Peter Müller [Sat, 4 Nov 2023 17:35:00 +0000 (17:35 +0000)]
firewall: Reject outgoing TCP connections to port 25 by default
This will affect new IPFire installations only, implementing a
long-standing BCP for preemptively combating botnet spam. Reject is
chosen over drop to reduce the likelihood for confusion during network
troubleshooting.
Cc: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Tested-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3430000 to 3430100
- Update of rootfile not required
- Changelog
3.34.1
Fix a regression in the way that the sum(), avg(), and total() aggregate functions
handle infinities.
Fix a bug in the json_array_length() function that occurs when the argument comes
directly from json_remove().
Fix the omit-unused-subquery-columns optimization (introduced in in version 3.42.0)
so that it works correctly if the subquery is a compound where one arm is
DISTINCT and the other is not.
Other minor fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 13 Sep 2023 10:14:13 +0000 (12:14 +0200)]
qpdf: Update to version 11.6.1
- Update from version 11.5.0 to 11.6.1
- Update of rootfile
- Changelog
11.6.1: release
* Fix a logic error introduced in 11.6.0 in the fix to
copyForeignObject. The bug could result in some pages not being
copied.
11.6.0: release
* ascii85 parser: ignore spaces everywhere including between ~
and >. Fixes #973.
* Bug fix: with --pages, if one of the external files had warnings
but the main file did not, the warning was previously not taken
into consideration when determining the exit status.
* Put quotation marks around the command in completion output to
better handle spaces in paths. It is not a perfect fix (ideally,
full shell-compatible quoting should be used), but it handles more
cases than the old code and should handle all reasonable cases of
qpdf being in a directory with a space in its name, which is
common in Windows. Fixes #1021.
* Move check for random number device to runtime instead of
compile time. Since, by default, the crypto provider provides
random numbers, runtime determination of a random number device is
usually not needed. Fixes #1022.
* Maintain links to foreign pages when copying foreign objects.
This allows hyperlinks in imported files to work. Fixes #1003.
* Bug fix: Return a null object if an attempt is made to to copy a
foreign /Pages object with copyForeignObject. This corrects a
possible crash. Fixes #1010.
* Bug fix: Return a null object if an attempt is made to to copy a
foreign /Pages object with copyForeignObject. Fixes #1003.
* Add /MediaBox to a page if absent. Thanks M. Holger.
* Use std::vector internally for Pl_Buffer to
avoid incompatibility with C++20. Thanks to Zoe Clifford. Fixes #1024.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 13 Sep 2023 10:14:12 +0000 (12:14 +0200)]
jq: Update to version 1.7
- Update from version 1.6 to 1.7
- This project had little happen to it for 5 years but is now going again
https://jqlang.github.io/jq/
- Update of rootfile
- Changelog
1.7
After a five year hiatus we're back with a GitHub organization, with new admins
and new maintainers who have brought a great deal of energy to make a
long-awaited and long-needed new release. We're very grateful for all the new
owners, admins, and maintainers. Special thanks go to Owen Ou (@owenthereal)
for pushing to set up a new GitHub organization for jq, Stephen Dolan (@stedolan)
for transferring the jq repository to the new organization, @itchyny for doing a
great deal of work to get the release done, Mattias Wadman (@wader) and Emanuele
Torre (@emanuele6) for many PRs and code reviews. Many others also contributed
PRs, issues, and code reviews as well, and you can find their contributions in
the Git log and on the [closed issues and PRs page]
(https://github.com/jqlang/jq/issues?q=is%3Aclosed+sort%3Aupdated-desc).
Since the last stable release many things have happened:
- jq now lives at <https://github.com/jqlang>
- New maintainers, admins, and owners have been recruited.
- A list of [current maintainers](https://github.com/jqlang/jq/blob/jq-1.7/AUTHORS#L4-L14)
- NEWS file is replaced by NEWS.md with Markdown format. @wader #2599
- CI, scan builds, release, website builds etc now use GitHub actions. @owenthereal @wader @itchyny #2596 #2603 #2620 #2723
- Lots of documentation improvements and fixes.
