks SSL or STARTTLS/STLS. Fixes Debian Bug#1076604.
* fetchmail re-executes itself if the .netrc file's modification change
is found to be newer at the beginning of a new run.
* fetchmail can now use other digest algorithms than MD5 for the
--sslfingerprint option. To use, specify the algorithm's name in
curly braces as prefix in the finger print, say,
--sslfingerprint '{SHA256}00:01:[...]:1F'. This will also switch the
algorithm for printing. All algorithms supported by the TLS/SSL library
can be specified. Fixes Gitlab issue #19, Debian Bug#700266.
EXPERIMENTAL CHANGES - these are not documented anywhere else, only here:
* fetchmail supports a FETCHMAIL_SSL_SECLEVEL environment variable that
can be used to override the OpenSSL security level. Fetchmail by default
raises the security level to 2 if lower. This variable can be used to lower it.
Use with extreme caution. Note that levels 3 or higher will frequently cause
incompabilities with servers because server-side data sizes are often too low.
Valid range: 0 to 5 for OpenSSL 1.1.1 and 3.0.
* fetchmail supports a FETCHMAIL_SSL_CIPHERS environment variable that
sets the cipher string (through two different OpenSSL functions) for SSL and
TLS versions up to TLSv1.2.
If setting the ciphers fails, fetchmail will not connect.
If not given, defaults to Postfix's "medium" list,
"aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH".
* fetchmail supports a FETCHMAIL_TLS13_CIPHERSUITES environment variable
that sets the ciphersuites (a colon-separated list, without + ! -) for
TLSv1.3. If not given, defaults to OpenSSL's built-in list. If setting the
ciphersuites fails, fetchmail refuses to connect.
* NOTE the features above are simplistic. For instance, even though you
configure --sslproto tls1.3, a failure to set tls1.2 ciphers could cause
a connection abort.
* fetchmail can be built with meson 1.30 or newer <https://mesonbuild.com/>.
fetchmail is not currently written in a way that supports unity
(amalgamated) builds.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 21:41:03 +0000 (22:41 +0100)]
dnsdist: Update to version 1.9.8
- Update from version 1.9.7 to 1.9.8
- Update of rootfile not required
- Changelog
1.9.8
Improvements
Add the ability to load a given TLS tickets key
References: pull request 14877
Custom metrics: better error messages, small doc improvements
References: pull request 14978
Add elapsed time to dq object (@phonedph1)
References: pull request 14887
Bug Fixes
setTicketsKeyAddedHook: pass a std::string to the hook to avoid luawrapper
to truncate content at potential null chars
References: pull request 14878
Fix ECS zero-scope caching with incoming DoH queries
References: #14959, pull request 14977
Allow resetting setWeightedBalancingFactor() to zero
References: pull request 14929
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 21:40:30 +0000 (22:40 +0100)]
qemu: Update to version 9.2.0
- Update from version 9.0.2 to 9.2.0
- Update of rootfile
- Changelog
9.2.0
https://wiki.qemu.org/ChangeLog/9.2
9.1.0
https://wiki.qemu.org/ChangeLog/9.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 12:24:42 +0000 (13:24 +0100)]
backup-exclude: Add suricata ruleset-sources to backup exclude file
- This will ensure that an old version will no longer be restored back onto a users
system.
- The suricata ruleset-sources file should also be shipped in the CU that this will be
applied to make sure that all usders have the correct version installed, in case they
have done a restore from an old backup after doing a fresh install.
- Tested on my vm testbed system and after making the change, the ruleset-sources file
is no longer added to the backup set but also it is excluded from the restore if it
is included in an old backup.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Jan 2025 14:43:33 +0000 (15:43 +0100)]
tshark: Update to version 4.4.3
- Update from version 4.4.2 to 4.4.3
- Update of rootfile
- Changelog
4.4.3
Bug Fixes
Potential mis-match in GSM MAP dissector for uncertainty radius and its
filter key. Issue 20247.
Macro eNodeB ID and Extended Macro eNodeB ID not decoded by User Location
Information. Issue 20276.
The NFSv2 Dissector appears to be swapping Character Special File and
Directory in mode decoding. Issue 20290.
CMake discovers Strawberry Perl’s zlib DLL when it shouldn’t. Issue 20304.
VOIP Calls call flow displaying hours. Issue 20311.
Fuzz job issue: fuzz-2024-12-26-7898.pcap. Issue 20313.
sFlow: Incorrect length passed to header sample dissector. Issue 20320.
wsutil: Should link against -lm due to missing fabs() when built with
-fno-builtin. Issue 20326.
