Adolf Belka [Thu, 9 Jan 2025 19:04:38 +0000 (20:04 +0100)]
language files: Updated de, en, es, fr & tr language files
- Changed the phrase in the code from Captive wrong ext to Captive wrong type as it is
now the type and not the extension that is being checked.
Fixes: Bug13795 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 9 Jan 2025 19:04:37 +0000 (20:04 +0100)]
perl-File-LibMagic: New package implemented for content type extraction of a file
- It was placed in make.sh after perl-Config-AutoConf as that package is at least one
build dependency.
Fixes: Bug13795 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 9 Jan 2025 19:04:36 +0000 (20:04 +0100)]
captive.cgi: Update code to check for the image content type not just the extension
- The File-LibMagic used to do this content type check. As this requires the actual
file and path name to access, the CGI::upload command had to be brought to before
the content type check and download the file to /tmp/. Then the content type can be
identified. If it is either image/png or image/jpeg then the logo.tmp file is
moved to replace the existing logo.dat. If the uploaded logo is not a png or jpeg
image content then the logo.tmp file in /tmp/ is deleted by unlinking it.
- I also added the actual content type to the error message if it is not a png or jpeg.
- Tested the code out on my vm testbed and it worked fine. Only png or jpeg content
type is accepted It makes no difference what the extension on the file is. When not
the correct content type the old logo.dat is left alone and not changed and the new
logo stored in /tmp/ is removed. If the content type is correct then the new logo file
in /tmp/ is moved to replace the existing logo.data file.
- When the wrong type of content was in the file, for example html code, then the error
message is shown saying that the content type is not correct and showing the actual
content type, in this case text/html.
Fixes: Bug13795 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 9 Jan 2025 19:04:35 +0000 (20:04 +0100)]
logo.cgi: Fix for bug13795 - captive portal not displaying uploaded logo
- This v2 version now includes the use of File-LibMagic to identify the specific
content type and apply that to the modified header command so that image/png or
image/jp[eg are used depending on the type of image provided.
- Something changed in some package in CU188 that means that the existing method of
printing the content type to the browser no longer worked.
- I tested it in some stand alone code and even if using text/txt for the content-type
print statement the File::Copy::copy then resulted in an Internal Server Error with
the same message as with the image file which was "malformed header from script
'logo.cgi': Bad header:".
- I tested it with text, html, image and application. In all cases the error message
about a bad header was provided.
- Did some searching and found an alternative way to explicitly print the header info
which is what I have used in this patch change.
- With this approach, in the stand alone code, I was able to get an image, html code or
text shown in the browser correctly and without any error message.
- I then used this new method in the logo.cgi code as submitted here and tested the
change in my vm testbed and the image was shown in the captive portal correctly.
- So this change fixes the problem with the logo not being shown but I have been unable
to identify what changed to stop the method that worked prior to CU188 from working
any more.
Fixes: Bug13795 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 6 Jan 2025 09:52:08 +0000 (10:52 +0100)]
root.hints: Update to version Dec 18, 2024
- Update from version Jul 3, 2019 to Dec 18, 2024
- Not sure if there have been other version in between or not as no history is stored
anywhere on this.
- No changelog for any changes to the root.hints file but the diff in the file shows that
just one change has been done to the B.ROOT-SERVERS.NET. entry with a change in IP.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 3 Jan 2025 14:21:22 +0000 (15:21 +0100)]
ppp: Update to version 2.5.2
- Update from version 2.5.1 to 2.5.2
- Update of rootfile
- Changelog
2.5.2
Some old and probably unused code has been removed, notably the pppgetpass program and the passprompt plugin, and some of the files in the sample and
scripts directories.
If a remote number has been set, it is available to scripts in the REMOTENUMBER
environment variable.
The Solaris port has been updated, including updated installation instructions
in README.sol2.
Various other bug fixes and minor enhancements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 3 Jan 2025 14:21:21 +0000 (15:21 +0100)]
liburcu: Update to version 0.15.0
- Update from version 0.14.1 to 0.15.0
- Update of rootfile
- Changelog
0.15.0
* Fix compilation errors
* Document cmm_cast_volatile
* Honor URCU_DEREFERENCE_USE_VOLATILE
* arm: Use atomic builtins for xchg if supported
* Introduce _CMM_TOOLCHAIN_SUPPORT_C11_MM
* Seperate uatomic and uatomic_mo
* uatomic: Fix header guard comment
* Fix: missing typename in URCU_FORCE_CAST
* Allow building with GCC >= 13.3 on RISC-V
* pointer.h: Fix the rcu_cmpxchg_pointer documentation
* rculfhash: make cds_lfht_iter_get_node argument const
* lfstack: make cds_lfs_empty argument const
* wfcqueue: make cds_wfcq_empty arguments const
* wfstack: make cds_wfs_empty argument const
* cds_list: make cds_list_replace @old argument const
* cds_list: make cds_list_empty const
* Adjust shell script to allow Bash in other locations
* futex.h: Indent preprocessor directives
* futex.h: Use urcu_posix_assert to validate unused values
* Use futex on OpenBSD
* fix: handle EINTR correctly in get_cpu_mask_from_sysfs
* Relicense src/compat-smp.h to MIT
* uatomic/x86: Remove redundant memory barriers
* cleanup: move rand_r compat code to tests
* ppc: Document cache line size choice
* Fix: change order of _cds_lfht_new_with_alloc parameters
* Add support for custom memory allocators for rculfhash
* ppc.h: use mftb on ppc
* rcutorture: Check histogram of ages
* docs: Add links to project resources
* Fix: allow clang to build liburcu on RISC-V
* Fix -Walloc-size
* cleanup: use an enum for the error states of nr_cpus_mask
* fix: add missing SPDX licensing tags
* urcu/uatomic/riscv: Mark RISC-V as broken
* Fix: urcu-bp: misaligned reader accesses
* rculfhash: Only pass integral types to atomic builtins
* LoongArch: Document that byte and short atomics are implemented with LL/SC
* Add LoongArch support
* Tests: Add test for byte/short atomics on addresses which are not word-aligned
* Complete removal of urcu-signal flavor
* doc/examples: Remove urcu-signal example
* tests/common: Remove urcu-signal common test files
* tests/benchmark: Remove urcu-signal benchmark tests
* tests/regression: Remove urcu-signal regression tests
* tests/unit: Remove urcu-signal unit tests
* Fix: Add missing cmm_smp_mb() in deprecated urcu-signal
* urcu/uatomic.h: Improve verbosity of static assert error messages
* urcu/compiler: Add urcu_static_assert
* Phase 1 of deprecating liburcu-signal
* uatomic/generic: Fix redundant declaration warning
* tests: Add tests for checking race conditions
* Add cmm_emit_legacy_smp_mb()
* urcu/annotate: Add CMM annotation
* tests/unit/test_build: Quiet unused return value
* benchmark: Use uatomic for accessing global states
* tests: Use uatomic for accessing global states
* urcu-wait: Fix wait state load/store
* Add CMM memory model
* urcu/arch/generic: Use atomic builtins if configured
* urcu/compiler: Use atomic builtins if configured
* configure: Add --enable-compiler-atomic-builtins option
* Fix: tests/rcutorture: Put thread offline on busy-wait
* tests/regression/rcutorture: Use urcu-wait
* tests/rcutorture: Factor out thread registration
* tests/regression/rcutorture: Add wait state
* urcu-wait: Initialize node in URCU_WAIT_NODE_INIT
* Complete REUSE support
* extras/abi: license data files under CC-1.0
* examples: use SPDX identifiers
* tests: use SPDX identifiers
* src: use SPDX identifiers
* Public headers: use SPDX identifiers
* Build system: use SPDX identifiers
* Fix: urcu-wait: add missing futex.h include
* doc: update GCC baseline to 4.8
* doc: update FreeBSD tested version
* doc: Remove Solaris from tested platforms
* Revert "compiler.h: Introduce caa_unqual_scalar_typeof"
* rculfhash: Use caa_container_of_check_null in cds_lfht_entry
* compiler.h: Introduce caa_container_of_check_null
* compiler.h: Introduce caa_unqual_scalar_typeof
* Avoid calling caa_container_of on NULL pointer in cds_lfht macros
* Fix: revise urcu_read_lock_update() comment
* Fix: uatomic powerpc comment about lwsync
* fix: aarch64: allow RHEL7 gcc 4.8.5-11
* aarch64: Implement caa_cpu_relax as yield instruction
* fix: warning 'noreturn' function does return on ppc
* Fix: use __noreturn__ for C11-compatibility
* Adjust shell scripts to allow Bash in other locations
* Add support for OpenBSD
* Bump version to 0.15.0-pre
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 3 Jan 2025 14:21:20 +0000 (15:21 +0100)]
kbd: Update to version 2.7.1
- Update from version 2.6.4 to 2.7.1
- Update of rootfile
- Changelog
2.7.1
setfont:
Fixed regression in argument parsing. Allow arguments and options to
be mixed.