- Website updated with new section search box, better section ids for linking, dark mode, etc. @itchyny #2628
- Release builds for:
- Linux `amd64`, `arm64`, `armel`, `armhf`, `i386`, `mips`, `mips64`, `mips64el`, `mips64r6`, `mips64r6el`, `mipsel`, `mipsr6`, `mipsr6el`, `powerpc`, `ppc64el`, `riscv64` and `s390x`
- macOS `amd64` and `arm64`
- Windows `i386` and `amd64`
- Docker `linux/386`, `linux/amd64`, `linux/arm64`, `linux/mips64le`, `linux/ppc64le`, `linux/riscv64` and `linux/s390x`
- More details see @owenthereal #2665
- Docker images are now available from `ghcr.io/jqlang/jq` instead of Docker Hub. @itchyny #2652 #2686
- OSS-fuzz. @DavidKorczynski #2760 #2762
Full commit log can be found at <https://github.com/jqlang/jq/compare/jq-1.6...jq-1.7> but here are some highlights:
CLI changes
- Make object key color configurable using `JQ_COLORS` environment variable. @itchyny @haguenau @ericpruitt #2703
- Change the default color of null to Bright Black. @itchyny #2824
- Respect `NO_COLOR` environment variable to disable color output. See <https://no-color.org> for details. @itchyny #2728
- Improved `--help` output. Now mentions all options and nicer order. @itchyny @wader #2747 #2766 #2799
- Fix multiple issues of exit code using `--exit-code`/`-e` option. @ryo1kato #1697
- Add `--binary`/`-b` on Windows for binary output. To get `\n` instead of `\r\n` line endings. @nicowilliams 0dab2b1
- Add `--raw-output0` for NUL (zero byte) separated output. @asottile @pabs3 @itchyny #1990 #2235 #2684
- Fix assert crash and validate JSON for `--jsonarg`. @wader #2658
- Remove deprecated `--argfile` option. @itchyny #2768
- Enable stack protection. @nicowilliams #2801
Language changes
- Use decimal number literals to preserve precision. Comparison operations respects precision but arithmetic operations might truncate. @leonid-s-usov #1752
- Adds new builtin `pick(stream)` to emit a projection of the input object or array. @pkoppstein #2656 #2779
- Adds new builtin `debug(msgs)` that works like `debug` but applies a filter on the input before writing to stderr. @pkoppstein #2710
- Adds new builtin `scan($re; $flags)`. Was documented but not implemented. @itchyny #1961
- Adds new builtin `abs` to get absolute value. This potentially allows the literal value of numbers to be preserved as `length` and `fabs` convert to float. @pkoppstein #2767
- Allow `if` without `else`-branch. When skipped the `else`-branch will be `.` (identity). @chancez @wader #1825 #2481
- Allow use of `$binding` as key in object literals. @nicowilliams 8ea4a55
- Allow dot between chained indexes when using `.["index"]` @nicowilliams #1168
- Allow dot for chained value iterator `.[]`, `.[]?` @wader #2650
- Fix try/catch catches more than it should. @nicowilliams #2750
- Speed up and refactor some builtins, also remove `scalars_or_empty/0`. @muhmuhten #1845
- Now `halt` and `halt_error` exit immediately instead of continuing to the next input. @emanuele6 #2667
- Fix issue converting string to number after previous convert error. @thalman #2400
- Fix issue representing large numbers on some platforms causing invalid JSON output. @itchyny #2661
- Fix deletion using assigning empty against arrays. @itchyny #2133
- Allow keywords to be used as binding name in more places. @emanuele6 #2681
- Allow using `nan` as NaN in JSON. @emanuele6 #2712
- Expose a module's function names in `modulemeta`. @mrwilson #2837
- Fix `contains/1` to handle strings with NUL. @nicowilliams 61cd6db
- Fix `stderr/0` to output raw text without any decoration. @itchyny #2751
- Fix `nth/2` to emit empty on index out of range. @itchyny #2674
- Fix `implode` to not assert and instead replace invalid unicode codepoints. @wader #2646
- Fix `indices/1` and `rindex/1` in case of overlapping matches in strings. @emanuele6 #2718
- Fix `sub/3` to resolve issues involving global search-and-replace (gsub) operations. @pkoppstein #2641
- Fix `significand/0`, `gamma/0` and `drem/2` to be available on macOS. @itchyny #2756 #2775
- Fix empty regular expression matches. @itchyny #2677
- Fix overflow exception of the modulo operator. @itchyny #2629
- Fix string multiplication by 0 (and less than 1) to emit empty string. @itchyny #2142
- Fix segfault when using libjq and threads. @thalman #2546
- Fix constant folding of division and reminder with zero divisor. @itchyny #2797
- Fix `error/0`, `error/1` to throw null error. @emanuele6 #2823
- Simpler and faster `transpose`. @pkoppstein #2758
- Simple and efficient implementation of `walk/1`. @pkoppstein #2795
- Remove deprecated filters `leaf_paths`, `recurse_down`. @itchyny #2666
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 13 Sep 2023 10:14:10 +0000 (12:14 +0200)]
dbus: Update to version 1.14.10
- Update from version 1.14.6 to 1.14.10
- Update of rootfile
- Changelog
dbus 1.14.10 (2023-09-01)
Bug fixes:
• Avoid a dbus-daemon crash if re-creating a connection's policy fails.
