Adolf Belka [Sun, 31 Jan 2021 17:36:43 +0000 (18:36 +0100)]
qemu: Update to 5.2.0
- Update qemu from 5.0.0 to 5.2.0
- Changelogs for 5.1.0 and 5.2.0 available at https://wiki.qemu.org/ChangeLog/
- rootfile updated
- patch no longer needed as fix built into source. patch was not utilised
for 5.0.0 version. Patch line was commented out in previous lfs
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 30 Jan 2021 22:40:47 +0000 (23:40 +0100)]
cups-filters: Update to 1.28.7
- Update cups-filters from 1.27.4 to 1.28.7
- Changelog
CHANGES IN V1.28.7
- driverless: Removed the support quality check from Pull
request #235 as it takes significant time for each printer
being listed, making cups-driverd (`lpinfo -m`) timing out
when there are many printers (OpenPrinting CUPS issue #65).
- libcupsfilters: In the PPD generator give priority to Apple
Raster against PDF (Issue #331).
- libcupsfilters: Added NULL check when removing ".Borderless"
suffixes from page size names (Issue #314, Pull request
#328).
- libcupsfilters: In the cupsRasterParseIPPOptions() map the
color spaces the same way as in the PPD generator (Issue
#326, Pull request #327).
- libcupsfilters: Fixed addition of grayscale mode in
generated PPD files, to avoid duplicate entries
(OpenPrinting CUPS issue #59).
CHANGES IN V1.28.6
- libcupsfilters: In generated PPDs add a grayscale mode if
there are only color printing modes (from OpenPrinting
CUPS).
- libcupsfilters: In generated PPDs add an "OutputBin" option
also if it has only one choice (OpenPrinting CUPS pull
request #18).
- libcupsfilters: Generated PPDs could have an "Unknown"
default InputSlot (OpenPrinting CUPS issue #44).
- cups-browsed: Removed unneeded IPP attribute additions
preventing the created local queues from preserving a
location or description the user assigns to them (Issue
#323).
- cups-browsed: Removed all calls of the resolve_uri() function
of libcupsfilters, as these are not actually needed and in case
the supplied DNS-SD-based URI is not resolvable, the function
gets stuck for ~5 seconds.
- cups-browsed: Fixed several memory leaks, mainly from the
code to merge printer IPP attributes for clusters (Pull
request #322).
- cups-browsed: Silenced compiler warning.
- foomatic-rip: Fix infinite loop and input from file on raw
printing (Pull request #318).
- foomatic-rip: Remove temporary file created during pdf-to-ps
conversion (Pull request #313).
CHANGES IN V1.28.5
- cups-browsed: UUID from IPP response was used after its
pointer was freed by ippDelete() (Pull request #311).
CHANGES IN V1.28.4
- driverless: Avoid duplicate PPD list entries from the same
device via UUID
- driverless: Reduce ippfind calls by "driverless" and
"driverless-fax" called by CUPS. Let "driverless list" list
both print and fax PPDs and "driverless-fax list" do
nothing.
- driverless: Avoid duplicate listings in printer discovery,
by "driverless-fax" not listing any URI as "driverless"
lists them all already.
- driverless: Vastly improve performance by doing only one
ippfind call instead of two (IPP, IPPS) as ippfind accepts
more than one reg type on the command line.
- Sample PPDs: Corrected manufacturer name in
Fuji_Xerox-DocuPrint_CM305_df-PDF.ppd.
CHANGES IN V1.28.3
- libcupsfilters, cups-browsed: Fixed inconsistency between
resolvers for DNS-SD-based URIs, resolve_uri() and
ippfind_based_uri_converter(). Now both return a freeable
string.
- libcupsfilters: Fix uninitialized buffer and parsing ippfind
output in ippfind_based_uri_converter() function (Issue
#308, Pull request #309).
CHANGES IN V1.28.2
- driverless: Free allocated memory, use MAX_OUTPUT_LEN (Pull
request #304).
- driverless: Make the two ippfind tasks (for IPP
and IPPS) run in parallel (Pull request #302, #305, #306).
- braille: Support new liblouis tables not containing a
display name (Pull request #303)
- Build system: Let ./configure not error out when there is
more than one DejaVuSans.ttf test font candidate (Issue
#300).
- cups-browsed: Crash when a remote printer set as default
gets removed, due to missing variable in printf() call
(Issue #299).