dumpkeys:
Fixed dumpkeys on pc and non-pc architectures. The value of keycode 0
has a special meaning, but on some architectures (like powerpc)
keyboards may generate keycode zero.
2.7.0
libkeymap:
Add API to get/set keymap keywords.
Export functions to convert the value to kernel code.
Fix double kbdfile open.
Dump action codes for keycode 0.
libkfont:
Fix buffer allocation for doubled font.
Check console mode.
keymaps:
Add hcesar layout, for portuguese speaking countries.
Update Colemak-DH keymaps with upstream changes.
sv-latin1.map: make Ctrl+AltGr+9 act as Ctrl+].
fonts:
Remove non-free Agafari fonts.
build-sys:
Use autoconf 2.72.
Do not substitute variables from configure.
Makefiles cleanup.
Fix build warning.
other:
Add configure option to control keymaps compression.
Update man pages.
Remove deprecated startup scripts.
Remove outdated docs.
Update translations (from translationproject.org)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 3 Jan 2025 14:21:19 +0000 (15:21 +0100)]
dbus: Update to version 1.16.0
- Update from version 1.14.10 to 1.16.0
- Update of rootfile
- Autotools has been removed from dbus so build converted to meson
- Changelog
1.16.0
Build system and dependencies:
• The Meson build system is the recommended way to build dbus on Unix.
This requires Meson 0.56 and Python 3.5.
· Projects that depend on libdbus can build it as a Meson subproject.
See tests/use-as-subproject/meson.build for suggested build options.
• CMake continues to be available as an alternative build system,
and is recommended on Windows. This requires CMake 3.10.
• A C99 compiler such as gcc, clang, or Visual Studio 2015 is required.
A C11 compiler such as gcc, clang, or Visual Studio 2019 is recommended.
• On platforms with larger-than-64-bit pointers, a C11 compiler is required
Behaviour changes:
• On Unix, the well-known system bus socket is in the runtime state
directory by default (normally /run)
(see 1.15.4 for more details)
• On Linux with systemd, dbus-daemon starts as the target user/group
(retaining CAP_AUDIT_WRITE) instead of starting as root and
dropping privileges
Feature removals:
• Autotools build system
• pam_console/pam_foreground integration
(Autotools --with-console-auth, CMake -DDBUS_CONSOLE_AUTH_DIR)
New features and significant bug fixes:
• ProcessFD in GetConnectionCredentials() on Linux
(see 1.15.8 for more details)
• On Unix, the system message bus now loads .service files from /etc and /run
• Use close_range() to close unwanted file descriptors or mark them
close-on-exec, if available
• Use 64-bit timestamps internally on 32-bit platforms, for Y2038 safety
• Use APIs that can return 64-bit timestamps and inode numbers on
32-bit glibc
• AF_UNIX sockets are available on sufficiently recent Windows
• dbus-send can send arrays of variants, variant values in dictionaries,
and nested variants
• Portability to CPU architectures with larger-than-64-bit pointers
Dependencies:
• Building with CMake now requires CMake ≥ 3.10.
Bug fixes:
• Avoid deprecation warnings with newer Meson versions
(dbus!507, Simon McVittie)
• Avoid deprecation warnings with newer CMake versions
(dbus#541, Ralf Habacker)
Tests and CI enhancements:
• When building with CMake, set the same environment variables as Meson.
This improves test coverage. (dbus#533, Ralf Habacker)
• Remove a remaining reference to Debian 11, which is EOL
(dbus!508, Simon McVittie)
1.15.92
Build-time configuration changes:
• When building with Meson, the embedded_tests option has been renamed
to intrusive_tests. This option adds test instrumentation in libdbus
and dbus-daemon, which reduces performance and is not secure.
For production builds of dbus in OS distributions, it must be false
(-Dintrusive_tests=false, which is the default)
During development, it should be set true (-Dintrusive_tests=true)
for full test coverage. (dbus#537, Simon McVittie)
• Similarly, when building with CMake, the DBUS_BUILD_TESTS option no
longer enables intrusive test instrumentation. A new option
-DDBUS_ENABLE_INTRUSIVE_TESTS=ON is equivalent to the Meson build
system's -Dintrusive_tests=true.
Bug fixes:
• If a DBusWatch callback fails because there is insufficient memory,
make sure to retry it within a finite time (dbus#536, Petr Malat)
• On macOS with launchd enabled, if the session bus launchd integration
is not correctly configured, don't treat that as a fatal error that
prevents connecting to the system bus (dbus#510, Mohamed Akram)
• If intrusive test instrumentation is enabled, older versions of dbus
would simulate an out-of-memory condition once per 2**32 allocations,
even if not specifically requested. This is no longer done.
(dbus#535, Simon McVittie)
• Fix compilation on non-Linux platforms with glibc, such as
Debian GNU/Hurd (dbus#539, Simon McVittie)
• Avoid test failures with non-trivial NSS modules, similar to dbus#256
(dbus#540, Simon McVittie)
• When built with CMake, make paths in DBus1Config relocatable
(dbus!499, Ralf Habacker)
1.15.90
Build-time configuration changes:
• The experimental Containers1 interface has been removed from this branch.
