Michael Tremer [Sat, 23 Mar 2024 14:03:36 +0000 (15:03 +0100)]
openvpnctrl: Rewrite the entire thing
This binary because a major headache as it has been changed so many
times by so many people neglegting the code quality. Therefore, the
logic has now been moved into initscripts and the binary changed so that
it only serves as a SUID wrapper to call the initscripts.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Sat, 23 Mar 2024 13:57:19 +0000 (14:57 +0100)]
initscripts: No longer restart OpenVPN when RED comes up/goes down
This is probably a relic from when dial-up connections where on trend
and systems were offline for long times of the day. Now, we should
always be on and there is no need to restart all those services on a
reconnect.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 20 Mar 2024 19:38:52 +0000 (20:38 +0100)]
ovpnmain.cgi: Migrate to subnet topology
For dynamic pools, this change is easy and does not require any extra
steps. For CCD clients however, we need to update the configuration to
replace the server IP address with the subnet mask.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 20 Mar 2024 13:56:20 +0000 (14:56 +0100)]
ovpnmain.cgi: Drop validdotmask()
This is a totally braindead function that prevented some basic usability
by using the more modern prefix notation. It simply checks if there is a
freaking dot. Great!
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 19:44:18 +0000 (20:44 +0100)]
ovpnmain.cgi: Force NCP on clients
This change requires that all clients support NCP if they are set up
with a new connection. Existing clients remain supported using the
fallback cipher option.
This will result that connections with OpenVPN <= 2.3 cannot be set up
any more which is totally fine since that version is EOL.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 19:11:31 +0000 (20:11 +0100)]
ovpnmain.cgi: Completely remove compression for RW clients
We will use the "compress migrate" option which disables compression by
default. If a client has been found that wants to use compression, the
server will push "stub-v2" to disable it. If that does not work, the
server might fall back to compression.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 19 Mar 2024 15:32:33 +0000 (16:32 +0100)]
ovpnmain.cgi: Drop newcleanssldatabase()
I have no idea why this was added when there is a function that does the
same already. The remove function also had typos in the path which
probably resulted in it not working very well.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 13 Jul 2025 09:39:34 +0000 (11:39 +0200)]
lm_sensors: Update to version 3.6.2
- Update from version 3.6.0 to 3.6.2
- Update of rootfiles for all architectures
- The original repo for lm_sensors had the last update in 2019 (3.6.0) and the last
commit in 2021. That repo was forked and has released two updates since then. This
repo is being used by Arch Linux and Ubuntu have changed to it in the latest Questing
Quokka version.
- The owner of this new repo has also taken some of the pull requests from the old repo
and merged them into the new one. Also some fixes from the Debian releases have also
been merged into the new repo.
- The only downside with this new repo is that version 3.6.2 was released in Jan 2024
and that release was the last commit in this new repo. So not sure if any further
updates will be forthcoming.
- If it is not considered suitable to update to this repo because it looks to no longer
be getting updated then this patch can be rejected.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:16 +0000 (12:14 +0200)]
btrfs-progs: Update to version 6.15
- Update from version 6.14 to 6.15
- Update of rootfile not required
- Changelog
6.15
* mkfs: new option --inode-flags to specify flags/attributes for
inodes/directories/subvolumes
* check:
* fix false alert on missing checksum for hole
* in lowmem mode, fix false alerts when checking refs
* convert: check feature compatibility when enabling block-group-tree
* tune convert-bgt: fix resume of conversion
* rescue: add new command fix-data-checksum, selectively fix or find
mismatching checksums
* other:
* new and updated tests
* documentation updates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 10 Jul 2025 07:44:28 +0000 (09:44 +0200)]
cifs-utils: Update to version 7.4
- Update fropm version 7.3 to 7.4
- Update of rootfile
- According to Linux From Scratch cifs-utils-7.4 requires the autoreconf to work with
gcc-15. Certainly without it the build failed.