Updated Protocol Support
ARTNET, ASN.1 PER, BACapp, BBLog, BT BR/EDR RF, CQL, Diameter, DOF,
ECMP, FiveCo RAP, FTDI FT, GSM COMMON, GTPv2, HCI_MON, HSRP, HTTP2,
ICMPv6, IEEE 802.11, Kafka, LTE RRC, MBIM, MMS, Modbus/TCP, MPEG PES,
NAS-EPS, NFS, NGAP, NR RRC, PLDM, PN-DCP, POP, ProtoBuf, PTP, RLC, RPC,
RTCP, sFlow, SIP, SRT, TCP, UCP, USBCCID, Wi-SUN, and ZigBee ZCL
New and Updated Capture File Support
CLLog EMS ERF
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Jan 2025 14:43:32 +0000 (15:43 +0100)]
samba: Update to version 4.21.3
- Update from version 4.21.2 to 4.21.3
- Update of rootfile not required
- Changelog
4.21.3
* BUG 15701: More possible replication loops against Azure AD.
* BUG 15697: Compound rename from Mac clients can fail with
NT_STATUS_INTERNAL_ERROR if the file has a lease.
* BUG 15724: vfs crossrename seems not work correctly.
* BUG 6750: After 'machine password timeout' /etc/krb5.keytab is not updated.
* BUG 15771: Memory leak wbcCtxLookupSid.
* BUG 15765: Fix heap-user-after-free with association groups.
* BUG 15758: Segfault in vfs_btrfs.
* BUG 15755: Avoid event failure race when disabling an event script.
* BUG 15724: vfs crossrename seems not work correctly.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Jan 2025 14:43:31 +0000 (15:43 +0100)]
nettle: Update to version 3.10.1
- Update from version 3.10 to 3.10.1
- Update of rootfile
- Changelog
3.10.1
This is a maintenance release, with only a few bugfixes and
portability improvements.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.10 and libhogweed.so.6.10, with sonames
libnettle.so.8 and libhogweed.so.6.
Bug fixes:
* Fix buffer overread in the new sha256 assembly for
powerpc64, as well as a stack alignment issue.
* Added missing nettle_mac structs for hmac-gosthash.
* Fix configure test for valgrind, to not attempt to run
valgrind on executables built using memory sanitizers.
Optimizations:
* Improved runtime detection of cpu features for OpenBSD and
FreeBSD, using elf_aux_info when available. This also adds
runtime detection for FreeBSD on arm64. Contributed by Brad
Smith.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Jan 2025 14:43:30 +0000 (15:43 +0100)]
nano: Update to version 8.3
- Update from version 8.2 to 8.3
- Update of rootfile not required
- Changelog
8.3
• A build failure with gcc-15 is fixed.
• Several translations were updated.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Jan 2025 14:43:29 +0000 (15:43 +0100)]
mdadm: Update to version 4.4
- Update from version 4.3 to 4.4
- Update of rootfile not required
- mdadm has been formally moved to github.
- Changelog
4.4
Features:
- Remobe custom bitmap file support from Yu Kuai.
- Custom device policies implementation from Mariusz Tkaczyk.
- Self encrypted drives (**SED**) support for IMSM metadata from Blazej Kucman.
- Support more than 4 disks for **IMSM** RAID10 from Mateusz Kusiak.
- Read **IMSM** license information from ACPI tables from Blazej Kucman.
- Support devnode in **--Incremental --remove** from Mariusz Tkaczyk.
- Printing **IMSM** license type in **--detail-platform** from Blazej Kucman.
- README.md from Mariusz Tkaczyk and Anna Sztukowska.
Fixes:
- Tests improvements from Xiao Ni and Kinga Stefaniuk.
- Mdmon's Checkpointing improvements from Mateusz Kusiak.
- Pass mdadm environment flags to systemd-env to enable tests from Mateusz Kusiak.
- Superblock 1.0 uuid printing fixes from Mariusz Tkaczyk.
- Find VMD bus manually if link is not available from Mariusz Tkaczyk.
- Unconditional devices count printing in --detail from Anna Sztukowska.
- Improve SIGTERM handling during reshape, from Mateusz Kusiak.
- **Monitor.c** renamed to **Mdmonitor.c** from Kinga Stefaniuk.
- Mdmonitor service documentation update from Mariusz Tkaczyk.
- Rework around writing to sysfs files from Mariusz Tkaczyk.
- Drop of HOT_REMOVE_DISK ioctl in Manage in favour of sysfs from Mariusz Tkaczyk.
- Delegate disk removal to managemon from Mariusz Tkaczyk.
- Some clean-ups of legacy code and functionalities like **--auto=md** from Mariusz Tkaczyk.
- Manual clean-up, references to old kernels removed from Mariusz Tkaczyk.
- Various static code analysis fixes.
In this release we created github repository and allowed participation through
Github. It allowed us to use Github actions adn create CI. Currently, we have:
- Compilation tests with various gcc.