It is incomplete and not ready for production use, and has been
compile-time-disabled and impossible to enable without patching
since 1.13.20. To reduce confusion, delete the code completely.
It remains present on the git `master` branch for 1.17.x, and will
hopefully be reinstated during the 1.17.x cycle.
(dbus!488, dbus!490; Simon McVittie)
Bug fixes:
• Fix the Devhelp index for API documentation (dbus!486, Simon McVittie)
• Fix detection of socketpair() on Solaris 10 (dbus#531, Simon McVittie)
• Avoid undefined signed integer overflow when calculating hash table
indexes (dbus!487, Jami Kettunen)
1.15.12
Enhancements:
• D-Bus Specification 0.43:
· Recommend loading system services from /etc/dbus-1/system-services
and /run/dbus-1/system-services (dbus!467, Luca Boccassi)
· Reorganise documentation of the message bus to make it easier to add
new interfaces (dbus!472, Simon McVittie)
· Document o.fd.DBus.Debug.Stats interface (dbus!472, Simon McVittie)
· Document o.fd.DBus.Verbose interface (dbus!472, Simon McVittie)
· Formatting improvements (dbus!471, dbus!472; Simon McVittie)
· Don't imply that all clients need to support obsolete message bus
implementations (dbus!471, Simon McVittie)
• API design advice:
· Document typical approaches to emulating nullable types in the D-Bus
type system (dbus!446, Zeeshan Ali Khan)
• On Unix, additionally load system services from:
· /etc/dbus-1/system-services, reserved for use by either the local system
administrator, or software such as asset managers and configuration
management frameworks acting on their behalf
· /run/dbus-1/system-services, for ephemeral services
(dbus!467, Luca Boccassi)
Bug fixes:
• Increase file descriptor soft limit to hard limit before testing file
descriptor passing, and correctly skip the test for flooding the bus
with fds when the limit is too low, fixing test failures on Solaris
(dbus#176, Alan Coopersmith)
• When building API documentation with Doxygen, always generate a working
link in the index HTML page
(dbus#519, dbus!470; Ralf Habacker, Simon McVittie)
• When building with Meson, add (more) test dependencies so that 'meson test'
does not always need to be preceded by 'meson compile'
(dbus!468, Simon McVittie)
• When installing with Meson, don't fail if we are installing as root but
the user/group that will own the setuid dbus-daemon-launch-helper do not
yet exist (dbus#492, Jordan Williams)
• When building with Meson on Solaris, fix detection and build of
Solaris audit API integration
(dbus!477, Alan Coopersmith)
• Fix service activation timeouts when built with embedded tests (test
instrumentation) and run on a platform with a large file descriptor limit
(dbus#527, Simon McVittie)
• Fix test failures on platforms where deleting the current working
directory is not allowed, such as Solaris
(dbus!480, Alan Coopersmith)
Internal changes:
• CI fixes (dbus!474, Simon McVittie)
1.15.10
Build-time configuration changes:
• The Autotools build system has been removed. Its replacement is Meson.
(dbus#443, Ralf Habacker)
Enhancements:
• Use 64-bit timestamps internally.
This will allow 32-bit builds of libdbus to continue working after 2038
if there is OS-level support for 64-bit time_t, either opt-in
(as on 32-bit glibc systems) or by default. (dbus!444, Alexander Kanavin)
• When building with CMake, build more HTML documentation
(dbus#504, Ralf Habacker)
Bug fixes:
• Don't crash if configured to watch more than 128 directories with
inotify (dbus#481, hongjinghao)
• Never add (uid_t) -1, (gid_t) -1 or (pid_t) 0 to credentials
(dbus!464, Alyssa Ross)
• Fix a regression since 1.15.0 for "autolaunch:" on Windows
(dbus#503, Thomas Sondergaard)
• When building with Meson, don't use stdatomic.h if it exists but is
non-functional, for example under Visual Studio 2022
(dbus#494, Thomas Sondergaard)
• When building with Meson, add test dependencies so that 'meson test'
does not always need to be preceded by 'meson compile'
(dbus!465, Alyssa Ross)
• When building with Meson, really enable launchd if appropriate
(dbus!463, Alyssa Ross)
• In the test suite, use a more widely-implemented group name 'tty'
in preference to 'bin' (dbus#514, Alyssa Ross)
• Ensure that `dbus-test-tool spam` options cannot leave the payload
length uninitialized (dbus!469, Simon McVittie)
• Fix compiler warnings with gcc 14 (dbus!469, Simon McVittie)
Documentation:
• Clarify ownership transfer of pending call in
dbus_connection_send_with_reply() (dbus!455, Wiebe Cazemier)
• Explicitly document dbus-send exit status (dbus#452, Philip Withnall)
• Refer to d-spy in preference to unmaintaned D-Feet
(dbus!460, Ludovico de Nittis)
• Update URL to Bustle tool (dbus!460, Ludovico de Nittis)
Internal changes:
• Replace _dbus_string_append_int(), _dbus_string_append_uint() with
calls to _dbus_string_append_printf()
(dbus!445, Simon McVittie)
• Clean up unused macros in CMake build
(dbus!463, Alyssa Ross)
• Internal CI changes
(dbus#487, dbus#488, dbus#489, dbus#509;
Ralf Habacker, Simon McVittie)
1.15.8
Build-time configuration changes:
• For this version of dbus, Meson is the recommended build system for all
Unix platforms. CMake continues to be recommended for Windows, but this
recommendation might change to Meson in a future release, so please
test the Meson build. See INSTALL for details.
• Autotools-generated files are no longer included in the tarball release.
The Autotools build system is likely to be removed in a future dbus
release, so Autotools users should migrate to Meson as soon as possible.
It is still possible to build using Autotools, by following the same
procedure as for a git clone (starting with the `./autogen.sh` script).
Enhancements:
• D-Bus Specification 0.42:
· GetConnectionCredentials can return ProcessFD
(dbus!420, dbus!398; Luca Boccassi)
• On Linux with sufficiently new glibc and kernel headers, report a pinned
process file descriptor (pidfd) as the ProcessFD member of the
GetConnectionCredentials() result
(dbus!420, dbus!398; Luca Boccassi)
• On Linux with systemd, start as the target user/group (retaining
CAP_AUDIT_WRITE to preserve the ability to write to the audit log),
instead of starting as root and dropping privileges
(dbus!399, Luca Boccassi)
• On 32-bit glibc systems, opt-in to 64-bit timestamps if possible.
This will allow 32-bit builds of libdbus to continue working after 2038.