- libcupsfilters: Removed all signal handling and global
variables from get_printer_attributes() and
ippfind_based_uri_converter(). This is overkill for these
quick operations and causes problems when shutting down
cups-browsed (Issue #298).
CHANGES IN V1.28.1
- COPYING: Fixed several typos
- libcupsfilters: Fixed typo in log message of
get_printer_attributes functions.
- cups-browsed: Fixed typos in configuration file and man page
- libcupsfilters: Let the PPD generator not suffix page size
names with ".Borderless" if all page sizes would get this
suffix, for example for printers which generally print
borderless.
- libcupsfilters: Added "faxPrefix" option for generated IPP
Fax Out PPDs, so that this option also appears in print
dialogs.
- driverless: List addresses for local services correctly when
using "--std-ipp-uris" (with "localhost" hostname).
- driverless: Make calls of the ippfind utility somewhat faster,
setting the timeout of ippfind to automatic.
- libcupsfilters: Resolve DNS-SD-based URIs for local services
correctly (using hostname "localhost").
- libcupsfilters: In get_printer_attributes() functions do not
try to convert URIs which are not DNS-SD-based (Issue #294).
- libcupsfilters: In get_printer_attributes() functions also
support URIs with "dnssd://..." scheme.
- libcupsfilters: Moved signal handling back into main
function of the get_printer_attributes() variants, it got
moved out accidentally.
- driverless: For generating a PPD, independent whether via
"driverless URI" or "driverless cat URI", always allow CUPS
driver URIs (prefixed with "driverless: " or
"driverless-fax:") and pure IPP URIs.
- driverless: Accept clean IPP URIs also for 'driverless cat
...' (Issue #295, Pull request #296).
- driverless-fax: Do not use fixed path for call of driverless
itself (Pull request #293).
CHANGES IN V1.28.0
- driverless, driverless-fax, libcupsfilters: Added IPP Fax
Out support. Now printer setup tools list an additional fax
"driver". A fax queue is created by selecting this
driver. Jobs have to be sent with "-o phone=12345" to supply
the destination phone number (Pull request #280).
- libfontembed: Silenced warning with gcc 10.x (Pull request
#287).
- cups-browsed: Added ./configure options
--enable-saving-created-queues and
--with-remote-cups-local-queue-naming (Pull request: #253,
#285).
- cups-browsed: Fixed several memory leaks, mainly from the
code to merge printer IPP attributes for clusters (Pull
request #281, #283).
- driverless: Added "--std-ipp-uris" command line option to
show listed URIs in standard hostname-based form (not the
CUPS DNS-SD-service-name-based form). Only for manual call of
the utility, for debugging purposes (Pull request #277).
- libfontembed: Removed assert() calls which cause crashes
when unsupported emoji fonts are installed (Issue #254, Pull
request #276).
- driverless: Added support for IPPS (use "ipps://..." URIs if
possible, Issue #251, Pull request #270, #273).
- gstoraster, gstopdf: When converting PostScript to PDF use
the "pdfwrite" output device with "-dPDFSETTINGS=/default"
instead of with "-dPDFSETTINGS=/printer". This reproduces
bitmaps in the PostScript file with their original image
quality (Issue #272).
- cups-browsed: Limit log file size and add backup file for
previous log entries. Introduced the configuration option
DebugLogFileSize in cups-browsed.conf to set the actual
limit in kilobytes or 0 to get the old behavior of an
unlimited size for the log file (Issue #260, Pull request
#267).
- gstoraster, gstopdf: Do not apply margins when output format
is PDF, as then we convert an incoming PostScript file to
PDF (pre-pdftopdf) and do not prepare the pages for the
printer (post-pdftopdf, Issue #250).
- cups-browsed: Do not write any log messages directly to
stderr, there were some concerning timeouts on queue
creation (Issue #260).
- Build system: Fix cross-compilation without DejaVu test font
in configure.ac (Issue #262, Pull request #263).
- libcupsfilters: Respect the fact that PPD keywords
are case-sensitive when adding "*cupsManualCopies: True" in
PPD file (Issue #242).
- libcupsfilters: Older versions of libcups (< 2.3.1)
had the enum name for fold-accordion finishings mistyped.
Added a workaround.
- cups-browsed: Remove left-over local queues from the
previous session more quickly when CUPS legacy browsing is
turned on.