- **mdadm** tests.
- Checkpatch test.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Jan 2025 14:43:27 +0000 (15:43 +0100)]
libpng: Update to version 1.6.45
- Update from version 1.6.44 to 1.6.45
- Update of rootfile
- Changelog
1.6.45
Added support for the cICP chunk.
(Contributed by Lucas Chollet and John Bowler)
Adjusted and improved various checks in colorspace calculations.
(Contributed by John Bowler)
Rearranged the write order of colorspace chunks for better conformance
with the PNG v3 draft specification.
(Contributed by John Bowler)
Raised the minimum required CMake version from 3.6 to 3.14.
Forked off a development branch for libpng version 1.8.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Jan 2025 14:43:25 +0000 (15:43 +0100)]
fping: Update to version 5.3
- Update from version 5.2 to 5.3
- Update of rootfile not required
- Changelog
5.3
New features
- New option --icmp-timestamp to send ICMP timestamp requests (ICMP type 13)
instead of ICMP Echo requests (#353 #363, thanks @auerswal and @gsnw-sebast)
- New option --print-ttl to print returned TTL value (#354, thanks @nalves599)
- New option --print-tos to print returned TOS value (#335 #346 #347, thanks
@auerswal and @gsnw-sebast)
- New option --check-source (#334, thanks @auerswal)
- Predefined various timestamp formats (#321, thanks @auerswal and @gsnw-sebast)
- Print cumulative stats with -Q SECS,cumulative (#315, thanks @auerswal)
Bugfixes and other changes
- ci: Upgrade actions/upload-artifact to v4 (#360, thanks @gsnw-sebast)
- ci: Azure Pipeline only trigger when changes are made in the development branch
(#359, thanks @gsnw-sebast)
- ci: Upgrade actions/upload-artifact to v3 (#355, thanks @pevik)
- ci: Azure Pipeline YAML add docker build (#354, thanks @gsnw-sebast)
- Dockerfile: change distribution from ubuntu to debian (#350, thanks
@gsnw-sebast)
- Fix warning unused parameter 'reply_timestamp' under macOS (#348, thanks
@gsnw-sebast)
- Fix increase maximum -s value to 65507 (#344, thanks @pevik)
- ci: use File::Temp to create temporary directory (#343, thanks @auerswal)
- Fix -k, --fwmark with setuid fping executable (#342, thanks @auerswal)
- Another batch of additional tests (take 2) (#341, thanks @auerswal)
- Document that -a and -u are overridden by -c and -C (#338, thanks @auerswal)
- Fix macOS build warning sets SEQMAP_TIMEOUT_IN_NSSEQMAP_TIMEOUT_IN_NS as INT64_C
(#336, thanks @gsnw-sebast)
- Fix inconsistent limits for address generation via -g, --generator using either
range or CIDR (#331, thanks @auerswal)
- Some additional tests (#329, thanks @auerswal)
- ci: skip an unreliable test on macOS (#328, thanks @auerswal)
- Fix incorrect return-value check for a scanf like function (CWE-253) (#323,
thanks @gsnw-sebast)
- A few more tests to increase code coverage a little bit (#320, thanks @auerswal)
- Github fix: Change to codeql-action-v2 (#319, thanks @gsnw-sebast)
- Developer function: Debug with Visual Studio Code (#318, thanks @gsnw-sebast)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 11 Jan 2025 14:43:24 +0000 (15:43 +0100)]
e2fsprogs: Update to version 1.47.2
- Update from version 1.47.1 to 1.47.2
- Update of rootfile not required
- Changelog
1.47.2
UI and Features
Drop the tune2fs -r option and replace it with -E revision=<fs-rev>.
Revision 0 file systems are needed for compatibility with pre-1995 Linux
kernels (older that version 1.2). Most of the time, users shouldn't be
using the -r option and they can confuse themselves and end up creating
a file system that is missing most modern ext4 features, including no
online resizing, no support for post-2038 timestamps, etc. (Addresses
Debian Bug #1086603)
Add support for gnu.translator extended attributes in tar files fed to
mke2fs -d. (Addresses Github issue
https://github.com/tytso/e2fsprogs/issues/192)
Add a debugfs command to list all of the inodes in the orphan list.
Fixes
Fix orphan_file support on big endian systems.
Fix resize2fs to update the checksums in blocks belonging to the orphan
file if it needs to move them.
Fix e2fsck to clear the orphan file after processing it so that e2fsck
-E journal_only doesn't leave the file system in a corrupted state.
Avoid a spurious failure in badblocks when -n or -w is specified twice.
