Adolf Belka [Wed, 7 Feb 2024 11:13:19 +0000 (12:13 +0100)]
expat: Update to version 2.6.0
- Update from version 2.5.0 to 2.6.0
- Update of rootfile
- This update fixes two CVE's. Not sure if IPFire would be vulnerable or not but safer
to update anyway.
- Changelog
2.6.0
Security fixes:
#789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request #789 and to include earlier pull request #771,
in order to not break the fix.
#777 CVE-2023-52426 -- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
#753 Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
#780 Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
#812 #813 Protect against closing entities out of order
Other changes:
#723 Improve support for arc4random/arc4random_buf
#771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse
#761 #770 xmlwf: Support --help and --version
#759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read
#744 xmlwf: Improve language and URL clickability in help output
#673 examples: Add new example "element_declarations.c"
#764 Be stricter about macro XML_CONTEXT_BYTES at build time
#765 Make inclusion to expat_config.h consistent
#726 #727 Autotools: configure.ac: Support --disable-maintainer-mode
#678 #705 ..
#706 #733 #792 Autotools: Sync CMake templates with CMake 3.26
#795 Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
#815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
#724 #751 Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
#793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable
#750 #786 Autotools|CMake: Make test suite require a C++11 compiler
#749 CMake: Require CMake >=3.5.0
#672 CMake: Lowercase off_t and size_t to help a bug in Meson
#746 CMake: Sort xmlwf sources alphabetically
#785 CMake|Windows: Fix generation of DLL file version info
#790 CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
#745 #757 docs: Document the importance of isFinal + adjust tests
accordingly
#736 docs: Improve use of "NULL" and "null"
#713 docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
#762 docs: reference.html: Promote function XML_ParseBuffer more
#779 docs: reference.html: Add HTML anchors to XML_* macros
#760 docs: reference.html: Upgrade to OK.css 1.2.0
#763 #739 docs: Fix typos
#696 docs|CI: Use HTTPS URLs instead of HTTP at various places
#669 #670 ..
#692 #703 ..
#733 #772 Address compiler warnings
#798 #800 Address clang-tidy warnings
#775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
Infrastructure:
#700 #701 docs: Document security policy in file SECURITY.md
#766 docs: Improve parse buffer variables in-code documentation
#674 #738 ..
#740 #747 ..
#748 #781 #782 Refactor coverage and conformance tests
#714 #716 Refactor debug level variables to unsigned long
#671 Improve handling of empty environment variable value
in function getDebugLevel (without visible user effect)
#755 #774 ..
#758 #783 ..
#784 #787 tests: Improve test coverage with regard to parse chunk size
#660 #797 #801 Fuzzing: Improve fuzzing coverage
#367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
#698 #721 CI: Resolve some Travis CI leftovers
#669 CI: Be robust towards absence of Git tags
#693 #694 CI: Set permissions to "contents: read" for security
#709 CI: Pin all GitHub Actions to specific commits for security
#739 CI: Reject spelling errors using codespell
#798 CI: Enforce clang-tidy clean code
#773 #808 ..
#809 #810 CI: Upgrade Clang from 15 to 18
#796 CI: Start using Clang's Control Flow Integrity sanitizer
#675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images
#689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging
#763 CI: Adapt to breaking changes in codespell
#803 CI: Adapt to breaking changes in Cppcheck
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Feb 2024 11:21:49 +0000 (11:21 +0000)]
libvirt: Don't build for riscv64
There seems to be some problem that this package does not build from
source, but as we don't currently have any hardware that supports thise,
there is no point in debugging it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Jan 2024 17:45:44 +0000 (17:45 +0000)]
vpnmain.cgi: Add option to regenerate the host certificate
This is necessary since we now have a much shorter lifetime for the host
certificate. However, it is complicated to do this is which is why we
are copying the previous certificate and generate a new CSR. This is
then signed.
A caveat of this patch is that we do not rollover the key.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:53 +0000 (12:45 +0100)]
optionsfw.cgi: Move Firewall Options Drop commands to before the logging section
- Moved the Firewall Options Drop commands to before the logging section, as discussed
at January 2024 Video Call.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:52 +0000 (12:45 +0100)]
graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries
- This v3 version of the patch set splits the single hostile networks graph entry into
incoming hostile networks and outgoing hostile networks entries.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:51 +0000 (12:45 +0100)]
collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection
- In this v3 version of the patch set the splitting of drop hostile logging into incoming
and outgoing logging means that the data collection and graphs need to have drop hostile
also split into incoming and outgoing.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:50 +0000 (12:45 +0100)]
en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging
- In this v3 version have added translations for hostile networks in and hostile
networks out and log drop hostile in and log drop hostile out.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:49 +0000 (12:45 +0100)]
firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
- This v3 version now has two if loops allowing logging of incoming drop hostile or
outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the
dropped hostile traffic.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:48 +0000 (12:45 +0100)]
rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming traffic and
HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each
independently.
Fixes: bug12981 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Acked-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:47 +0000 (12:45 +0100)]
optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
- This v3 version has split the logging choice for drop hostile to separate the logging of
incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway.
However the logs were being swamped by the logging of drop hostile making analysis
difficult. So incoming drop hostile was desired to not be logged. However logging of
outgoing drop hostile was desired to identify if clients on the internal lan were
infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be
logged or not.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:39 +0000 (22:27 +0100)]
strace: elfutils moved from addon dependency to core program
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:38 +0000 (22:27 +0100)]
qemu: elfutils moved from addon dependency to core program
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:37 +0000 (22:27 +0100)]
ltrace: elfutils moved from addon dependency to core program
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:36 +0000 (22:27 +0100)]
frr: elfutils moved from addon dependency to core program
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:35 +0000 (22:27 +0100)]
elfutils: Move from addon to core program. Required by suricata-7.0.2 for execution
- Updated lfs file to core program type
- Moved rootfile from packages to common
- Older suricata versions required elfutils only for building but suricata-7.0.2 fails to
start if elfutils is not present due to libelf.so.1 being missing.