- Changelog
7.4
mount.cifs: retry mount on -EINPROGRESS
cifs.upcall: correctly treat UPTARGET_UNSPECIFIED as UPTARGET_APP
cifs.upcall: fix memory leaks in check_service_ticket_exits()
getcifsacl, setcifsacl: use <libgen.h> for basename
cifscreds: use <libgen.h> for basename
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 10 Jul 2025 07:44:29 +0000 (09:44 +0200)]
libtalloc: Update to version 2.4.3
- Update from version 2.4.2 to 2.4.3
- Update of rootfile
- The last changelog is recorded in the sourcde tarball is from 2007. The only place I
have found anything is by filtering the samba gitlab mirror to show the commits
related to talloc.
https://gitlab.com/samba-team/samba/-/commits/talloc-2.4.3?ref_type=tags
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 9 Jul 2025 12:09:49 +0000 (14:09 +0200)]
json-glib: Move to be built after glib has been built
- Shifted to build after glib is built and removed the dist entry that is used for
addons.
- Checked the glib library and the libgio entries are uncommented so that should be okay
- Checked build and this package then built with no problems but in the addon package
build section libtpms failed to build as it was missing the dist entry. Also the same
with swtpm so this is a patch set with the changes to those two packages as well.
- Full build tested out and confirmed working on x86_64 with this patch set applied.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 9 Jul 2025 08:11:46 +0000 (10:11 +0200)]
libhtp: Update to version 0.5.51
- Update from version 0.5.50 to 0.5.51
- Update of rootfile not required
- suricata-7.0.11 requires libhtp-0.5.51
- Changelog
0.5.51
- decompressors: fix leak in lzma error case
- request: do not fully error on data after HTTP/0.9
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 9 Jul 2025 08:11:45 +0000 (10:11 +0200)]
suricata: Update to version 7.0.11
- Update from version 7.0.10 to 7.0.11
- Update of rootfile not required
- Changelog
7.0.11
Security #7766: libhtp-c: memory leak with lzma(HIGH - CVE 2025-53537)
Security #7659: http2: global tx (stream id 0) may open file and never close it
(7.0.x backport)(HIGH - CVE 2025-53538)
Bug #7779: mpm/ac: error "Just ran out of space in the queue" (7.0.x backport)
Bug #7748: byte_extract: issue with saved 'name' in distance keyword
(7.0.x backport)
Bug #7736: brotli: old crate version has integer underflow (7.0.x backport)
Bug #7731: dcerpc: uint16 overflow (rust debug assertion) (7.0.x backport)
Bug #7716: snmp: probing parser returns ALPROTO_FAILED instead of
ALPROTO_UNKNOWN if slice.len() < 4 (7.0.x backport)
Bug #7690: datasets: set type IP can't set IPv4 (7.0.x backport)
Bug #7688: flow: non-TCP protocol timeout handling leads to missing flows
(7.0.x backport)
Bug #7682: flow: race condition at shutdown leads to duplicate flows
(7.0.x backport)
Bug #7670: http: lack of setting updated_ts leads to detection delay
(7.0.x backport)
Bug #7663: ips: deconflict pass flow and drop packet rules (7.0.x backport)
Bug #7661: pcap: continuous file reading fails on an empty directory
(7.0.x backport)
Bug #7652: rust: warnings with rustc 1.86
Bug #7610: http: reachable assertion when memcap reached during rule reload
Bug #7375: dpdk: iface-copy should not be mandatory (7.0.x backport)
Bug #7293: CI: clang-format does not work for main-7.0.x branch (7.0.x backport)
Optimization #7781: mpm/ac-ks: reduce stack usage (7.0.x backport)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 16:33:00 +0000 (18:33 +0200)]
libtasn1: Update to version 4.20.0 & move before gnutls
- Update from version 4.19.0 to 4.20.0
- Update of rootfile
- Move earlier in make.sh so that the library can be used by gnutls in place of the
gnutls bundled version.
- Fix for a CVE
- Changelog
4.20.0
- The release tarball is now reproducible.
