Adolf Belka [Tue, 16 Aug 2022 10:42:15 +0000 (12:42 +0200)]
perl: Update to version 5.36.0
- Update from version 5.32.1 to 5.36.0
- Update of rootfile
- Changelog is too large to include here.
Version 5.34.0 can be found at https://perldoc.perl.org/5.34.0/perldelta
Version 5.34.1 can be found at https://perldoc.perl.org/5.34.1/perldelta
Version 5.36.0 can be found at https://perldoc.perl.org/5.36.0/perldelta
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 31 Aug 2022 21:00:21 +0000 (23:00 +0200)]
hplip: Update to version 3.22.6
- Update from version 3.22.4 to 3.22.6
- Update of rootfile
- Changelog
HPLIP 3.22.6 - This release has the following changes:
Added support for following new Distro's:
Mx Linux 21.1
Ubuntu 22.04
Fedora 36
Added support for the following new Printers:
HP Color LaserJet Managed MFP E785dn
HP Color LaserJet Managed MFP E78523dn
HP Color LaserJet Managed MFP E78528dn
HP Color LaserJet Managed MFP E786dn
HP Color LaserJet Managed MFP E786 Core Printer
HP Color LaserJet Managed MFP E78625dn
HP Color LaserJet Managed FlowMFP E786z
HP Color LaserJet Managed Flow MFP E78625z
HP Color LaserJet Managed MFP E78630dn
HP Color LaserJet Managed Flow MFP E78630z
HP Color LaserJet Managed MFP E78635dn
HP Color LaserJet Managed Flow MFP E78635z
HP LaserJet Managed MFP E731dn
HP LaserJet Managed MFP E731 Core Printer
HP LaserJet Managed MFP E73130dn
HP LaserJet Managed Flow MFP E731z
HP LaserJet Managed Flow MFP E73130z
HP LaserJet Managed MFP E73135dn
HP LaserJet Managed Flow MFP E73135z
HP LaserJet Managed MFP E73140dn
HP LaserJet Managed Flow MFP E73140z
HP Color LaserJet Managed MFP E877dn
HP Color LaserJet Managed MFP E877 Core Printer
HP Color LaserJet Managed MFP E87740dn
HP Color LaserJet Managed Flow MFP E877z
HP Color LaserJet Managed Flow MFP E87740z
HP Color LaserJet Managed MFP E87750dn
HP Color LaserJet Managed Flow MFP E87750z
HP Color LaserJet Managed MFP E87760dn
HP Color LaserJet Managed Flow MFP E87760z
HP Color LaserJet Managed MFP E87770dn
HP Color LaserJet Managed Flow MFP E87770z
HP LaserJet Managed MFP E826dn
HP LaserJet Managed MFP E826 Core Printer
HP LaserJet Managed MFP E82650dn
HP LaserJet Managed Flow MFP E826z
HP LaserJet Managed Flow MFP E82650z
HP LaserJet Managed MFP E82660dn
HP LaserJet Managed Flow MFP E82660z
HP LaserJet Managed MFP E82670dn
HP LaserJet Managed Flow MFP E82670z
HP LaserJet Managed MFP E730dn
HP LaserJet Managed MFP E73025dn
HP LaserJet Managed MFP E73030dn
HP LaserJet Pro MFP 3101fdwe
HP LaserJet Pro MFP 3101fdw
HP LaserJet Pro MFP 3102fdwe
HP LaserJet Pro MFP 3102fdw
HP LaserJet Pro MFP 3103fdw
HP LaserJet Pro MFP 3104fdw
HP LaserJet Pro MFP 3101fdne
HP LaserJet Pro MFP 3101fdn
HP LaserJet Pro MFP 3102fdne
HP LaserJet Pro MFP 3102fdn
HP LaserJet Pro MFP 3103fdn
HP LaserJet Pro MFP 3104fdn
HP LaserJet Pro 3001dwe
HP LaserJet Pro 3001dw
HP LaserJet Pro 3002dwe
HP LaserJet Pro 3002dw
HP LaserJet Pro 3003dw
HP LaserJet Pro 3004dw
HP LaserJet Pro 3001dne
HP LaserJet Pro 3001dn
HP LaserJet Pro 3002dne
HP LaserJet Pro 3002dn
HP LaserJet Pro 3003dn
HP LaserJet Pro 3004dn
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 11 Aug 2022 12:29:21 +0000 (14:29 +0200)]
fmt: Convert from build only to run time also for mpd
- libfmt required in run time by mpd
- mpd changelog specifically said fmt was a build only dependency
- Bug#12909 flagged up that fmt was also a run time dependency for mpd
Fixes: Bug#12909
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 6 Aug 2022 07:17:47 +0000 (07:17 +0000)]
vpnmain.cgi: Mark MODP-1536 as broken, phase out MODP-2048
https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf (released in
2015) recommends "to use primes of 2048 bits or larger", to which BSI's
technical guideline BSI-TR-02102 (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102.pdf?__blob=publicationFile&v=5)
concurs. The latter also recommends not to use DH groups of fewer than
2000 bits after 2022, and to shift to 3000 bit DH groups earlier as a
precaution.
According to RFC 3526, section 8, MODP-1536 provides an estimated
security between 90 and 120 bits, a value that can be reasonably
considered broken today, as it has been so for other types of
cryptographic algorithms already, and per section 2.4 in the
aforementioned paper, breaking 1024-bit DH is considered feasible for
the NSA in 2015, which does not inspire confidence for MODP-1536 in
2022.
Therefore, this patch suggests to mark MODP-1536 as broken, since it
de facto is, and tag MODP-2048 as weak. The latter is also removed from
the default selection, so newly created VPN connections won't use it
anymore, to follow BSI's recommendations of using DH groups >= 3000 bits
in 2022 and later.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
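The commit above classifies IKE Diffie-Hellman groups by modulus size but does not show the rule in code. The following script is an added example, not IPFire's vpnmain.cgi: it parses proposal strings in the strongSwan "enc-integ-dh" syntax (an assumption; e.g. "aes256-sha2_256-modp3072") and applies the thresholds the commit derives from BSI TR-02102 (MODP-1536 and smaller broken, below 3000 bits weak, 3000 bits or more acceptable). The RFC 3526 section 8 strength table is included for reference; the commit quotes only its 1536-bit row. Elliptic-curve groups are reported but not graded, because their strength is not a function of modulus length.

```python
"""Classify the MODP Diffie-Hellman groups in IKE/ESP proposal strings.

Added example for the vpnmain.cgi commit above; it is not IPFire code.
Assumptions: proposals use strongSwan's "enc-integ-dh" syntax separated by
commas (e.g. "aes256-sha2_256-modp3072"), and the thresholds are the ones
the commit derives from BSI TR-02102: MODP-1536 and smaller are broken,
anything below 3000 bits is weak, 3000 bits or more is acceptable.
"""
import re
from typing import Dict, List, Optional, Tuple

# Strength estimates (bits) from RFC 3526 section 8 for the groups it defines.
# The commit quotes only the 1536 row; the other rows are from the same table.
RFC3526_STRENGTH: Dict[int, Tuple[int, int]] = {
    1536: (90, 120), 2048: (110, 160), 3072: (130, 210),
    4096: (150, 240), 6144: (170, 270), 8192: (190, 310),
}

BROKEN_MAX_BITS = 1536   # the commit marks MODP-1536 as broken
WEAK_BELOW_BITS = 3000   # BSI TR-02102: use >= 3000-bit groups from 2022 on

# "modp2048", and the RFC 5114 subgroup variants such as "modp2048s256".
_MODP = re.compile(r"^modp(\d+)(?:s\d+)?$")
# Elliptic-curve group names as strongSwan spells them (assumed).
_ECC = re.compile(r"^(ecp\d+(?:bp)?|curve25519|curve448)$")


def classify_modp(bits: int) -> str:
    """Map a finite-field DH modulus size to broken / weak / ok."""
    if bits <= BROKEN_MAX_BITS:
        return "broken"
    if bits < WEAK_BELOW_BITS:
        return "weak"
    return "ok"


def dh_group(proposal: str) -> Optional[str]:
    """Return the DH-group token of one proposal, or None if it has none."""
    for token in proposal.split("-"):
        if _MODP.match(token) or _ECC.match(token):
            return token
    return None


def audit_proposals(proposals: str) -> List[Tuple[str, str]]:
    """Verdict per comma-separated proposal.

    Verdicts: broken / weak / ok for MODP groups, "not-modp" for
    elliptic-curve groups (not assessed here), and "none" for proposals
    that carry no DH group at all (e.g. ESP without PFS).  Only the DH
    group is graded; cipher and integrity choices are out of scope.
    """
    out: List[Tuple[str, str]] = []
    for prop in filter(None, (p.strip() for p in proposals.split(","))):
        grp = dh_group(prop)
        if grp is None:
            verdict = "none"
        elif (m := _MODP.match(grp)):
            verdict = classify_modp(int(m.group(1)))
        else:
            verdict = "not-modp"
        out.append((prop, verdict))
    return out


def prune_for_defaults(proposals: str) -> str:
    """Drop weak and broken MODP proposals, mirroring what the commit does
    for the default selection offered to newly created connections."""
    keep = [p for p, v in audit_proposals(proposals) if v not in ("weak", "broken")]
    return ",".join(keep)


if __name__ == "__main__":
    # Constructed sample proposal list, not taken from any real configuration.
    sample = "aes256-sha2_512-modp4096,aes256-sha2_256-modp2048,3des-sha1-modp1536"
    for prop, verdict in audit_proposals(sample):
        grp = dh_group(prop)
        m = _MODP.match(grp) if grp else None
        est = RFC3526_STRENGTH.get(int(m.group(1))) if m else None
        print(f"{prop:40s} {verdict:8s} RFC 3526 estimate: {est}")
    print("defaults:", prune_for_defaults(sample))
```

Run it against the proposal lists your IKE daemon actually advertises; anything graded "weak" should be removed from defaults and anything "broken" removed outright, which is exactly the split the commit applies to MODP-2048 and MODP-1536.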
Michael Tremer [Mon, 8 Aug 2022 20:27:42 +0000 (20:27 +0000)]
flash-images: Drop 2gb-ext4 from image filename
This is now being dropped since the image won't fit onto a 2GB device
any more and since there is only one type of image, we don't need to
state the filesystem type.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Mon, 1 Aug 2022 17:39:59 +0000 (17:39 +0000)]
linux: Do not allow slab caches to be merged
From the kernel documentation:
> For reduced kernel memory fragmentation, slab caches can be
> merged when they share the same size and other characteristics.
> This carries a risk of kernel heap overflows being able to
> overwrite objects from merged caches (and more easily control
> cache layout), which makes such heap attacks easier to exploit
> by attackers. By keeping caches unmerged, these kinds of exploits
> can usually only damage objects in the same cache. [...]
Thus, it is more sane to leave slab merging disabled. KSPP and ClipOS
recommend this as well.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://www.nano-editor.org/news.php
"Changes between v6.3 and v6.4:
------------------------------
Benno Schulenberg (24):
bump version numbers and add a news item for the 6.4 release
display: remember text and column positions when softwrapping a line
docs: concisely describe how the linter behaves
docs: remove the two notices about the changed defaults
docs: rename README.GIT to README.hacking, so it's clearer what is meant
docs: stop mentioning the obsoleted keywords that were removed
files: designate the root directory with a simple "/", not with "//"
formatter: instead of leaving curses, use full_refresh() to wipe messages
gnulib: update to its current upstream state
help: reshuffle two shortcuts so that more help-line items are paired
options: stop accepting -z, as --suspendable has been dropped too
rcfile: remove five obsolete or deprecated keywords
syntax: default: do not colorize a square or angle bracket after a URL
syntax: perl: add missing keywords, and reduce the length of some lines
syntax: python: mention an alternative linter in a comment
tweaks: add a missing word to a news item
tweaks: add a translator hint
tweaks: improve a comment, and reshuffle two functions plus some lines
tweaks: put each regex on separate line, to better show many keywords
tweaks: rename a variable, to not be the same as a function name
tweaks: rename two variables, to not contain the name of another
tweaks: reshuffle a description and rewrap another
tweaks: reshuffle a few lines, to group things better
version: condense the copyright message, to not dominate the output
LIU Hao (1):
build: ignore errors from `git describe`"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Jon Murphy [Fri, 5 Aug 2022 02:38:11 +0000 (21:38 -0500)]
netatalk: update to 3.1.13
- this release fixes the following major security issues:
CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123,
CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194.
- FIX: afpd: make a variable declaration a definition
- UPD: Remove bundled libevent
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Tue, 2 Aug 2022 09:20:48 +0000 (11:20 +0200)]
borgbackup: Fix Bug#12611 by adding fuse mount capability with pyfuse3
- The addition of pyfuse3 requires a total of 11 python3 module dependencies and the
addition of python3-Cython during the build
- The other dependencies etc are submitted in the rest of this patch series.
Fixes: Bug#12611
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Peter Müller [Mon, 1 Aug 2022 17:18:07 +0000 (17:18 +0000)]
linux: Randomize layout of sensitive kernel structures
To quote from the kernel documentation:
> If you say Y here, the layouts of structures that are entirely
> function pointers (and have not been manually annotated with
> __no_randomize_layout), or structures that have been explicitly
> marked with __randomize_layout, will be randomized at compile-time.
> This can introduce the requirement of an additional information
> exposure vulnerability for exploits targeting these structure
> types.
>
> Enabling this feature will introduce some performance impact,
> slightly increase memory usage, and prevent the use of forensic
> tools like Volatility against the system (unless the kernel
> source tree isn't cleaned after kernel installation).
>
> The seed used for compilation is located at
> scripts/gcc-plgins/randomize_layout_seed.h. It remains after
> a make clean to allow for external modules to be compiled with
> the existing seed and will be removed by a make mrproper or
> make distclean.
>
> Note that the implementation requires gcc 4.7 or newer.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 3 Aug 2022 10:27:23 +0000 (10:27 +0000)]
GnuTLS: Update to 3.7.7
Please refer to https://lists.gnupg.org/pipermail/gnutls-help/2022-July/004746.html
for the release notes of this version, and https://www.gnutls.org/security-new.html#GNUTLS-SA-2022-07-07
for the accompanying security advisory.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Tue, 2 Aug 2022 14:17:21 +0000 (14:17 +0000)]
mpd: Update to 0.23.8
Full changelog since version 0.23.6:
ver 0.23.8 (2022/07/09)
* storage
- curl: fix crash if web server does not understand WebDAV
* input
- cdio_paranoia: fix crash if no drive was found
- cdio_paranoia: faster cancellation
- cdio_paranoia: don't scan for replay gain tags
- pipewire: fix playback of very short tracks
- pipewire: drop all buffers before manual song change
- pipewire: fix stuttering after manual song change
- snapcast: fix busy loop while paused
- snapcast: fix stuttering after resuming playback
* mixer
- better error messages
- alsa: fix setting volume before playback starts
- pipewire: fix crash bug
- pipewire: fix volume change events with PipeWire 0.3.53
- pipewire: don't force initial volume=100%
* support libfmt 9
ver 0.23.7 (2022/05/09)
* database
- upnp: support pupnp 1.14
* decoder
- ffmpeg: fix HLS seeking
- opus: fix missing song length on high-latency files
* output
- shout: require at least libshout 2.4.0
* mixer
- pipewire: fix volume restore
- software: update volume of disabled outputs
* support libiconv
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 1 Aug 2022 15:55:06 +0000 (15:55 +0000)]
git: Update to 2.37.1
Please refer to
- https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.37.0.txt
- https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.37.1.txt
for the changes since 2.36.1.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 1 Aug 2022 15:57:08 +0000 (15:57 +0000)]
NRPE: Update to 4.1.0
Full changelog:
4.1.0 - 2022-07-18
ENHANCEMENTS
Add support for OpenSSL 3 (and EL9/Debian 11/Ubuntu 22)
Allow tcpd/libwrap to be excluded from build when present on the system
Allow loading of full certificate chains
Change -u (connection issues return UNKNOWN) to include all SSL-layer failures.
Disable renegotiation and enforce server cipher order when using SSL
Verify that private keys match certificates when using SSL
FIXES
Fixed incorrect default for nasty_metachars in nrpe.cfg
Fixed incorrect help text for --use-adh
Fixed potential out-of-bound read when used with IPv6
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Mon, 1 Aug 2022 16:02:11 +0000 (18:02 +0200)]
parted: Update LFS to reflect that parted is no longer an addon
- In 2018 parted was moved from being an addon to being a core program
- The rootfile was moved from rootfiles/packages/ to rootfiles/common/
- The LFS was not updated to remove the PAK_VER etc elements.
- This patch adjusts the LFS file to be in line with being a core program
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
"Features
Merge #718: Introduce infra-cache-max-rtt option to config max retransmit timeout.
Bug Fixes
Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing
for one loop pass'.
Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT
on outbound tcp sockets.
Fix verbose EDE error printout.
Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest cross-compiler versions.
Merge PR 714: Avoid treat normal hosts as unresponsive servers. And fixup the lock code.
iana portlist update.
Update documentation for 'outbound-msg-retry:'.
Tests for ghost domain fixes."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 11 Jul 2022 15:07:22 +0000 (15:07 +0000)]
linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
> Significance: Critical
>
> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
> the physical address at which the kernel image is decompressed and the virtual
> address where the kernel image is mapped as a security feature that deters
> exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things
may have been improved, so let's give this low-hanging fruit another
try.
Fixes: #12363
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
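Three of the kernel commits on this page (slab caches not merged, randomised layout of sensitive structures, and CONFIG_RANDOMIZE_BASE on aarch64) each turn one Kconfig knob, and the practical question for anyone running the resulting kernel is whether all three actually took effect. The script below is an added example, not IPFire build code: it audits a .config (plain or /proc/config.gz) and an optional kernel command line for those three settings. The symbol names are my assumptions for the kernels involved: CONFIG_SLAB_MERGE_DEFAULT for the merge default, CONFIG_GCC_PLUGIN_RANDSTRUCT up to 5.17 and CONFIG_RANDSTRUCT_FULL from 5.18, CONFIG_RANDOMIZE_BASE for KASLR, plus the slab_nomerge / slab_merge boot parameters that override the compiled-in merge default at runtime.

```python
"""Audit a kernel .config (plus optionally /proc/cmdline) for the three
hardening settings discussed in the commits above: slab cache merging off,
structure layout randomisation on, and KASLR (CONFIG_RANDOMIZE_BASE) on.

Added example, not IPFire build code.  The Kconfig symbol names are what I
am assuming for the relevant kernels: CONFIG_GCC_PLUGIN_RANDSTRUCT up to
5.17 and CONFIG_RANDSTRUCT_FULL from 5.18, CONFIG_SLAB_MERGE_DEFAULT for the
merge default, and the slab_nomerge / slab_merge boot parameters that
override that default at runtime.
"""
import gzip
import re
import sys
from typing import Dict, Tuple

SLAB = "slab caches never merged"
RANDSTRUCT = "struct layout randomisation"
KASLR = "KASLR (CONFIG_RANDOMIZE_BASE)"

# (check name, candidate symbols newest first, wanted value).  The first
# candidate symbol present in the config decides the verdict.
CHECKS = [
    (SLAB,       ["CONFIG_SLAB_MERGE_DEFAULT"], "n"),
    (RANDSTRUCT, ["CONFIG_RANDSTRUCT_FULL", "CONFIG_GCC_PLUGIN_RANDSTRUCT"], "y"),
    (KASLR,      ["CONFIG_RANDOMIZE_BASE"], "y"),
]

_SET = re.compile(r"^(CONFIG_[A-Z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Z0-9_]+) is not set$")


def parse_config(text: str) -> Dict[str, str]:
    """Map CONFIG_* symbols to values; '# X is not set' lines become 'n'."""
    opts: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _SET.match(line)):
            opts[m.group(1)] = m.group(2).strip('"')
        elif (m := _UNSET.match(line)):
            opts[m.group(1)] = "n"
    return opts


def audit(config_text: str, cmdline: str = "") -> Dict[str, Tuple[bool, str]]:
    """Return {check name: (passed, explanation)}."""
    opts = parse_config(config_text)
    results: Dict[str, Tuple[bool, str]] = {}
    for name, symbols, wanted in CHECKS:
        found = [s for s in symbols if s in opts]
        if not found:
            # Absent is a failure: the setting cannot be shown to be in effect.
            results[name] = (False, "none of %s present in config" % "/".join(symbols))
            continue
        sym, val = found[0], opts[found[0]]
        results[name] = (val == wanted, f"{sym}={val}, wanted {wanted}")
    # The boot command line overrides the compiled-in slab merge default.
    params = cmdline.split()
    if "slab_nomerge" in params:
        results[SLAB] = (True, "slab_nomerge on the kernel command line")
    elif "slab_merge" in params:
        results[SLAB] = (False, "slab_merge on the kernel command line re-enables merging")
    return results


# Constructed sample, not a real IPFire .config excerpt.
SAMPLE_CONFIG = """\
CONFIG_SLUB=y
# CONFIG_SLAB_MERGE_DEFAULT is not set
CONFIG_GCC_PLUGIN_RANDSTRUCT=y
CONFIG_RANDOMIZE_BASE=y
"""


def read_config(path: str) -> str:
    """Read a plain or gzip-compressed .config (e.g. /proc/config.gz)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return fh.read()


if __name__ == "__main__":
    # usage: audit.py [/path/to/.config|/proc/config.gz] [/proc/cmdline]
    if len(sys.argv) > 1:
        text = read_config(sys.argv[1])
        cmd = open(sys.argv[2]).read() if len(sys.argv) > 2 else ""
    else:
        text, cmd = SAMPLE_CONFIG, ""
    for name, (ok, why) in audit(text, cmd).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {why}")
```

Passing the command line matters for the slab check: a kernel built with merging on is still safe on a box that boots with slab_nomerge, and a kernel built with merging off is undone by slab_merge, so the script lets the runtime parameter win over the build default. A missing symbol is reported as a failure rather than silently assumed off, since on a kernel that lacks the option the hardening is simply not there.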