- cups-browsed: Left-over local queues from the previous
session for which the corresponding remote printer did not
appear again did not get removed as they were considered
externally overwritten.
- gstoraster, gstopdf: Add option "-dDoNumCopies" to
Ghostscript command line if we are outputting PDF (called
via gstopdf wrapper) and the number of copies supplied to
CUPS is 1 (4th command line argument). In this case we
convert incoming PostScript to PDF and need to respect
embedded PostScript commands to implement the number of
copies (Issue #255, CUPS Issue #5796, OpenSUSE bug
#1173345).
- imagetoraster: Potential null dereference fix (when no valid
PPD is supplied, Pull request #256).
- cups-browsed: Call cupsGetNamedDest() only if
"OnlyUnsupportedByCUPS No"
- Sample PPDs: Corrected ColorModel default for Generic PWG
Raster PPD to Color (Pull request #247).
- cups-browsed: Mark the temp queue as cups-browsed-generated
during setting printer-is-shared (Pull request #246).
- cups-browsed: Remove mentions of README and AUTHORS files in
the man page (Pull request #244).
- pclmtoraster: Added new filter to extract Raster data from
raster-only PDF files, here for the special case of PCLm
files (Pull request #243, #257).
- Sample PPDs: In Generic-PDF_Printer-PDF.ppd add option to
switch between color and grayscale printing (Pull request
#237).
CHANGES IN V1.27.5
- cups-browsed: Do not remove the created local queues on
shutdown, to avoid their re-creation on restart, so that
desktops get not cluttered with notifications of new queues
being created. One can return to the old behavior via
"KeepGeneratedQueuesOnShutdown No" in cups-browsed.conf
(Ubuntu bug #1869981, #1878241).
- cups-browsed: Do not accept DNS-SD broadcasts of IPPS type
of "remote" CUPS queues of another CUPS instance on the
local machine. This way we get a local queue pointing to
such a printer only in unencrypted version (IPP). For some
reason printing from one CUPS server to another on the same
machine works only unencrypted.
- foomatic-rip: Map two-sided-short-edge to DuplexTumble (Pull
request #236)
- Build system: In configure.ac use AS_IF instead of
AC_CHECK_FILE for font check (Issue #239, Pull request #240)
- cups-browsed: Cleaned up code for determining to which CUPS
server (host/port/domain socket) to connect, so that
connection via DomainSocket cups-browsed.conf directive,
CUPS_SERVER and IPP_PORT environment variables and all
defaults and methods of libcups, including CUPS' client.conf
work.
- gstoraster, rastertopdf: Do not pass NULL to fprintf() (Pull
request #230).
- libcupsfilters: Silence compiler warning (Pull request #229).
- rootfile updated
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 30 Jan 2021 22:40:27 +0000 (23:40 +0100)]
cifs-utils: Update to 6.12
- Update cifs-utils from 5.9 to 6.12
- Changelog - URL for each change gives more details of changes
December, 2020: Release 6.12
get/setcifsacl tools are improved to support changing owner, group and SACLs
mount.cifs is enhanced to use SUDO_UID env variable for cruid
smbinfo is re-written in Python language
https://lists.samba.org/archive/samba-technical/2020-December/136156.html
September, 2020: Release 6.11
CVE-2020-14342: mount.cifs: fix shell command injection
https://lists.samba.org/archive/samba-technical/2020-September/135747.html
December 16, 2019: Release 6.10
smb3 alias/fstype is added
smb2-quota tool is added to display quota information
smb2-secdesc UI tool to view security descriptors is added
smbinfo is enhanced with capabilities to dump session keys and get/set compression of files
smbinfo bash completion is supported
getcifsacl tool is improved to support multiple files
https://lists.samba.org/archive/samba-technical/2019-December/134662.html
April 5, 2019: Release 6.9
smbinfo utility is added to query various kinds of information from the server (objectId, snapshots, different FileInfo* classes and other metadata)
server IP change is supported by expiring DNS key resolver entries
get/setcifsacl tools are improved to handle unexpected behavior
share snapshot are allowed to be specified by a GMT token or SMB 100-nanoseconds time
various new mount option are documented: bsize, handletimeout, handlecache, rdma, max_credits and others
https://lists.samba.org/archive/samba-technical/2019-April/133233.html
March 9, 2018: Release 6.8
man pages updates (auto-negotiate protocol version by default) and cleanups (moving to .rst format)
setcifsacl: fix security descriptor buffer size mismatch
cifscreds: fix a segfault for incorrect usage
minor mount.cifs fixes
https://lists.samba.org/archive/samba-technical/2018-March/126227.html
March 2, 2017: Release 6.7
fixes for regressions from cifs.upcall overhaul