- We publish a minimal source-only tarball generated by 'git archive'.
- Update gnulib files and various build/maintenance fixes.
- Fix CVE-2024-12133: Potential DoS in handling of numerous SEQUENCE OF or
SET OF elements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 16:32:59 +0000 (18:32 +0200)]
gnutls: Update to version 3.8.9
- Update from version 3.8.8 to 3.8.9
- Update of rootfile
- I found that gnutls was using its own bundled versions of libtasn1 and libunistring
and that there had been some CVE's with libtasn1 which were then fixed later in the
gnutls bundled version together with some fixes in the gnutls code. So this patch,
as well updating the version has also removed the options to use the included
versions of the libtasn1 and libunistring libraries. libtasn1 was already in IPFire
and just needed to be moved to before gnutls. libunistring had to be added in.
- The disable-guile option was removed as the guile bindings were removed in
gnutls-3.8.0 and the option is no longer recognised.
- Changelog
3.8.9
** libgnutls: leancrypto was added as an interim option for PQC
The library can now be built with leancrypto instead of liboqs for
post-quantum cryptography (PQC), when configured with
--with-leancrypto option instead of --with-liboqs.
** libgnutls: Experimental support for ML-DSA signature algorithm
The library and certtool now support ML-DSA signature algorithm as
defined in FIPS 204 and based on
draft-ietf-lamps-dilithium-certificates-04. This feature is
currently marked as experimental and can only be enabled when
compiled with --with-leancrypto or --with-liboqs.
Contributed by David Dudas.
** libgnutls: Support for ML-KEM-1024 key encapsulation mechanism
The support for ML-KEM post-quantum key encapsulation mechanisms
has been extended to cover ML-KEM-1024, in addition to ML-KEM-768.
MLKEM1024 is only offered as SecP384r1MLKEM1024 hybrid as per
draft-kwiatkowski-tls-ecdhe-mlkem-03.
** libgnutls: Fix potential DoS in handling certificates with numerous name
constraints, as a follow-up of CVE-2024-12133 in libtasn1. The
bundled copy of libtasn1 has also been updated to the latest 4.20.0
release to complete the fix. Reported by Bing Shi (#1553).
[GNUTLS-SA-2025-02-07, CVSS: medium] [CVE-2024-12243]
** API and ABI modifications:
GNUTLS_PK_MLDSA44: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA65: New enum member of gnutls_pk_algorithm_t
GNUTLS_PK_MLDSA87: New enum member of gnutls_pk_algorithm_t
GNUTLS_SIGN_MLDSA44: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA65: New enum member of gnutls_sign_algorithm_t
GNUTLS_SIGN_MLDSA87: New enum member of gnutls_sign_algorithm_t
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 4 Jul 2025 10:14:46 +0000 (12:14 +0200)]
util-linux: Update to version 2.41.1
- Update from version 2.41 to 2.41.1
- Update of rootfile not required
- Changelog
2.41.1
autotools:
- don't use wide-character ncurses if --disable-widechar (by Karel Zak)
cfdisk:
- fix memory leak and possible NULL dereference [gcc-analyzer] (by Karel Zak)
column:
- fix compiler warning for non-widechar compilation (by Karel Zak)
fdformat:
- use size_t and ssize_t (by Karel Zak)
fdisk:
- fix possible memory leak (by Karel Zak)
fdisk,partx:
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
findmnt:
- fix -k option parsing regression (by Karel Zak)
hardlink:
- define more function as inline (by Karel Zak)
- fix performance regression (inefficient signal evaluation) (by Karel Zak)
- Use macro for verbose output (by Karel Zak)
include/cctype:
- fix string comparison (by Karel Zak)
include/mount-api-utils:
- include linux/unistd.h (by Thomas Weißschuh)
libblkid:
- Fix crash while parsing config with libeconf (by Stanislav Brabec)
- befs fix underflow (by Milan Broz)