- The requirement for elfutils is not mentioned at all in the changelog.
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:13 +0000 (09:29 +0100)]
lzip: Update to version 1.24
- Update from version 1.23 to 1.24
- Update of rootfile not required
- Changelog
1.24
The option '--empty-error', which forces exit status 2 if any empty member
is found, has been added.
The option '--marking-error', which forces exit status 2 if the first LZMA
byte is non-zero in any member, has been added.
File diagnostics have been reformatted as 'PROGRAM: FILE: MESSAGE'.
Diagnostics caused by invalid arguments to command-line options now show the
argument and the name of the option.
The option '-o, --output' now preserves dates, permissions, and ownership of
the file when (de)compressing exactly one file.
The option '-o, --output' now creates missing intermediate directories when
writing to a file.
The variable MAKEINFO has been added to configure and Makefile.in.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:11 +0000 (09:29 +0100)]
gettext: Update to version 0.22.4
- Update from version 0.22 to 0.22.4
- Update of rootfile
- Changelog
0.22.4
* Bug fixes:
- AM_GNU_GETTEXT now recognizes a statically built libintl on macOS and AIX.
- Build fixes on AIX.
0.22.3
* Portability:
- The libintl library now works on macOS 14. (Older versions of libintl
crash on macOS 14, due to an incompatible change in macOS.)
0.22.2
* Bug fixes:
- The libintl shared library now exports again some symbols that were
accidentally missing.
<https://savannah.gnu.org/bugs/index.php?64323>
This bug was introduced in version 0.22.
0.22.1
* Bug fixes:
- xgettext's processing of large Perl files may have led to errors
<https://savannah.gnu.org/bugs/index.php?64552>
- "xgettext --join-existing" could encounter errors.
<https://savannah.gnu.org/bugs/index.php?64490>
These bugs were introduced in version 0.22.
* Portability:
- Building on Android is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:10 +0000 (09:29 +0100)]
ed: Update to version 1.20
- Update from version 1.19 to 1.20
- Update of rootfile not required
- Changelog
1.20
New command-line options '+line', '+/RE', and '+?RE' have been implemented to
set the current line to the line number specified or to the first or last line
matching the regular expression 'RE'.
(Suggested by Matthew Polk and John Cowan).
File names containing control characters 1 to 31 are now rejected unless they
are allowed with the command-line option '--unsafe-names'.
File names containing control characters 1 to 31 are now printed using octal
escape sequences.
Ed now rejects file names ending with a slash.
Intervening commands that don't set the modified flag no longer make a second
'e' or 'q' command fail with a 'buffer modified' warning.
Tilde expansion is now performed on file names supplied to commands; if a file
name starts with '~/', the tilde (~) is expanded to the contents of the
variable HOME. (Suggested by John Cowan).
Ed now warns the first time that a command modifies a buffer loaded from a
read-only file. (Suggested by Dan Jacobson).
Ed now creates missing intermediate directories when writing to a file.
It has been documented that 'e' creates an empty buffer if file does not exist.
It has been documented that 'f' sets the default filename, whether or not its
argument names an existing file.
The description of the exit status has been improved in '--help' and in the
manual.
The variable MAKEINFO has been added to configure and Makefile.in.
It has been documented in INSTALL that when choosing a C standard, the POSIX
features need to be enabled explicitly:
./configure CFLAGS+='--std=c99 -D_POSIX_C_SOURCE=2'
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:09 +0000 (09:29 +0100)]
diffutils: Update to version 3.10
- Update from version 3.9 to 3.10
- Update of rootfile not required
- Changelog
3.10
Bug fixes
cmp/diff can again work with file dates past Y2K38
[bug introduced in 3.9]
diff -D no longer fails to output #ifndef lines.
[bug#61193 introduced in 3.9]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3450000 to 3450100
- Update of rootfile not required
- Changelog
3.45.1
Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent
releases, for backward compatibility.
Fix the PRAGMA integrity_check command so that it works on read-only databases
that contain FTS3 and FTS5 tables. This resolves an issue introduced in version
3.44.0 but was undiscovered until after the 3.45.0 release.
Fix issues associated with processing corrupt JSONB inputs:
Prevent exponential runtime when converting a corrupt JSONB into text.
Fix a possible read of one byte past the end of the JSONB blob when
converting a corrupt JSONB into text.
Enhanced testing using jfuzz to prevent any future JSONB problems such as the
above.
Fix a long-standing bug in which a read of a few bytes past the end of a
memory-mapped segment might occur when accessing a craftily corrupted database
using memory-mapped database.
Fix a long-standing bug in which a NULL pointer dereference might occur in the
bytecode engine due to incorrect bytecode being generated for a class of SQL
statements that are deliberately designed to stress the query planner but which
are otherwise pointless.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 31 Jan 2024 14:18:47 +0000 (15:18 +0100)]
readline: Update patches to patch 1 to patch 10
- Update from version 8.2 with patch 1 to 8.2 with patches 1 to 10
- Update of rootfile not required
- Changelog
Patch 10
Fix the case where text to be completed from the line buffer (quoted) is
compared to the common prefix of the possible matches (unquoted) and the
quoting makes the former appear to be longer than the latter. Readline
assumes the match doesn't add any characters to the word and doesn't display
multiple matches.
