Michael Tremer [Fri, 5 Jul 2024 08:21:10 +0000 (08:21 +0000)]
make.sh: Create all bind-mounts as read-only where possible
This way, the build environment can no longer modify any source any
more. This was not a huge integrity problem before as Git would have
shown differences, but it might cause damage to the build system which
need to manually be recovered.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 4 Jul 2024 17:06:07 +0000 (17:06 +0000)]
make.sh: Remove the fragile cleanup code
Since we now mount everything in a new namespace, there is no need to
clean up ourselves. This will be done when the last process leaves the
namespace.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 8 Jul 2024 11:48:42 +0000 (13:48 +0200)]
squid: Comment out access.log in rootfile
- Everytime an update has been done on squid the access.log file has been replaced with an
empty file, losing whatever messages have been in the log.
- This has been the case since squid was implemented in IPFire.
- Update of rootfile to comment out var/log/squid/access.log
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.61
"Changes with Apache 2.4.61
*) SECURITY: CVE-2024-39884: Apache HTTP Server: source code
disclosure with handlers configured via AddType (cve.mitre.org)
A regression in the core of Apache HTTP Server 2.4.60 ignores
some use of the legacy content-type based configuration of
handlers. "AddType" and similar configuration, under some
circumstances where files are requested indirectly, result in
source code disclosure of local content. For example, PHP
scripts may be served instead of interpreted.
Users are recommended to upgrade to version 2.4.61, which fixes
this issue."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 8 Jul 2024 11:41:11 +0000 (13:41 +0200)]
samba: Update to version 4.20.2
- Update from version 4.20.1 to 4.20.2
- Update of rootfile for both x86_64 and aarch64
- After doing a grep into the config directories I realised that the xxxMACHINExxx phrase
is only added into rootfiles in the main common or package directories and not in the
x86_64 and aarch64
- In the past I have submitted the samba rootfile with x86_64 replaced by xxxMACHINExxx.
It seems to have worked, so the replacement probably occurs even in the architecture
specific directories but it doesn't need to be used there as the directory is clearly
only for that one architecture.
- Changelog
4.20.2
* BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.
* BUG 13213: Samba build is not reproducible.
* BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
function.
* BUG 15625: Many qsort() comparison functions are non-transitive, which can
lead to out-of-bounds access in some circumstances.
* BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
bill.
* BUG 15654: We have added new options --vendor-name and --vendor-patch-
revision arguments to ./configure to allow distributions and packagers to
put their name in the Samba version string so that when debugging Samba the
source of the binary is obvious.
* BUG 15665: CTDB RADOS mutex helper misses namespace support.
* BUG 13019: Dynamic DNS updates with the internal DNS are not working.
* BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
SysvolReady=0.
* BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
Windows Server 2022).
* BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
* BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd
can't use nmb requests instead cldap.
* BUG 15642: winbindd, net ads join and other things don't work on an ipv6
only host.
* BUG 15659: Segmentation fault when deleting files in vfs_recycle.
* BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
* BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
machine account.
* BUG 15435: Regression DFS not working with widelinks = true.
* BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
* BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted
domain lookups.
* BUG 15660: The images don't build after the git security release and CentOS
8 Stream is EOL.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 4 Jul 2024 15:39:10 +0000 (15:39 +0000)]
vectorscan: Build as a fat library
The build system defaults to building the library for the host system
and therefore uses instructions that might not be available on the
target system.
This patch changes that we will build the library so that it will choose
the most optimised functions at runtime.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 2 Jul 2024 09:25:09 +0000 (09:25 +0000)]
OpenSSH: Ship the entire suite of helper programs
The SSH daemon has been split into a listener and session daemon to have
a smaller attack vector since the listener does not need to implement
the SSH protocol.