mount.cifs cleanups
https://lists.samba.org/archive/samba-technical/2017-March/119036.html
September 3, 2016: Release 6.6
cleanup/overhaul of cifs.upcall krb5 credcache handling
https://lists.samba.org/archive/samba-technical/2016-September/115974.html
February 22, 2016: Release 6.5
mount.cifs: ignore x- mount options
minor build fixes
minor manpage fix
https://lists.samba.org/archive/samba-technical/2016-February/112372.html
July 11, 2014: Release 6.4
allow PAM directory to be configurable
better determination of default keytab file
better cifscreds error handling
uppercase devicename when retrying mount
https://lists.samba.org/archive/samba-technical/2014-July/101132.html
January 9, 2014: Release 6.3
fixes for various bugs turned up by Coverity
clean unused cruft out of upcall binary
add new pam_cifscreds PAM module for establishing NTLM creds on login
https://lists.samba.org/archive/samba-technical/2014-January/097124.html
October 4, 2013: Release 6.2
setcifsacl can now work without a plugin
systemd-ask-password is found using $PATH now
cifs.upcall now works with KEYRING: credcaches
https://lists.samba.org/archive/samba-technical/2013-October/095287.html
July 2, 2013: Release 6.1
minor bugfixes
allow cifs.upcall to use dedicated keytab
https://lists.samba.org/archive/samba-technical/2013-July/093601.html
March 25, 2013: Release 6.0
minor bugfixes and documentation updates
support for NFS-style device names removed
https://lists.samba.org/archive/samba-technical/2013-March/091169.html
- Rootfile updated
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 30 Jan 2021 22:40:11 +0000 (23:40 +0100)]
screen: Update to 4.8.0
- Update screen from 4.2.1 to 4.8.0
- Changelog
Version 4.8.0 (05/02/2020)
* Improve startup time by only polling for files to close
Fixes:
- Fix for segfault if termcap doesn't have Km entry
- Make screen exit code be 0 when checking --version
- Fix potential memory corruption when using OSC 49
Version 4.7.0 (02/10/2019)
* Add support for SGR (1006) mouse mode
* Add support for OSC 11
* Update Unicode ambiguous and wide tables to 12.1.0
* Fixes:
- cross-compilation support (bug #43223)
- a lot of manpage fixes and cleanups
Version 4.6.2 (23/10/2017):
* Fixes:
- revert changes to cursor position restore behavior (bug #51832)
- set freed pointer to NULL (bug #52133)
- documentation fixes
- fix windowlist crashes (bug #43054 & #51500)
Version 4.6.1 (10/07/2017):
* Fixes:
- problems with starting session in some cases
- parallel make install
- segfault when querying info on nonUTF locale (bug #51402)
Version 4.6.0 (28/06/2017):
* Update Unicode wide tables to 9.0 (bug #50044)
* Support more serial speeds
* Improved namespaces support
* Migrate from fifos to sockets
* Start viewing scrollback at first line of output (bug #49377)
Version 4.5.1 (25/02/2017):
* Fixes:
- logfile permissions problem (CVE-2017-5618)
- SunOS build problem (bug #50089)
- FreeBSD core dumps (bug #50143)
Version 4.5.0 (10/12/2016):
* Allow specifying logfile's name via command line parameter '-L'
* Fixes:
- broken handling of "bind u digraph U+" (bug #48691)
- crash with long $TERM (bug #48983)
- crash when bumping blank window
- build for AIX (bug #49149)
- %x improperly separating arguments
- install with custom DESTDIR (bug #48370)
Version 4.4.0 (19/06/2016):
* Support up to 24 function keys
* Fix runtime issues
* 'logfile' command, starts logging into new file upon changing
Version 4.3.1 (28/06/2015):
* Fix resize bug
Version 4.3.0 (13/06/2015):
* Introduce Xx string escape showing the executed command of a window
* Implement dead/zombie window polling, allowing for auto reconnecting
* Allow setting hardstatus on first line
New Commands:
* 'sort' command sorting windows by title
* 'bumpleft', 'bumpright' - manually move windows on window list
* 'collapse' removing numbering 'gaps' between windows, by renumbering
* 'windows' command now accepts arguments for use with querying
- Rootfile updated
- Two screen patchfiles deleted as the patch changes are now built into
the source files
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sat, 30 Jan 2021 13:26:11 +0000 (14:26 +0100)]
Postfix: update to 3.5.9
This release adds runtime detection of DNSSEC support; please refer to
http://www.postfix.org/announcements/postfix-3.5.9.html for its full
announcement.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 29 Jan 2021 21:58:23 +0000 (22:58 +0100)]
dbus: Update to 1.12.20
- Update dbus from 1.11.12 to 1.12.20 (latest in release line
1.13.x is also available but this is the development line
and not recommended for production use)
- Changelog between these two versions is very long (750 lines long) and
can be found in the NEWS file in the source tarball.