If it isn't possible to re-create its policy (for example if it belongs
to a user account that has been deleted or if the Name Service Switch is
broken, on a system not supporting SO_PEERGROUPS), we now log a warning,
continue to use its current policy, and continue to reload other
connections' policies. (dbus#343; Peter Benie, Simon McVittie)
• If getting the groups from a user ID fails, report the error correctly,
instead of logging "(null)" (dbus#343, Simon McVittie)
• Return the primary group ID in GetConnectionCredentials()' UnixGroupIDs
field for processes with a valid-but-empty supplementary group list
(dbus!422, cptpcrd)
dbus 1.14.8 (2023-06-06)
Denial-of-service fixes:
• Fix an assertion failure in dbus-daemon when a privileged Monitoring
connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
is active, and a message from the bus driver cannot be delivered to a
client connection due to <deny> rules or outgoing message quota. This
is a denial of service if triggered maliciously by a local attacker.
(dbus#457; hongjinghao, Simon McVittie)
Other fixes:
• Fix compilation on compilers not supporting __FUNCTION__
(dbus!404, Barnabás Pőcze)
• Fix some memory leaks on out-of-memory conditions
(dbus!403, Barnabás Pőcze)
• Documentation:
· Fix syntax of a code sample in dbus-api-design
(dbus!396; Yen-Chin, Lee)
Tests and CI enhancements:
• Fix CI pipelines after freedesktop/freedesktop#540
(dbus!405, dbus#456; Simon McVittie)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 13 Sep 2023 10:14:09 +0000 (12:14 +0200)]
alsa: Update to version 1.2.10
- Update alsa-lib, alsa-utils & alsa-ucn-conf from version 1.2.9 to 1.2.10
- Update of rootfile
- Changelog is too large to include here. Details can be found at
https://www.alsa-project.org/wiki/Changes_v1.2.9_v1.2.10
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Robin Roevens [Fri, 27 Oct 2023 19:49:01 +0000 (21:49 +0200)]
zabbix_agentd: Fix ipfire.net.gateway.ping
Fixes custom IPFire Zabbix Agent userparameter ipfire.net.gateway.ping
returning 1 (success) when fping failed for other reasons (rc 2,3 or 4)
than host unreachable (rc 0).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Fri, 27 Oct 2023 19:40:55 +0000 (21:40 +0200)]
zabbix_agentd: Update to 6.0.22 (LTS)
- Update from version 6.0.21 to 6.0.22
- Update of rootfile not required
Bugs fixed:
- ZBX-23417: Fixed possible memory leak when checking modbus.get[] item
New Features and Improvements:
- ZBXNEXT-6554: Increased remote command execution limits to 16MB
Full changelogs since 6.0.21:
- https://www.zabbix.com/rn/rn6.0.22
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 13 Oct 2023 09:03:00 +0000 (09:03 +0000)]
linux: Disable io_uring
This subsystem has been a frequent source of security vulnerabilities
affecting the Linux kernel; as a result, Google announced on June 14,
2023, that they would disable it in their environment as widely as
possible.
IPFire does not depend on the availability of io_uring. Therefore,
disable this subsystem as well in order to preemptively cut attack
surface.
See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 19 Oct 2023 18:52:32 +0000 (20:52 +0200)]
apache: Update to 2.4.58
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.58
Excerpt from changelog:
"Changes with Apache 2.4.58
*) SECURITY: CVE-2023-45802: Apache HTTP Server: HTTP/2 stream
memory not reclaimed right away on RST (cve.mitre.org)
When a HTTP/2 stream was reset (RST frame) by a client, there
was a time window were the request's memory resources were not
reclaimed immediately. Instead, de-allocation was deferred to
connection close. A client could send new requests and resets,
keeping the connection busy and open and causing the memory
footprint to keep on growing. On connection close, all resources
were reclaimed, but the process might run out of memory before
that.