Patch 9
Fix issue where the directory name portion of the word to be completed (the
part that is passed to opendir()) requires both tilde expansion and dequoting.
Readline only performed tilde expansion in this case, so filename completion
would fail.
Patch 8
Add missing prototypes for several function declarations.
Patch 7
If readline is called with no prompt, it should display a newline if return
is typed on an empty line. It should still suppress the final newline if
return is typed on the last (empty) line of a multi-line command.
Patch 6
This is a variant of the same issue as the one fixed by patch 5. In this
case, the signal arrives and is pending before readline calls rl_getc().
When this happens, the pending signal will be handled by the loop, but may
alter or destroy some state that the callback uses. Readline needs to treat
this case the same way it would if a signal interrupts pselect/select, so
compound operations like searches and reading numeric arguments get cleaned
up properly.
Patch 5
If an application is using readline in callback mode, and a signal arrives
after readline checks for it in rl_callback_read_char() but before it
restores the application's signal handlers, it won't get processed until the
next time the application calls rl_callback_read_char(). Readline needs to
check for and resend any pending signals after restoring the application's
signal handlers.
Patch 4
There are systems that supply one of select or pselect, but not both.
Patch 3
The custom color prefix that readline uses to color possible completions
must have a leading `.'.
Patch 2
It's possible for readline to try to zero out a line that's not null-
terminated, leading to a memory fault.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 31 Jan 2024 14:18:45 +0000 (15:18 +0100)]
help2man: Update to version 1.49.3
- Update from version 1.49.2 to 1.49.3
- Update of rootfile not required
- Changelog
1.49.3
* Cleanup whitespace in po-texi/help2man-texi.pot.
* Add Korean translation (thanks to Seong-ho Cho).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 31 Jan 2024 14:18:44 +0000 (15:18 +0100)]
file: Update to version 5.45
- Update from version 5.44 to 5.45
- Update of rootfile not required
- Changelog
5.45
* PR/465: psrok1: Avoid muslc asctime_r crash
* add SIMH tape format support
* bump the max size of the elf section notes to be read to 128K
and make it configurable
* PR/415: Fix decompression with program returning empty
* PR/408: fix -p with seccomp
* PR/412: fix MinGW compilation
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 31 Jan 2024 11:09:41 +0000 (11:09 +0000)]
glibc: Import latest patches from upstream
These include (amongst others) fixes for:
GLIBC-SA-2024-0001:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
containing a long program name failed to update the required buffer
size, leading to the allocation and overflow of a too-small buffer on
the heap.
GLIBC-SA-2024-0002:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779)
__vsyslog_internal used the return value of snprintf/vsnprintf to
calculate buffer sizes for memory allocation. If these functions (for
any reason) failed and returned -1, the resulting buffer would be too
small to hold output.
GLIBC-SA-2024-0003:
===================
syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780)
__vsyslog_internal calculated a buffer size by adding two integers, but
did not first check if the addition would overflow.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Jan 2024 18:01:52 +0000 (18:01 +0000)]
collectd: Do not sync
Calling a global sync operation manually is generally a bad idea as it
can block for forever. If people have storage that does not retain
anything that is being written to it, they need to fix their hardware.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:45 +0000 (23:13 +0100)]
zlib: Update to version 1.3.1
- Update from version 1.3 to 1.3.1
- Update of rootfile
- Changelog
1.3.1
- Reject overflows of zip header fields in minizip
- Fix bug in inflateSync() for data held in bit buffer
- Add LIT_MEM define to use more memory for a small deflate speedup
- Fix decision on the emission of Zip64 end records in minizip
- Add bounds checking to ERR_MSG() macro, used by zError()
- Neutralize zip file traversal attacks in miniunz
- Fix a bug in ZLIB_DEBUG compiles in check_match()
- Various portability and appearance improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:44 +0000 (23:13 +0100)]
xz: Update to version 5.4.6
- Update from version 5.4.5 to 5.4.6
- Update of rootfile
- Changelog
5.4.6
* Fixed a bug involving internal function pointers in liblzma not
being initialized to NULL. The bug can only be triggered if
lzma_filters_update() is called on a LZMA1 encoder, so it does
not affect xz or any application known to us that uses liblzma.
* xz:
- Fixed a regression introduced in 5.4.2 that caused encoding
in the raw format to unnecessarily fail if --suffix was not
used. For instance, the following command no longer reports
that --suffix must be used:
echo foo | xz --format=raw --lzma2 | wc -c
- Fixed an issue on MinGW-w64 builds that prevented reading
from or writing to non-terminal character devices like NUL.
* Added a new test.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:42 +0000 (23:13 +0100)]
libpng: Update to version 1.6.41
- Update from 1.6.39 to 1.6.41
- Update of rootfile
- Changelog
1.6.41
Added SIMD-optimized code for the Loongarch LSX hardware.
(Contributed by GuXiWei, JinBo and ZhangLixia)
Fixed the run-time discovery of MIPS MSA hardware.
(Contributed by Sui Jingfeng)
Fixed an off-by-one error in the function `png_do_check_palette_indexes`,
which failed to recognize errors that might have existed in the first
column of a broken palette-encoded image. This was a benign regression
accidentally introduced in libpng-1.6.33. No pixel was harmed.
(Contributed by Adam Richter; reviewed by John Bowler)
Fixed, improved and modernized the contrib/pngminus programs, i.e.,
png2pnm.c and pnm2png.c
Removed old and peculiar portability hacks that were meant to silence
warnings issued by gcc version 7.1 alone.