- rootfile updated
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 28 Jan 2021 20:17:30 +0000 (21:17 +0100)]
dma: Update to 0.13
- Update dma from 0.12 to 0.13
- No changelog information available
- No change to the rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 28 Jan 2021 20:17:00 +0000 (21:17 +0100)]
ipset: Update to 7.10
- Update ipset from 7.6 to 7.10
- Changelog
7.10
Kernel part changes
Fix patch "Handle false warning from -Wstringop-overflow"
Backward compatibility: handle renaming nla_strlcpy to nla_strscpy
treewide: rename nla_strlcpy to nla_strscpy. (Francis Laniel)
netfilter: ipset: fix shift-out-of-bounds in htable_bits() (Vasily Averin)
netfilter: ipset: fixes possible oops in mtype_resize (Vasily Averin)
Handle false warning from -Wstringop-overflow
Backward compatibility: handle missing strscpy with a wrapper of strlcpy.
Move compiler specific compatibility support to separated file (broken compatibility support reported by Ed W)
7.9
Userspace changes
Fix library versioning (Jan Engelhardt)
7.8
Kernel part changes
Complete backward compatibility fix for package copy of <linux/jhash.h>
Compatibility: check for kvzalloc() and GFP_KERNEL_ACCOUNT
netfilter: ipset: enable memory accounting for ipset allocations (Vasily Averin)
netfilter: ipset: prevent uninit-value in hash_ip6_add (Eric Dumazet)
Compatibility: use skb_policy() from if_vlan.h if available
Compatibility: Check for the fourth arg of list_for_each_entry_rcu()
Backward compatibility fix for the package copy of <linux/jhash.h>
7.7
Userspace changes
Expose the initval hash parameter to userspace
Handle all variable header parts in helper scripts instead of test tasks
Add bucketsize parameter to all hash types
Support the -exist flag with the destroy command
Kernel part changes
Expose the initval hash parameter to userspace
Add bucketsize parameter to all hash types
Use fallthrough pseudo-keyword in the package copy of too
Support the -exist flag with the destroy command
netfilter: Use fallthrough pseudo-keyword (Gustavo A. R. Silva)
netfilter: Replace zero-length array with flexible-array member (Gustavo A. R. Silva)
netfilter: ipset: call ip_set_free() instead of kfree() (Eric Dumazet)
netfiler: ipset: fix unaligned atomic access (Russell King)
netfilter: ipset: Fix subcounter update skip (Phil Sutter)
ipset: Update byte and packet counters regardless of whether they match (Stefano Brivio)
netfilter: ipset: Pass lockdep expression to RCU lists (Amol Grover)
ip_set: Fix compatibility with kernels between v3.3 and v4.5 (Serhey Popovych)
ip_set: Fix build on kernels without INIT_DEFERRABLE_WORK (Serhey Popovych)
ipset: Support kernels with at least system_wq support
ip_set: Fix build on kernels without system_power_efficient_wq (Serhey Popovych)
- Rootfiles updated
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 28 Jan 2021 18:43:22 +0000 (19:43 +0100)]
freetype: update to 2.10.4
This fixes a heap buffer overflow in the handling of embedded PNG
bitmaps (CVE-2020-15999). Further information is available at
https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/ .