(dbus#465, Simon McVittie)
• On 32-bit glibc systems when built with CMake, also opt-in to large
file sizes, offsets and inode numbers, as was done for Autotools
since 1.12.x and Meson since the Meson build was introduced
(dbus#465, fd.o #93545; Simon McVittie)
• Avoid known dbus-daemon options being interpreted as optional arguments
(dbus#467, Xin Shi)
• If libdbus is a Meson subproject in a larger project, announce it as an
implementation of the dbus-1 dependency (dbus!415, Barnabás Pőcze)
• When built with CMake, get the version number from Meson instead of
Autotools, in preparation for the Autotools build system being removed
(dbus!382, Ralf Habacker)
• When built with Meson, disable some unwanted warnings when either
assertions or checks is disabled (dbus!412, Simon McVittie)
• Use C11 <stdatomic.h> if possible (dbus!431, Simon McVittie)
• Expand coverage of SPDX/REUSE copyright/license information
(dbus!427, Simon McVittie)
• On Linux, let dbus-daemon start up successfully (with a warning) if
inotify initialization fails, even if DBUS_FATAL_WARNINGS=1 is present
in the environment (dbus#473, Simon McVittie)
• On Unix, provide a better error message when looking up a user by name
or user ID fails (dbus!442, Simon McVittie)
Bug fixes:
• Avoid a dbus-daemon crash if re-creating a connection's policy fails.
If it isn't possible to re-create its policy (for example if it belongs
to a user account that has been deleted or if the Name Service Switch is
broken, on a system not supporting SO_PEERGROUPS), we now log a warning,
continue to use its current policy, and continue to reload other
connections' policies. (dbus#343; Peter Benie, Simon McVittie)
• If getting the groups from a user ID fails, report the error correctly,
instead of logging "(null)" (dbus#343, Simon McVittie)
• Return the primary group ID in GetConnectionCredentials()' UnixGroupIDs
field for processes with a valid-but-empty supplementary group list
(dbus!422, cptpcrd)
• `sudo meson install` without a DESTDIR is now possible, although
strongly discouraged on production systems (dbus#436, Simon McVittie)
• Fix a Meson deprecation warning (dbus#439, Simon McVittie)
Tests and CI enhancements:
• Internal CI changes
(dbus#455, dbus!414, dbus#468, dbus#469, dbus!424, dbus!430, dbus#436,
dbus#470; Ralf Habacker, Simon McVittie)
1.15.6
Denial-of-service fixes:
• Fix an assertion failure in dbus-daemon when a privileged Monitoring
connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
is active, and a message from the bus driver cannot be delivered to a
client connection due to <deny> rules or outgoing message quota. This
is a denial of service if triggered maliciously by a local attacker.
(dbus#457; hongjinghao, Simon McVittie)
Enhancements:
• Special-case reading pseudo-files from Linux /proc to take into
account the filesystem's unusual semantics (dbus!401, Luca Boccassi)
Other fixes:
• Fix compilation on compilers not supporting __FUNCTION__
(dbus!404, Barnabás Pőcze)
• Fix some memory leaks on out-of-memory conditions
(dbus!403, Barnabás Pőcze)
• Documentation:
· Update the README to recommend building with Meson
(dbus!402, Ahmed Abdelfattah)
· Fix syntax of a code sample in dbus-api-design
(dbus!396; Yen-Chin, Lee)
• CMake build fixes:
· Detect presence of <sys/syscall.h> (dbus!400, Luca Boccassi)
Tests and CI enhancements:
• Fix CI pipelines after freedesktop/freedesktop#540
(dbus!405, dbus#456; Simon McVittie)
• Ensure the messagebus user is created if necessary
(dbus#445, Ralf Habacker)
1.15.4
Dependencies:
• Building with CMake now requires CMake ≥ 3.9.
Build-time configuration changes:
• On Unix platforms, a path in the runtime state directory (often /run)
is now used for the well-known system bus socket by default. OS
distributors should check that the path used is equivalent to the
interoperable path /var/run/dbus/system_bus_socket, especially if
running on an OS where /var/run is not guaranteed to be a symbolic
link to /run.
(dbus#180; Issam E. Maghni, Simon McVittie)
· With Autotools, this is controlled by --runstatedir, which defaults
to ${localstatedir}/run but is often set to /run by OS distributors.
The path to the system bus socket can be overridden with the
--with-system-socket option if required.
· With CMake, this is controlled by the RUNSTATEDIR option, which has
behaviour similar to Autotools. There is no separate option for the
path to the system bus socket.
· With Meson, this is controlled by the runtime_dir option, which
defaults to /run if the installation prefix is set to /usr, or has
behaviour similar to Autotools otherwise. The path to the system bus
socket can be overridden with the system_socket option if required.
Denial of service fixes:
• Fix an incorrect assertion that could be used to crash dbus-daemon or
other users of DBusServer prior to authentication, if libdbus was compiled
with assertions enabled.
We recommend that production builds of dbus, for example in OS distributions,
should be compiled with checks but without assertions.
(dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)
Enhancements:
• D-Bus Specification 0.41:
· Clarify handling of /run vs. /var/run on Unix systems
(dbus#180, Simon McVittie)
• Add dbus_connection_set_builtin_filters_enabled(), intended to be called
by tools that use BecomeMonitor() such as dbus-monitor
(dbus#301, Kai A. Hiller)
• When using the Meson build system, dbus can now be used as a subproject.
To avoid colliding with a separate system copy of dbus, building it as a
static library with tests, tools and the message bus disabled is
strongly recommended. See test/use-as-subproject for sample code.
(dbus!368, dbus!388; Daniel Wagner)
Other fixes:
• When connected to a dbus-broker, stop dbus-monitor from incorrectly
replying to Peer method calls that were sent to the dbus-broker with
a NULL destination (dbus#301, Kai A. Hiller)
• Fix out-of-bounds varargs read in the dbus-daemon's config-parser.
This is not attacker-triggerable and appears to be harmless in practice,
but is technically undefined behaviour and is detected as such by
AddressSanitizer. (dbus!357, Evgeny Vereshchagin)
• Avoid a data race in multi-threaded use of DBusCounter
(dbus#426, Ralf Habacker)
• Fix a crash with some glibc versions when non-auditable SELinux events
are logged (dbus!386, Jeremi Piotrowski)
• If dbus_message_demarshal() runs out of memory while validating a message,
report it as NoMemory rather than InvalidArgs (dbus#420, Simon McVittie)
• Use C11 _Alignof if available, for better standards-compliance
(dbus!389, Khem Raj)
• Stop including an outdated copy of pkg.m4 in the git tree
(dbus!365, Simon McVittie)
• Meson build fixes:
· Use -fvisibility=hidden on Unix if supported, in particular on Linux
(dbus!383, dbus#437; Simon McVittie)
· Fix build on macOS, and any other platform that has
CLOCK_MONOTONIC but not pthread_condattr_setclock()
(dbus#419, Jordan Williams)
• Documentation:
· Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)
• Licensing:
· Use MIT license for some test files that did not previous specify a
license, with permission from their authors (dbus!359, Simon McVittie)
· Add more SPDX/REUSE license markers
(dbus!311, dbus!369, dbus!370, dbus!371, dbus!375, dbus!376;
Ralf Habacker, Simon McVittie)
· Correct syntax of some SPDX license markers (dbus!360, Ralf Habacker)
• Tests fixes:
· Fix an assertion failure in test-autolaunch-win
(dbus#422, Ralf Habacker)
· Expand test coverage under CMake (dbus!322, Ralf Habacker)
· Fix the test-apparmor-activation test after dbus#416
(dbus!380, Dave Jones)
Internal changes:
• Add static assertions for some things we assume about pointers
(dbus!345, Simon McVittie)
• Refactoring (dbus!356, dbus#430, dbus#431; Simon McVittie, Xin Shi)
• Fix CI builds with recent git versions (dbus#447, Simon McVittie)
• Build dbus with clang during CI (dbus!358, Evgeny Vereshchagin)
1.15.2
Behaviour changes:
• On Linux, dbus-daemon and other uses of DBusServer now create a
path-based Unix socket, unix:path=..., when asked to listen on a
unix:tmpdir=... address. This makes unix:tmpdir=... equivalent to
unix:dir=... on all platforms.