(Contributed by John Bowler)
Fixed and modernized the CMake file, and raised the minimum required
CMake version from 3.1 to 3.6.
(Contributed by Clinton Ingram, Timothy Lyanguzov, Tyler Kropp, et al.)
Allowed the configure script to disable the building of auxiliary tools
and tests, thus catching up with the CMake file.
(Contributed by Carlo Bramini)
Fixed a build issue on Mac.
(Contributed by Zixu Wang)
Moved the Autoconf macro files to scripts/autoconf.
Moved the CMake files (except for the main CMakeLists.txt) to
scripts/cmake and moved the list of their contributing authors to
scripts/cmake/AUTHORS.md
Updated the CI configurations and scripts.
Relicensed the CI scripts to the MIT License.
Improved the test coverage.
(Contributed by John Bowler)
1.6.40
Fixed the eXIf chunk multiplicity checks.
Fixed a memory leak in pCAL processing.
Corrected the validity report about tRNS inside png_get_valid().
Fixed various build issues on *BSD, Mac and Windows.
Updated the configurations and the scripts for continuous integration.
Cleaned up the code, the build scripts, and the documentation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:40 +0000 (23:13 +0100)]
bash: Update to include patches 22 to 26
- Update from version 5.2 with patches 1 to 21 to 5.2 with patches 1 to 26
- Update of rootfile not required
- Changelog
Patch 26
The custom color prefix that readline uses to color possible completions
must have a leading `.'.
Patch 25
Make sure a subshell checks for and handles any terminating signals before
exiting (which might have arrived after the command completed) so the parent
and any EXIT trap will see the correct value for $?.
Patch 24
Fix bug where associative array compound assignment would not expand tildes
in values.
Patch 23
Running `local -' multiple times in a shell function would overwrite the
original saved set of options.
Patch 22
It's possible for readline to try to zero out a line that's not null-
terminated, leading to a memory fault.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:39 +0000 (23:13 +0100)]
acl: Update to version 2.3.2
- Update from version 2.3.1 to 2.3.2
- Update of rootfile
- Changelog is only available from reviewing the git commits
https://git.savannah.nongnu.org/cgit/acl.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 29 Jan 2024 16:25:55 +0000 (17:25 +0100)]
vnstat: Update to 2.12
For details see:
https://humdi.net/vnstat/CHANGES
"2.12 / 21-Jan-2024
- Fixed
- QueryMode documentation in configuration file didn't match implementation
or man page description
- Daemon didn't try to import legacy databases when --noadd was used and no
current version database initially existed resulting in the process
exiting even when something could have been done
- Daemon didn't try to import legacy databases when --initdb was used and
no current version database initially existed, this behaviour can still
be enabled by using --noadd in combination with --initdb
- Using --nodaemon and --initdb at the same time didn't result in an error
being shown
- New
- Add 95th percentile output as --95th, also available via --alert, --json,
--xml and image output, requires 5MinuteHours configuration to be set to
at least 744 for storing all the necessary data
- Add --json support for --alert
- Database queries resulting in error exit with status 1
- Show spinning animation at the beginning of -l / --live output line,
visibility configurable using LiveSpinner configuration option
- Add -ic / --invert-colors option to image output for facilitating for
example dark mode switching without needing to have multiple separate
color configurations
- Add dark mode option to image output example cgi (examples/vnstat.cgi)
- Add option 4 to QueryMode for selecting summary output of single
interface regardless of the number of interfaces in the database
- Add optional mode parameter to -q / --query for overriding QueryMode
for summary output and for enabling control of summary output style
regardless of the number of interfaces in the database
- Add --startempty option to daemon for starting and keeping the daemon
running even if no interfaces were discovered and the database is empty
- Add --noremove option to daemon for disabling the automatic removal of
interfaces from database that aren't currently visible and haven't seen
any traffic
- Add third mode option to --iflist and --dbiflist for getting only the
interface count as output"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 29 Jan 2024 16:25:05 +0000 (17:25 +0100)]
mc: Update to 4.8.31
For details see:
https://midnight-commander.org/wiki/NEWS-4.8.31
"Major changes since 4.8.30
Core
Minimal version of GLib is 2.32.0.
VFS
fish: drop support of native FISH server and protocol. Rename VFS to shell (#4232)
extfs;
uc1541 extfs: update up to 3.6 version (#4511)
s3+: port to Python3 (#4324)
Support for LZO/LZOP compression format (#4509)
...