This was found by the reporter during testing of CVE-2023-44487
(HTTP/2 Rapid Reset Exploit) with their own test client. During
"normal" HTTP/2 use, the probability to hit this bug is very
low. The kept memory would not become noticeable before the
connection closes or times out.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Will Dormann of Vul Labs
*) SECURITY: CVE-2023-43622: Apache HTTP Server: DoS in HTTP/2 with
initial windows size 0 (cve.mitre.org)
An attacker, opening a HTTP/2 connection with an initial window
size of 0, was able to block handling of that connection
indefinitely in Apache HTTP Server. This could be used to
exhaust worker resources in the server, similar to the well
known "slow loris" attack pattern.
This has been fixed in version 2.4.58, so that such connection
are terminated properly after the configured connection timeout.
This issue affects Apache HTTP Server: from 2.4.55 through
2.4.57.
Users are recommended to upgrade to version 2.4.58, which fixes
the issue.
Credits: Prof. Sven Dietrich (City University of New York)
*) SECURITY: CVE-2023-31122: mod_macro buffer over-read
(cve.mitre.org)
Out-of-bounds Read vulnerability in mod_macro of Apache HTTP
Server.This issue affects Apache HTTP Server: through 2.4.57.
Credits: David Shoon (github/davidshoon)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 19 Oct 2023 17:03:24 +0000 (19:03 +0200)]
samba: Update to 4.19.2
For details see:
v4.19.1. => https://www.samba.org/samba/history/samba-4.19.1.html
"
==============================
Release Notes for Samba 4.19.1
October 10, 2023
==============================
This is a security release in order to address the following defects:
o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
existing unix domain sockets on the file system.
https://www.samba.org/samba/security/CVE-2023-3961.html
o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
OVERWRITE disposition when using the acl_xattr Samba VFS
module with the smb.conf setting
"acl_xattr:ignore system acls = yes"
https://www.samba.org/samba/security/CVE-2023-4091.html
o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
attributes, including secrets and passwords. Additionally,
the access check fails open on error conditions.
https://www.samba.org/samba/security/CVE-2023-4154.html
o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
server block for a user-defined amount of time, denying
service.
https://www.samba.org/samba/security/CVE-2023-42669.html
o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
listeners, disrupting service on the AD DC.
https://www.samba.org/samba/security/CVE-2023-42670.html"
v4.19.2 => https://www.samba.org/samba/history/samba-4.19.2.html
"Changes since 4.19.1
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE.
* BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
call.
o Ralph Boehme <slow@samba.org>
* BUG 15463: macOS mdfind returns only 50 results.
o Volker Lendecke <vl@samba.org>
* BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
previous cache entry value.
o Stefan Metzmacher <metze@samba.org>
* BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
Heimdal KDC in Samba 4.19
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 15 Oct 2023 16:28:22 +0000 (18:28 +0200)]
backup.pl: Fix for bug#11048 - add script for adding pass/no pass to ovpnconfig from backup
- A script was added to the update.sh script to add pass/no pass to the ovpnconfig entries
but I forgot that this was also needed in the backup.pl file to add those statuses into
any ovpnconfig file restored from a backup before the pass/no pass entries were added.
- This patch corrects that oversight.
- Confirmed by testing on my vm. Before the script added to backup.pl a restore of older
ovpnconfig ended up not showing any icons or status elements. With the script in
backup.pl confirmed that the restored ovpnconfig showed up in the WUI page correctly
with the right icons and with the status elements correctly displayed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 8 Oct 2023 16:26:00 +0000 (16:26 +0000)]
Tor: Update to 0.4.8.7
Changes in version 0.4.8.7 - 2023-09-25
This version fixes a single major bug in the Conflux subsystem on the client
side. See below for more information. The upcoming Tor Browser 13 stable will
pick this up.
o Major bugfixes (conflux):
- Fix an issue that prevented us from pre-building more conflux sets
after existing sets had been used. Fixes bug 40862; bugfix
on 0.4.8.1-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 25, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/09/25.
Changes in version 0.4.8.6 - 2023-09-18
This version contains an important fix for onion service regarding congestion
control and its reliability. Apart from that, uneeded BUG warnings have been
suppressed especially about a compression bomb seen on relays. We strongly
recommend, in particular onion service operators, to upgrade as soon as
possible to this latest stable.
o Major bugfixes (onion service):
- Fix a reliability issue where services were expiring their
introduction points every consensus update. This caused
connectivity issues for clients caching the old descriptor and
intro points. Bug reported and fixed by gitlab user
@hyunsoo.kim676. Fixes bug 40858; bugfix on 0.4.7.5-alpha.
o Minor features (debugging, compression):
- Log the input and output buffer sizes when we detect a potential
compression bomb. Diagnostic for ticket 40739.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 18, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/09/18.