Previous versions would have created an abstract socket, unix:abstract=...,
in this situation.
This change primarily affects the well-known session bus when run via
dbus-launch(1) or dbus-run-session(1). The user bus, enabled by configuring
dbus with --enable-user-session and running it on a systemd system,
already used path-based Unix sockets and is unaffected by this change.
This behaviour change prevents a sandbox escape via the session bus socket
in sandboxing frameworks that can share the network namespace with the host
system, such as Flatpak.
This change might cause a regression in situations where the abstract socket
is intentionally shared between the host system and a chroot or container,
such as some use-cases of schroot(1). That regression can be resolved by
using a bind-mount to share either the D-Bus socket, or the whole /tmp
directory, with the chroot or container.
(dbus#416, Simon McVittie)
Denial of service fixes:
Evgeny Vereshchagin discovered several ways in which an authenticated
local attacker could cause a crash (denial of service) in
dbus-daemon --system or a custom DBusServer. In uncommon configurations
these could potentially be carried out by an authenticated remote attacker.
• An invalid array of fixed-length elements where the length of the array
is not a multiple of the length of the element would cause an assertion
failure in debug builds or an out-of-bounds read in production builds.
This was a regression in version 1.3.0.
(dbus#413, CVE-2022-42011; Simon McVittie)
• A syntactically invalid type signature with incorrectly nested parentheses
and curly brackets would cause an assertion failure in debug builds.
Similar messages could potentially result in a crash or incorrect message
processing in a production build, although we are not aware of a practical
example. (dbus#418, CVE-2022-42010; Simon McVittie)
• A message in non-native endianness with out-of-band Unix file descriptors
would cause a use-after-free and possible memory corruption in production
builds, or an assertion failure in debug builds. This was a regression in
version 1.3.0. (dbus#417, CVE-2022-42012; Simon McVittie)
Enhancements:
• D-Bus Specification 0.40 (dbus#416, Simon McVittie)
· Clarify that unix:tmpdir is not required to use abstract sockets,
even where supported
· Mention implications of abstract sockets for Linux namespacing
1.15.0
Dependencies:
• On platforms where a pointer is larger than 64 bits, dbus requires at
least a C11 compiler.
On other platforms, dbus now requires either a C99 compiler such as
gcc or clang, or Microsoft Visual Studio 2015 or later. Some workarounds
for pre-C99 environments are currently still present, but we plan to
remove them during this development cycle.
• Building with CMake now requires CMake ≥ 3.4.
• Building with Meson requires Meson ≥ 0.56 and Python ≥ 3.5.
Feature removal:
• Remove support for the obsolete pam_console and pam_foreground modules
(the Autotools --with-console-auth-dir= and CMake -DDBUS_CONSOLE_AUTH_DIR=
options, which have been deprecated since dbus 1.11.18).
(dbus#181, fd.o#101629)
Build-time configuration changes:
• Add a Meson build system. This is currently considered experimental,
but the intention is for it to replace Autotools and/or CMake in future
releases, preferably both. Please test!
(dbus!303, dbus!325; Félix Piédallu, Marc-André Lureau, Simon McVittie)
· This requires Meson 0.56 or newer, and Python 3.5 or newer.
· Expat can be built as a subproject using Meson's "wrap" mechanism,
if desired. This should make it considerably easier to build dbus
for Windows or other platforms without a library packaging system.
· GLib can also be built as a subproject using Meson's "wrap" mechanism,
if desired. This should make it considerably easier to build full
test coverage on Windows or other platforms without a library
packaging system.
• Please note that not all Meson build options correspond 1:1 to how
the closest equivalents in Autotools or CMake behave, and the Meson
build options are subject to change.
Distributors and developers evaluating the Meson build should check
that they are configuring dbus the way they intend to.
Enhancements:
• D-Bus Specification 0.39:
· Document how to represent internationalized domain names in D-Bus
names (dbus!324, Simon McVittie)
· Improve documentation of AF_UNIX sockets (Marc-André Lureau)
• On Unix, speed up closing file descriptors for subprocesses by using
closefrom() or close_range() where available
(dbus#278; rim, Simon McVittie)
• On Windows, dbus can now use AF_UNIX sockets, not just TCP.
