Adolf Belka [Thu, 28 Nov 2024 11:49:07 +0000 (12:49 +0100)]
xz: Update to version 5.6.3
- Update from version 5.4.5 to 5.6.3
- Update of rootfile
- This update is now done only by the xz originator Lasse Collin (Larhzu). A new github
repo was created by Lasse for xz and this does not contain the malicious versions -
5.6.0 & 5.6.1 https://github.com/tukaani-project/xz/releases
- Version 5.6.3 is being used by Arch Linux and Ubuntu plucky
- Changelog
5.6.3
IMPORTANT: This includes a Windows-specific security fix to
the command line tools. liblzma isn't affected by this issue.
* liblzma:
- Fix x86-64 inline assembly compatibility with GNU Binutils
older than 2.27.
- Fix the build with GCC 4.2 on OpenBSD/sparc64.
* xzdec: Display an error instead of failing silently if the
unsupported option -M is specified.
* lzmainfo: Fix integer overflows when rounding the dictionary and
uncompressed sizes to the nearest mebibyte.
* Windows (except Cygwin and MSYS2): Add an application manifest to
xz, xzdec, lzmadec, and lzmainfo executables:
- Declare them compatible with Vista/7/8/8.1/10/11. This way
the programs won't needlessly use Operating System Context
of Vista when running on later Windows versions. This setting
doesn't mean that the executables cannot run on even older
versions if otherwise built that way.
- Declare them as UAC-compliant. MSVC added this by default
already but it wasn't done with MinGW-w64, at least not
with all toolchain variants.
- Declare them long path aware. This makes long path names
work on Windows 10 and 11 if the feature has been enabled
in the Windows registry.
- Use the UTF-8 code page on Windows 10 version 1903 and later.
* Now command line tools can access files whose names
contain characters that don't exist in the current
legacy code page.
* The options --files and --files0 now expect file lists
to be in UTF-8 instead of the legacy code page.
* This fixes a security issue: If a command line contains
Unicode characters (for example, filenames) that don't
exist in the current legacy code page, the characters are
converted to similar-looking characters with best-fit
mapping. Some best-fit mappings result in ASCII
characters that change the meaning of the command line,
which can be exploited with malicious filenames to do
argument injection or directory traversal attacks.
UTF-8 avoids best-fit mappings and thus fixes the issue.
Forcing the process code page to UTF-8 is possible only
on Windows 10 version 1903 and later. The command line
tools remain vulnerable if used on an older
version of Windows.
This issue was discovered by Orange Tsai and splitline
from DEVCORE Research Team.
A related smaller issue remains: Windows filenames may
contain unpaired surrogates (invalid UTF-16). These are
converted to the replacement character U+FFFD in the
UTF-8 code page. Thus, filenames with different unpaired
surrogates appear identical and aren't distinguishable
from filenames that contain the actual replacement
character U+FFFD.
* When building with MinGW-w64, it is recommended to use
UCRT version instead of the old MSVCRT. For example,
non-ASCII characters from filenames won't print
correctly in messages to console with MSVCRT with
the UTF-8 code page (a cosmetic issue). liblzma-only
builds are still fine with MSVCRT.
- Cygwin and MSYS2 process command line options differently and
the above issues don't exist. There is no need to replace the
default application manifest on Cygwin and MSYS2.
* Autotools-based build:
- Fix feature checks with link-time optimization (-flto).
- Solaris: Fix a compatibility issue in version.sh. It matters
if one wants to regenerate configure by running autoconf.
* CMake:
- Use paths relative to ${prefix} in liblzma.pc when possible.
This is done only with CMake >= 3.20.
- MSVC: Install liblzma.pc as it can be useful with MSVC too.
- Windows: Fix liblzma filename prefix, for example:
* Cygwin: The DLL was incorrectly named liblzma-5.dll.
Now it is cyglzma-5.dll.
* MSVC: Rename import library from liblzma.lib to lzma.lib
while keeping liblzma.dll name as is. This helps with
"pkgconf --msvc-syntax --libs liblzma" because it mungles
"-llzma" in liblzma.pc to "lzma.lib".
* MinGW-w64: No changes.
- Windows: Use the correct resource file for lzmadec.exe.
Previously the resource file for xzdec.exe was used for both.
Autotools-based build isn't affected.
- Prefer a C11 compiler over a C99 compiler but accept both.
- Link Threads::Threads against liblzma using PRIVATE so that
-pthread and such flags won't unnecessarily get included in
the usage requirements of shared liblzma. That is,
target_link_libraries(foo PRIVATE liblzma::liblzma) no
longer adds -pthread if using POSIX threads and linking
against shared liblzma. The threading flags are still added
if linking against static liblzma.
* Updated translations: Catalan, Chinese (simplified), and
Brazilian Portuguese.
5.6.2
* Remove the backdoor (CVE-2024-3094).
* Not changed: Memory sanitizer (MSAN) has a false positive
in the CRC CLMUL code which also makes OSS Fuzz unhappy.
Valgrind is smarter and doesn't complain.
A revision to the CLMUL code is coming anyway and this issue
will be cleaned up as part of it. It won't be backported to
5.6.x or 5.4.x because the old code isn't wrong. There is
no reason to risk introducing regressions in old branches
just to silence a false positive.
* liblzma:
- lzma_index_decoder() and lzma_index_buffer_decode(): Fix
a missing output pointer initialization (*i = NULL) if the
functions are called with invalid arguments. The API docs
say that such an initialization is always done. In practice
this matters very little because the problem can only occur
if the calling application has a bug and these functions
return LZMA_PROG_ERROR.
- lzma_str_to_filters(): Fix a missing output pointer
initialization (*error_pos = 0). This is very similar
to the fix above.
- Fix C standard conformance with function pointer types.
- Remove GNU indirect function (IFUNC) support. This is *NOT*
done for security reasons even though the backdoor relied on
this code. The performance benefits of IFUNC are too tiny in
this project to make the extra complexity worth it.
- FreeBSD on ARM64: Add error checking to CRC32 instruction
support detection.
- Fix building with NVIDIA HPC SDK.
* xz:
- Fix a C standard conformance issue in --block-list parsing
(arithmetic on a null pointer).
- Fix a warning from GNU groff when processing the man page:
"warning: cannot select font 'CW'"
* xzdec: Add support for Linux Landlock ABI version 4. xz already
had the v3-to-v4 change but it had been forgotten from xzdec.
* Autotools-based build system (configure):
- Symbol versioning variant can now be overridden with
--enable-symbol-versions. Documentation in INSTALL was
updated to match.
- Add new configure option --enable-doxygen to enable
generation and installation of the liblzma API documentation
using Doxygen. Documentation in INSTALL and PACKAGERS was
updated to match.
* CMake:
- Fix detection of Linux Landlock support. The detection code
in CMakeLists.txt had been sabotaged.
- Disable symbol versioning on non-glibc Linux to match what
the Autotools build does. For example, symbol versioning
isn't enabled with musl.
- Symbol versioning variant can now be overridden by setting
SYMBOL_VERSIONING to "OFF", "generic", or "linux".
- Add support for all tests in typical build configurations.
Now the only difference to the tests coverage to Autotools
is that CMake-based build will skip more tests if features
are disabled. Such builds are only for special cases like
embedded systems.
- Separate the CMake code for the tests into tests/tests.cmake.
It is used conditionally, thus it is possible to
rm -rf tests
and the CMake-based build will still work normally except
that no tests are then available.
- Add an option ENABLE_DOXYGEN to enable generation and
installation of the liblzma API documentation using Doxygen.
* Documentation:
- Omit the Doxygen-generated liblzma API documentation from the
package. Instead, the generation and installation of the API
docs can be enabled with a configure or CMake option if
Doxygen is available.
- Remove the XZ logo which was used in the API documentation.
The logo has been retired and isn't used by the project
anymore. However, it's OK to use it in contexts that refer
to the backdoor incident.
- Remove the PDF versions of the man pages from the source
package. These existed primarily for users of operating
systems which don't come with tools to render man page
source files. The plain text versions are still included
in doc/man/txt. PDF files can still be generated to doc/man,
if the required tools are available, using "make pdf" after
running "configure".
- Update home page URLs back to their old locations on
tukaani.org.
- Update maintainer info.
* Tests:
- In tests/files/README, explain how to recreate the ARM64
test files.
- Remove two tests that used tiny x86 and SPARC object files
as the input files. The matching .c file was included but
the object files aren't easy to reproduce. The test cases
weren't great anyway; they were from the early days (2009)
of the project when the test suite had very few tests.
- Improve a few tests.
5.4.7
* Not changed: Memory sanitizer (MSAN) has a false positive
in the CRC CLMUL code which also makes OSS Fuzz unhappy.
Valgrind is smarter and doesn't complain.
A revision to the CLMUL code is coming anyway and this issue
will be cleaned up as part of it. It won't be backported to
5.6.x or 5.4.x because the old code isn't wrong. There is
no reason to risk introducing regressions in old branches
just to silence a false positive.
* liblzma:
- lzma_index_decoder() and lzma_index_buffer_decode(): Fix
a missing output pointer initialization (*i = NULL) if the
functions are called with invalid arguments. The API docs
say that such an initialization is always done. In practice
this matters very little because the problem can only occur
if the calling application has a bug and these functions
return LZMA_PROG_ERROR.
- lzma_str_to_filters(): Fix a missing output pointer
initialization (*error_pos = 0). This is very similar
to the fix above.
- Fix C standard conformance with function pointer types.
This newly showed up with Clang 17 with -fsanitize=undefined.
There are no bug reports about this.
- Fix building with NVIDIA HPC SDK.
* xz:
- Fix a C standard conformance issue in --block-list parsing
(arithmetic on a null pointer).
- Fix a warning from GNU groff when processing the man page:
"warning: cannot select font 'CW'"
- Fix outdated threading related information on the man page.
* xzless:
- With "less" version 451 and later, use "||-" instead of "|-"
in the environment variable LESSOPEN. This way compressed
files that contain no uncompressed data are shown correctly
as empty.
- With "less" version 632 and later, use --show-preproc-errors
to make "less" show a warning on decompression errors.
* Autotools-based build system (configure):
- Symbol versioning variant can now be overridden with
--enable-symbol-versions. Documentation in INSTALL was
updated to match.
* CMake:
- Linux on MicroBlaze is handled specially now. This matches
the changes made to the Autotools-based build in XZ Utils
5.4.2 and 5.2.11.
- Disable symbol versioning on non-glibc Linux to match what
the Autotools build does. For example, symbol versioning
isn't enabled with musl.
- Symbol versioning variant can now be overridden by setting
SYMBOL_VERSIONING to "OFF", "generic", or "linux".
* Documentation:
- Clarify the description of --disable-assembler in INSTALL.
The option only affects 32-bit x86 assembly usage.
- Add doc/examples/11_file_info.c. It was added to the
Git repository in 2017 but forgotten to be added into
distribution tarballs.
- Don't install the TODO file as part of the documentation.
The file is out of date.
- Update home page URLs back to their old locations on
tukaani.org.
- Update maintainer info.
5.4.6
* Fixed a bug involving internal function pointers in liblzma not
being initialized to NULL. The bug can only be triggered if
lzma_filters_update() is called on a LZMA1 encoder, so it does
not affect xz or any application known to us that uses liblzma.
* xz:
- Fixed a regression introduced in 5.4.2 that caused encoding
in the raw format to unnecessarily fail if --suffix was not
used. For instance, the following command no longer reports
that --suffix must be used:
echo foo | xz --format=raw --lzma2 | wc -c
- Fixed an issue on MinGW-w64 builds that prevented reading
from or writing to non-terminal character devices like NUL.
* Added a new test.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
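The "related smaller issue" in the 5.6.3 changelog above, shown as an added Python example (not part of the commit message and not xz code): it converts UTF-16 filenames to UTF-8 and reports names that become indistinguishable once unpaired surrogates turn into U+FFFD. The function names and sample filenames are constructed for illustration, and the model assumes one U+FFFD per unpaired code unit.

```python
from collections import defaultdict

REPLACEMENT = 0xFFFD  # U+FFFD REPLACEMENT CHARACTER


def is_high(u):
    return 0xD800 <= u <= 0xDBFF


def is_low(u):
    return 0xDC00 <= u <= 0xDFFF


def to_utf8_lossy(units):
    """Convert UTF-16 code units to UTF-8 bytes.

    Valid high+low pairs become one supplementary code point. Any
    unpaired surrogate becomes U+FFFD (assumed: one per code unit).
    """
    cps = []
    i = 0
    while i < len(units):
        u = units[i]
        if is_high(u) and i + 1 < len(units) and is_low(units[i + 1]):
            cps.append(0x10000 + ((u - 0xD800) << 10) + (units[i + 1] - 0xDC00))
            i += 2
            continue
        cps.append(REPLACEMENT if is_high(u) or is_low(u) else u)
        i += 1
    return "".join(map(chr, cps)).encode("utf-8")


def find_collisions(names):
    """Group raw UTF-16 names by converted form; keep groups where
    more than one distinct raw name maps to the same UTF-8 bytes."""
    groups = defaultdict(list)
    for units in names:
        groups[to_utf8_lossy(units)].append(tuple(units))
    return {k: v for k, v in groups.items() if len(set(v)) > 1}


def name(prefix, middle, suffix):
    """Build a UTF-16 code unit list from ASCII text plus raw units."""
    return [ord(c) for c in prefix] + list(middle) + [ord(c) for c in suffix]


# Constructed sample directory listing (UTF-16 code units).
SAMPLE_NAMES = [
    name("a", [0xD800], ".xz"),          # unpaired high surrogate
    name("a", [0xDC00], ".xz"),          # unpaired low surrogate
    name("a", [0xFFFD], ".xz"),          # literal replacement character
    name("b", [0xD83D, 0xDE00], ".xz"),  # valid surrogate pair (U+1F600)
    name("plain", [], ".xz"),
]

if __name__ == "__main__":
    for utf8_name, raw_names in find_collisions(SAMPLE_NAMES).items():
        print(utf8_name, "is shared by", len(raw_names), "distinct UTF-16 names")
```

A script that drives xz on Windows can run such a check over a directory listing and refuse or rename ambiguous entries before processing them.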
Adolf Belka [Thu, 28 Nov 2024 11:49:06 +0000 (12:49 +0100)]
xfsprogs: Update to version 6.11.0
- Update from version 6.9.0 to 6.11.0
- Update of rootfile
- The existing CONFIGURE_OPTIONS variable was empty so ./configure was run with a
standard PREFIX=/usr but split /usr has been removed from the build so the default
for all directories goes to being under /usr, including the library etc.
- Added entries for prefix, libdir and localstatedir into the variable
CONFIGURE_OPTIONS so that most files ended up in the same locations as with previous
versions. fsck.xfs, mkfs.xfs & xfs_repair end up in /usr/sbin the same as all the
other xfs programs. A mv command added to move these three files into /sbin to match
the previous versions.
- Tested out this change in a vm system on my testbed. The xfs filesystem was created
without any issues and I ended up with a normally working system. I also rebooted
with fsck selected and the reboot occurred without any issues. No messages about
problems in the logs, only messages about a successful clean xfs mount. So both
fsck.xfs and mkfs.xfs seem to be working without any problems.
- Changelog
6.11.0
Cleanups and bugfixes in mkfs/xfs_db/repair/scrub/mdrestore (Darrick J. Wong)
Drop libattr dependency (Darrick J. Wong)
Debian and Ubuntu archive changes (Bastian Germann)
6.10.1
fix C++ compilation errors in xfs_fs.h (Darrick J. Wong)
6.10.0
debian: enable xfs_scrub_all systemd timer services by default (Darrick J. Wong)
mkfs: set autofsck filesystem property (Darrick J. Wong)
xfs_scrub: use the autofsck fsproperty to select mode (Darrick J. Wong)
xfs_scrub: allow sysadmin to control background scrubs (Darrick J. Wong)
xfs_property: add a new tool to administer fs properties (Darrick J. Wong)
xfs_db: add a command to list xattrs (Darrick J. Wong)
xfs_db: improve getting and setting extended attributes (Darrick J. Wong)
xfs_io: edit filesystem properties (Darrick J. Wong)
xfs_scrub: defer phase5 file scans if dirloop fails (Darrick J. Wong)
xfs_repair: wipe ondisk parent pointers when there are none (Darrick J. Wong)
xfs_scrub: detect and repair directory tree corruptions (Darrick J. Wong)
xfs_repair: update ondisk parent pointer records (Darrick J. Wong)
xfs_spaceman: report directory tree corruption in the health information (Darrick J. Wong)
xfsprogs: support vectored scrub (Darrick J. Wong)
man: document vectored scrub mode (Darrick J. Wong)
man2: update ioctl_xfs_scrub_metadata.2 for parent pointers (Darrick J. Wong)
mkfs: enable formatting with parent pointers (Allison Henderson)
mkfs: Add parent pointers during protofile creation (Allison Henderson)
xfs_repair: check parent pointers (Darrick J. Wong)
xfs_db: compute hashes of parent pointers (Darrick J. Wong)
xfs_db: add link and unlink expert commands (Darrick J. Wong)
xfs_repair: build a parent pointer index (Darrick J. Wong)
xfs_db: add a parents command to list the parents of a file (Darrick J. Wong)
xfs_db: obfuscate dirent and parent pointer names consistently (Darrick J. Wong)
xfs_db: report parent pointers embedded in xattrs (Darrick J. Wong)
xfs_db: report parent bit on xattrs (Darrick J. Wong)
xfs_db: report parent pointers in version command (Darrick J. Wong)
xfs_scrub: use parent pointers to report lost file data (Darrick J. Wong)
xfs_scrub: use parent pointers when possible to report file operations (Darrick J. Wong)
xfs_logprint: decode parent pointers in ATTRI items fully (Allison Henderson)
xfs_io: Add i, n and f flags to parent command (Allison Henderson)
xfs_io: adapt parent command to new parent pointer ioctls (Darrick J. Wong)
libfrog: report parent pointers to userspace (Darrick J. Wong)
libfrog: add parent pointer support code (Darrick J. Wong)
man: document the XFS_IOC_GETPARENTS ioctl (Darrick J. Wong)
xfs_logprint: dump new attr log item fields (Darrick J. Wong)
xfs_scrub_all: failure reporting for the xfs_scrub_all job (Darrick J. Wong)
xfs_repair: check free space requirements before allowing upgrades (Darrick J. Wong)
xfs_scrub_all: convert systemctl calls to dbus (Darrick J. Wong)
xfs_scrub_all: trigger automatic media scans once per month (Darrick J. Wong)
xfs_scrub: add an optimization-only mode (Darrick J. Wong)
xfs_scrub_all: add CLI option for easier debugging (Darrick J. Wong)
xfs_scrub_all: enable periodic file data scrubs automatically (Darrick J. Wong)
xfs_scrub: automatic downgrades to dry-run mode in service mode (Darrick J. Wong)
xfs_scrub_all: support metadata+media scans of all filesystems (Darrick J. Wong)
xfs_scrub_all: fail fast on masked units (Darrick J. Wong)
xfs_scrub_all: remove journalctl background process (Darrick J. Wong)
xfs_scrub_all: only use the xfs_scrub@ systemd services in service mode (Darrick J. Wong)
xfs_scrub: tune fstrim minlen parameter based on free space histograms (Darrick J. Wong)
xfs_scrub: improve responsiveness while trimming the filesystem (Darrick J. Wong)
xfs_scrub: tighten up the security on the background systemd service (Darrick J. Wong)
xfs_scrub: don't call FITRIM after runtime errors (Darrick J. Wong)
xfs_scrub: use dynamic users when running as a systemd service (Darrick J. Wong)
xfs_scrub: report FITRIM errors properly (Darrick J. Wong)
xfs_scrub.service: reduce background CPU usage to less than one core if possible (Darrick J. Wong)
xfs_scrub: don't close stdout when closing the progress bar (Darrick J. Wong)
xfs_scrub: fix the work estimation for phase 8 (Darrick J. Wong)
libfrog: print cdf of free space buckets (Darrick J. Wong)
libfrog: print wider columns for free space histogram (Darrick J. Wong)
xfs_scrub: ignore phase 8 if the user disabled fstrim (Darrick J. Wong)
xfs_scrub: move FITRIM to phase 8 (Darrick J. Wong)
xfs_scrub: improve thread scheduling repair items during phase 4 (Darrick J. Wong)
xfs_scrub: avoid potential UAF after freeing a duplicate name entry (Darrick J. Wong)
xfs_scrub: enable users to bump information messages to warnings (Darrick J. Wong)
xfs_scrub: retry incomplete repairs (Darrick J. Wong)
xfs_scrub: warn about difficult repairs to rt and quota metadata (Darrick J. Wong)
xfs_scrub: any inconsistency in metadata should trigger difficulty warnings (Darrick J. Wong)
mkfs: add a formatting option for exchange-range (Darrick J. Wong)
xfs_repair: add exchange-range to file systems (Darrick J. Wong)
xfs_scrub: fix missing scrub coverage for broken inodes (Darrick J. Wong)
xfs_scrub: log when a repair was unnecessary (Darrick J. Wong)
libfrog: advertise exchange-range support (Darrick J. Wong)
xfs_io: create exchangerange command to test file range exchange ioctl (Darrick J. Wong)
xfs_fsr: skip the xattr/forkoff levering with the newer swapext implementations (Darrick J. Wong)
xfs_fsr: convert to bulkstat v5 ioctls (Darrick J. Wong)
xfs_logprint: support dumping exchmaps log items (Darrick J. Wong)
xfs_db: advertise exchange-range in the version command (Darrick J. Wong)
libfrog: add support for exchange range ioctl family (Darrick J. Wong)
libhandle: add support for bulkstat v5 (Darrick J. Wong)
man: document XFS_FSOP_GEOM_FLAGS_EXCHRANGE (Darrick J. Wong)
man: document the exchange-range ioctl (Darrick J. Wong)
xfs_repair: don't crash on -vv (Darrick J. Wong)
xfsprogs: Remove support for split-/usr installs (Chris Hofstaedtler)
libxfs: kernel sync (Darrick J. Wong)
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 28 Nov 2024 11:49:05 +0000 (12:49 +0100)]
vim: Update to version 9.1.0886
- Update from version 9.1 to 9.1.0886
- vim-9.1 came out at start of 2024. Since then patches fixing various bugs have been
committed into the vim git repository - nearly 900 patches. It looks like vim intends
to only infrequently do normal version updates but to issue tagged versions for
each patch fix. This release has patch 9.1.0886 and today's version (2024-11-28) is
9.1.0891
- hardening patch was re-created with this latest patch.
- Update of rootfile
- Changelog is basically the commits from the github repo.
https://github.com/vim/vim/commits/v9.1.0886
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 28 Nov 2024 11:49:03 +0000 (12:49 +0100)]
usbutils: Update to version 018
- Update from version 017 to 018
- Update of rootfile
- meson is now the only build method
- Changelog
018
Add a manpage for lsusb.py
Add lsusb.py.1 to DISTCLEANFILES
Add a manpage for usbreset
usb-devices: fix bashism
autogen.sh: use valid email for 2024 copyright
README: list libudev as a requirement
meson: bump to libusb-1.0.22, reinstate libusb_set_option()
meson: set project details
meson: always include config.h first, use -include
meson: add compiler warnings to the build
meson: add all* CFLAGS from travis-autogen.sh
meson: temporary disable extra noisy warning
man: remove version from the manual pages
lsusb.py: remove inline lsusb-VERSION.py note
lsusb.py: remove @DATADIR@ instance
README: add Contributing section
lsusb.py: mention both usb.ids paths
Rename .in files to their final state
Update .gitignore files
meson: convert Wswitch-enum to Wswitch and enable
meson: enable commented out warnings
meson: add a bunch more warnings to the mix
travis: remove travis-ci files
ci: add build ci (Alpine) based on kmod's
ci: add Arch permutation
ci: add Debian permutation
ci: add Fedora permutation
ci: add Ubuntu permutation
ci: add codeql (static analysis) based on main.yml
ci: add SPDX copyright/licence identifiers
README: fix link, add DCO and SPDX details
lsusb: make internal API const-aware
lsusb: const annotate most data, re-enable -Wdiscarded-qualifiers
ci: run monthly checks by dependabot
meson: fold usbhid-dump/meson.build in
.gitmodules: remove no longer needed file
ci: add/update the final SPDX identifiers
man: move manual pages in designated sub-folder
ci: add reuse lint stage
lsusb: drop the audioterminal hash table
lsusb: drop the videoterminal hash table
lsusb: drop the genericstrtable hash tables
meson: re-enable some warnings
editorconfig: add initial config file
.clang-format: import from Linux kernel as of v6.11.-rc6
.clang-format: update for_each pattern and list
ci: add clang-format action
clang-format: bump column limit to 120
ci: directly use archlinux:multilib-devel
ci: drop the mkdir && cd dance
ci: add clang permutation, for 64bit only
lsusb: reformat and add trailing commas for multi-line arrays
usb-spec: move the opening curly brackets to end of line
ci: add codespell action, fix all typos
Include "negotiated speed" in device dump
lsusb: remove autotools checks for iconv
lsusb: remove byteswap.h check
lsusb: always include config.h
usbutils: remove usbutils.pc
usbutils: convert build system to use meson
usbutils.spdx: update file based on recent file movements
lsusb: fix memory leak in libusb
lsusb: billboard alternate mode is in little endian format
README: update based on build tool changes
lsusb: add support to show superspeed++
usbhid-dump: clean up meson.build a bit
justfile: add one
meson: disable -Wswitch-enum
usbutils.spdx: update the SPDX file
README.md: update the SPDX wording a bit
README.md: add the linux-usb mailing list to the README.
LICENSE: add LGPL-2.1 license text
usbutils.spdx: update the data
update usbutils.spdx file
editorconfig: make the line length 120
clang-format: add proper copyright information
clang-format: fix SPDX license
lsusb-t: get rid of custom list.h logic
LICENSES: add CC0 and MIT licenses
lsusb-t: fix memory leak
justfile: add some more targets
usbutils.spdx: update based on file additions
usbutils.spdx: update due to new file and checksums
usbreset: replace some unbounded strcpy() calls
sysfs.c: fix a theoretical issue with snprintf()
usbutils.spdx: update checksums
usbmisc: fix possible stack-buffer-overflow. Running lsusb with -D argument and
path, which len is more than PATH_MAX + 1, cause stack-buffer-overflow because
of copy to the buf a string without null-terminator. Force setting 0 byte to
the end of the buf fixes this error. Fix #190
update ccid descriptor dumping to V1.1 spec
V1.1 is actually V1.10..
remove one space
usb-devices: Fix usb-devices with busybox
Do not warn about missing LPM bit when not required
lsusb: add VideoControl Endpoint Descriptor
ci: bump github/codeql-action in the all-actions group
ci: bump the all-actions group with 2 updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 28 Nov 2024 11:49:01 +0000 (12:49 +0100)]
chkconfig: Update to version 1.30
- Update from version 1.5 (2015) to 1.30 (Aug 2024)
- Fedora now have a github site for chkconfig which has had releases since 2023
- Update of rootfile not required
- Changelog
1.30
ostree: move admindir to /etc/alternatives.admindir by @vrothberg in #135
1.29
Translations update from Fedora Weblate by @weblate in #133
Avoid possible leaks in readConfig() by @dtardon in #128
fix issues found by static analyzers by @lnykryn in #125
Mkosi by @lnykryn in #127
1.28
test: return failures from the test suite by @lnykryn in #130
Prepare for bin-sbin merge by @jamacku in #131
1.27
Translations update from Fedora Weblate by @weblate in #124
Alternatives: Fix issues found by static analyzers by @lnykryn in #126
1.26
build(deps): bump actions/checkout from 3 to 4 by @dependabot in #113
Translations update from Fedora Weblate by @weblate in #114
build(deps): bump redhat-plumbers-in-action/differential-shellcheck from 4 to 5 by @dependabot in #115
Fix systemdActive() by @marcosfrm in #117
build(deps): bump github/codeql-action from 2 to 3 by @dependabot in #119
build(deps): bump actions/upload-artifact from 3 to 4 by @dependabot in #120
Translations update from Fedora Weblate by @weblate in #121
Add support for running using tmt by @jamacku in #123
1.25
Translations update from Fedora Weblate by @weblate in #110
Translations update from Fedora Weblate by @weblate in #111
alternatives: fix possible buffer overrun by @lnykryn in #112
1.24
Revert recent rpmautospec and Packit changes by @jamacku in #107
Fix way how we generate next version by @jamacku in #108
1.23
Remove changelog and update translations by @jamacku in #100
Translations update from Fedora Weblate by @weblate in #101
Fix --keep-foreign when the target is missing completely by @lnykryn in #104
Translations update from Fedora Weblate by @weblate in #103
Translations update from Fedora Weblate by @weblate in #105
1.22
Fedora release process (Packit, rpmautospec) by @jamacku in #91
releng: Packit remove extra job trigger by @jamacku in #92
Bump redhat-plumbers-in-action/differential-shellcheck from 3 to 4 by @dependabot in #94
test: fix ShellCheck error[SC2070] by @jamacku in #95
Add Locale linter (Weblate) by @jamacku in #98
Translations update from Fedora Weblate by @weblate in #96
migrate to SPDX license by @lzaoral in #99
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:15 +0000 (13:27 +0100)]
sysvinit: Update to version 3.11
- Update from version 3.10 to 3.11
- Update of rootfile not required
- Changelog
3.11
* Some escape characters were included in the inittab manual page, but not
displayed by the "man" command because they were not (ironically)
properly escaped. This has been fixed.
* Enabled chaining commands together in the inittab file. This allows the
admin to run commands like "task1 && task2" or "task2 || task2" from the
inittab file.
* Fix typos in halt manual page. Fixes provided by Bjarni Ingi Gislason.
* Fix typos/markdown in fstab-decode manual page.
Patch provided by Bjarni Ingi Gislason.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:14 +0000 (13:27 +0100)]
sysstat: Update to version 12.7.6
- Update from version 12.7.1 to 12.7.6
- Update of rootfile
- Changelog
12.7.6
* sar/sadf: [A_NET_ETCP]: Rename retrans/s field to retrseg/s
because it was already used in A_NET_NFS report.
* sadf: SVG: Fix oversized SVG canvas height.
* sadf: Don't cap SVG graph output at 100%.
* sadf: A_NET_SOFT: Don't display graphs for offline CPU.
* sadf: SVG: Don't ignore other views when one has to be skipped.
* sadf: Make sure structures will be allocated for every installed
CPU.
* sadf: Define MIN_CANVAS_HEIGHT constant.
* sar: Display min/max values only when available.
* Define macros for CPU manipulation.
* SREALLOC() macro: Make sure size is not zero.
* Fix a warning given by gcc v13 with -fanalyzer option.
* [Eli Schwartz]: configure.ac: fix erroneous bashisms.
* sar manual page updated.
* DTD and XSD documents updated.
* Year updated in copyright messages.
* Other cosmetic changes in code.
* FAQ and README files updated.
* Non regression tests updated. New tests added.
12.7.5
* [Quan quan Cao]: sar/sadc: Add new metrics pgprom/s and pgdem/s.
* sar: Remove %vmeff metric.
* sadf: Update various output formats to take into account metrics
that have been added or removed.
* Update DTD and XSD documents.
* Update sar manual page.
* sar: Add a cron entry and a new systemd service and timer to rotate
daily data file at midnight.
* Option -V with sysstat commands also displays environment contents.
* [Sam Morris]: Use correct encoding to produce hyphen-minus when
rendering man pages.
* Add UMASK variable definition to sysstat(5) manual page.
* Update non regression tests.
* Add --getenv option to commands that didn't have it.
* Update README file for Debian-based distros.
* Update link to my personal web page in README and manual pages.
* NLS: Translations updated.
12.7.4
* Makefile.in: Fix installation error.
* Makefile.in: Remove gcc warning displayed in LTO mode.
12.7.3
* sar: Add new option '-x' used to display extended reports.
* [Pavel Kopylov]: Fix an overflow which is still possible for
some values.
* [Jan Kurik]: Fix export of PSI metrics to a PCP archive.
* [Lukáš Zaoral]: Tools that take `--dec=X` option should only accept
digits.
* common.c: Fix an overflow which was still possible for some values.
* iostat: Try to avoid displaying negative values.
* Free pointer if realloc() fails.
* Don't check if unsigned expressions are less than zero.
* Declare parameters with "const" when possible.
* Remove conditions which are always true.
* Reduce variables scope when relevant.
* Don't assign values that are never used.
* Fix types used in format strings.
* Split large functions into smaller ones.
* Specify field width when using sscanf() function.
* search_list_item(): Return position in list instead of a boolean.
* add_list_item(): Also return item position in list.
* svg_stats.c: Ignore negative values for fields position.
* svg_stats.c: Reuse buffers pointers definition.
* svg_stats.c: Reuse intermediate calculations.
* svg_stats.c: Don't repeat test on DISPLAY_CPU_DEF().
* sa_common.c: Don't use (void *) pointer in calculation.
* iostat.c: Clarify calculation precedence for '+' and '?'.
* sar/sadf: Refactor buffer allocation functions.
* sar/sadf: Add a check on file's records header data.
* sar/sadf: Stop when invalid data are read in records header.
* sar/sadf: Check upper bounds of value read from file.
* sadf_misc.c: Fix indentation in code.
* activity.c: Init item_list even for other commands than sadf.
* sa_conv.c: Reallocate buffers only when needed.
* sa_conv.c: Fix untrusted allocation size.
* pr_stats.c: Remove some dead code.
* sar.c: Make sure buffer is null terminated.
* do_test: Add several new options.
* do_test: Don't strip binaries when in TEST mode.
* Update non regression tests.
* simtest: Change default _unix_time value.
* Makefile.in: Simplify dependencies.
* Makefile_in: Small update made to copyyear target.
* sadf: XML: Update DTD and XSD documents.
* sadf: XML: Remove references to my personal web site.
* Restore mode for iconfig file.
* Fix typo in sar's manual page. Sar manual page updated.
* Other manual pages updated.
12.7.2
* All commands: Avoid displaying healthy metrics values in "red".
* sar/sadf: Add new activity: Battery statistics (A_PWR_BAT).
* [Kevin Stubbings]: Add CodeQL workflow.
* sar: Make sure timestamps are always displayed in local time.
* sar/sadf: Starting and ending times used with options -s/-e can now
be entered as a number of seconds since the epoch.
* sar/sadf: Strengthen tests made on arguments given to options -s/-e.
* sadf: PCP: Fix pmiID used for two USB metrics [12.6.2].
* [Nathanael P Wilson]: sadf: Fix extra space when no TZ printed.
* sadc: Add another overflow check [12.6.2].
* DTD and XSD documents updated.
* Makefile: Fix dependencies.
* NLS translations updated. New Belarusian translation added.
* Remove LGTM links from README file.
* Manual pages updated.
* Non regression tests updated.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:13 +0000 (13:27 +0100)]
swig: Update to version 4.3.0
- Update from version 4.1.0 to 4.3.0
- Update of rootfile
- Changelog
4.3.0
- Add experimental support for C as a target language.
- MzScheme/Racket is deprecated and planned for removal in SWIG-4.4.
- The distributed Windows binary is now a 64-bit executable.
- Add some missing use of move semantics for performance improvements.
- Enhanced handling of namespaces when using the nspace feature.
- STL wrapper enhancements for std::unique_ptr, std::string_view,
std::filesystem.
- Various enum and enum class wrapping improvements.
- Other C++ handling improvements around templates, friends, C++11
trailing return types and C++17 fold expressions.
- Many parser improvements for both C and C++, especially expressions.
- Improvements to handling of string and character literals.
- Minor preprocessor fixes.
- Python: Stricter stable ABI conformance, add support for python-3.13.
- C#: Add support for converting Doxygen comments into XML C# comments.
- Various other target language specific enhancements and updates for
Java, Javascript, Lua, MzScheme, Ocaml, Octave, Perl, Python, R, Ruby.
4.2.1
- Tcl 9.0 support.
- Octave 9.0 support.
- Improvements wrapping friend functions.
- Variadic templated functions within a template support.
- Type deduction enhancements.
- Stability and regression fixes.
4.2.0
- Various template wrapping improvements: template template parameters,
variadic templates, partially specialized templates, const template
parameters and improved error checking instantiating templates.
- Improved decltype() support for expressions.
- C++14 auto without trailing return type and C++11 auto variables.
- Numerous C++ using declarations improvements.
- Numerous fixes for constructors, destructors and assignment operators:
implicit, default and deleted and related non-assignable variable
wrappers.
- STL: std::array and std::map improvements, std::string_view support
added.
- Various C preprocessor improvements.
- Various issues fixed to do with architecture specific long type.
- Various Doxygen improvements.
- D1/Tango support removed. D2/Phobos is now the supported D version
and SWIG now generates code which works with recent D2 releases.
- New Javascript generator targeting Node.js binary stable ABI Node-API.
- Octave 8.1 support added.
- PHP7 support removed, PHP8 is now the supported PHP version.
- Python STL container wrappers now use the Python Iterator Protocol.
- Python stable ABI support added.
- Python 3.12 support added.
- Ruby 3.2 and 3.3 support.
- Scilab 2023.* support added.
- Various minor enhancements for C#, Go, Guile, Javascript, Lua, Ocaml,
Perl, PHP, R, Racket, Ruby, Scilab and Tcl.
- A number of deprecated features have been removed.
4.1.1
- Couple of stability fixes.
- Stability fix in ccache-swig when calculating hashes of inputs.
- Some template handling improvements.
- R - minor fixes plus deprecation for rtypecheck typemaps being optional.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:12 +0000 (13:27 +0100)]
sshfs: Update to version 3.7.3
- Update from version 3.7.2 to 3.7.3 (May 2022)
- Update of rootfile not required
- Changelog
3.7.3
* Minor bugfixes.
* This is the last release from the current maintainer. SSHFS is now no longer
maintained or developed. Github issue tracking and pull requests have
therefore been disabled. The mailing list (see below) is still available for
use.
If you would like to take over this project, you are welcome to do so. Please
fork it and develop the fork for a while. Once there has been 6 months of reasonable
activity, please contact Nikolaus@rath.org and I'll be happy to give you
ownership of this repository or replace with a pointer to the fork.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:11 +0000 (13:27 +0100)]
screen: Update to version 5.0.0
- Update from version 4.9.1 to 5.0.0
- Update of rootfile
- Changelog
5.0.0
* Rewritten authentication mechanism
* Add escape %T to show current tty for window
* Add escape %O to show number of currently open windows
* Use wcwidth() instead of UTF-8 hard-coded tables
* New commands:
- auth [on|off]
Provides password protection
- status [top|up|down|bottom] [left|right]
The status window by default is in bottom-left corner.
This command can move status messages to any corner of the screen.
- truecolor [on|off]
- multiinput
Input to multiple windows at the same time
* Removed commands:
- time
- debug
- password
- maxwin
- nethack
* Fixes:
- Screen buffers ESC keypresses indefinitely
- Crashes after passing through a zmodem transfer
- Fix double -U issue
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:10 +0000 (13:27 +0100)]
ruby: Update to version 3.3.6
- Update from version 3.3.4 to 3.3.6
- Update of rootfile
- Changelog
3.3.6
Merge JSON 2.7.2 for Ruby 3.3 by hsbt · Pull Request #11541
Merge reline-0.5.10 by hsbt · Pull Request #11558
Bug #20718: Objects created with Data_Make_Struct and the default free function are not freed
Bug #20737: Accidentally changed warning target on Ruby 3.3
Bug #20723: IO#close is broken on Ruby 3.3+ when using the Fiber scheduler.
Use PRIuSIZE instead of %zu for size_t by nobu · Pull Request #9359
Bump REXML to 3.3.9 for Ruby 3.3 by ajmyers01 · Pull Request #11972
Bug #13831: error when try to install
Bug #20777: 3.3: RUBY_DESCRIPTION is corrupt when --yjit and --parser=prism
Bug #20704: Windows: -C option does not work for multibyte path name
Bug #20719: Float converts ASCII-incompatible string
Bug #20752: IO::Buffer#slice creates mutable IO::Buffer instance that points to readonly memory (e.g. frozen String)
Bug #20755: IO::Buffer#transfer transfers mutable reference to String's memory but not lock ownership
Bug #20716: Different instance_method behavior in Ruby 2.7 and Ruby 3.x
Bug #20853: Hash key retrieval after Process.warmup
3.3.5
retry on cancelling of getaddrinfo by ko1 · Pull Request #11131
Bug #20633: compile error at vm_insnhelper.c when HAVE_DECL_ATOMIC_SIGNAL_FENCE is 0
Bug #20641: lib/bundled_gems.rb makes Kernel.require over 100x slower
Bug #20650: Memory leak in Regexp capture group when timeout
Bug #20088: Ruby 3.3.0 does not cross-compile on arm64-darwin
Bug #20653: Memory leak in String#start_with? when regexp times out
Bug #20654: Floor and ceil have unexpected behaviour when ndigits is large
Update RubyGems 3.5.16 and Bundler 2.5.16 for Ruby 3.3 by hsbt · Pull Request #11252
Bug #20668: [3.3] shareable_constant_value: literal crash
Backport warning feature for bundled gems from master by hsbt · Pull Request #11420
Bug #20688: Use-after-free in WeakMap and WeakKeyMap
Bug #20691: Use-after-free in WeakKeyMap#clear
Merge URI-0.13.1 for Ruby 3.3 by hsbt · Pull Request #11466
Bug #20667: Backport REXML CVE fixes
Bug #20651: false && (1 in 1) produces argument stack underflow (-1)
Bug #20649: Ripper fails to tokenize def f; (x)::A =
Bug #20344: argument stack underflow (-1)
Bug #20701: Hash argument passed as keyword splat can be mutated inside method
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:09 +0000 (13:27 +0100)]
qpdf: Update to version 11.9.1
- Update from version 11.9.0 to 11.9.1
- Update of rootfile
- Changelog
11.9.1
* Rewrite a recursive function to be iterative in linearization to
enable more complex files to be linearized, especially on Windows.
* Avoid non-standard use of `std::basic_string_view`. Contribution
from Zoe Clifford.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:08 +0000 (13:27 +0100)]
pciutils: Update to version 3.13.0
- Update from version 3.11.1 to 3.13.0
- Update of rootfile
- Changelog
3.13.0
* lspci decodes CXL 1.1 device link status information.
This requires a recent kernel which exports rcd_* attributes via
sysfs.
* Further development of the pcilmr (the link margining utility)
* Dump parsing supports 6-digit domain numbers.
* Bug fixes in PCIe link state reporting.
* Decode more fields in PCIe AER capability.
* Fixed build on Linux systems with musl libc.
* Updated pci.ids.
3.12.0
* lspci decodes the IDE (Integrity & Data Encryption) and TEE-IO
extended capabilities.
* Several bugs in back-ends for Windows were fixed and the
README.Windows updated.
* Fixed building on Haiku.
* We now use more C99 features.
* Optimization flags used for compiling individual object files
should be the same as optimization flags for linking the final
executable to make link-time optimization possible.
* We no longer look up subsystems in the HWDB, because there is
no API for querying only the subsystem. The lookup we used
previously returned a device name if there was no entry for
the particular subsystem.
* Updated pci.ids.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sun, 24 Nov 2024 12:27:06 +0000 (13:27 +0100)]
pam: Update to version 1.7.0
- Update from version 1.6.1 to 1.7.0
- Update of rootfile
- pam is now only built via meson. Therefore meson and ninja had to be moved to before
pam. This required python3 and python3-setuptools, expat, libffi, gdbm & sqlite to
also be moved before meson to ensure build was successful and that the python3
rootfile had all the required python files included.
- Changelog
1.7.0
* build: changed build system from autotools to meson.
* libpam_misc: use ECHOCTL in the terminal input
* pam_access: support UID and GID in access.conf
* pam_env: install environment file in vendordir if vendordir is enabled
* pam_issue: only count class user if logind support is enabled
* pam_limits: use systemd-logind instead of utmp if logind support is enabled
* pam_unix: compare password hashes in constant time
* Multiple minor bug fixes, build fixes, portability fixes,
documentation improvements, and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 22 Nov 2024 15:06:50 +0000 (16:06 +0100)]
tshark: Update to version 4.4.2
- Update from version 4.4.1 to 4.4.2
- Update of rootfile
- Changelog
4.4.2
vulnerabilities fixed:
wnpa-sec-2024-14 FiveCo RAP dissector infinite loop. Issue 20176.
wnpa-sec-2024-15 ECMP dissector crash. Issue 20214.
bugs fixed:
CIP I/O is not detected by "enip" filter anymore. Issue 19517.
Fuzz job issue: fuzz-2024-09-03-7550.pcap. Issue 20041.
OSS-Fuzz 71476: wireshark:fuzzshark_ip_proto-udp: Index-out-of-bounds in
DOFObjectID_Create_Unmarshal. Issue 20065.
JA4_c hashes an empty field to e3b0c44298fc when it should be 000000000000.
Issue 20066.
Opening Wireshark 4.4.0 on macOS 15.0 disconnects iPhone Mirroring.
Issue 20082.
PTP analysis loses track of message associations in case of sequence
number resets. Issue 20099.
USB CCID: response packet in case SetParameters command is unsupported is
flagged as malformed. Issue 20107.
dumpcap crashes when run from TShark with a capture filter. Issue 20108.
SRT dissector: The StreamID (SID) in the handshake extension is displayed
without regarding the control characters and with NUL as terminating.
Issue 20113.
Ghost error message on POP3 packets. Issue 20124.
Building against c-ares 1.34 fails. Issue 20125.
D-Bus is not optional anymore. Issue 20126.
macOS Intel DMGs aren’t fully notarized. Issue 20129.
Incorrect name for MLD Capabilities and Operations Present flag in
dissection of MLD Capabilities for MLO wifi-7 capture. Issue 20134.
CQL Malformed Packet v4 S → C Type RESULT: Prepared[Malformed Packet]
Issue 20142.
Wi-Fi: 256 Block Ack (BA) is not parsed properly. Issue 20156.
BACnet ReadPropertyMultiple request Maximum allowed recursion depth
reached. Issue 20159.
Statistics→I/O Graph crashes when using simple moving average. Issue 20163.
HTTP2 body decompression fails on DATA with a single padded frame.
Issue 20167.
Compiler warning for ui/tap-rtp-common.c (ignoring return value) Issue 20169.
SIP dissector bug due to "be-route" param in VIA header. Issue 20173.
Coredump after trying to open 'Follow TCP stream' Issue 20174.
Protobuf JSON mapping error. Issue 20182.
Display filter "!stp.pvst.origvlan in { vlan.id }" causes a crash
(Version 4.4.1) Issue 20183.
Extcap plugins shipped with Wireshark Portable are not found in version
4.4.1. Issue 20184.
IEEE 802.11be: Wrong regulatory info in HE Operation IE in Beacon frame.
Issue 20187.
Wireshark 4.4.1 does not decode RTCP packets. Issue 20188.
Qt: Display filter sub-menu can only be opened on the triangle, not the
full name. Issue 20190.
Qt: Changing the display filter does not update the Conversations or
Endpoints dialogs. Issue 20191.
MODBUS Dissector bug. Issue 20192.
Modbus dissector bug - Field Occurrence and Layer Operator modbus.bitval
field. Issue 20193.
Wireshark crashes when a field is dragged from packet details towards the
find input. Issue 20204.
Lua DissectorTable("") : set ("10,11") unexpected behavior in locales with
comma as decimal separator. Issue 20216.
The TCP dissector no longer falls back to using the client port as a
criterion for selecting a payload dissector when the server port does not
select a payload dissector (except for port 20, active FTP). This
behavior can be changed using the "Client port dissectors" preference.
Display filters now correctly handle floating point conversion errors.
The Lua API now has better support for comma-separated ranges in different
locales.
New and Updated Features
The TShark syntax for dumping only fields with a certain prefix has
changed from -G fields prefix to -G fields,prefix. This allows tshark -G
fields to again support also specifying the configuration profile to use.
Updated Protocol Support
ARTNET, ASN.1 PER, BACapp, BT BR/EDR, CQL, DOF, ECMP, ENIP, FiveCo RAP,
Frame, FTDI FT, HSRP, HTTP/2, ICMPv6, IEEE 802.11, MBTCP, MMS,
MPEG PES, PN-DCP, POP, ProtoBuf, PTP, RPC, RTCP, SIP, SRT, Syslog,
TCP, UMTS RLC, USB CCID, Wi-SUN, and ZigBee ZCL
New and Updated Capture File Support
BLF
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 20 Nov 2024 21:49:09 +0000 (22:49 +0100)]
openssl: Update to version 3.4.0
- Update from version 3.3.2 to 3.4.0
- Update of rootfile
- Changelog
3.4.0
This release incorporates the following potentially significant or incompatible
changes:
* Deprecation of TS_VERIFY_CTX_set_* functions and addition of replacement
TS_VERIFY_CTX_set0_* functions with improved semantics
* Redesigned use of OPENSSLDIR/ENGINESDIR/MODULESDIR on Windows such that
what were formerly build time locations can now be defined at run time
with registry keys
* The X25519 and X448 key exchange implementation in the FIPS provider
is unapproved and has `fips=no` property.
* SHAKE-128 and SHAKE-256 implementations have no default digest length
anymore. That means these algorithms cannot be used with
EVP_DigestFinal/_ex() unless the `xoflen` param is set before.
* Setting `config_diagnostics=1` in the config file will cause errors to
be returned from SSL_CTX_new() and SSL_CTX_new_ex() if there is an error
in the ssl module configuration.
* An empty renegotiate extension will be used in TLS client hellos instead
of the empty renegotiation SCSV, for all connections with a minimum TLS
version > 1.0.
* Deprecation of SSL_SESSION_get_time(), SSL_SESSION_set_time() and
SSL_CTX_flush_sessions() functions in favor of their respective `_ex`
functions which are Y2038-safe on platforms with Y2038-safe `time_t`
This release adds the following new features:
* Support for directly fetched composite signature algorithms such as
RSA-SHA2-256 including new API functions
* FIPS indicators support in the FIPS provider and various updates of the FIPS
provider required for future FIPS 140-3 validations
* Implementation of RFC 9579 (PBMAC1) in PKCS#12
* An optional additional random seed source RNG `JITTER` using a statically
linked jitterentropy library
* New options `-not_before` and `-not_after` for explicit setting start and
end dates of certificates created with the `req` and `x509` apps
* Support for integrity-only cipher suites TLS_SHA256_SHA256 and
TLS_SHA384_SHA384 in TLS 1.3, as defined in RFC 9150
* Support for requesting CRL in CMP
* Support for additional X.509v3 extensions related to Attribute Certificates
* Initial Attribute Certificate (RFC 5755) support
* Possibility to customize ECC groups initialization to use precomputed values
to save CPU time and use of this feature by the P-256 implementation
3.3.3
security patch release.
The most severe CVE fixed in this release is Low.
This release incorporates the following bug fixes and mitigations:
* Fixed possible OOB memory access with invalid low-level GF(2^m) elliptic
curve parameters.
([CVE-2024-9143])
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 20 Nov 2024 21:49:08 +0000 (22:49 +0100)]
openldap: Update to version 2.6.8
- Update from version 2.6.5 to 2.6.8
- Update of rootfile
- Replacement of previous 2.6.5-consolidated patch with 2.6.8-consolidated patch
- Changelog
2.6.8
Fixed libldap exit handling with OpenSSL3 again (ITS#9952)
Fixed libldap OpenSSL channel binding digest (ITS#10216)
Fixed slapd handling of large uid/gids peercred auth (ITS#10211)
Fixed slapd-asyncmeta/meta target structure allocations (ITS#10197)
Fixed slapd-meta with dynlist (ITS#10164)
Fixed slapd-meta binds when proxying internal op (ITS#10165)
Added slapo-nestgroup overlay (ITS#10161)
Added slapo-memberof 'addcheck' option (ITS#10167)
Fixed slapo-accesslog startup initialization (ITS#10170)
Fixed slapo-constraint double free on invalid attr (ITS#10204)
Fixed slapo-dynlist with abandoned operations (ITS#10044)
Build
Fixed build with gcc14.x (ITS#10166)
Fixed back-perl with clang15 (ITS#10177)
Fixed to reduce systemd dependencies (ITS#10214)
Contrib
Added slapo-alias contrib module (ITS#10104, ITS#10182)
Fixed slapo-autogroup to work with slapo-dynlist (ITS#10185)
Fixed smbk5pwd implicit function declaration (ITS#10206)
Documentation
Fixed slapo-memberof exattr requirements (ITS#7400)
Fixed slapo-memberof is no longer deprecated (ITS#7400)
Minor Cleanup
ITS#9921
ITS#10103
ITS#10171
ITS#10172
ITS#10173
ITS#10179
ITS#10183
ITS#10186
ITS#10188
ITS#10193
ITS#10209
2.6.7
Added slapo-dynlist option to disable filter support (ITS#10025)
Fixed liblber missing newline on long msg (ITS#10105)
Fixed libldap exit handling with OpenSSL3 (ITS#9952)
Fixed libldap with TLS and multiple ldap URIs (ITS#10101)
Fixed libldap OpenSSL cipher suite handling (ITS#10094)
Fixed libldap OpenSSL 3.0 and Diffie-Hellman param files (ITS#10124)
Fixed libldap timestamps on Windows (ITS#10100)
Fixed lloadd to work when resolv.conf is missing (ITS#10070)
Fixed lloadd handling of closing connection (ITS#10083)
Fixed lloadd tiers to be correctly linked on startup (ITS#10142)
Fixed slapd to honour disclose in matchedDN handling (ITS#10139)
Fixed slapd handling of regex testing in ACLs (ITS#10089)
Fixed slapd sync replication with glued database (ITS#10080)
Fixed slapd local logging on Windows (ITS#10092)
Fixed slapd-asyncmeta when remote suffix is empty (ITS#10076)
Fixed slapo-dynlist so it can't be global (ITS#10091)
Build
Fixed lloadd type mismatches (ITS#10074)
Fixed builds for Windows (ITS#10117)
Fixed build with clang16 (ITS#10123)
Documentation
Fixed slapo-homedir(5) attribute name for olcHomedirArchivePath (ITS#10057)
Minor Cleanup
ITS#10059
ITS#10068
ITS#10098
ITS#10109
ITS#10110
ITS#10129
ITS#10130
ITS#10135
ITS#10143
ITS#10144
ITS#10145
ITS#10153
2.6.6
Fixed slapd cn=config incorrect handling of paused (ITS#10045)
Fixed slapd-meta to account for MOD ops being optional (ITS#10067)
Fixed slapd-asyncmeta to account for MOD ops being optional (ITS#10067)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 20 Nov 2024 21:49:07 +0000 (22:49 +0100)]
oath-toolkit: Update to version 2.6.12
- Update from version 2.6.11 to 2.6.12
- Update of rootfile not required
- Changelog
2.6.12
** pam_oath: Drop privs when ${HOME} is used in the usersfile= setting.
Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191.
See <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43>.
Security bug triggered by new feature in pam_oath v2.6.7 released on
2021-05-01 with the USER/HOME placeholder strings, see
<https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12>.
Quoting a writeup in an alternate patch by Matthias Gerstner (SUSE):
With the addition of the possibility to place a usersfile also into a
user's home directory via variable expansion of ${HOME} and ${USER} in
the `usersfile=` path specification, security issues sneaked in. The
PAM process usually runs with root privileges. The file operations in
an unprivileged user's home directory follow symlinks both when
reading and creating files, allowing for a potential local root
exploit, because of the `fchown()` performed on the newly created
usersfile.
We drop privileges to the user that is being logged into, assuming it
has the necessary permissions for the usersfile belonging in their
home directory. This restricts the ability for non-root users to
affect files beyond their control via liboath.
** liboath: Don't follow symbolic links for usersfile updates.
Reported by Fabian Vogt (SUSE), and associated with CVE-2024-47191.
See <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/43>.
Security bug triggered by new feature in pam_oath v2.6.7 released on
2021-05-01 with the USER/HOME placeholder strings, see
<https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/12>.
The fix is to open files for writing in exclusive mode (i.e., fail if
the file exists including if it is a symbolic link).
We offer a brief self-test to reproduce the problem in
liboath/tests/tst_fopen-wx.c which you may use as follows:
cc -o tst_fopen-wx tst_fopen-wx.c $(pkg-config --libs --cflags liboath)
rm -f cve.oath cve.oath.new cve.sshd-config cve.oath.lock
printf 'HOTP/E/8\tsilver\t4711\t3132333435363738393031323334353637383930313233343536373839303132\n' > cve.oath
echo my-magic-cookie > cve.sshd-config
ln -s cve.sshd-config cve.oath.new
./tst_fopen-wx cve.oath silver 670691 4711
If this is linked with a vulnerable liboath it will print:
FAIL: Liboath VULNERABLE to fopen(wx) bug.
If you link it to a fixed liboath it will print:
PASS: Your liboath is NOT VULNERABLE to fopen(wx) bug.
For convenience, the liboath/tests/tst_fopen-wx.sh script can be used
to setup and invoke tst_fopen-wx.
** We publish a minimal source-only tarball generated by 'git archive'.
This tarball only contains the files stored in version controlled
sources, and no auxiliary files. The source-only tarball may be
reproduced on a Trisquel 11 platform using Git at (or near) version
2.46 from Guix. If something results in the 'git archive' format
changing again, the tarball can only be reproduced using an earlier
system. The git version in AlmaLinux 8, AlmaLinux 9, RockyLinux 8 and
RockyLinux 9 should all produce the same identical 'git archive'
tarball. The git version used on Debian 11, PureOS 10, Trisquel 11
and Ubuntu 22.04 should all produce an identical tarball. These two
'git archive' outputs are not the same, due to how Git works.
** oathtool: Fix test suite on 32-bit big-endian platforms. Fixes: #44.
Patch by Helge Deller and thanks to Jan Zerebecki. See
<https://lists.nongnu.org/archive/html/oath-toolkit-help/2024-04/msg00000.html>
and <https://gitlab.com/oath-toolkit/oath-toolkit/-/issues/44>.
** libpskc: Don't call deprecated xmlMemoryDump.
** libpskc: fix implicit declaration with musl.
See <https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/39>.
** libpskc: Fix linker warning when linked with mold.
Thanks to Jan Palus, see
<https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/30> and
<https://gitlab.com/oath-toolkit/oath-toolkit/-/merge_requests/36> for
regression testing.
** Various build fixes including updated gnulib files.
Fixes Windows tzset build errors, among other things.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
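The exclusive-create fix described in the oath-toolkit 2.6.12 changelog above, shown beside the symlink-following write it replaces. This is an added example, not part of the commit message and not liboath code. The function names, the temporary directory and the file contents are assumptions made for illustration, and open() with O_CREAT|O_EXCL stands in for the exclusive mode the changelog describes.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define COOKIE "my-magic-cookie\n"            /* constructed sample content */
#define RECORD "HOTP/E/8\tsilver\t4711\t00\n" /* constructed usersfile line */

/* Pre-fix pattern: fopen(..., "w") resolves a symlink found at `path`
 * and truncates whatever file it points to. */
static int write_following_links(const char *path, const char *data)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    int rc = (fputs(data, fp) == EOF) ? -1 : 0;
    if (fclose(fp) != 0)
        rc = -1;
    return rc;
}

/* Fixed pattern: exclusive create. With O_CREAT|O_EXCL, open() fails with
 * EEXIST if `path` exists in any form, including as a symbolic link. */
static int write_exclusive(const char *path, const char *data)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1; /* errno is left as set by open() */
    size_t len = strlen(data);
    int rc = (write(fd, data, len) == (ssize_t)len) ? 0 : -1;
    if (close(fd) != 0)
        rc = -1;
    return rc;
}

/* Returns 1 if the file at `path` holds exactly `expect`. */
static int file_equals(const char *path, const char *expect)
{
    char buf[256] = {0};
    FILE *fp = fopen(path, "r");
    if (fp == NULL)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, fp);
    buf[n] = '\0';
    fclose(fp);
    return strcmp(buf, expect) == 0;
}

struct demo_result {
    int setup_ok;         /* 1: temp dir, target file and symlink created */
    int unsafe_rc;        /* 0: write through the symlink succeeded */
    int victim_clobbered; /* 1: the symlink target now holds RECORD */
    int safe_rc;          /* -1: exclusive create was refused */
    int safe_errno;       /* EEXIST */
    int victim_intact;    /* 1: target unchanged by the exclusive attempt */
};

static struct demo_result run_demo(void)
{
    struct demo_result r = {0};
    char dir[] = "/tmp/wx-demo-XXXXXX";
    char victim[128], newfile[128];

    if (mkdtemp(dir) == NULL)
        return r;
    snprintf(victim, sizeof victim, "%s/cve.sshd-config", dir);
    snprintf(newfile, sizeof newfile, "%s/cve.oath.new", dir);

    /* Same layout as the changelog's self-test: the ".new" path is a
     * symlink to a file the writer should never touch. */
    if (write_following_links(victim, COOKIE) != 0 ||
        symlink("cve.sshd-config", newfile) != 0)
        goto out;
    r.setup_ok = 1;

    r.unsafe_rc = write_following_links(newfile, RECORD);
    r.victim_clobbered = file_equals(victim, RECORD);

    write_following_links(victim, COOKIE); /* restore before the second run */
    errno = 0;
    r.safe_rc = write_exclusive(newfile, RECORD);
    r.safe_errno = errno;
    r.victim_intact = file_equals(victim, COOKIE);
out:
    unlink(newfile);
    unlink(victim);
    rmdir(dir);
    return r;
}

int main(void)
{
    struct demo_result r = run_demo();
    printf("follow-links write: rc=%d, target clobbered=%d\n",
           r.unsafe_rc, r.victim_clobbered);
    printf("exclusive write:    rc=%d (%s), target intact=%d\n",
           r.safe_rc, strerror(r.safe_errno), r.victim_intact);
    return r.setup_ok ? 0 : 1;
}
```

Exclusive creation covers only the symlink half of the changelog entry; the privilege drop in pam_oath is a separate change and is not modelled here.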
Adolf Belka [Wed, 20 Nov 2024 21:49:06 +0000 (22:49 +0100)]
meson: Update to version 1.6.0
- Update from version 1.5.1 to 1.6.0
- Update of rootfile
- Changelog is too large to include here.
1.6.0
Support for OpenXL compiler in AIX.
The OpenXL compiler is now supported from Meson 1.6.0 onwards. So currently,
in AIX Operating system we support GCC and openXL compilers for Meson build
system.
Both the compilers will archive shared libraries and generate a shared object
for a shared module while using Meson in AIX.
alias_target of both_libraries
Previously, when passing a both_libs object to alias_target(), the alias
would only point to the shared library. It now points to both the static and
the shared library.
Default to printing deprecations when no minimum version is specified.
For a long time, the project() function has supported specifying the minimum
meson_version: needed by a project. When this is used, deprecated features
from before that version produce warnings, as do features which aren't
available in all supported versions.
When no minimum version was specified, meson didn't warn you even about
deprecated functionality that might go away in an upcoming semver major
release of meson.
Now, meson will treat an unspecified minimum version following semver:
For new features introduced in the current meson semver major cycle
(currently: all features added since 1.0) a warning is printed. Features
that have been available since the initial 1.0 release are assumed to be
widely available.
For features that have been deprecated by any version of meson, a warning
is printed. Since no minimum version was specified, it is assumed that
the project wishes to follow the latest and greatest functionality.
These warnings will overlap for functionality that was both deprecated and
replaced with an alternative in the current release cycle. The combination
means that projects without a minimum version specified are assumed to want
broad compatibility with the current release cycle (1.x).
Projects that specify a minimum meson_version: will continue to only receive
actionable warnings based on their current minimum version.
Cargo subprojects is experimental
Cargo subprojects was intended to be experimental with no stability
guarantees. That notice was unfortunately missing from documentation. Meson
will now start warning about usage of experimental features and future
releases might do breaking changes.
This is aligned with our general policy regarding mixing build systems.
Dependencies from CMake subprojects now use only PUBLIC link flags
Any dep obtained from a CMake subproject (or .wrap with method = cmake) now
only includes link flags marked in CMake as PUBLIC or INTERFACE. Flags
marked as PRIVATE are now only applied when building the subproject library
and not when using it as a dependency. This better matches how CMake handles
link flags and fixes link errors when using some CMake projects as subprojects.
New built-in option for default both_libraries
both_libraries targets used to be considered as a shared library by default.
There is now the default_both_libraries option to change this default.
When default_both_libraries is 'auto', both_libraries() with dependencies
that are both_libs themselves will link with the same kind of library.
For example, if libA is a both_libs and libB is a both_libs linked with libA
(or with an internal dependency on libA), the static lib of libB will link
with the static lib of libA, and the shared lib of libA will link with the
shared lib of libB.
New as_static and as_shared methods on internal dependencies
dep object returned by declare_dependency() now has .as_static() and
.as_shared() methods, to convert to a dependency that prefers the static or
the shared version of the linked both_libs target.
When the same dependency is used without those methods, the
default_both_libraries option determines which version is used.
Support for DIA SDK
Added support for Windows Debug Interface Access SDK (DIA SDK) dependency. It
allows reading with MSVC debugging information (.PDB format). This
dependency can only be used on Windows, with msvc, clang or clang-cl compiler.
Support for LLVM-based flang compiler
Added basic handling for the flang compiler that's now part of LLVM. It is
the successor of another compiler named flang by largely the same group of
developers, who now refer to the latter as "classic flang".
Meson already supports classic flang, and the LLVM-based flang now uses the
compiler-id 'llvm-flang'.
nvc and nvc++ now support setting std
The following standards are available for nvc: c89, c90, c99, c11, c17, c18,
gnu90, gnu89, gnu99, gnu11, gnu17, gnu18. For nvc++: c++98, c++03, c++11,
c++14, c++17, c++20, c++23, gnu++98, gnu++03, gnu++11, gnu++14, gnu++17,
gnu++20
Tools can be selected when calling has_tools() on the Qt modules
When checking for the presence of Qt tools, you can now explicitly ask Meson
which tools you need. This is particularly useful when you do not need
lrelease because you are not shipping any translations. For example:
qt6_mod = import('qt6')
qt6_mod.has_tools(required: true, tools: ['moc', 'uic', 'rcc'])
valid tools are moc, uic, rcc and lrelease.
Simple tool to test build reproducibility
Meson now ships with a command for testing whether your project can be built
reproducibly. It can be used by running a command like the following in the
source root of your project:
meson reprotest --intermediaries -- --buildtype=debugoptimized
All command line options after the -- are passed to the build invocations
directly.
This tool is not meant to be exhaustive, but instead easy and convenient to
run. It will detect some but definitely not all reproducibility issues.
Support for variable in system dependencies
System Dependency method get_variable() now supports system variable.
test() and benchmark() functions accept new types
test and benchmark now accept ExternalPrograms (as returned by find_program)
in the args list. This can be useful where the test executable is a wrapper
which invokes another program given as an argument.
test('some_test', find_program('sudo'), args : [ find_program('sh'),
'script.sh' ])
Zig 0.11 can be used as a C/C++ compiler frontend
Zig offers a C/C++ frontend as a drop-in replacement for Clang. It worked
fine with Meson up to Zig 0.10. Since 0.11, Zig's dynamic linker reports
itself as zig ld, which wasn't known to Meson. Meson now correctly handles
Zig's linker.
You can use Zig's frontend via a machine file:
[binaries]
c = ['zig', 'cc']
cpp = ['zig', 'c++']
ar = ['zig', 'ar']
ranlib = ['zig', 'ranlib']
lib = ['zig', 'lib']
dlltool = ['zig', 'dlltool']
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 20 Nov 2024 21:49:05 +0000 (22:49 +0100)]
memtest: Update to version 7.20
- Update from version 7.00 to 7.20
- Update of rootfile not required
- Changelog
7.20
Add support for Loongson LA64 arch
Add support for latest Intel CPUs (ARL/MTL)
Add support for latest AMD CPUs (Zen5)
Preliminary support for NUMA
Bug fixes & optimizations
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 20 Nov 2024 21:49:04 +0000 (22:49 +0100)]
man: Update to version 2.13.0
- Update from version 2.12.0 to 2.13.0
- Update of rootfile
- Changelog
2.13.0
Compatibility notes:
* Drop support for versions of groff before 1.21 (released on 2010-12-31).
Fixes:
* Fix `man-suffixed-extension` test failure when not using the GNU
hierarchy organization.
* Fix `-Wmissing-variable-declarations` warnings with GCC 14.
* Fix `-Wflex-array-member-not-at-end` warning with GCC 14.
Improvements:
* Upgrade to Gnulib `stable-202407`.
* Support running the test suite against an installed package; this is
useful for systems such as Debian's autopkgtest framework.
2.12.1
Fixes:
* Fix excessive cleanup of `/var/cache/man` by `systemd-tmpfiles`.
Improvements:
* `man` matches the display width more accurately to the configured width.
* Upgrade to Gnulib `stable-202401`.
* Mention `groff`'s `pdf` device in `man(1)`.
* Speed up `seccomp` filter slightly.
* Document how to format pages using italic rather than underlined text.
Compatibility notes:
* Remove the obsolete `chconfig` tool for converting man-db configuration
files to the FHS. This transition took place almost 25 years ago (at
least in Debian), so it's not worth keeping it around now.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 20 Nov 2024 21:49:03 +0000 (22:49 +0100)]
lsof: Update to version 4.99.4
- Update from version 4.99.3 to 4.99.4
- Update of rootfile not required
- Changelog
4.99.4
fix version parser for clang (lsof-org#305) (#306)
In lsof manpage: mention /etc/services for -P option (#309)
[freebsd] don't use kf_sock_inpcb on modern versions. In
FreeBSD 14 and after the generic internet protocol control
block and protocol specific (TCP) control block are the same
pointer. The latter embeds the former. The kf_sock_inpcb is
planned for removal in FreeBSD 15.
[freebsd] Recognize FreeBSD 15
Fix typos in docs (#314)
[linux] Do not embed kernel version in CFLAGS (#314)
[linux] Linux 6.9 changed the pidfs appearance in procfs. Try
to maintain original output in lsof (#317)
[linux] closefrom_shim: Add optimized fallback for platforms
without closefrom or close_range (#316)
lib/misc.c: fix build against -std=c23 (`void (*)()`) changed
the meaning) (#327)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 13 Dec 2024 19:00:34 +0000 (20:00 +0100)]
libcap: Update to version 2.73
- Update from version 2.72 to 2.73
- Update of rootfile
- This version builds correctly with aarch64 - tested out building on the aarch64-builder
system
- Changelog
2.73
Bug fixes for libpsx changes in the 2.72 release.
Some architectures do not support the system call getdents(). More
modern architectures only support getdents64(), so use that. Patch
provided by Xi Ruoyao.
gettid() isn't consistently defined in all *libc's so create a macro
for using it in the libpsx sources.
Fix some static analysis found issues, surfaced by Carlos
Rodriguez-Fernandez from an analysis performed on Fedora's libcap-2.71
release.
Third attempt to get an executable cap package runnable example into the
documentation on go.pkg.dev.
It still isn't working, but I think the issue is now one for the go.dev
website:
Filed go/issues/70630 which got duped into this go/issues/70611 and
a fix was requested by Ian Taylor.
Remove a redundant c.String() function since fmt.Println(c) can figure
this detail out.
Freshen up setcap.c sources. Sort the argument help.
Add go vet to the tests for cap and psx packages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 14 Dec 2024 12:05:47 +0000 (12:05 +0000)]
flash-image: Create a journal when the filesystem is being created
We recently started to have problems when a new installation was
launched from the flash image that creating the journal corrupted the
filesystem on the next mount operation.
Since we would like all IPFire installations to have a journal, we
create this now when we create the image and won't try to add it later.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 14 Dec 2024 12:05:46 +0000 (12:05 +0000)]
installer: Remove the option to install without journal
It was possible to install a new system without a journal. I think this
is a very outdated concept now and should be avoided in favour of
filesystem integrity.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 7 Dec 2024 11:50:51 +0000 (11:50 +0000)]
Config: Don't interpret file names as regular expressions
When we are searching for changes in rootfiles, we walk through each
file that we have found in the build and check if it exists in the
rootfile. That check interpreted filenames as regular expressions which
caused a problem in the case of "/usr/bin/[".
This patch changes that grep will only search for an exact string match
(-F) and the string must be the entire line (-x).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
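The failure mode this commit describes, reproduced as an added example that is not part of the commit or of IPFire's build scripts. The rootfile contents, the function names and the pattern-based "before" lookup are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample rootfile contents (illustrative paths, not IPFire's real list).
ROOTFILE_LINES='/usr/bin/[
/usr/bin/lsblk
/usr/lib/libfooXso'

# Assumed "before" behaviour: the file name is handed to grep as a pattern.
# Returns 0 on a match, non-zero on no match OR on a pattern syntax error.
lookup_regex() {
    printf '%s\n' "$ROOTFILE_LINES" | grep -q -- "$1" 2>/dev/null
}

# Lookup as the commit message describes it:
#   -F  treat the name as a fixed string, not a regular expression
#   -x  the string must match the entire line
lookup_exact() {
    printf '%s\n' "$ROOTFILE_LINES" | grep -q -F -x -- "$1"
}

# Print "found" or "missing" for one lookup function and one file name.
verdict() {
    if "$1" "$2"; then echo found; else echo missing; fi
}

# Four cases:
#   /usr/bin/[          is listed, but is an invalid pattern (unmatched bracket)
#   /usr/bin/ls         is NOT listed, but is a substring of /usr/bin/lsblk
#   /usr/lib/libfoo.so  is NOT listed, but "." matches the "X" in libfooXso
#   /usr/bin/lsblk      is listed and contains no special characters
for f in '/usr/bin/[' '/usr/bin/ls' '/usr/lib/libfoo.so' '/usr/bin/lsblk'; do
    printf '%-20s regex=%-8s exact=%s\n' "$f" \
        "$(verdict lookup_regex "$f")" "$(verdict lookup_exact "$f")"
done
```

The pattern-based lookup fails in both directions: it misses a file that is listed and reports two files that are not, which is why the rootfile comparison needs both -F and -x.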
Stefan Schantl [Sat, 7 Dec 2024 15:03:59 +0000 (16:03 +0100)]
openssh: Introduce include directory for additional sshd config files
This patch adds the possibility to place additional *.config files in /etc/ssh/sshd_config.d/
which will be included and loaded during the daemon startup process.
Because these files will not be overwritten by any update, they can be used to place custom
or other persistent settings.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:11:06 +0000 (22:11 +0100)]
libxml2: Update to version 2.13.5
- Update from version 2.13.3 to 2.13.5
- Update of rootfile
- Changelog
2.13.5
### Regressions
- xmlIO: Fix reading from non-regular files like pipes (Nick Wellnhofer)
- xmlreader: Fix return value of xmlTextReaderReadString (Nick Wellnhofer)
- parser: Fix loading of parameter entities in external DTDs
(Nick Wellnhofer)
- parser: Fix downstream code that swaps DTDs (Nick Wellnhofer)
- parser: Fix detection of duplicate attributes (Nick Wellnhofer)
- string: Fix va_copy fallback (Nick Wellnhofer)
### Bug fixes
- xpath: Fix parsing of non-ASCII names (Nick Wellnhofer)
2.13.4
### Regressions
- parser: Make unsupported encodings an error in declarations
- io: don't set the executable bit when creating files (triallax)
- xmlcatalog: Improved fix for #699
- Revert "catalog: Fetch XML catalog before dumping"
- io: Add missing calls to xmlInitParser
- tree: Restore return value of xmlNodeListGetString with NULL list
- parser: Fix error handling after reaching limit
- parser: Make xmlParseChunk return an error if parser was stopped
### Bug fixes
- python: Fix SAX driver with character streams
### Improvements
- xpath: Make recursion check work with xmlXPathCompile
- parser: Report at least one fatal error
### Portability
- include: Check whether _MSC_VER is defined
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:11:03 +0000 (22:11 +0100)]
libtirpc: Update to version 1.3.6
- Update from version 1.3.5 to 1.3.6
- Update of rootfile not required
- Changelog
1.3.6
configure.ac: Using autoupdate updated to the latest autoconf macros
svc_fd_create: skip getsockname on a non-network socket
As svcfd_create(3) said, it can:
Create a service on top of any open file descriptor.
But getsockname and getpeername in svc_fd_create assume that
fd should be a connected socket.
This patch will leave xp_raddr and xp_laddr uninitialized
if fd is not a connected socket.
detect whether linker supports --version-script
check for gss_pname_to_uid or hardcode an early return if we can't use
aname to localname
test for IPV6_PKTINFO and potentially define __APPLE_USE_RFC_3542 to expose
macos supports both RFC 2292 and RFC 3542 versions of ipv6 options and
you choose which to expose, with a define
macos uses the same mutex primitives as linux and so can use these defines
check for struct rpcent in netdb.h before redefining
macos defines it in netdb.h
include string.h when we need a memset prototype for
attempt to use machine/endian.h if endian.h does not exist
macos has the former, not the latter
updated macOS support for tirpc [2/7] SOL_IP vs IPPROTO_IP
in order to have protocol numbers on macOS, we need to first determine
we don't have SOL_IP, and then that we do have IPPROTO_IP, and then
define the former as the latter. do the same for IPV6
check for getpeereid
macos ships with it, this avoids trying to build a replacement for a defined
function
rpcb_prot.x: Update _PATH_RPCBINDSOCK 2f9ce0c updated rpcb_prot.h, but rpcb_prot.x must be updated as well.
Move rpcbind.sock to /run
Most of the distros have /var/run as symlink to /run.
Because /var may be a separate partition, and could even be mounted via
NFS, having to look directly to /run help to avoid issues rpcbind
startup early in boot when /var might not be available.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:11:02 +0000 (22:11 +0100)]
libpipeline: Update to version 1.5.8
- Update from version 1.5.7 to 1.5.8
- Update of rootfile
- Changelog
1.5.8
* Upgrade to Gnulib `stable-202407`. Building libpipeline now requires
Automake >= 1.14.
* Use C23-style `nullptr`.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:11:01 +0000 (22:11 +0100)]
libpcap: Update to version 1.10.5
- Update from version 1.10.4 to 1.10.5
- Update of rootfile
- Fixes for 2 CVEs
- Changelog
1.10.5
Source code:
Spell WirelessHART details properly.
Mark pcap_vasprintf() as printf-like.
Finalize moving of bpf_filter.c. (GH #1166)
Remove an unneeded argument from gen_mcode6().
Don't do some Berkeley YACC workarounds with YACC releases not
requiring them.
Use correct data types rather than int in some cases.
Squelch compiler warning in grammar.c.
Fix findalldevtest compilation if IPv6 isn't enabled.
Rename helper routines for pcap modules to have names beginning with
pcapint_, to avoid namespace collisions for code linking statically
with libpcap.
Avoid casting hack for the Windows cleanup-on-exit routine.
Use %zu format for one case of printing a size_t.
Fix some Coverity errors.
Fix availabilities of some functions to match reality.
pcap: make the seconds and microseconds/nanoseconds fields unsigned.
Remove the unused pcap-rpcap-int.h header file.
Thread safety:
Make some static variables thread-local; fixes issue #1174.
Packet filtering:
Improve reporting of some invalid filter expressions.
Return an error from pcap_compile() if the scanner fails to initialize.
Optimizer fix from Archit Shah to recompute dominators after
moving code (#976); fixes #945 (although the resulting filter
isn't empty).
Optimizer fix from Archit Shah to mark value as unknown when store
of that value is deleted (#972); fixes #143, #434, #436, #437,
and #1076.
Linux:
Properly return warnings.
Don't use DLT_LINUX_SLL2 for anything other than the "any" device.
Avoid 32-bit unsigned integer overflow in USB captures. Fixes
issues #1134 and #1205.
Fix a file descriptor leak.
Properly report warnings about unknown ARPHRD_ types.
Fix DLT_CAN_SOCKETCAN handling of CAN FD.
Add CAN XL support to DLT_CAN_SOCKETCAN.
Clean up the code that sets the "real" ("original") length for
isochronous USB transfers.
Avoid unnecessary blocking on recvmsg() in the Bluetooth monitor and
Bluetooth modules.
Solaris:
Handle BPF returning ESRCH for unknown devices.
List the "any" device if it's supported.
Report {non-existent zone}/{interface} errors appropriately.
Allow attaching to links owned by a non-global zone. (Based on
pull request #1202.)
Fix AF_LINK handling on illumos.
macOS:
Redid the availability macros to be closer to what Apple's doing
in recent SDKs, including tagging pcap-namedb.h routines.
Fix the install name of the installed shared library to have a
full path when building with CMake.
Fix universal builds.
Haiku:
Convert the module to C. Fixes issue #1114.
Address a few compiler warnings. Fixes issue #1114.
Fix various build problems. Fixes issue #1114.
Report non-existent devices correctly.
Fix handling of packet statistics.
Fix packet timestamping.
Fix packet filtering with low snaplen.
Improve connection status reporting.
Add support for promiscuous mode.
Detect DLTs and loopback capture support at run time.
Report IEEE 802.11 as PCAP_IF_WIRELESS.
Windows:
Fix internal handling of "not supported" error codes from NPF.
Work around a bug in Npcap 1.00 in case of driver version mismatch.
Don't call WSACleanup() when handling a failed WSAStartup().
BSD, macOS, AIX, Solaris 11, Linux:
Add a new error PCAP_ERROR_CAPTURE_NOTSUP, for use if a capture
mechanism is not present, in the hopes that, for example,
attempts to capture on Windows Services for Linux 1, in which
the NT kernel attempts to simulate Linux system calls but does
not support packet sockets, can get an error that better
indicates the underlying problem.
AirPcap:
Format an error message if we run out of memory.
nflog:
Fix count of dropped packets.
Make sure we don't overflow when rounding up the TLV length.
rpcap:
Handle routines removed in at least some OpenSSL libraries.
CVE-2023-7256: Clean up sock_initaddress() and its callers to avoid
double frees in some cases.
Don't define SOCKET ourselves; instead, define PCAP_SOCKET as int
on UN*Xes and as SOCKET on Windows.
CVE-2024-8006: Fix pcap_findalldevs_ex() not to crash if passed a
file:// URL with a path to a directory that cannot be opened.
Savefiles:
Handle DLT_/LINKTYPE_ mapping better, to handle some
OpenBSD-specific link types better.
Treat if_tsoffset as signed in pcapng files, as the spec says.
Don't try to fix the "real" length for isochronous USB
transfers if the number of USB descriptors is too large.
Reject pcap files where one of the reserved fields in the
"link-layer type plus other stuff" is non-zero.
Building and testing:
Add a configure option to help debugging (--enable-instrument-functions).
Improved tests and error reporting for uses of pkg-config, and
improve help message.
Fix Haiku build.
With CMake, install headers in CMAKE_INSTALL_INCLUDEDIR rather
than just include.
Build libpcap.a before building test programs.
Print address family numerically, as well as symbolically,
in findalldevstest.
Fail with suggestions, rather than failing over to no capture
support, if no capture mechanism was found. Fixes issue #1016.
Don't indent comments in Make, as that may cause them not to be
recognized as comments.
Don't check for libssl if we aren't going to use it.
Better handle enabling and disabling of sanitizers. Fixes issue
#1171.
CMakeLists.txt: Print "Symlinking: /some/path to ..." conditionally.
Evaluate CMAKE_INSTALL_PREFIX at install time.
cmake: Update the minimum required version to 2.8.12 (except Windows).
cmake: suppress CMP0042 OLD deprecated warning.
Makefile.in: Add the releasecheck target.
Cirrus CI: Add the "make releasecheck" command in the Linux task.
Makefile.in: Add the whitespacecheck target.
Cirrus CI: Run the "make whitespacecheck" command in the Linux task.
Autoconf: Update config.{guess,sub}, timestamps 2024-01-01.
Autoconf: Update the install-sh script to the 2020-11-14.01 version.
Compile with '-Wnull-pointer-subtraction',
'-Wunused-but-set-parameter', and '-Wunused-but-set-variable' in
devel mode if supported.
Don't ignore spaces between CMAKE_C_FLAGS and DPDK_C_FLAGS with
CMake.
Use noreturn and __format__ with XL C 7.0 and later.
Check for the same -W flags in autotools and CMake.
Autoconf: Add autogen.sh, remove configure and config.h.in and put
these generated files in the release tarball.
Autoconf: Get the size of a time_t.
Fix propagation of cc_werr_cflags() output.
Makefile.in(s): Fix the depend target.
mkdep: Exit with a non-zero status if a command fails.
Fix HCI_CHANNEL_MONITOR detection with musl libc.
Extend "make shellcheck" onto mkdep too.
Add initial support for building with TinyCC.
Address all known compiler warnings specific to illumos, Linux, NetBSD,
Solaris and Sun C; in CI expect warnings specific to TinyCC only.
Documentation:
Update and fix pcap-filter man page.
Add a README.haiku.md file.
Document pcap-config better.
Man page formatting and prose fixes.
Rename doc/README.Win32.md to doc/README.windows.md.
Update pcap-savefile man page to match the Internet-Draft for
pcap.
Fix CMake issues for target used by other projects.
Explain "any" device better in pcap_open_live(3PCAP).
Update INSTALL.md.
Note in man pages that errbuf arguments must point to an error
buffer.
Note that if pcap_findalldevs() fails it sets *alldevsp to NULL;
there's no devices list to free.
Explain "other addresses" in pcap_findalldevs(3PCAP).
Document pcap_lookupnet(3PCAP) a bit better.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:11:00 +0000 (22:11 +0100)]
liboping: Update to version 1.10.0
- Update from version 1.3.4 (2009) to 1.10.0 (2017)
- Update of rootfile
- Changelog
1.10.0
* Build system: Search the "rt" library for clock_gettime(). This
fixes build issues on Mac OS X. Thanks to Yann E. Morni for this
fix. #9
* Build system: The "--with[out]-ncurses" option has been added and
allows to enforce/disable the building of "noping". Thanks to Thomas
Deutschmann for the patch. #15
* Build system: Compatibility code to work with pkg-config < 0.27 has
been added. #22
* liboping: Creation of ICMPv4 packets has been fixed: due to an
incorrect sizeof() the payload may have been prefixed by 20 zero
bytes, resulting in larger packets than desired. Thanks to Kyle Zhou
for reporting and fixing this. #10
* liboping: The number of file descriptors used has been reduced to at
most two (from one per host). This and a few other optimizations
significantly improve performance. Thanks to Luke Heberling for the
patch. #11
* oping, noping: Handling of the "-O" command line flag has been
fixed.
* oping, noping: The "-b" option has been added and enables a bell
whenever an echo reply is received. Thanks to Antoine Beaupré for
the patch. #6
* noping: The background color has been changed to use the terminal
default. Thanks to @middleO. #18
* noping: The ability to add hosts after noping has started (the "a"
key) has been added. Thanks to Hamish Coleman for the patch. #20,
#23
1.9.0
* liboping: The new "PING_OPT_MARK" option allows to mark packets,
which can be used for filtering and routing such packets on Linux.
* oping, noping: The new "-m" command line option allows to set a mark
on packets sent by the tool.
* oping, noping: The new "-O" command line option allows to write
measurements to a CSV file.
* oping, noping: The new "-w" command line option allows to specify
the timeout after which a packet/reply is considered "dropped".
1.8.0
* oping, noping: Average and standard deviation have been removed from
the status output, which show median and 95th percentile instead.
The percentile can be chosen with the "-P" option.
* noping: The additional graph types "histogram" and "boxplot" have
been added, which can be selected with the "-g" option.
1.7.0
* oping, noping: The new -Z option allows the exit status to indicate
the number of failing hosts. Thanks to Barak Pearlmutter for the
patch.
* noping: The ability to print a "prettyping" style graph has been
added. Thanks to Antoine Beaupré for his work!
* src/liboping.c: Build issues on Solaris have been fixed. Thanks
Scott Severtson for the fix!
* Build system: Creation and installation of a pkg-config file has
been added. Thanks to Barak Pearlmutter for the patch.
1.6.2
* Build system: Setting capabilities and the set-UID bit has been made
more fault-tolerant, so that it will work with Debian's fakeroot(1)
utility.
* src/liboping.c: Fixed a compiler warning about a non-static format
string. Thanks to Brian Edwards for pointing this out.
* src/liboping.c: Fixed compilation under Mac OS X and Solaris. Thanks
to Clayton O'Neill for his patch.
1.6.1
* Build system: If "make install" is executed as root, the CAP_NET_RAW
capability is added to the binary (on Linux) or the set-UID bit is
set (other Unixes).
* src/oping.c: Fix compiler warnings which may abort the build. Thanks
to James Bromberger for reporting the problem.
* noping: Compatibility with ncurses 5.8 has been fixed. Thanks to
Gaetan Bisson for his patch.
1.6.0
* liboping: Improve timing of received network packets using
SO_TIMESTAMP if available. Thanks to Bruno Prémont for his patch.
1.5.1
* oping, noping: Alias for the “Voice Admit” DSCP has been added.
* src/oping.c, src/liboping.c: Compiler warnings / errors have been
fixed. Thanks to James Bromberger for reporting one of them.
1.5.0
* src/liboping.c: The possibility to set the QoS byte of outgoing IPv4
and IPv6 packets and read the byte from incoming packets has been
added. Thanks to Vladimir Melnikov for his patch.
* oping, noping: Add the ability to configure the QoS field on the
command line. If either the QoS field of outgoing or incoming
packets is non-standard, the QoS byte of incoming packets will be
printed.
* liboping: The library has been relicensed under the LGPL 2.1.
1.4.0
* noping: A new front-end to liboping, using the ncurses library, has
been added. The new command line application displays ping
statistics online and highlights aberrant round-trip times.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:59 +0000 (22:10 +0100)]
libnl-3: Update to version 3.11.0
- Update from version 3.10.0 to 3.11.0
- Update of rootfile not required
- Changelog details are only available by viewing the git repo commits
https://github.com/thom311/libnl/commits/main/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:58 +0000 (22:10 +0100)]
libjpeg: Update to version 3.0.4
- Update from version 3.0.3 to 3.0.4
- Update of rootfile not required
- Changelog
3.0.4
1. Fixed an issue whereby the CPU usage of the default marker processor in the
decompressor grew exponentially with the number of markers. This caused an
unreasonable slow-down in `jpeg_read_header()` if an application called
`jpeg_save_markers()` to save markers of a particular type and then attempted
to decompress a JPEG image containing an excessive number of markers of that
type.
2. Hardened the default marker processor in the decompressor to guard against
an issue (exposed by 3.0 beta2[6]) whereby attempting to decompress a
specially-crafted malformed JPEG image (specifically an image with a complete
12-bit-per-sample Start Of Frame segment followed by an incomplete
8-bit-per-sample Start Of Frame segment) using buffered-image mode and input
prefetching caused a segfault if the `fill_input_buffer()` method in the
calling application's custom source manager incorrectly returned `FALSE` in
response to a prematurely-terminated JPEG data stream.
3. Fixed an issue in cjpeg whereby, when generating a 12-bit-per-sample or
16-bit-per-sample lossless JPEG image, specifying a point transform value
greater than 7 resulted in an error ("Invalid progressive/lossless parameters")
unless the `-precision` option was specified before the `-lossless` option.
4. Fixed a regression introduced by 3.0.3[3] that made it impossible for
calling applications to generate 12-bit-per-sample arithmetic-coded lossy JPEG
images using the TurboJPEG API.
5. Fixed an error ("Destination buffer is not large enough") that occurred when
attempting to generate a full-color lossless JPEG image using the TurboJPEG
Java API's `byte[] TJCompressor.compress()` method if the value of
`TJ.PARAM_SUBSAMP` was not `TJ.SAMP_444`.
6. Fixed a segfault in djpeg that occurred if a negative width was specified
with the `-crop` option. Since the cropping region width was read into an
unsigned 32-bit integer, a negative width was interpreted as a very large
value. With certain negative width and positive left boundary values, the
bounds checks in djpeg and `jpeg_crop_scanline()` overflowed and did not detect
the out-of-bounds width, which caused a buffer overrun in the upsampling or
color conversion routine. Both bounds checks now use 64-bit integers to guard
against overflow, and djpeg now checks for negative numbers when it parses the
crop specification from the command line.
7. Fixed an issue whereby the TurboJPEG lossless transformation function and
methods checked the specified cropping region against the source image
dimensions and level of chrominance subsampling rather than the destination
image dimensions and level of chrominance subsampling, which caused some
cropping regions to be unduly rejected when performing 90-degree rotation,
270-degree rotation, transposition, transverse transposition, or grayscale
conversion.
8. Fixed an issue whereby the TurboJPEG lossless transformation function and
methods did not honor `TJXOPT_COPYNONE`/`TJTransform.OPT_COPYNONE` unless it
was specified for all lossless transforms.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:57 +0000 (22:10 +0100)]
libgpg-error: Update to version 1.51
- Update from version 1.50 to 1.51
- Update of rootfile
- Changelog
1.51
* Allow initialization of new Windows threads to utf8 mode. [T7185]
* Add GPGRT_PROCESS_ALLOW_SET_FG for gpgrt_process_spawn.
[rEb79d4206f4]
* Add new spawn function to modify the environment. [T7307]
* Fix missing environ var for macOS and others. [T7169,T7307]
* Fix forgotten _gpgrt_post_syscall on create pipe failure. [rEbcab96484d]
* Let gpgrt_poll return an error for a closed fd. [rE4a3dc85f69]
* Fix build error introduced by C-committee stupidity. [T7344]
* Interface changes relative to the 1.50 release:
_gpg_w32_gettext_use_utf8 EXTN (new value 2).
gpgrt_spawn_actions_set_env_rev NEW.
GPGRT_PROCESS_ALLOW_SET_FG NEW.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 20240517-3.1 to 20240808-3.1
- Update of rootfile
- Changelog 20240808-3.1
* all: sync with upstream source
* doc/Makefile.am: fix regression. Name all manpage links as el_*
(e.g. el_history.3) to avoid conflicts.
Reported by Zopolis4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:55 +0000 (22:10 +0100)]
libcap: Update to version 2.72
- Update from version 2.70 to 2.72
- Update of rootfile
- Changelog
2.72
ERRATA:
Failed to support more modern Linux architectures including arm64. Fix provided
by Xi Ruoyao.
This specific release is devoted to a wholesale rewrite of libpsx to operate on
native Linux threads (aka LWP = Light Weight Processes).
Given the potential for misbehavior, we're isolating this release to that change.
Should some issue(s) arise, and folk need to roll back, this will hopefully
make downstream packagers' lives a bit easier: skip this release altogether.
This addresses LCAP-CR-23-102 (SEVERITY) NONE from the libcap-2.69 security
audit. This addresses Bug 217476.
This addresses C++ std::thread libpsx support. This addresses Bug 218607
reported by Vini Ipsmaker.
Included a test case for this: contrib/bug218607/
This now allows the PSX mechanism to apply to threads launched by loaded .so
plugins. This addresses Bug 219174 reported by Stas Sergeev.
Included a test case for this: tests/b219174.c
The rewrite has significantly reduced the need for any odd linking of the
-lpsx library. Namely, if code makes use of the psx_syscall*() functions,
there is no need for anything other than -lpsx on the link line.
Updated a whole lot of documentation that warned folk about the
-wrap=pthread_create linking need not being needed any more. (Bug 219456)
Linking -lcap and -lpsx still requires some extra care. Updated
cap_get_proc(3) manual page to explain.
Was unable to figure out how to work around the pre-go1.16.* bug related to
cgo and interrupt handling while thread exit with the rewritten libpsx code.
Decided to abandon full support for earlier versions of Go.
Explanation is Bug 219478 which points to old Go bug.
Transitioned key used for signing Go package tags to use the 0D23D34C577B08C4082CFD76430C5CFF993116B1 key.
Very tiny documentation change for the cap package to try again to get a runnable
example to show up on the pkg.go.dev website.
2.71
Reduce the need for CAP_SETPCAP in IAB setting to the specific instances in
which the kernel requires it. This addresses Bug 219169 reported by
Christopher Head.
Resolve subtle libpsx linker flag issue related to -Bsymbolic-functions. This
addresses Bug 219169 reported by Stas Sergeev.
Add new GPG signing key. At this stage, none of the older keys have been
retired. This addresses Bug 218860 requested by David Runge at Arch Linux. Key
details:
$ gpg --fingerprint 0D23D34C577B08C4082CFD76430C5CFF993116B1
pub ed25519 2024-10-26 [SC]
0D23 D34C 577B 08C4 082C FD76 430C 5CFF 9931 16B1
uid [ultimate] Andrew G. Morgan (2024+ libcap signing key)
<morgan@kernel.org>
sub cv25519 2024-10-26 [E]
Expand use of various $(xFLAGS) to building simple binaries in the build tree.
Requested by Pierre-Clément Tosi.
Numerous documentation updates and clarifications.
Added a programming example to the cap package documentation. Exploring how to
embed viewer runnable content in the automatically generated online pkg.go.dev
documentation.
Work around a longstanding glibc segfault annoyance for in-build-tree testing.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:54 +0000 (22:10 +0100)]
libarchive: Update to version 3.7.7
- Update from version 3.7.4 to 3.7.7
- Update of rootfile
- Fixes for 3 CVEs in 3.7.5
- Changelog
3.7.7
Security fixes:
gzip: prevent a hang when processing a malformed gzip inside a gzip (#2366, OSS-Fuzz)
tar: don't crash on truncated tar archives (#2364, OSS-Fuzz)
tar: fix two leaks in tar header parsing (#2377)
Important bugfixes:
7-zip: read/write symlink paths as UTF-8 (#2252)
cpio: exit with an error code if an entry could not be extracted (#2371)
rar5: report encrypted entries (#2096)
tar: fix truncation of entry pathnames in specific archives (#2360)
windows: fix ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATHS (#2363)
3.7.6
This release fixes a tar regression introduced in libarchive 3.7.5 (#2331, #2337)
Important bugfixes.
tar: clean up linkpath between entries (#2343)
tar: fix memory leaks when processing symlinks or parsing pax headers (#2338)
iso: be more cautious about parsing ISO-9660 timestamps (#2330)
3.7.5
Security fixes:
fix multiple vulnerabilities identified by SAST (#2251, #2256)
cpio: ignore out-of-range gid/uid/size/ino and harden AFIO parsing (#2258)
lzop: prevent integer overflow (#2174)
rar4: protect copy_from_lzss_window_to_unp() (#2172, CVE-2024-20696)
rar4: fix CVE-2024-26256 (#2269, CVE-2024-26256)
rar4: fix OOB in delta and audio filter (#2148, #2149)
rar4: fix out of boundary access with large files (#2179)
rar4: add boundary checks to rgb filter (#2210)
rar4: fix OOB access with unicode filenames (#2203)
rar5: clear 'data ready' cache on window buffer reallocs (#2265)
rpm: calculate huge header sizes correctly (#2158)
unzip: unify EOF handling (#2175)
util: fix out of boundary access in mktemp functions (#2160)
uu: stop processing if lines are too long (#2168)
Important bugfixes:
7zip: fix issue when skipping first file in 7zip archive that is a
multiple of 65536 bytes (#2245)
ar: fix archive entries having no type (#2290)
lha: do not allow negative file sizes (#2155)
lha: fix integer truncation on 32-bit systems (#2161)
shar: check strdup return value (#2173)
rar5: don't try to read ridiculously long names (#2259)
xar: fix another infinite loop and expat error handling (#2150)
many Windows fixes, cleanups and improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:53 +0000 (22:10 +0100)]
less: Update to version 668
- Update from version 661 to 668
- Update of rootfile not required
- Changelog
668
* Make 256/true colors work better on Windows without -Da
(github #539, github #546, github #562).
* Fix build using --with-secure (github #544).
* Fix crash when using --header on command line (github #545).
* Fix possible crash when scrolling left/right or toggling -S (github #547).
* Fix bug when using #stop in a lesskey file (github #551).
* Fix bug when using --shift or --match-shift on command line with
a parameter starting with '.' (github #554).
* Fix bug in R command when file size changes (github #553).
* Fix bug using --header when file does not fill screen (github #556).
* Fix ^X bug when output is not a terminal (github #558).
* Fix bug where ^Z is not handled immediately (github #563).
* Fix bug where first byte from a LESSOPEN filter is deleted if it is
greater than 0x7F (github #568).
* Fix uninitialized variable in edit_ifile (github #573).
* Fix incorrect handling of UTF-8 chars in prompts (github #576).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:52 +0000 (22:10 +0100)]
krb5: Update to version 1.21.3
- Update from version 1.21.2 to 1.21.3
- Update of rootfile not required
- Changelog
1.21.3
* Fix vulnerabilities in GSS message token handling [CVE-2024-37370,
CVE-2024-37371].
* Fix a potential bad pointer free in krb5_cccol_have_contents().
* Fix a memory leak in the macOS ccache type.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:51 +0000 (22:10 +0100)]
knot: Update to version 3.4.2
- Update from version 3.3.8 to 3.4.2
- Update of rootfile
- Changelog
3.4.2
Improvements:
- knotd: new warning log upon every incremental update if previous
zone signing failed
- mod-cookies: support for two secret values specification
- keymgr: key pregenerate works even when a KSK exists
- libs: upgraded embedded libngtcp2 to 1.8.1
Bugfixes:
- knotd: server can crash when processing just a terminal label as QNAME
- knotd: failed to compile if no atomic operations available
- kjournalprint: failed to merge zone-in-journal if followed by a
non-first changeset
- knot-exporter: faulty escape sequence in time value parsing
- knot-exporter: failed to parse zone-status output
- kxdpgun: periodic statistics doesn't work correctly for longer time
periods
3.4.1
Features:
- knotd: ACL configuration allows protocol specification (see
'acl.protocol')
- knotc: support for benevolent zone updates (see zone-begin with
'+benevolent')
- knotd: implemented TLS session resumption
- knotd: pending TLS connections leak memory when the server shuts down
- kjournalprint: added print merged changesets mode (see '-M')
- libknot: added NXNAME meta type (Thanks to Jan Včelák)
Improvements:
- knotd: DNSKEY synchronization event logs removed/added *DNSKEYs
- knotd: control command log message contains filters and flags in
the debug mode
- knotc: zone status prints running, pending, and frozen duration
- knotd,knotc: unification of control flags and filters
- keymgr: key listing reports configured keys that are inaccessible
- libs: upgraded embedded libngtcp2 to 1.8.0
- doc: various fixes and updates
Bugfixes:
- knotd: missing support for IPv6 link local address configuration
- knotd: zone reload occasionally causes a core dump #939 (Thanks to
lidcc2)
- knotd: race condition in DDNS over QUIC processing
- knotd: imperfect signal handling on some auxiliary threads
- knotd: EDNS EXPIRE not updated when zone signing results in up-to-date
- knotd: failed to reload autogenerated QUIC/TLS key after process
ownership change
- knotc: zone backup filter +keysonly doesn't disable other defaults
- kxdpgun: failed to receive more data over QUIC until 1-RTT
handshake is done
- knsupdate: memory leak if rdata parsing fails
- doc: failed to install manual pages from a tarball
- Dockerfile: TCP port 853 not exposed for DoT
3.4.0
Features:
- knotd: full DNS over TLS (DoT, RFC 7858) implementation (see 'DNS
over TLS')
- knotd: bidirectional XFR over TLS (XoT) support with opportunistic,
strict, and mutual authentication profiles
- knotd: support for DDNS over QUIC and TLS
- knotd: DNSSEC validation requires the remaining RRSIG validity is
longer than 'rrsig-refresh'
- knotd: new event for automatic DNSSEC revalidation
- knotd: if enabled DNSSEC signing, EDNS expire is adjusted to the
earliest RRSIG expiration
- knotd: added support for libdbus as an alternative to systemd dbus
(see '--enable-dbus=libdbus' configure parameter)
- knotd: new XDP-related configuration options
(see 'xdp.ring-size', 'xdp.busypoll-budget', and
'xdp.busypoll-timeout')
- knotc: new command for explicit triggering DNSSEC validation (see
'zone-validate' command)
- keymgr: SKR verification requires end of DNSKEY RRSIG validity
covers next DNSKEY snapshot
- kdig: +nocrypto applies also to CERT, DS, SSHFP, DHCID, TLSA,
ZONEMD, and TSIG
- knsupdate: added support for DDNS over QUIC and TLS (see '-Q' and
'-S' parameters)
- kxdpgun: support for reading a binary input file (see '-B' parameter)
- kxdpgun: support for output in JSON (see '-j' parameter)
- kxdpgun: support for periodical output (see '-S' parameter)
- mod-rrl: module offers limiting of non-UDP protocols based on
consumed time (see 'mod-rrl.time-rate-limit' and
'mod-rrl.time-instant-limit')
- utils: -VV option for listing compile time configuration summary
Improvements:
- knotd: up to eight DDNS queries can be queued per zone when frozen
- knotd: the number of created/validated RRSIGs is logged
- knotd: overhaul of atomic operations usage
- knotd: unified DNAME semantic errors with the CNAME ones
(see 'Handling CNAME and DNAME-related updates')
- knotd: better DDNS pre-check to prevent dropping a bulk of updates
- knotd: extended SOA presence semantic checks
- knotd: disallowed concurrent control zone and config transactions
to avoid deadlock
- knotd: disallowed opening zone transaction when blocking command is
running to avoid deadlock
- knotd: new XDP statistic counters
- knotd: remote zone serial is logged upon received incoming transfer
- knotd: zone backup stores and zone restore checks the CPU
architecture compatibility
- knotd: time configuration options support 'w', 'M', and 'y' units
- knotd: some control commands can be processed asynchronously
- knotc: zone backup overwrites already existing backupdir in the
force mode
- kdig: EDNS is enabled by default
- kdig: the default EDNS payload size was lowered to 1232
- mod-rrl: completely reimplemented UDP rate limiting using an efficient
query-counting mechanism on several address prefix lengths
- mod-rrl: module no longer requires explicit configuration
- libknot: various XDP improvements and new configuration parameters
- docker: increased -D_FORTIFY_SOURCE to 3
Bugfixes:
- knotd: deadlock during zone-ksk-submitted processing of a frozen zone
- kxdpgun: race condition in SIGUSR1 signal processing
- doc: parallel build is unreliable #928
Compatibility:
- configure: increase minimal GnuTLS version to 3.6.10
- configure: removed deprecated libidn 1 support
- configure: removed liburcu search fallback
- configure: required GCC or LLVM Clang compiler with C11 support
- knotd: removed already ignored obsolete configuration options
- keymgr: removed legacy parameter '--brief'
- kjournalprint: removed legacy parameter '--no-color'
- kjournalprint: removed legacy database specification without '--dir'
- kcatalogprint: removed legacy database specification without '--dir'
- packaging: CentOS 7, Debian 10, and Ubuntu 18.04 no longer supported
- doc: removed info pages
3.3.9
Improvements:
- libknot: added EDE code 30
- libknot: improved performance of knot_rrset_to_wire_extra()
- libs: upgraded embedded libngtcp2 to 1.7.0
- doc: various fixes and updates
Bugfixes:
- keymgr: pregenerate clears future timestamps of old keys and
creates new keys
- mod-dnsproxy: defective TSIG processing
- mod-dnsproxy: TCP not detected in the XDP mode
- kxdpgun: unsuccessful interface initialization leaks memory
- packaging: libknot not installed with python3-libknot
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:50 +0000 (22:10 +0100)]
kmod: Update to version 33
- Update from version 32 to 33
- Update of rootfile
- Changelog
33
- Improvements
- Allow to handle compressed modules even without decompression
libraries linked in. Previously we would detect if the kernel
supported the decompression algorithm and pass the module directly
through finit_module(). However it wouldn't consider the file if
the respective decompression library was compiled out. Now it's
possible to completely disable all libraries and still have module
load working with libkmod.
Tools that inspect module content themselves like modinfo and depmod
won't work if the decompression library is not enabled.
- Add weak dependencies - these are similar to pre softdep, but they
don't cause the dependency to be loaded by libkmod: when a module has
a weak dependency, it is expected that module may or may not be used,
with decision happening in runtime by the kernel. Its purpose is to
be informational for other tools like ones used to create initramfs,
so the module is made available before switch_root(), but doesn't
imply it to be loaded when not needed.
- Improve compatibility with non-gnu libc like musl and uClibc. Now it's
possible to build and use libkmod and tools without any additional
compat patches.
- Move manpages from xsltproc to scdoc, which is now needed during build.
- Improve documentation in manpages, fixing typos, rewording sentences,
detailing how configuration files are handled with precedence order
and making all the manpages more consistent on how to reference
options, environment variables, configuration, authors, etc.
- Speed up zstd decompression, particularly when not using glibc.
- Stop parsing .alias files from modprobe.d directories. Configuration
files were always documented as needing the .conf extension. For
compatibility reasons with module-init-tools, kmod also parsed .alias
files. However that was also done in module-init-tools for
compatibility reasons and not documented anywhere. From inspection
on what distros are using, none use .alias files in practice, so
stop parsing those files and follow what's documented.
- Adopt SPDX for license and cleanup comments on individual files.
- Since kmod 29 there's a github mirror for the repository. Now it's
also used for issues and improvement tracking. With that, the old
TODO file has been removed and distros/users are encouraged to file
issues in github.
- Bug fixes
- Move kmod.pc to the right dir, ${datadir}/pkgconfig, as it's related
to kmod, not libkmod.
- Fix error handling while loading a file and mmap fails.
- Fix error handling while handling errors from the decompression
libraries.
- Add missing documentation for KMOD_INDEX_MODULES_BUILTIN that was
added in v27 breaking the ABI. A wide search has found one external
tool using it, which hasn't been updated in the past 12 years. It
was deemed safe to simply update the documentation to include the
missing enum.
- Move kmod_module_new_from_name_lookup() to the correct symbol
version. It was added by mistake to @LIBKMOD_5 when v30 got released.
No external user of this API was found, so it was considered safe
to just move it.
- Others
- Overwrite symlinks when installing tools.
- General cleanup of how (de)compression libraries are integrated.
- Add CI infrastructure to automatically test in several distros
before applying commit series. Currently the latest versions of
Alpine, Archlinux, Fedora and Ubuntu are covered. More distros are
easy to add as they are all containerized.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 21:10:49 +0000 (22:10 +0100)]
json-c: Update to version 0.18
- Update from version 0.17 to 0.18
- Update of rootfile
- Changelog
0.18
Deprecated and removed features:
* Clean up pre-3.9 CMake support in CMakeLists.txt
New features
* Build pkg-config for msvc as well
Significant changes and bug fixes
* Critical fix for binary compatibility with 0.16: Move the
json_tokener_error_memory entry to the end of enum json_tokener_error.
* Issue #829: attempt to detect clang-cl.exe and pass MSVC-compatible
command line arguments.
* PR #831 - rename WIN32 to _WIN32
* PR #839 - Fix gcc 5 "may be used uninitialized" failure in
json_pointer.c
* PR #849 - random_seed.c: add a Coverity Scan suppression
* Issue #854: Set error=json_tokener_error_memory in
json_tokener_parser_verbose() when allocating the tokener fails.
* Issue #857: fix a few places where json_tokener should have been
returning json_tokener_error_memory but wasn't.
* Handle yet another out-of-memory condition in json_tokener,
duplocale can return NULL.
* Various fixes in the fuzzers
* A few minor doc fixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 19 Nov 2024 11:09:35 +0000 (12:09 +0100)]
ipset: Update to version 7.22
- Update from version 7.19 to 7.22
- Update of rootfile not required
- Changelog
7.22
- ipset: fix json output format for IPSET_OPT_IP (Z. Liu)
- tests: add namespace test and take into account delayed
set removal at module remove
- Update autoconfig tools to build cleanly on Debian bookworm
7.21
- The patch "Fix hex literals in json output" broke save mode, restore it
- Fix -Werror=format-extra-args warning
- Workaround misleading -Wstringop-truncation warning
7.20
- Ignore *.order.cmd and *.symvers.cmd files in kernel builds
- Bash completion utility updated
- Fix json output for -name option (Mark)
- Fix hex literals in json output
- tests: increase timeout to cope with slow virtual test machine
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>