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 28 Jan 2021 14:55:57 +0000 (15:55 +0100)]
minicom: Update to 2.8
- Update minicom from 2.7.1 to 2.8
- Changelog for version 2.8
New timestamp mode: Delta to previous line.
Add HPA ESC sequence
Add alternative window support (ti/te)
Fix file name of non-global configuration settings.
Update translations: Indonesian, French, Swedish, Spanish, German, Brazilian Portuguese, Vietnamese, Polish, Danish, Norwegian, Serbian
New translation: Serbian, Simplified Chinese
Fix F10 macro key used in current setups
Add F11 and F12 for macro use
Fixed DTR for recent systems
Add support for RS485.
Add --capturefile-buffer-mode option
Bug fixes
- Updated rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 27 Jan 2021 22:17:00 +0000 (23:17 +0100)]
arping: Update to 2.21
- Update arping from 2.15 to 2.21
- Notable changes from 2.20 to 2.21:
* Use more modern pcap API calls, when available
* Add payload data to mac ping
* chdir(/) after chroot()
* Misc minor cleanup
- Notable changes from 2.19 to 2.20:
* Improved support for cross-compile
* Use unveil(2) and pledge(2) where available (i.e. OpenBSD)
* Fix false duplicates when destination address is *also* assigned to local interface
* Minor typo-level fixes
- Notable changes from 2.18 to 2.19:
* Added -g to drop privs to alternate user (for Android)
* Slightly improved error messages
- Notable changes from 2.17 to 2.18:
* Make -w/-W work like 'ping'
- Notable changes from 2.16 to 2.17:
* Add padding to packets to work on Raspberry Pi 3
- Notable changes from 2.15 to 2.16:
* VLAN tagging (Nikolay Aleksandrov)
* 802.1Q priority (Nikolay Aleksandrov)
* Added a bunch of unit tests.
* Be more lazy about initializing libnet.
This fixes issues where arping would sometimes pick an unsuitable
device during arg parsing, if the "first" device on the system is
not a "normal" device.
- No change to rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 28 Jan 2021 16:00:47 +0000 (17:00 +0100)]
libloc: ship a more recent database by default
The database we ship by default is meanwhile four weeks old, and since
the merge window for Core Update 154 is still open, there is no need to
ship data being more outdated than they have to be. :-)
The second version of this patch also updates the checksum for the
downloaded database file.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 27 Jan 2021 20:14:44 +0000 (21:14 +0100)]
sudo: Upgrade to 1.9.5p2
- Update sudo from 1.9.5p1 to 1.9.5p2
- Major changes between version 1.9.5p2 and 1.9.5p1:
Fixed sudo's setprogname(3) emulation on systems that don't provide it.
Fixed a problem with the sudoers log server client where a partial write to the server could result in the sudo process consuming large amounts of CPU time due to a cycle in the buffer queue. Bug #954.
Added a missing dependency on libsudo_util in libsudo_eventlog. Fixes a link error when building sudo statically.
The user's KRB5CCNAME environment variable is now preserved when performing PAM authentication. This fixes GSSAPI authentication when the user has a non-default ccache.
When invoked as sudoedit, the same set of command line options are now accepted as for sudo -e. The -H and -P options are now rejected for sudoedit and sudo -e which matches the sudo 1.7 behavior. This is part of the fix for CVE-2021-3156.
Fixed a potential buffer overflow when unescaping backslashes in the command's arguments. Normally, sudo escapes special characters when running a command via a shell (sudo -s or sudo -i). However, it was also possible to run sudoedit with the -s or -i flags in which case no escaping had actually been done, making a buffer overflow possible. This fixes CVE-2021-3156.
- No change to rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 6 Jan 2021 14:38:03 +0000 (14:38 +0000)]
samba: Add helper script to pipe password
It is complicated to set the password in the C helper binary.
Therefore it is being set by a helper script.
This is still not an optimal solution since the password might be
exposed to the shell environment, but has the advantage that shell
command injection is no longer possible.
Fixes: #12562
Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 6 Jan 2021 12:00:32 +0000 (12:00 +0000)]
samba: Remove option to choose user group and shell
There is no need for this being implemented and it is dangerous to allow
the user to create any shell accounts or users that belong to groups
with higher privileges.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 5 Jan 2021 16:01:56 +0000 (16:01 +0000)]
Drop launch-ether-wake
The helper binary is being dropped and etherwake is enabled
for CAP_NET_RAW. This allows execution by unprivileged users
as needed by the web user interface (nobody).