In order to keep SSH working, we need to ship the session daemon, too.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 1 Jul 2024 19:47:36 +0000 (21:47 +0200)]
openssh: Update to version 9.8p1
- Update from version 9.7p1 to 9.8p1
- Update of rootfile
- Changelog
9.8p1
-There is a fix for CVE-2024-6387
-The number of changes is too large to show all here. As well as the CVE fix and
another security related fix there are a log of bug fixes as well. The details can
seen at https://www.openssh.com/txt/release-9.8
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Fri, 28 Jun 2024 08:32:33 +0000 (10:32 +0200)]
suricata: Update to 7.0.6
Excerpt from changelog:
"7.0.6 -- 2024-06-26
Security #7042: defrag: id reuse can lead to invalid reassembly (7.0.x backport)(CVE 2024-37151)
Security #7105: http2: oom from duplicate headers (7.0.x backport)
Security #7033: http/range: segv when http.memcap is reached (7.0.x backport)
Security #6988: modbus: txs without responses are never freed (7.0.x backport)
Bug #7107: packet: app-layer-events incorrectly used on recycled packets (7.0.x backport)
Bug #7064: util/radix-tree: Possible dereference of nullptr in case of unsuccess allocation of memory for node (7.0.x backport)
Bug #7063: smtp/mime: data command rejected by pipelining server does not reset data mode (7.0.x backport)
Bug #7060: smtp: split name logged as 2 names (7.0.x backport)
Bug #7050: af-packet: failure to start up on many threads plus high load (7.0.x backport)
Bug #7043: Crasher in HTTP chunked / StreamingBuffer (7.0.x backport)
Bug #7038: pcap/log: MacOS rotates file well before limit is reached (7.0.x backport)
Bug #7035: time: in offline mode, time can stay behind at pcap start (7.0.x backport)
Bug #7023: unix-socket: iface-bypassed-stat crash (7.0.x backport)
Bug #7021: unix-socket: hostbit commands don't properly release host (7.0.x backport)
Bug #7015: rust: build with rust 1.78 with slice::from_raw_parts now requiring the pointer to be non-null (7.0.x backport)
Bug #6990: tls.random buffers don't work as expected (7.0.x backport)
Bug #6986: iprep: rule with '=,0' can't match (7.0.x backport)
Bug #6975: detect: log relevant frames app-layer metdata (7.0.x backport)
Bug #6950: decode/ppp: decoder.event.ppp.wrong_type on valid packet (7.0.x backport)
Bug #6897: detect/port: upper boundary ports are not correctly handled (7.0.x backport)
Bug #6895: detect/port: port grouping does not happen correctly if gap between a single and range port (7.0.x backport)
Bug #6862: Lightweight rules profiling: crash when profiling ends (7.0.x backport)
Bug #6848: alerts: wrongly using tx id 0 when there is no tx (7.0.x backport)
Bug #6845: coverity: warning in port grouping code (7.0.x backport)
Bug #6844: detect/port: port ranges are incorrect when a port is single as well as a part of range (7.0.x backport)
Bug #6690: Ethernet src should match src ip (7.0.x backport)
Bug #6520: detect-engine/port: recursive DetectPortInsert calls are expensive (7.0.x backport)
Optimization #6830: detect/port: port grouping is quite slow in worst cases (7.0.x backport)
Optimization #6829: detect/port: PortGroupWhitelist fn takes a lot of processing time (7.0.x backport)
Feature #7010: JA4 support for TLS and QUIC (7.0.x backport)
Feature #6557: Capability to have rules profiling on pcap run (7.0.x backport)
Documentation #6910: userguide: document how to verify tar.gz signature (7.0.x backport)
Documentation #6687: docs: port userguide build instruction changes from master-6.0.x (7.0.x backport)
Documentation #6601: docs: update eBPF installation instructions (7.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 26 Jun 2024 15:35:18 +0000 (17:35 +0200)]
nano: Update to 8.0
For details see:
https://www.nano-editor.org/news.php
"2024 May 1 - GNU nano 8.0 "Grus grus"
By default ^F is bound to starting a forward search, and ^B to
starting a backward search, while M-F and M-B repeat the search
in the corresponding direction. (See the documentation if you
want the old bindings back.)
Command-line option --modernbindings (-/) makes ^Q quit, ^X cut,
^C copy, ^V paste, ^Z undo, ^Y redo, ^O open a file, ^W write a file,
^R replace, ^G find again, ^D find again backwards, ^A set the mark,
^T jump to a line, ^P show the position, and ^E execute.