This requires Windows 10 build 17063 or later at runtime,
and either Windows 10 SDK 17063 or mingw-w64 version 9.0.0 or later
at compile-time. (dbus!249, Marc-André Lureau)
• Teach dbus-send to handle variants in containers: arrays of variants,
variant values in dictionaries, and nested variants
(dbus!206, Frederik Van Bogaert)
• Detect programming errors with Windows mutexes if assertions are
enabled, similar to what we already did for pthreads mutexes
(dbus#369, Ralf Habacker)
• Move license text into LICENSES, and start to use SPDX markers
(Simon McVittie, Ralf Habacker)
Fixes:
• Portability to CPU architectures with larger-than-64-bit pointers
(dbus!335, dbus!318; Alex Richardson)
• Fix build failure on FreeBSD (dbus!277, Alex Richardson)
• Fix build failure on macOS with launchd enabled
(dbus!287, Dawid Wróbel)
• Preserve errno on failure to open /proc/self/oom_score_adj
(dbus!285, Gentoo#834725; Mike Gilbert)
• Improve dbus-launch --autolaunch so it can pick up an existing bus from
Linux XDG_RUNTIME_DIR or macOS launchd, even if X11 autolaunching was
disabled (dbus#385, dbus#392; Simon McVittie, Alex Richardson)
• Correctly escape AF_UNIX socket paths when converting them to D-Bus
address strings (dbus#405, Marc-André Lureau)
• On Linux, don't log warnings if oom_score_adj is read-only but does not
need to be changed (dbus!291, Simon McVittie)
• Slightly improve error-handling for inotify
(dbus!235, Simon McVittie)
• Don't crash if dbus-daemon is asked to watch more than 128 directories
for changes (dbus!302, Jan Tojnar)
• Silence various compiler warnings
(dbus!275, dbus!289, dbus!305, dbus!307, dbus!312, dbus!315;
Ralf Habacker, Simon McVittie, Alex Richardson, Marc-André Lureau)
• On Windows, use safer locking patterns for the system-global mutex used
to implement autolaunching (dbus#368, dbus#370; Ralf Habacker)
• Index dbus-arch-deps.h for API documentation when building out-of-tree
(dbus!312, Marc-André Lureau)
• Silence xmlto warnings when building man pages
(dbus!312, Marc-André Lureau)
• Fix build failure when checks are disabled but assertions are enabled
(dbus#412, Johannes Kauffmann)
• Use C99 flexible arrays in the memory pool implementation for better
support for modern compilers
(dbus!343, dbus!344; Alex Richardson, Simon McVittie)
• Autotools build system fixes:
· Don't treat --with-x or --with-x=yes as a request to disable X11,
fixing a regression in 1.13.20. Instead, require X11 libraries and
fail if they cannot be detected. (dbus!263, Lars Wendler)
· When a CMake project uses an Autotools-built libdbus in a
non-standard prefix, find dbus-arch-deps.h successfully
(dbus#314, Simon McVittie)
· Don't include generated XML catalog in source releases
(dbus!317, Jan Tojnar)
· Improve robustness of detecting gcc __sync atomic builtins
(dbus!320, Alex Richardson)
• CMake build system fixes:
· Detect endianness correctly, fixing interoperability with other D-Bus
implementations on big-endian systems (dbus#375, Ralf Habacker)
· Fix a race condition generating man pages and HTML documentation
(dbus#381, Ralf Habacker)
· When building for Unix, install session and system bus setup
in the intended locations
(dbus!267, dbus!297; Ralf Habacker, Alex Richardson)
· Detect setresuid() and getresuid() (dbus!319, Alex Richardson)
· Detect backtrace() on FreeBSD (dbus!281, Alex Richardson)
· Don't include headers from parent directory (dbus!282, Alex Richardson)
· Fix -Wunused-command-line-argument on FreeBSD
(dbus!278, Alex Richardson)
· Only add warning flags if the compiler supports them
(dbus!276, Alex Richardson)
· Distinguish between host and target TMPDIR when cross-compiling
(dbus!279, Alex Richardson)
· Improve compiler warning detection (dbus#387, Ralf Habacker)
· Allow TEST_SOCKET_DIR to be overridden (dbus!295, Ralf Habacker)
· Fix detection of atomic operations (dbus!306, Alex Richardson)
· Use DWARF 2 instead of STABS for debug symbols on Windows, for
compatibility with newer gcc versions (dbus!323, Marc-André Lureau)
· Fix use of paths relative to the dbus project directory when dbus is
vendored into a larger CMake project (dbus!332, Jordan Williams)
Tests and CI enhancements:
• Add an automated test for Windows autolaunching
(dbus#235, Ralf Habacker)
• Avoid compiler warnings in test code
(dbus#383, dbus!274, dbus!275; Simon McVittie, Ralf Habacker)
• Avoid LeakSanitizer warnings in test code
(dbus!326, Simon McVittie)
• Speed up a particularly slow unit test by a factor of 30
(dbus!328, Simon McVittie)
• On Unix, skip tests that switch uid if run in a container that is
unable to do so, instead of failing (dbus#407, Simon McVittie)
• On Unix, consistently create test sockets in DBUS_TEST_SOCKET_DIR and
not the build directory, allowing the build directory to be mounted with
a non-POSIX filesystem (dbus!334, Alex Richardson)
• Gitlab-CI improvements
(dbus#383, dbus#388, dbus!262, dbus!288, dbus!292, dbus!296, dbus!299,
dbus!301;
Ralf Habacker, Simon McVittie, Alex Richardson)
• Added FreeBSD Gitlab-CI build jobs
(dbus!280, dbus!347; Alex Richardson)
• Use the latest MSYS2 packages for CI
(Ralf Habacker, Simon McVittie)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 22 Jan 2025 21:07:00 +0000 (22:07 +0100)]
clamav: Update to version 1.4.2
- Update from version 1.4.1 to 1.4.2
- Update of rootfile
- Changelog
1.4.2
- [CVE-2025-20128](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20128):
Fixed a possible buffer overflow read bug in the OLE2 file parser that could
cause a denial-of-service (DoS) condition.
This issue was introduced in version 1.0.0 and affects all currently
supported versions. It will be fixed in:
- 1.4.2
- 1.0.8
Thank you to OSS-Fuzz for identifying this issue.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Wed, 15 Jan 2025 14:57:45 +0000 (14:57 +0000)]
openssl: Dynamically link zlib
The former way was to open libz.so whenever it was needed. This is
however not a very good solution and we will have trouble in dependency
tracking and discover any linking problems much later.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 25 Dec 2024 13:48:28 +0000 (14:48 +0100)]
nut: Update to enable collectd to find the nut files
- with-dev is required as a configure option to ensure that the package-config files
are installed during the build so that collectd can find the libupsclient library
files which are needed for the nut plugin.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 25 Dec 2024 13:48:27 +0000 (14:48 +0100)]
make.sh: Change of position for nut and dependant programs
- With nut enabled in collectd as a plugin (to match with apcupsd) then it had to be
moved to before collectd.
- netsnmpd is required by nut for one of its rootfiles and therefore has to stay before
nut.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 25 Dec 2024 13:48:26 +0000 (14:48 +0100)]
update.sh: Update to migrate rrd directories for collectd-5.x
- Not tested by myself but it uses the same code as in the backup.pl changes which were
tested and worked. So expectation is that they will work in the Core Update but this
will be able to be evaluated when the Testing Release is issued.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 25 Dec 2024 13:48:25 +0000 (14:48 +0100)]
backup.pl: Update to migrate rrd directories for collectd-5.x
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 25 Dec 2024 13:48:24 +0000 (14:48 +0100)]
graphs.pl: Update to names used by collectd-5.x
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 25 Dec 2024 13:48:22 +0000 (14:48 +0100)]
collectd: Update to version 5.12.0
- Update from version 4.10.9 to 5.12.0
- Update of rootfile
- Removal of the patches that were used for version 4.10.9. Checking these they have
either been included, are no longer applicable as the involved code is no longer
present or were changes specific to BSD or Solaris OS's or were related to plugins
that were not enabled on IPFire such as mysql.
- If anyone is aware of patches that should be applied to version 5.12.0 then let me
know.
- Updated the plugin lists to disable some that were enabled such as multimeter and
battery. We shouldn't need to use IPFire as a multimeter and it should not really
be running on a laptop in battery mode.
- Re-arranged the order of the plugins to make them alphabetical again.
- Added nut to the enabled plugins. apcupsd was already enabled but nut was not.
- Disabled making warnings into errors, updated the librrd directory and specified
the libgcrypt directory so that the build was successfull.