Reported-by: Albert Schwarzkopf <ipfire@quitesimple.org>
Fixes: #12562
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 21 Jan 2021 20:17:06 +0000 (21:17 +0100)]
iptables: Update to version 1.8.7
- Update from 1.8.6 to 1.8.7
Florian Westphal (4):
xtables-monitor: fix rule printing
xtables-monitor: fix packet family protocol
xtables-monitor: print packet first
xtables-monitor:
Pablo Neira Ayuso (2):
tests: shell: update format of registers in bitwise payloads.
configure: bump version for 1.8.7 release
Phil Sutter (21):
nft: Optimize class-based IP prefix matches
ebtables: Optimize masked MAC address matches
tests/shell: Add test for bitwise avoidance fixes
ebtables: Fix for broken chain renaming
iptables-test.py: Accept multiple test files on commandline
iptables-test.py: Try to unshare netns by default
libxtables: Extend MAC address printing/parsing support
xtables-arp: Don't use ARPT_INV_*
xshared: Merge some command option-related code
tests/shell: Test for fixed extension registration
extensions: dccp: Fix for DCCP type 'INVALID'
nft: Fix selective chain compatibility checks
nft: cache: Introduce nft_cache_add_chain()
nft: Implement nft_chain_foreach()
nft: cache: Move nft_chain_find() over
nft: Introduce struct nft_chain
nft: Introduce a dedicated base chain array
nft: cache: Sort custom chains by name
tests: shell: Drop any dump sorting in place
nft: Avoid pointless table/chain creation
tests/shell: Fix nft-only/0009-needless-bitwise_0
- Rootfile updated
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Sat, 16 Jan 2021 15:57:56 +0000 (16:57 +0100)]
logrotate: Update to 3.18.0
Excerpt from 'ChangeLog.md':
"## [3.18.0] - 2021-01-08
- allow UIDs and GIDs to be specified numerically (#217)
- add support for Zstandard compressed files (#355)
- make `delaycompress` not to fail with `rotate 0` (#341)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Jan 2021 18:37:11 +0000 (19:37 +0100)]
sudo: Upgrade to 1.9.5p1
- Upgrade sudo from 1.8.10p3 to 1.9.5p1
- Move sudo from legacy release (1.8) branch to stable release (1.9) branch
- Update rootfile
- Changelog available at https://www.sudo.ws/changes.html
- Tested out on vm testbed and sudo is working correctly
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 13 Jan 2021 11:12:03 +0000 (11:12 +0000)]
ssh: Ignore any errors when stopping daemon
The SSH init script only kills the main daemon which leads to any child
processes (for remaining connections) being untouched.
killproc returns 4 (unknown error) when not all processes were killed
which is not intended here. Therefore we ignore the error and do not
pause the shut down process for a minute.
Fixes: #12544
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Giovanni Aneloni [Mon, 27 Apr 2020 22:23:57 +0000 (00:23 +0200)]
unbound: make local zone transparent
Change local zone to "transparent" instead of "typetransparent" to avoid NXDOMAIN when querying local hosts
Fixes: #12391
Signed-off-by: Giovanni Aneloni <giovanni.aneloni@live.com>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Wed, 6 Jan 2021 14:18:27 +0000 (15:18 +0100)]
ddns.cgi: Make dealing with auth tokens more user-friendly.
If a provider supports authentication with a token, now
the username and password fields will be swapped by some
JavaScript code in favour of an input field for the token.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Wed, 6 Jan 2021 10:16:49 +0000 (10:16 +0000)]
unbound: keep probing when servers are down
Till now when a server was in the "blocking regime" there was one probe
made every 15 min, to see if this server is up again. In situations
where all servers were down (e.g. because of a massive package loss)
it could take up to 15 min to have a working dns again.
This patch changes this behaviour in a way that a server marked down is
probed every 2 min.
Fixes: #12557
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Jan 2021 14:20:57 +0000 (15:20 +0100)]
sshfs: Update to 3.7.1
- Update sshfs from 2.2 to 3.7.1
- Changelog is available at https://github.com/libfuse/sshfs/releases
- Build had to be changed from autotools to meson/ninja
- Change in rootfiles
Signed-off-by: Adolf Belka <ahb.ipfire@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>