Above modern bindings are activated also when the name of
nano's executable (or a symlink to it) starts with the letter "e".
To open a file at a certain line number, one can now use also
nano filename:number, besides nano +number filename.
<Alt+Home> and <Alt+End> put the cursor on the first and last
row in the viewport, while retaining the horizontal position.
When the three digits in an #RGB color code are all the same,
the code is mapped to the xterm grey scale, giving access to
fourteen levels of grey instead of just four.
For easier access, M-" is bound to placing/removing an anchor,
and M-' to jumping to the next anchor.
Whenever an error occurs, the keystroke buffer is cleared, thus
stopping the execution of a macro or a string bind.
The mousewheel scrolls the viewport instead of moving the cursor."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Tue, 25 Jun 2024 22:39:31 +0000 (00:39 +0200)]
bind: Update to 9.16.50
For details see:
https://downloads.isc.org/isc/bind9/9.16.50/doc/arm/html/notes.html#notes-for-bind-9-16-50
"New Features
Added RESOLVER.ARPA to the built in empty zones."
Important:
"This is the last maintenance release of BIND 9.16. This version is now end of life. Please upgrade to
BIND 9.18, the current stable version."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 24 Jun 2024 15:10:39 +0000 (17:10 +0200)]
ipblocklist-sources: Update to include the Abuse.ch Botnet C2 ip blocklist
- Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024.
- Tested on vm system.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 24 Jun 2024 15:10:38 +0000 (17:10 +0200)]
ipblocklist-sources: Update to include the 3CORESec ip blocklists
- The patch for this was created by Stefan Schantl
- Blocklist addition was discussed and agreed at IPFire dev conf call in June 2024.
- Tested on vm system.
- The combined list was removed because it is just the three others which can be selected
in the WUI to give the equivalent result.
Created-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Jun 2024 16:04:46 +0000 (18:04 +0200)]
apcupsd: Update email scripts to work with dma
- The standard email scripts supllied with apcupsd are coded on the basis that sendmail
is being used. The format of the email information in those scripts does not work with
the dma mail system implemented in IPFire.
- The scripts provided in the config/apcupsd directory have been updated to work with
dma. The scripts have been confirmed to work with my production system that is using
a UPS.
- This patch will replace the standard apcupsd scripts with the ones tailored for IPFire.
- If any existing users have modified their scripts to already work with dma then their
versions will be saved in their backup.
- The apcupsd-3.14.14-2.ipfire package created in the build with the above changes has
been installed on a vm system and confirmed to provide the IPFire tailored scripts.
- The lfs change is the addition of the copying of the scripts to the /etc/apcupsd
directory.
- No change to the rootfile as the scripts names are the same.
- The only thing a user will need to do is to ensure the IPFire email system is enabled,
configure and confirmed working. Then valid FROM and TO email addresses need to be
added to each script.
- Once this patch submission is accepted then I will do an update to the apcupsd IPFire
documentation page to describe these scripts and how to update the email addresses.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 19 Jun 2024 10:40:52 +0000 (12:40 +0200)]
speexdsp: New package required for build of tshark-4.2.5
- tshark in the past had its own version of speexdsp used only for some "arbitrary
resampling code" used for the build of tshark.
- speexdsp has been removed from tshark so it is now a build requirement.
- It is only used for the build of tshark so the rootfile has all entries commented out.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 19 Jun 2024 10:40:51 +0000 (12:40 +0200)]
asciidoctor: New package required for build of tshark-4.2.5
- Only used for build of tshark so rootfile has all entries commented out.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 19 Jun 2024 10:40:50 +0000 (12:40 +0200)]
ruby: New package required for build of asciidoctor required for tshark-4.2.5
- Only used for build of asciidoctor so rootfile has all entries commented out.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 19 Jun 2024 10:40:49 +0000 (12:40 +0200)]
tshark: Update to version 4.2.5
- Update from version 4.0.8 to 4.2.5
- Update of rootfile
- Version 4.2.5 requires asciidoctor to be built for tshark to build. Despite lots of
investigation and testing out various commands, tshark will not build if asciidoctor is
not present, even if the docs are not going to be used. It is only required for the
build
- To build asciidoctor ruby has to be installed. It is only required for the build of
asciidoctor
- tshark has previously had its own version of speexdsp built in. It is only used to
provide some "arbitrary resampling code" during the build and does not end up in the
running tshark system. Version 4.2.5 has removed the internal speexdsp code but it
is still a required dependency for building, so speexdsp also need to be installed but
only for the build stage.