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
libblkid/src/topology/dm:
- fix fscanf return value check to match expected number of parsed items
(by Mingjie Shen)
libfdisk:
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
libmount:
- (subdir) restrict for real mounts only (by Karel Zak)
- (subdir) remove unused code (by Karel Zak)
- avoid calling memset() unnecessarily (by Karel Zak)
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
- fix --no-canonicalize regression (by Karel Zak)
libuuid:
- fix uuid_time on macOS without attribute((alias)) (by Eugene Gershnik)
lsblk:
- use ID_PART_ENTRY_SCHEME as fallback for PTTYPE (by Karel Zak)
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
lscpu:
- fix possible buffer overflow in cpuinfo parser (by Karel Zak)
- Fix loongarch op-mode output with recent kernel (by Xi Ruoyao)
lsfd:
- (bug fix) scan the protocol field of /proc/net/packet as a hex number
(by Masatake YAMATO)
- fix the description for PACKET.PROTOCOL column (by Masatake YAMATO)
lsns:
- enhance compilation without USE_NS_GET_API (by Karel Zak)
- fix undefined reference to add_namespace_for_nsfd #3483 (by Thomas
Devoogdt)
meson:
- add feature for translated documentation (by Thomas Weißschuh)
- remove tinfo dependency from 'more' (by Thomas Weißschuh)
- fix manadocs for libsmartcols and libblkid (by Karel Zak)
- fix po-man installation (by Karel Zak)
misc:
- never include wchar.h (by Karel Zak)
more:
- fix broken ':!command' command key (by cgoesche)
- fix implicit previous shell_line execution #3508 (by cgoesche)
mount:
- (man) add missing word (by Jakub Wilk)
namespace.h:
- fix compilation on Linux < 4.10 (by Thomas Devoogdt)
po:
- update uk.po (from translationproject.org) (by Yuri Chornoivan)
- update sr.po (from translationproject.org) (by Мирослав Николић)
- update ro.po (from translationproject.org) (by Remus-Gabriel Chelu)
- update pt.po (from translationproject.org) (by Pedro Albuquerque)
- update pl.po (from translationproject.org) (by Jakub Bogusz)
- update nl.po (from translationproject.org) (by Benno Schulenberg)
- update ja.po (from translationproject.org) (by YOSHIDA Hideki)
- update hr.po (from translationproject.org) (by Božidar Putanec)
- update fr.po (from translationproject.org) (by Frédéric Marchal)
- update es.po (from translationproject.org) (by Antonio Ceballos Roa)
- update de.po (from translationproject.org) (by Mario Blättermann)
- update cs.po (from translationproject.org) (by Petr Písař)
po-man:
- merge changes (by Karel Zak)
- update sr.po (from translationproject.org) (by Мирослав Николић)
- update de.po (from translationproject.org) (by Mario Blättermann)
tests:
- (test_mkfds::mapped-packet-socket) add a new parameter, protocol (by
Masatake YAMATO)
treewide:
- add ul_ to parse_timestamp() function name (by Karel Zak)
- add ul_ to parse_switch() function name (by Stanislav Brabec)
- add ul_ to parse_size() function name (by Karel Zak)
- add ul_ to parse_range() function name (by Karel Zak)
- fix optional arguments usage (by Karel Zak)
- avoid strcasecmp() for ASCII-only strings (by Karel Zak)
Wipefs:
- improve --all descriptions for whole-disks (by Karel Zak)
Misc:
- Do not call exit() on code ending in shared libraries (by Cristian
Rodríguez)
- remove two leftover license lines from colors.{c,h} (by Benno Schulenberg)
- remove "Copyright (C) ...." notes from files that claim no copyright
(by Benno Schulenberg)
- correct the full name of the GPL in various files (by Benno Schulenberg)
- Make scols_column_set_data_func docs visible (by FeRD (Frank Dana))
- Do not use strerror on shared libraries (by Cristian Rodríguez)
- Fix typo in blkdiscard docs (by pls-no-hack)
- lib/fileeq.c Fix a typo in message. (by Masanari Iida)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