o Minor bugfix (defensive programming):
- Disable multiple BUG warnings of a missing relay identity key when
starting an instance of Tor compiled without relay support. Fixes
bug 40848; bugfix on 0.4.3.1-alpha.
o Minor bugfixes (bridge authority):
- When reporting a pseudo-networkstatus as a bridge authority, or
answering "ns/purpose/*" controller requests, include accurate
published-on dates from our list of router descriptors. Fixes bug
40855; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (compression, zstd):
- Use less frightening language and lower the log-level of our run-
time ABI compatibility check message in our Zstd compression
subsystem. Fixes bug 40815; bugfix on 0.4.3.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 8 Oct 2023 19:57:37 +0000 (21:57 +0200)]
udev: Update to version 3.2.14
- Update from version 3.2.12 to 3.2.14
- Update of rootfile not required
- This version update includes the patches previously used to add the dummies for tags
and to update to udev version 251 which is bugfix #253
- Changelog
3.2.14
Clear sysattr cache if a null pointer is passed by @NaofumiHonda in #255
Add /usr/local/lib/udev/rules.d by @bbonev in #260
Fix := not preventing further assignments to RUN by @bbonev in #257
Let libudev find hwdb.bin under UDEV_HWDB_BIN by
@vivien-consider-dropping-github in #264
Add a generic --output argument to udevadm hwdb by
@vivien-consider-dropping-github in #263
Dynamically get the udevadm hwdb files with a path variable by
@vivien-consider-dropping-github in #262
More wording fixes for the manual page for udev by
@vivien-consider-dropping-github in #265
Add missing API from 247 by @bbonev in #253
Ensure that standard file descriptors are open by @bbonev in #266
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 8 Oct 2023 19:57:36 +0000 (21:57 +0200)]
sysvinit: Update to version 3.08
- Update from version 3.00 to 3.08
- Update of rootfile
- All the other patches and sed modifications are now built mintyo the source tarball,
except for the mountpoint patch which is stilol needed
- Changelog
3.08
This release focuses on three changes which are basically imports of patches from Gentoo. Special thanks to floppym for supplying these.
Applied a patch from floppm which adds kexec option to the halt command. This can be used as "halt -k".
floppym provided patch which causes the halt command to call "shutdown -h -H" instead of "shutdown -h" when halt is invoked without parameters. This forces the shutdown command to set the INIT_HALT variable and assume, unless other conditions apply, that the "halt" call really wants to halt the machine and INIT_HALT should be set. In other words we assume halt wants to halt unless told otherwise.
Addresses downstream Gentoo bug ID 911257.
Updated halt documentation and help output to display parameters in alphabetical order.
3.07
The 3.07 release of SysV init mostly introduces fixes and improvements for the
killall5 and pidof programs. (These are actually the same program, but are
invoked with two different names, which result in different behaviour. The main
highlights in this release are:
Fixed killall5 so that processes in the omit list are not sent any
signals, including SIGSTOP.
Fixed usage message for killall5 to be more accurate.
pidof was not returning PIDs of programs which were launched using a
symbolic link. This has been fixed so programs run from a symbolic link
show up in process lists.
3.06
Mark Hindley fixed typo in es.po
Mark Hindley cleaned up translation code in src/Makefile.
Drop sulogin from Debian build. Removed libcrypt-dev dependency.
Fixed pt translation pages which were failing due to mis-matched open/close
tags.
Makefile now respects ROOT prefix when setting up pidof-to-killall5 symbolic
link.
Removed redundant translation files from man directory.
Makefile now respects DESTDIR. User can specify either ROOT= or DESTDIR= to
set install prefix.
3.05
This release (3.05) focuses on two things:
Updating the translation framework.
Fixing compiling issues on various systems.
The second point, compiling, encompasses a few minor changes to get SysV init to
build properly on GNU Hurd, systems without certain GNU assumptions, and systems
running the latest glibc library (2.36 at time of writing).
3.04
This release contains one minor fix which allows the bootlogd code to properly
compile on Debian's GNU Hurd branch.
3.03
This release includes two minor changes. One is fixing a typo in the init manual
page (init.8). this fix was offered by Mark hindley.
Mark, and a few other people, also pointed out that a fix in 3.02 for bootlogd
introduced reliance on a defined PATH_MAX constant. This is used elsewhere in
the code, but is not explicitly defined in bootlogd, which caused bootlogd to
not build properly on GNU Hurd and musl C systems. This has been fixed.
3.02
Added q and Q flags to synopsis in shutdown manual page.