- The associated patches with this one provide the build installation of ruby, asciidoctor
and speexdsp. With these installed tshark was able to be built.
- version 4.0.8 and 4.2.5 of tshark were tested out on a vm system with the command
"tshark -c 100 > tshark" and this wrote 100 packets from the vm red0 interface to a
text file. Both the old and new versions provided the same sort of result. To a first
level of testing this shows that the 4.2.5 version is functioning as the previous
version was.
- This version had an sobump so find-dependencies was run. All files linked to the three
libraries in tshark are all also in tshark. No other package is linked to.
- Changelog
There are 13 releases between 4.0.8 and 4.2.5 so the changelist is too large to
include here. Details can be found in the release notes for each version at
https://www.wireshark.org/docs/relnotes/
21 CVE vulnerabilities have been fixed that were identified in 7 of the 13 versions.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 18 Jun 2024 10:48:58 +0000 (12:48 +0200)]
zstd: Update to version 1.5.6
- Update from version 1.5.5 to 1.5.6
- Update of rootfile
- Changelog
1.5.6 (Mar 2024)
api: Promote `ZSTD_c_targetCBlockSize` to Stable API by @felixhandte
api: new `ZSTD_d_maxBlockSize` experimental parameter, to reduce streaming decompression memory, by @terrelln
perf: improve performance of param `ZSTD_c_targetCBlockSize`, by @Cyan4973
perf: improved compression of arrays of integers at high compression, by @Cyan4973
lib: reduce binary size with selective built-time exclusion, by @felixhandte
lib: improved huffman speed on small data and linux kernel, by @terrelln
lib: accept dictionaries with partial literal tables, by @terrelln
lib: fix CCtx size estimation with external sequence producer, by @embg
lib: fix corner case decoder behaviors, by @Cyan4973 and @aimuz
lib: fix zdict prototype mismatch in static_only mode, by @ldv-alt
lib: fix several bugs in magicless-format decoding, by @embg
cli: add common compressed file types to `--exclude-compressed`` by @daniellerozenblit
cli: fix mixing `-c` and `-o` commands with `--rm`, by @Cyan4973
cli: fix erroneous exclusion of hidden files with `--output-dir-mirror` by @felixhandte
cli: improved time accuracy on BSD, by @felixhandte
cli: better errors on argument parsing, by @KapJI
tests: better compatibility with older versions of `grep`, by @Cyan4973
tests: lorem ipsum generator as default backup content, by @Cyan4973
build: cmake improvements by @terrelln, @sighingnow, @gjasny, @JohanMabille, @Saverio976, @gruenich, @teo-tsirpanis
build: bazel support, by @jondo2010
build: fix cross-compiling for AArch64 with lld by @jcelerier
build: fix Apple platform compatibility, by @nidhijaju
build: fix Visual 2012 and lower compatibility, by @Cyan4973
build: improve win32 support, by @DimitriPapadopoulos
build: better C90 compliance for zlibWrapper, by @emaste
port: make: fat binaries on macos, by @mredig
port: ARM64EC compatibility for Windows, by @dunhor
port: QNX support by @klausholstjacobsen
port: MSYS2 and Cygwin makefile installation and test support, by @QBos07
port: risc-v support validation in CI, by @Cyan4973
port: sparc64 support validation in CI, by @Cyan4973
port: AIX compatibility, by @likema
port: HP-UX compatibility, by @likema
doc: Improved specification accuracy, by @elasota
bug: Fix and deprecate ZSTD_generateSequences (#3981)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