- collecvtd-5.x supports parallel builds
- copied the 4.x to 5.x migration program into IPFire. This is then used when restoring
older backups or for the update script for when collectd-5.12.0 is merged.
- The change set was installed on my vm and the graphs all worked as expected and got
updated. Doing a restore from an earlier backup with the 4.x format of files was
correctly migrated and installed.
- Changelog is rather large covering everything that has changed and been updated.
Details can be found at https://github.com/collectd/collectd/releases
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 21:41:05 +0000 (22:41 +0100)]
freeradius: Update to version 3.2.6
- Update from version 3.2.5 to 3.2.6
- Update of rootfile
- Changelog
3.2.6
Configuration changes
* require_message_authenticator=auto and limit_proxy_state=auto
are not applied for wildcard clients. This likely will
leave your network in an insecure state. Upgrade all clients!
Feature improvements
* Allow for "auth+acct" dynamic home servers.
* Allow for setting "Home-Server-Pool", etc. for proxying
accounting packets, just like authentication packets.
* Fix spelling in starent SN[1]-Subscriber-Acct-Mode attribute
value. Patch from John Thacker.
* Update dictionary.iea. Patch from John Thacker.
* Add warning for secrets that are too short.
* More debugging for SSL ciphers. Patch from Nick Porter.
* Update 3GPP dictionary. Patch from Nick Porter.
* Fix ZTE dictionary.
* Make radsecret more portable and avoid extra dependencies.
* Add timestamp for Client-Lost so we don't think it's 1970. Patch
from Alexander Clouter. #5353
Bug fixes
* Dynamic clients now inherit require_message_authenticator
and limit_proxy_state from dynamic client {...} definition.
* Fix radsecret build rules to better support parallel builds.
* Checkpoint systems should be reconfigured for the BlastRADIUS
attack: https://support.checkpoint.com/results/sk/sk182516
The Checkpoint systems drop packets containing Message-Authenticator,
which violates the RFCs and is completely ridiculous.
* Fix duplicate CoA packet issue. #5397
* Several fixes in the event code
* Don't leak memory in rlm_sql_sqlite. #5392
* Don't stop processing RadSec data too early.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 16 Jan 2025 17:19:10 +0000 (18:19 +0100)]
libxxhash: Update to version 0.8.3 and make available to rsync
- Update from version 0.8.2 to 0.8.3
- Update of rootfile
- Move libxxhash to before rsync in make.sh
- Changelog
0.8.3
- fix : variant `XXH3_128bits_withSecretandSeed()` could produce an invalid
result in some specific set of conditions, #894 by @hltj
- cli : vector extension detected at runtime on x86/x64, enabled by default
- cli : new commands `--filelist` and `--files-from`, by @Ian-Clowes
- cli : XXH3 64-bits GNU format can now be generated and checked (command `-H3`)
- portability: LoongArch SX SIMD extension, by @lrzlin
- portability: can build on AIX, suggested by @likema
- portability: validated for SPARC cpus
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 16 Jan 2025 17:19:09 +0000 (18:19 +0100)]
rsync: Update to version 3.4.1
- Update from version 3.3.0 to 3.4.1 as the previous patch which went from 3.3.0 to 3.4.0
has only been merged into CU190 and not into next where this patch is being done.
Not sure if this will cause problems or not. I updated the PAK_VER of rsynce from
19 to 21 so that it went over the PAK_VER of the version merged into CU190.
- If how I have done it is not the best or not correct just let me know how I should do
it and I will re-do it.
- Update of rootfile not required.
- Added in enabling xxhash as we have that available in IPFire as another addon.
- Ran rsync -V and confirmed that xxhash is now available to rsync.
- Changelog
3.4.1
Release 3.4.1 is a fix for regressions introduced in 3.4.0
BUG FIXES:
- fixed handling of -H flag with conflict in internal flag values
- fixed a user after free in logging of failed rename
- fixed build on systems without openat()
- removed dependency on alloca() in bundled popt
DEVELOPER RELATED:
- fix to permissions handling in the developer release script
3.4.0 (This was already in the previous patch that went from 3.3.0 to 3.4.0
Release 3.4.0 is a security release that fixes a number of important
vulnerabilities. For more details on the vulnerabilities please see the CERT
report https://kb.cert.org/vuls/id/952657
PROTOCOL NUMBER:
- The protocol number was changed to 32 to make it easier for
administrators to check their servers have been updated
SECURITY FIXES:
Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at
Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for
discovering these vulnerabilities and working with the rsync project
to develop and test fixes.
- CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
- CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
- CVE-2024-12086 - Server leaks arbitrary client files.
- CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
- CVE-2024-12088 - --safe-links Bypass.
- CVE-2024-12747 - symlink race condition.
BUG FIXES:
- Fixed the included popt to avoid a memory error on modern gcc versions.
- Fixed an incorrect extern variable's type that caused an ACL issue on macOS.
- Fixed IPv6 configure check
INTERNAL:
- Updated included popt to version 1.19.
DEVELOPER RELATED:
- Various improvements to the release scripts and git setup.
- Improved packaging/var-checker to identify variable type issues.
- added FreeBSD and Solaris CI builds
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 Jan 2025 15:08:22 +0000 (15:08 +0000)]
kernel: Strip modules
The kernel does not strip modules by default. This can be enabled by
passing INSTALL_MOD_STRIP=1 when installing the modules.
Since we are not actually building the kernel with debuginfo and we are
comressing the modules afterwards, there is not a huge saving on disk
space, but there is a small saving of memory when loading the modules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 8 Jan 2025 12:18:54 +0000 (13:18 +0100)]
fr.pl: Additional update to French translations for the optionsfw.cgi page
Reported-by: Phil SCAR <p27m@orange.fr> Fixes: Bug13800 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 6 Jan 2025 13:52:26 +0000 (14:52 +0100)]
speedtest-cli: Fix for bug13805 - error message if run on hour or half hour
- Created a self consistent patch set out of four patches on the speedtest-cli
github site. Slight changes needed in each to allow them to be successfully applied
in sequence.
- Additional comments added to top of the various patches.
- Tested out this modified package on my vm testbed and it fixes the bug of
speedtest-cli giving an error message if run on the hour or on the half hour. I
tested it out with the original system first and it failed with the error message
for 7 half hour tests. With this modified version it ran for 9 half hour slots with
no problems at all. Tested with the command being run via fcrontab.
- None of these patches have ben merged by the speedtest-cli github owner as the last
commit was July 2021 and the patches were proposed in Feb 2023. There has been no
resposne to anything on the speedtest-cli github site by the owner.
- I have reviewed all the patches and the content looks fine to me with no concerns
from a security point of view although it would be good to get feedback from
alternative eyes.
- Update of rootfile not required.