Applied fixes for markup and spacing in manual pages.
Patch provided by Mario Blattermann.
Added translation framework (po4a) from Mario Blttermann.
Added Makefile for man/ directory. Will handle translations
and substitutions.
Applied new translations for multiple languages from Mario Blattermann.
Added ability to use "@" symbol in command named in the inittab file. This
treats commands as literal and does not launch a shell to interpret them.
Updated inittab manual page to include overview of symbols which trigger
a shell interpretor and how to disable them using the @ symbol.
Introduced change which adds error checking in bootlogd when performing
chdir(). - Provided by Alexander Vickberg
Add check for console using TIOCGDEV on Linux systems in bootlogd to
make finding console more robust. - Provided by Alexander Vickberg
3.01
Default to showing processes in the uninterruptable state (D).
The -z flag no longer affects whether processes in D state are shown.
The -z flag does still toggle whether zombie (Z) processes are shown.
Removed unnecessary check which is always true from init tab parsing.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 8 Oct 2023 16:31:00 +0000 (16:31 +0000)]
Lynis: Update to 3.0.9
Changelog according to https://cisofy.com/changelog/lynis/#309:
- DBS-1820 - Added newer style format for Mongo authorization setting
- FILE-6410 - Locations added for plocate
- SSH-7408 - Only test Compression if sshd version < 7.4
- Improved fetching timestamp
- Minor changes such as typos
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 8 Oct 2023 16:29:00 +0000 (16:29 +0000)]
Postfix: Update to 3.8.2
Refer to https://www.postfix.org/announcements/postfix-3.8.2.html for
the changelog of this version.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 23 Sep 2023 10:54:55 +0000 (12:54 +0200)]
extrahd.cgi: Add support for LVM and MDADM devices
This commit adds support for using LVM and mdadm based RAID devices
for the CGI page.
In case one or more drives/partitions are used by such a "grouped"
volume they still will displayed on the page, but can not be
configured/used. Instead the "master" volume of which the
drive/partition is part of is shown in the "mountpoint" input box.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Sat, 23 Sep 2023 10:54:55 +0000 (12:54 +0200)]
extrahd.cgi: Add support for LVM and MDADM devices
This commit adds support for using LVM and mdadm based RAID devices
for the CGI page.
In case one or more drives/partitions are used by such a "grouped"
volume they still will displayed on the page, but can not be
configured/used. Instead the "master" volume of which the
drive/partition is part of is shown in the "mountpoint" input box.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 28 Sep 2023 10:37:01 +0000 (12:37 +0200)]
libslirp: Add the slirp library as this is required for the net user backend in qemu
- Looking through some of the changelog and some mail list communications it looks like
qemu decided they did noty want to maintain their own bundled version of libslirp when
the majority of OS's had their own version now in place. Ubuntu 18.04 did not have
libslirp but qemu stopped supporting that version from qemu-7.1
- So it looks like all OS's have a standard libslirp available now and qemu have taken
the decision to no longer have their own version but to use the system version. That
was always possible to do if use of the system version was explicitly defined but
the default was to use the bundled version.
- No evidence that libslirp is deprecated.
- The last version of libslirp was released a year ago but it looks like every month or
so there are a couple of commits merged. The last was a month ago.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 28 Sep 2023 10:36:59 +0000 (12:36 +0200)]
qemu: Update to version 8.1.1 and add libslirp for net user backend
- Update from version 8.0.3 to 8.1.1
- In CU179 the update of qemu caused at least one user to have a problem starting his
qemu system as the qemu bundled slirp library used for the net user backend was removed
in version 7.2. Unfortunately no user tested qemu in the CU179 Testing phase, or if they
did they are not using the net user backend.
- This patch adds the --enable-slirp option to configure and installs libslirp in a
separate patch.
- I can't test if this now works as I don't use qemu anywhere.
- Changelog is too large to include here.
8.1
https://wiki.qemu.org/ChangeLog/8.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 26 Sep 2023 14:07:01 +0000 (16:07 +0200)]
urlfilter.cgi: Fixes bug#10649 - calls urlfilterctrl with remove option if update disabled
- When the url filter update enable checkbox is unchecked then this patch calls
urlfilterctrl with the remove option added in the otrher patch of this series.
- Tested on my vm testbed that this change does remove the urlfilter symlink from the
fcron directories when the update is disabled.