Skins: add color for non-printable characters in editor (#4433)
Fixes
FTBFS on FreeBSD with ext2fs attribute support (#4493)
Broken stickchars (-a) mode (#4498)
Wrong timestamp after resuming of file copy operation (#4499)
Editor: wrong deletion of marked column (#3761)
Diff viewer: segfault when display of line numbers is enabled (#4500)
Tar VFS: broken handling of hard links (#4494)
Sftp VFS: failure establishing SSH session due hashed host names in ~/.ssh/known_hosts (#4506)
Shell VFS: incorrect file names with cyrillic or diacritic symbols (#4507)
mc.ext.ini: incorrect description of of how multiple sections and keys with same names are processed (#4497)
mc.ext.ini: unescaped backslash \ is treated as invalid escape sequence in glib-2.77.3 and glib-2.79 (#4502)
mc.ext.ini: file "Makefile.zip" is handled as Makefile not as zip-arhive (#4419)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Jan 2024 15:09:54 +0000 (15:09 +0000)]
openssl: Update to 3.2.1
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Jan 2024 15:09:54 +0000 (15:09 +0000)]
openssl: Update to 3.2.1
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:20 +0000 (14:41 +0100)]
python3-trio: Update to version 0.23.1
- Update from version 0.22.0 to 0.23.1
- Update of rootfile
- Changelog
0.23.0
Headline features
Add type hints. (#543)
Features
When exiting a nursery block, the parent task always waits for child tasks
to exit. This wait cannot be cancelled. However, previously, if you tried
to cancel it, it would inject a Cancelled exception, even though it wasn’t
cancelled. Most users probably never noticed either way, but injecting a
Cancelled here is not really useful, and in some rare cases caused
confusion or problems, so Trio no longer does that. (#1457)
If called from a thread spawned by trio.to_thread.run_sync,
trio.from_thread.run and trio.from_thread.run_sync now reuse the task and
cancellation status of the host task; this means that context variables and
cancel scopes naturally propagate ‘through’ threads spawned by Trio. You
can also use trio.from_thread.check_cancelled to efficiently check for
cancellation without reentering the Trio thread. (#2392)
trio.lowlevel.start_guest_run() now does a bit more setup of the guest run
before it returns to its caller, so that the caller can immediately make
calls to trio.current_time(), trio.lowlevel.spawn_system_task(),
trio.lowlevel.current_trio_token(), etc. (#2696)
Bugfixes
When a starting function raises before calling trio.TaskStatus.started(),
trio.Nursery.start() will no longer wrap the exception in an undocumented
ExceptionGroup. Previously, trio.Nursery.start() would incorrectly raise an
ExceptionGroup containing it when using trio.run(...,
strict_exception_groups=True). (#2611)
Deprecations and removals
To better reflect the underlying thread handling semantics, the keyword
argument for trio.to_thread.run_sync that was previously called cancellable
is now named abandon_on_cancel. It still does the same thing – allow the
thread to be abandoned if the call to trio.to_thread.run_sync is
cancelled – but since we now have other ways to propagate a cancellation
without abandoning the thread, “cancellable” has become somewhat of a
misnomer. The old cancellable name is now deprecated. (#2841)
Deprecated support for math.inf for the backlog argument in
open_tcp_listeners, making its docstring correct in the fact that only
TypeError is raised if invalid arguments are passed. (#2842)
Removals without deprecations
Drop support for Python3.7 and PyPy3.7/3.8. (#2668)
Removed special MultiError traceback handling for IPython. As of version
8.15 ExceptionGroup is handled natively. (#2702)
Miscellaneous internal changes
Trio now indicates its presence to sniffio using the sniffio.thread_local
interface that is preferred since sniffio v1.3.0. This should be less
likely than the previous approach to cause sniffio.current_async_library()
to return incorrect results due to unintended inheritance of contextvars.
(#2700)
On windows, if SIO_BASE_HANDLE failed and SIO_BSP_HANDLE_POLL didn’t return
a different socket, runtime error will now raise from the OSError that
indicated the issue so that in the event it does happen it might help with
debugging. (#2807)
0.22.2
Bugfixes
Fix PermissionError when importing trio due to trying to access pthread.
(#2688)
0.22.1
Breaking changes
Timeout functions now raise ValueError if passed math.nan. This includes
trio.sleep, trio.sleep_until, trio.move_on_at, trio.move_on_after,
trio.fail_at and trio.fail_after. (#2493)
Features
Added support for naming threads created with trio.to_thread.run_sync,
requires pthreads so is only available on POSIX platforms with glibc
installed. (#1148)
trio.socket.socket now prints the address it tried to connect to upon
failure. (#1810)
Bugfixes
Fixed a crash that can occur when running Trio within an embedded Python
interpreter, by handling the TypeError that is raised when trying to
(re-)install a C signal handler. (#2333)
Fix sniffio.current_async_library() when Trio tasks are spawned from a
non-Trio context (such as when using trio-asyncio). Previously, a regular
Trio task would inherit the non-Trio library name, and spawning a system
task would cause the non-Trio caller to start thinking it was Trio. (#2462)
Issued a new release as in the git tag for 0.22.0, trio.__version__ is
incorrectly set to 0.21.0+dev. (#2485)
Improved documentation
Documented that Nursery.start_soon does not guarantee task ordering. (#970)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:19 +0000 (14:41 +0100)]
python3-pyfuse3: Update to version 3.3.0
- Update from version 3.2.2 to 3.3.0
- Update of rootfile
- Changelog
3.3.0
Note: This is the first pyfuse3 release compatible with Cython 3.0.0 release.
Cython 0.29.x is also still supported.
Cythonized with latest Cython 3.0.0.
Drop Python 3.6 and 3.7 support and testing, #71.
CI: also test python 3.12. test on cython 0.29 and cython 3.0.
Tell Cython that callbacks may raise exceptions, #80.
Fix lookup in examples/hello.py, similar to #16.
Misc. CI, testing, build and sphinx related fixes.