(Addresses Debian Bug #1087341)
Fix a bug where e2fsck could skip checking a file systems with the
orphan_file feature if there are orphaned files that need to be cleaned
up. (Addresses Red Hat Bugzilla 2318710, SuSE Bugzilla #1226043)
Tune2fs will now upgrade a revision 0 file system to revision 1 before
trying to change the inode size. Otherwise, this could result in a
corrupted file system.
Fix fuse2fs --helpfull so that it displays the full help message.
Allow resize2fs to perform an offline resize past the 256 TiB boundary
(which the kernel could do as part of an online resize).
Performance, Internal Implementation, Development Support etc.
Fix various Coverity and compiler warnings.
Speed up tune2fs -g when the group is not changed by the command.
Fix build failures on GCC 15 due to it switched to using -std=c23 by
default. (Addresses https://github.com/tytso/e2fsprogs/issues/202)
Fix build failure when linking fuse2fs with old (2.9.9) version of
libfuse2 on aarch64. This hack was needed to fix a regression caused by
another hacky workaround needed to work around a build failure on
mipsel64 thanks to glibc using different struct stat layouts depending
_FILE_OFFSET_BITS is set and this caused failures when dynamic linking
against libarchive on Debian's mipsel64. (Sigh.)
Fix unused parameter warnings for packages which including ext2fs.h.
(Addresses Debian Bug #1082500)
Fix bug where packages including ext2fs.h would get the 32-bit versions
of the timestamp routines even on 64-bit platforms due to a missing
SIZEOF_TIME_T autoconf definiton in public_config.h.
Teach dumpe2fs and e2mmpstatus to support LABEL= and UUID= specifiers
since the e2mmpstatus man page claims that it supports LABEL= and UUID=.
This support was accidentally dropped when e2mmpstatus was reimplemented
in terms of dumpe2fs. (Addresses
https://github.com/tytso/e2fsprogs/issues/106)
Suppress mke2fs's "Creating regular file" message when the -q option is
in force.
Enable Continuous Integration testing in Debian's Salsa forge.
Fix a memory leak in oss-fuzz test programs.
Provide fuseext2 to replace the debian package src:fuse-umfuse-ext2.
(Addresses Debian Bug #1085590, #1088838)
In the Debian package for e2fsprogs, add a suggestion to install the
package libarchive13t64. (Addresses DebianBug #1089085)
In the Debian package for e2fsprogs, decrease the priority from required
to important. (Addresses Debian Bug #897277)
Fix the f_badjour_encrypted test to write the error output from mke2fs
and debugfs to a log file so it doesn't mess up the "make check" output
and to make those error messages available in the case of test failure.
Fix my_llseek() declaration when building against musl libc.
Clean up groff warnings in man pages. (Addresses Debian Bugs #1086892,
#1082787, #1072866, #1087898)
Document the orphan_file feature in the ext4(5) and tune2fs(8) man
pages. (Addresses Debian Bug #1073062)
Allow building e2fsprogs without libarchive-dev installed to make life
easier for bootstrapping for new Debian ports (Addresses Debian Bug
#1078693)
Various man page cleanups.
Update Chinese, Czech, French, Malay, Polish, Romainian, Spanish,
Swedish, and Ukrainian translations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 9 Jan 2025 19:04:38 +0000 (20:04 +0100)]
language files: Updated de, en, es, fr & tr language files
- Changed the phrase in the code from Captive wrong ext to Captive wrong type as it is
now the type and not the extension that is being checked.
Fixes: Bug13795 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 9 Jan 2025 19:04:37 +0000 (20:04 +0100)]
perl-File-LibMagic: New package implemented for content type extraction of a file
- It was placed in make.sh after perl-Config-AutoConf as that package is at least one
build dependency.
Fixes: Bug13795 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 9 Jan 2025 19:04:36 +0000 (20:04 +0100)]
captive.cgi: Update code to check for the image content type not just the extension
- The File-LibMagic used to do this content type check. As this requires the actual
file and path name to access, the CGI::upload command had to be brought to before
the content type check and download the file to /tmp/. Then the content type can be
identified. If it is either image/png or image/jpeg then the logo.tmp file is
moved to replace the existing logo.dat. If the uploaded logo is not a png or jpeg
image content then the logo.tmp file in /tmp/ is deleted by unlinking it.
- I also added the actual content type to the error message if it is not a png or jpeg.
- Tested the code out on my vm testbed and it worked fine. Only png or jpeg content
type is accepted It makes no difference what the extension on the file is. When not
the correct content type the old logo.dat is left alone and not changed and the new
logo stored in /tmp/ is removed. If the content type is correct then the new logo file
in /tmp/ is moved to replace the existing logo.data file.
- When the wrong type of content was in the file, for example html code, then the error
message is shown saying that the content type is not correct and showing the actual
content type, in this case text/html.
Fixes: Bug13795 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / ipfire-2.x.git / log