Fixes: Bug#10649 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 26 Sep 2023 14:07:00 +0000 (16:07 +0200)]
urlfilterctrl: Fix bug#10649 - add option to remove urlfilter from fcron directories
- Currently if the urlfilter update is enabled then autoupdate.pl is renamed urlfilter and
added into either the daily, weekly or monthly fcron directoiries. If the update is
disabled then the urlfilter update script stays in the directory and is not removed.
- This patch adds in the option of remove to the urlfilterctrl program. The first part
of the urlfilterctrl.c code removes any existing symlinks so all that needs to be done
for the remove option is to not add any symlinks to the fcron directories.
- Confirmed in a vm testbed that the current approach leaves the symlink in place. Installed
the changes from this and the previous patch and confirmed that when the url update is
disabled the symlink is removed.
Fixes: Bug#10649 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Sep 2023 16:41:56 +0000 (18:41 +0200)]
update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
If a password is present then pass is added to index 41 and if not then no-pass is added
to index 41
- I had to add a blank line to the top of the ovpnconfig file otherwise the awk code
treated the first line as a blank line and missed it out of the update. This was the
problem that was discovered during the previous Testing Release evaluation.
Tested out this time with several existing entries both encrypted and insecure and with
additional entries of both added in afterwards and all connection entries were
maintained - road warrior and net2net.
- This code should be left in update.sh for future Core Updates in case people don't update
with Core Update 175 but leave it till later. This code works fine on code that already
has pass or no-pass entered into index 41 in ovpnconfig
Fixes: Bug#11048 Suggested-by: Erik Kapfer <ummeegge@ipfire.org> Suggested-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Sep 2023 16:41:55 +0000 (18:41 +0200)]
web-user-interface: Addition of new icon for secure connection certificate download
- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png
- The license for this image is the following:-
This library is free software; you can redistribute it and/or modify it under the terms
of the GNU Lesser General Public License as published by the Free Software Foundation;
either version 2.1 of the License, or (at your option) any later version. This library
is distributed in the hope that it will be useful, but without any warranty; without
even the implied warranty of merchantability or fitness for a particular purpose. See
version 2.1 and version 3 of the GNU Lesser General Public License for more details.
- Based on the above license I believe it can be used by IPFire covered by the GNU General
Public License that is used for it.
- The icon image was made by taking the existing openvpn.png file and superimposing the
padlock icon on top of it as a 12x12 pixel format and naming it openvpn_encrypted.png
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Sep 2023 16:41:51 +0000 (18:41 +0200)]
ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password
- At long last I have re-visited the patch submission for bug #11048 and fixed the issues
that caused the problems last time I evaluated it in Testing.
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
connection is a host and if the first password entry is a null. Then it adds no-pass
to ovpnconfig.
- The same block of code is also used for when he connection is edited. However at this
stage the password entry is back to null because the password value is only kept until
the connection has been saved. Therefore doing an edit results in the password value
being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if
the connection type is host and the password has characters. If the connection type is
net then no-pass is used as net2net connections dop not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted
certificates.
- Separate patches are provided for the language file change, the provision of a new icon
and the code for the update.sh script for the Core Update to update all existing
connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 180 update.sh script has been tested
on a vm testbed
Fixes: Bug#11048 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Suggested-by: Adolf Belka <adolf.belka@ipfire.org> Suggested-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.44/doc/arm/html/notes.html#notes-for-bind-9-16-44
Changes since 9.16.40:
9.16.44:
"Previously, sending a specially crafted message
over the control channel could cause the packet-parsing
code to run out of available stack memory, causing named
to terminate unexpectedly. This has been fixed. (CVE-2023-3341)"
9.16.43:
"Processing already-queued queries received over TCP could cause
an assertion failure, when the server was reconfigured at the
same time or the cache was being flushed. This has been fixed."
9.16.42:
"The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured max-cache-size
limit. (CVE-2023-2828)
A query that prioritizes stale data over lookup triggers a fetch
to refresh the stale data in cache. If the fetch is aborted for
exceeding the recursion quota, it was possible for named to enter
an infinite callback loop and crash due to stack overflow. This
has been fixed. (CVE-2023-2911)
Previously, it was possible for a delegation from cache to be
returned to the client after the stale-answer-client-timeout
duration. This has been fixed."
9.16.41:
"When removing delegations from an opt-out range, empty-non-terminal
NSEC3 records generated by those delegations were not cleaned up.