3.2.3
cythonize with latest Cython 0.29.34 (brings Python 3.12 support)
add a minimal pyproject.toml, require setuptools
tests: fix integer overflow on 32-bit arches, fixes #47
test: Use shutil.which() instead of external which(1) program
setup.py: catch more generic OSError when searching Cython, fixes #63
setup.py: require Cython >= 0.29
fix basedir computation in setup.py (fix pip install -e .)
use sphinx < 6.0 due to compatibility issues with more recent versions
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:18 +0000 (14:41 +0100)]
python3-packaging: Update to version 23.2
- Update from version 23.0 to 23.2
- Update of rootfile
- Changelog
23.2
Document calendar-based versioning scheme (#716)
Enforce that the entire marker string is parsed (#687)
Requirement parsing no longer automatically validates the URL (#120)
Canonicalize names for requirements comparison (#644)
Introduce metadata.Metadata (along with metadata.ExceptionGroup and
metadata.InvalidMetadata; #570)
Introduce the validate keyword parameter to utils.normalize_name() (#570)
Introduce utils.is_normalized_name() (#570)
Make utils.parse_sdist_filename() and utils.parse_wheel_filename() raise
InvalidSdistFilename and InvalidWheelFilename, respectively, when the
version component of the name is invalid
23.1
Parse raw metadata (#671)
Import underlying parser functions as an underscored variable (#663)
Improve error for local version label with unsupported operators (#675)
Add dedicated error for specifiers with incorrect .* suffix
Replace spaces in platform names with underscores (#620)
Relax typing of _key on _BaseVersion (#669)
Handle prefix match with zeros at end of prefix correctly (#674)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:17 +0000 (14:41 +0100)]
python3-msgpack: Update to version 1.0.7
- Update from version 1.0.4 to 1.0.7
- Update of rootfile
- Changelog
1.0.7
Fix build error of extension module on Windows. (#567)
setup.py doesn't skip build error of extension module. (#568)
1.0.6
Add Python 3.12 wheels (#517)
Remove Python 2.7, 3.6, and 3.7 support
1.0.5
Use __BYTE_ORDER__ instead of __BYTE_ORDER for portability. (#513, #514)
Add Python 3.11 wheels (#517)
fallback: Fix packing multidimensional memoryview (#527)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:16 +0000 (14:41 +0100)]
python3-exceptiongroup: Update to version 1.2.0
- Updated from version 1.1.0 to 1.2.0
- Update of rootfile
- Changelog
1.2.0
Added special monkeypatching if Apport has overridden sys.excepthook so it
will format exception groups correctly (PR by John Litborn)
Added a backport of contextlib.suppress() from Python 3.12.1 which also
handles suppressing exceptions inside exception groups
Fixed bare raise in a handler reraising the original naked exception rather
than an exception group which is what is raised when you do a raise in an
except* handler
1.1.3
catch() now raises a TypeError if passed an async exception handler instead
of just giving a RuntimeWarning about the coroutine never being awaited.
(#66, PR by John Litborn)
Fixed plain raise statement in an exception handler callback to work like a
raise in an except* block
Fixed new exception group not being chained to the original exception when
raising an exception group from exceptions raised in handler callbacks
Fixed type annotations of the derive(), subgroup() and split() methods to
match the ones in typeshed
1.1.2
Changed handling of exceptions in exception group handler callbacks to not
wrap a single exception in an exception group, as per CPython issue 103590
1.1.1
Worked around CPython issue #98778, urllib.error.HTTPError(..., fp=None)
raises KeyError on unknown attribute access, on affected Python versions.
(PR by Zac Hatfield-Dodds)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:15 +0000 (14:41 +0100)]
python3-calver: New build dependency for python3-trove-classifiers
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:14 +0000 (14:41 +0100)]
python3-trove-classifiers: New build dependency for python3-hatchling
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:13 +0000 (14:41 +0100)]
python3-pluggy: New build dependency for python3-hatchling
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as pyproject.toml approach kept failing to build
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:12 +0000 (14:41 +0100)]
python3-pathspec: New build dependency for python3-hatchling
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:11 +0000 (14:41 +0100)]
python3-editables: New build dependency for python3-hatchling
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:10 +0000 (14:41 +0100)]
python3-hatch-fancy-pypi-readme: New build dependency for python3-attrs
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:09 +0000 (14:41 +0100)]
python3-hatch-vcs: New build dependency for python3-attrs
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:08 +0000 (14:41 +0100)]
python3-hatchling: New build dependency for python3-attrs
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:07 +0000 (14:41 +0100)]
python3-attrs: Update to version 23.2.0
- Update from version 22.1.0 to 23.2.0
- Update of rootfile
- setup.py is no longer available so build to use pyproject.toml was used.
- A new series of build dependencies are also now required for python3-attrs
- Changelog
23.2.0
Changes
The type annotation for attrs.resolve_types() is now correct. #1141
Type stubs now use typing.dataclass_transform to decorate dataclass-like
decorators, instead of the non-standard __dataclass_transform__ special
form, which is only supported by Pyright. #1158
Fixed serialization of namedtuple fields using attrs.asdict/astuple() with
retain_collection_types=True. #1165
attrs.AttrsInstance is now a typing.Protocol in both type hints and code.
This allows you to subclass it along with another Protocol. #1172
If attrs detects that __attrs_pre_init__ accepts more than just self, it
will call it with the same arguments as __init__ was called. This allows
you to, for example, pass arguments to super().__init__(). #1187
Slotted classes now transform functools.cached_property decorated methods to
support equivalent semantics. #1200
Added class_body argument to attrs.make_class() to provide additional
attributes for newly created classes. It is, for example, now possible to
attach methods. #1203
23.1.0
Backwards-incompatible Changes
Python 3.6 has been dropped and packaging switched to static package data
using Hatch. #993
Deprecations
The support for zope-interface via the attrs.validators.provides validator
is now deprecated and will be removed in, or after, April 2024.
The presence of a C-based package in our developement dependencies has
caused headaches and we’re not under the impression it’s used a lot.
Let us know if you’re using it and we might publish it as a separate
package. #1120
Changes
attrs.filters.exclude() and attrs.filters.include() now support the passing
of attribute names as strings. #1068
attrs.has() and attrs.fields() now handle generic classes correctly. #1079
Fix frozen exception classes when raised within e.g.
contextlib.contextmanager, which mutates their __traceback__ attributes. #1081
@frozen now works with type checkers that implement PEP-681 (ex. pyright).