Fixes: Bug13805 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 21 Dec 2024 12:55:39 +0000 (13:55 +0100)]
clamav: Update to version 1.4.1
- Update from version 1.3.2 to 1.4.1
- Update of rootfile
- Changelog
1.4.1
ClamAV 1.4.1 is a critical patch release with the following fixes:
- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
Changed the logging module to disable following symlinks on Linux and Unix
systems so as to prevent an attacker with existing access to the 'clamd' or
'freshclam' services from using a symlink to corrupt system files.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to Detlef for identifying this issue.
- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
Fixed a possible out-of-bounds read bug in the PDF file parser that could
cause a denial-of-service (DoS) condition.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
'cgi' module that is expected to cause test failures in Python 3.13.
1.4.0
Major changes
- Added support for extracting ALZ archives.
The new ClamAV file type for ALZ archives is `CL_TYPE_ALZ`.
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable ALZ archive support.
> _Tip_: DCONF (Dynamic CONFiguration) is a feature that allows for some
> configuration changes to be made via ClamAV `.cfg` "signatures".
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1183)
- Added support for extracting LHA/LZH archives.
The new ClamAV file type for LHA/LZH archives is `CL_TYPE_LHA_LZH`.
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable LHA/LZH archive support.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1192)
- Added the ability to disable image fuzzy hashing, if needed. For context,
image fuzzy hashing is a detection mechanism useful for identifying malware
by matching images included with the malware or phishing email/document.
New ClamScan options:
```
--scan-image[=yes(*)/no]
--scan-image-fuzzy-hash[=yes(*)/no]
```
New ClamD config options:
```
ScanImage yes(*)/no
ScanImageFuzzyHash yes(*)/no
```
New libclamav scan options:
```c
options.parse &= ~CL_SCAN_PARSE_IMAGE;
options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH;
```
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable image fuzzy hashing support.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)
Other improvements
- Added cross-compiling instructions for targeting ARM64/aarch64 processors for
[Windows](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-windows-arm64.md)
and
[Linux](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-linux-arm64.md).
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1116)
- Improved the Freshclam warning messages when being blocked or rate limited
so as to include the Cloudflare Ray ID, which helps with issue triage.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1195)
- Removed unnecessary memory allocation checks when the size to be allocated
is fixed or comes from a trusted source.
We also renamed internal memory allocation functions and macros, so it is
more obvious what each function does.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1137)
- Improved the Freshclam documentation to make it clear that the `--datadir`
option must be an absolute path to a directory that already exists, is
writable by Freshclam, and is readable by ClamScan and ClamD.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1199)
- Added an optimization to avoid calculating the file hash if the clean file
cache has been disabled. The file hash may still be calculated as needed to
perform hash-based signature matching if any hash-based signatures exist that
target a file of the same size, or if any hash-based signatures exist that
target "any" file size.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1167)
- Added an improvement to the SystemD service file for ClamOnAcc so that the
service will shut down faster on some systems.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1164)
- Added a CMake build dependency on the version map files so that the build
will re-run if changes are made to the version map files.
Work courtesy of Sebastian Andrzej Siewior.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1294)
- Added an improvement to the CMake build so that the RUSTFLAGS settings
are inherited from the environment.
Work courtesy of liushuyu.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1301)
Bug fixes
- Silenced confusing warning message when scanning some HTML files.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1252)
- Fixed minor compiler warnings.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1197)
- Since the build system changed from Autotools to CMake, ClamAV no longer
supports building with configurations where bzip2, libxml2, libz, libjson-c,
or libpcre2 are not available. Libpcre is no longer supported in favor of
libpcre2. In this release, we removed all the dead code associated with those
unsupported build configurations.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1217)
- Fixed assorted typos. Patch courtesy of RainRat.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1228)
- Added missing documentation for the ClamScan `--force-to-disk` option.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)
- Fixed an issue where ClamAV unit tests would prefer an older
libclamunrar_iface library from the install path, if present, rather than
the recently compiled library in the build path.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1258)
- Fixed a build issue on Windows with newer versions of Rust.
Also upgraded GitHub Actions imports to fix CI failures.
Fixes courtesy of liushuyu.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)
- Fixed an unaligned pointer dereference issue on select architectures.
Fix courtesy of Sebastian Andrzej Siewior.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)
- Fixed a bug that prevented loading plaintext (non-CVD) signature files
when using the `--fail-if-cvd-older-than=DAYS` / `FailIfCvdOlderThan` option.
Fix courtesy of Bark.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1309)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 21 Dec 2024 12:55:08 +0000 (13:55 +0100)]
rust: Update to version 1.83.0
- Update from version 1.67.0 to 1.83.0
- Update x86_64, aarch64 & riscv64 rootfiles
- This version of rust hasd the fix to ensure that ruby builds okay with aarch64 &
riscv64. This required a fix to be applied to the LLVM and then for the updated
LLVM to be built into rust. That has occurred with this version.
- Tested out the build on aarch64 and riscv64 and confirmed that ruby built without
any problems with this version of rust.
- The update of rust required a range of updates of other rust crates plus the
inclusion of new crates and the pinning of some crates to older versions. This patch
set includes all the rust crate changes.
- The download-rust-crate script results in source tarballs that have a Cargo.toml.orig
file included in them. This is not allowed in the rust building so the rust-rand file
which is used as a template for the rust crate script has been modified to remove
this .orig file so that the build can complete.
- With this updated version of rust the clamav addon can also now be updated and so is
also included in this patch set.
- There are 29 rust crate changes.
- Changelog is too large to include here. Details can be found at
https://releases.rs/docs/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:17 +0000 (18:51 +0200)]
samba: Modification to disable cups for samba build and install
- As discussed at IPFire conf call on 7th Oct
- disable cups for the samba configure stage
- Update of rootfiles
- Update of samba.cgi to remove the printing of a printer share into the samba
configuration file.
- Tested out on vm system. Installed samba with only avahi, perl-Parse-Yapp, perl-JSON
and wsdd as dependencies. Installed without any problems. Existing share was able
to be accessed without any problems and a new share was created and was also able
to be accessed without problems.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:16 +0000 (18:51 +0200)]
perl-Imager: Removal of all tiff related lines in rootfile
- With removal of libtiff, the perl-Imager rootfile has to have tiff related lines
removed.
- perl-Imager works without the tiff lines in place. Only no tiff images will be able
to be processed by perl-Imager but that is not required for its use in IPFire.
- Tested out creating an OpenVPN connection with OTP enabled and the OTP QR code was
produced and able to be viewed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:15 +0000 (18:51 +0200)]
make.sh: All removed packages removed from make.sh
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:14 +0000 (18:51 +0200)]
qpdf: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:13 +0000 (18:51 +0200)]
poppler-data: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:12 +0000 (18:51 +0200)]
poppler: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:11 +0000 (18:51 +0200)]
openjpeg: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:10 +0000 (18:51 +0200)]
libtiff: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:09 +0000 (18:51 +0200)]
lcms2: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:08 +0000 (18:51 +0200)]
hplip: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:07 +0000 (18:51 +0200)]
gutenprint: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:06 +0000 (18:51 +0200)]
ghostscript: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:05 +0000 (18:51 +0200)]
foomatic: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