This has been fixed."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Security #6289: Crash in SMTP parser during parsing of email (6.0.x backport)
Security #6196: process exit in hyperscan error handling (6.0.x backport)
Security #6156: dcerpc: max-tx config parameter, also for UDP (6.0.x backport)
Bug #6285: community-id: Fix IPv6 address sorting not respecting byte order (6.0.x backport)
Bug #6248: Multi-tenancy: crash under test mode when tenant signature load fails (6.0.x backport)
Bug #6245: tcp: RST with data used in reassembly (6.0.x backport)
Bug #6236: if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc (6.0.x backport)
Bug #6228: ips/af-packet: crash when copy-iface is the same as the interface (6.0.x backport)
Bug #6227: windows: lua script path truncated (6.0.x backport)
Bug #6226: Decode-events of IPv6 GRE are not triggered (6.0.x backport)
Bug #6224: base64: complete support for RFC2045 (6.0.x backport)
Bug #6220: Backport tenant_id conversion to uint32_t
Bug #6213: file.magic: rule reload can lead to crashes (6.0.x backport)
Bug #6193: smtp: Attachment not being md5 matched (6.0.x backport)
Bug #6192: smtp: use every byte to compute email.body_md5 (6.0.x backport)
Bug #6182: log-pcap: fix segfault on lz4 compressed pcaps (6.0.x backport)
Bug #6181: eve/alert: deprecated fields can have unexpected side affects (6.0.x backport)
Bug #6174: FTP bounce detection doesn't work for big-endian platforms (6.0.x backport)
Bug #6166: http2: fileinfo events log http2 object instead of http object as alerts and http2 do (6.0.x backport)
Bug #6139: smb: wrong offset when parse SMB_COM_WRITE_ANDX record (6.0.x backport)
Bug #6082: pcap: device reopen broken (6.0.x backport)
Bug #6068: pcap: memory leaks (6.0.x backport)
Bug #6045: detect: multi-tenancy leaks memory if more than 1 tenant registered (6.0.x backport)
Bug #6035: stream.midstream: if enabled breaks exception policy (6.0.x backport)
Bug #5915: rfb: parser returns error on unimplemented record types (6.0.x backport)
Bug #5794: eve: if alert and drop rules match for a packet, "alert.action" is ambigious (6.0.x backport)
Bug #5439: Invalid certificate when Issuer is not present.
Optimization #6229: Performance impact of Cisco Fabricpath (6.0.x backport)
Optimization #6203: detect: modernize filename fileext filemagic (6.0.x backport)
Optimization #6153: suricatasc: Gracefully handle unsupported commands (6.0.x backport)
Feature #6282: dns/eve: add 'HTTPS' type logging (6.0.x backport)
Feature #5935: ips: add 'master switch' to enable dropping on traffic (handling) exceptions (6.0.x backport)
Documentation #6234: userguide: add installation from Ubuntu PPA section (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
extrahd: use udev rule to mount extrahd partitions
the previous patches for
https://bugzilla.ipfire.org/show_bug.cgi?id=12863
introduce a new bug that slow devices are not mounted
at boot. So now udev calls the extrahd script with
the uuid.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 14 Sep 2023 17:45:12 +0000 (17:45 +0000)]
Tor: Do not attempt to establish connections via IPv6
To quote from the changelog of Tor 0.4.8.4:
o Minor feature (client, IPv6):
- Make client able to pick IPv6 relays by default now meaning
ClientUseIPv6 option now defaults to 1. Closes ticket 40785.
In order to avoid any malfunctions on IPFire installations,
set this option to "0" explicitly.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 14 Sep 2023 17:45:11 +0000 (17:45 +0000)]
Tor: Update to 0.4.8.5
Changes in version 0.4.8.5 - 2023-08-30
Quick second release after the first stable few days ago fixing minor
annoying bugfixes creating log BUG stacktrace. We also fix BSD compilation
failures and PoW unit test.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 30, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/30.
o Minor bugfix (NetBSD, compilation):
- Fix compilation issue on NetBSD by avoiding an unnecessary
dependency on "huge" page mappings in Equi-X. Fixes bug 40843;
bugfix on 0.4.8.1-alpha.
o Minor bugfix (NetBSD, testing):
- Fix test failures in "crypto/hashx" and "slow/crypto/equix" on
x86_64 and aarch64 NetBSD hosts, by adding support for
PROT_MPROTECT() flags. Fixes bug 40844; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (conflux):
- Demote a relay-side warn about too many legs to ProtocolWarn, as
there are conditions that it can briefly happen during set
construction. Also add additional set logging details for all
error cases. Fixes bug 40841; bugfix on 0.4.8.1-alpha.
- Prevent non-fatal assert stacktrace caused by using conflux sets
during their teardown process. Fixes bug 40842; bugfix
on 0.4.8.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>