#1084
Restored ability to unpickle instances pickled before 22.2.0. #1085
attrs.asdict()’s and attrs.astuple()’s type stubs now accept the
attrs.AttrsInstance protocol. #1090
Fix slots class cellvar updating closure in CPython 3.8+ even when
__code__ introspection is unavailable. #1092
attrs.resolve_types() can now pass include_extras to typing.get_type_hints()
on Python 3.9+, and does so by default. #1099
Added instructions for pull request workflow to CONTRIBUTING.md. #1105
Added type parameter to attrs.field() function for use with attrs.make_class().
Please note that type checkers ignore type metadata passed into
make_class(), but it can be useful if you’re wrapping attrs. #1107
It is now possible for attrs.evolve() (and attr.evolve()) to change fields
named inst if the instance is passed as a positional argument.
Passing the instance using the inst keyword argument is now deprecated and
will be removed in, or after, April 2024. #1117
attrs.validators.optional() now also accepts a tuple of validators
(in addition to lists of validators). #1122
22.2.0
Backwards-incompatible Changes
Python 3.5 is not supported anymore. #988
Deprecations
Python 3.6 is now deprecated and support will be removed in the next
release. #1017
Changes
attrs.field() now supports an alias option for explicit __init__ argument
names.
Get __init__ signatures matching any taste, peculiar or plain! The PEP 681
compatible alias option can be use to override private attribute name
mangling, or add other arbitrary field argument name overrides. #950
attrs.NOTHING is now an enum value, making it possible to use with e.g.
typing.Literal. #983
Added missing re-import of attr.AttrsInstance to the attrs namespace. #987
Fix slight performance regression in classes with custom __setattr__ and
speedup even more. #991
Class-creation performance improvements by switching performance-sensitive
templating operations to f-strings.
You can expect an improvement of about 5% – even for very simple classes. #995
attrs.has() is now a TypeGuard for AttrsInstance. That means that type
checkers know a class is an instance of an attrs class if you check it
using attrs.has() (or attr.has()) first. #997
Made attrs.AttrsInstance stub available at runtime and fixed type errors
related to the usage of attrs.AttrsInstance in Pyright. #999
On Python 3.10 and later, call abc.update_abstractmethods() on dict classes
after creation. This improves the detection of abstractness. #1001
attrs’s pickling methods now use dicts instead of tuples. That is safer and
more robust across different versions of a class. #1009
Added attrs.validators.not_(wrapped_validator) to logically invert
wrapped_validator by accepting only values where wrapped_validator rejects
the value with a ValueError or TypeError (by default, exception types
configurable). #1010
The type stubs for attrs.cmp_using() now have default values. #1027
To conform with PEP 681, attr.s() and attrs.define() now accept unsafe_hash
in addition to hash. #1065
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:06 +0000 (14:41 +0100)]
borgbackup: Update to version 1.2.7
- Update from version 1.2.3 to 1.2.7
- Update of rootfile
- Patch set put together to also update the dependency packages where they have been
updated.
- Changelog
1.2.7
Fixes:
- docs: CVE-2023-36811 upgrade steps: consider checkpoint archives, #7802
- check/compact: fix spurious reappearance of orphan chunks since borg
1.2, #6687 -
this consists of 2 fixes:
- for existing chunks: check --repair: recreate shadow index, #6687
- for newly created chunks: update shadow index when doing a
double-put, #5661
- LockRoster.modify: no KeyError if element was already gone, #7937
- create --X-from-command: run subcommands with a clean environment, #7916
- list --sort-by: support "archive" as alias of "name", #7873
- fix rc and msg if arg parsing throws an exception, #7885
Other changes:
- support and test on Python 3.12
- include unistd.h in _chunker.c (fix for Python 3.13)
- allow msgpack 1.0.6 and 1.0.7
- TAM issues: show tracebacks, improve borg check logging, #7797
- replace "datetime.utcfromtimestamp" with custom helper to avoid
deprecation warnings when using Python 3.12
- vagrant:
- use generic/debian9 box, fixes #7579
- add VM with debian bookworm / test on OpenSSL 3.0.x.
- docs:
- not only attack/unsafe, can also be a fs issue, #7853
- point to CVE-2023-36811 upgrade steps from borg 1.1 to 1.2 upgrade
steps, #7899
- upgrade steps needed for all kinds of repos (including "none"
encryption mode), #7813
- upgrade steps: talk about consequences of borg check, #7816
- upgrade steps: remove period that could be interpreted as part of
the command
- automated-local.rst: use GPT UUID for consistent udev rule
- create disk/partition sector backup by disk serial number, #7934
- update macOS hint about full disk access
- clarify borg prune -a option description, #7871
- readthedocs: also build offline docs (HTMLzip), #7835
- frontends: add "check.rebuild_refcounts" message
1.2.6
Fixes:
- The upgrade procedure docs as published with borg 1.2.5 did not work,
if the repository had archives resulting from a borg rename or borg
recreate operation.
The updated docs now use BORG_WORKAROUNDS=ignore_invalid_archive_tam
at some places to avoid that issue, #7791.
See: fix pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811),
details and necessary upgrade procedure described above.
Other changes:
- updated 1.2.5 changelog entry: 1.2.5 already has the fix for
rename/recreate.
- remove cython restrictions. recommended is to build with
cython 0.29.latest, because borg 1.2.x uses this since years and it
is very stable. You can also try to build with cython 3.0.x, there is
a good chance that it works. As a 3rd option, we also bundle the
`*.c` files cython outputs in the release pypi package, so you can
also just use these and not need cython at all.
1.2.5
Fixes:
- Security: fix pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811),
see details and necessary upgrade procedure described above.
- rename/recreate: correctly update resulting archive's TAM, see #7791
- create: do not try to read parent dir of recursion root, #7746
- extract: fix false warning about pattern never matching, #4110
- diff: remove surrogates before output, #7535
- compact: clear empty directories at end of compact process, #6823
- create --files-cache=size: fix crash, #7658
- keyfiles: improve key sanity check, #7561
- only warn about "invalid" chunker params, #7590
- ProgressIndicatorPercent: fix space computation for wide chars, #3027
- improve argparse validator error messages
New features:
- mount: make up volname if not given (macOS), #7690.
macFUSE supports a volname mount option to give what finder displays on
the desktop / in the directory view. if the user did not specify it,
we make something up, because otherwise it would be "macFUSE Volume 0
(Python)" and hide the mountpoint directory name.
- BORG_WORKAROUNDS=authenticated_no_key to extract from authenticated repos
without key, #7700
Other changes:
- add `utcnow()` helper function to avoid deprecated `datetime.utcnow()`
- stay on latest Cython 0.29 (0.29.36) for borg 1.2.x (do not use
Cython 3.0 yet)
- docs:
- move upgrade notes to own section, see #7546
- mount -olocal: how to show mount in finder's sidebar, #5321
- list: fix --pattern examples, #7611
- improve patterns help
- incl./excl. options, path-from-stdin exclusiveness
- obfuscation docs: markup fix, note about MAX_DATA_SIZE
- --one-file-system: add macOS apfs notes, #4876
- improve --one-file-system help string, #5618
- rewrite borg check docs
- improve the docs for --keep-within, #7687
- fix borg init command in environment.rst.inc
- 1.1.x upgrade notes: more precise borg upgrade instructions, #3396
-tests:
- fix repo reopen
- avoid long ids in pytest output
- check buzhash chunksize distribution, see #7586
1.2.4
New features:
- import-tar: add --ignore-zeros to process concatenated tars, #7432.
- debug id-hash: computes file/chunk content id-hash, #7406
- diff: --content-only does not show mode/ctime/mtime changes, #7248
- diff: JSON strings in diff output are now sorted alphabetically
Bug fixes:
- xattrs: fix namespace processing on FreeBSD, #6997
- diff: fix path related bug seen when addressing deferred items.
- debug get-obj/put-obj: always give chunkid as cli param, see #7290
(this is an incompatible change, see also borg debug id-hash)
- extract: fix mtime when ResourceFork xattr is set (macOS specific), #7234
- recreate: without --chunker-params, do not re-chunk, #7337
- recreate: when --target is given, do not detect "nothing to do".
use case: borg recreate -a src --target dst can be used to make a copy
of an archive inside the same repository, #7254.
- set .hardlink_master for ALL hardlinkable items, #7175
- locking: fix host, pid, tid order.
tid (thread id) must be parsed as hex from lock file name.
- update development.lock.txt, including a setuptools security fix, #7227
Other changes:
- requirements: allow msgpack 1.0.5 also
- upgrade Cython to 0.29.33
- hashindex minor fixes, refactor, tweaks, tests
- use os.replace not os.rename
- remove BORG_LIBB2_PREFIX (not used any more)
- docs:
- BORG_KEY_FILE: clarify docs, #7444
- update FAQ about locale/unicode issues, #6999
- improve mount options rendering, #7359
- make timestamps in manual pages reproducible
- installation: update Fedora in distribution list, #7357
- tests:
- fix test_size_on_disk_accurate for large st_blksize, #7250
- add same_ts_ns function and use it for relaxed timestamp comparisons
- "auto" compressor tests: don't assume a specific size,
do not assume zlib is better than lz4, #7363
- add test for extracted directory mtime
- vagrant:
- upgrade local freebsd 12.1 box -> generic/freebsd13 box (13.1)
- use pythons > 3.8 which work on freebsd 13.1
- pyenv: also install python 3.11.1 for testing
- pyenv: use python 3.10.1, 3.10.0 build is broken on freebsd
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 11:22:18 +0000 (12:22 +0100)]
dhcpcd: Update to version 10.0.6 + fix issue experinced by some community users.
- Update from version 10.0.4 to 10.0.6
- Update of rootfile not required.
- In version 10.0.4 a bug was found
https://github.com/NetworkConfiguration/dhcpcd/issues/260
which was fixed in version 10.0.5. From the community forum it looks like some people
have experienced this issue with the update to 10.0.4 in CU182
https://community.ipfire.org/t/core-update-182-aarch64-red0-interface-stops/10827
- According to the dhcpcd issue report this problem can affect both x86_64 and aarch64
but it seems to affect aarch64 systems much more often and the reports in the community
forum are related to aarch64.
- This patch updates to version 10.0.6 because that is the current latest version and
includes the fix commits for the above issue that were built into 10.0.5
- Changelog
10.0.6
privsep: Stop proxying stderr to console and fix some detachment issues
non-privsep: Fix launcher hangup
DHCP6: Allow the invalid interface name - to mean don't assign an address
from a delegated prefix
DHCP6: Load the configuration for the interface being activated from prefix
delegation
10.0.5
DHCP: re-enter DISCOVER phase if server doesn't reply to our REQUEST
privsep: Allow __NR_dup3 syscall as some libc's use that instead of the dup2
dhcpcd uses
dev: Fix an issue where not opening the dev plugin folder if configured
returned the wrong fd
privsep: Harden the launcher process detecting daemonisation.
compat: arc4random uses explicit_bzero if available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>