Michael Tremer [Tue, 10 Sep 2024 22:43:59 +0000 (00:43 +0200)]
IPS: Ada a graph that shows the IPS throughput
This graph is split into three parts. One shows bypassed packets, the
next one shows the actually scanned packets and lastly we show the total
throughput.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 10 Sep 2024 09:37:38 +0000 (11:37 +0200)]
firewall: Move the IPS after the NAT marking
This is because we might still land in the scenario where Suricata
crashes and NFQUEUE will simply ACCEPT all packets which will terminate
the processing of the mangle table.
Therefore the NFQUEUE rule should be the last one so that we never skip
any of the other processing.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 9 Sep 2024 09:49:30 +0000 (11:49 +0200)]
suricata: Move the IPS into the mangle table
This should make the IPS more efficient, we should have fewer rules and
the IPS will now sit at the edge of the networking stack as it will see
packets immediately when they come and and just before they leave.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 13 Sep 2024 16:25:16 +0000 (18:25 +0200)]
curl: Update to version 8.10.0
- Update from vesion 8.9.1 to 8.10.0
- Update of rootfile
- In previous versions if libpsl was not found then the build excluded it. Now it needs
to be explicitly disabled otherwise the build will stop with a warning that it could
not be found.
- Changelog
8.10.0
changes:
o autotools: add `--enable-windows-unicode` option [103]
o curl: --help [option] displays documentation for given cmdline option [19]
o curl: add --skip-existing [54]
o curl: for -O, use "default" as filename when the URL has none [34]
o curl: make --rate accept "number of units" [4]
o curl: make --show-headers the same as --include [6]
o curl: support --dump-header % to direct to stderr [31]
o curl: support embedding a CA bundle and --dump-ca-embed [20]
o curl: support repeated use of the verbose option; -vv etc [35]
o curl: use libuv for parallel transfers with --test-event [82]
o getinfo: add CURLINFO_POSTTRANSFER_TIME_T [87]
o mbedtls: add CURLOPT_TLS13_CIPHERS support [78]
o rustls: add support for setting TLS version and ciphers [113]
o vtls: stop offering alpn http/1.1 for http2-prior-knowledge [53]
o wolfssl: add CURLOPT_TLS13_CIPHERS support [76]
o wolfssl: add support for ssl cert blob / ssl key blob options [50]
bugfixes:
o asyn-thread: stop using GetAddrInfoExW on Windows [241]
o autotools: fix MS-DOS builds [249]
o autotools: fix typo in tests/data target [30]
o aws_sigv4: fix canon order for headers with same prefix [74]
o bearssl: fix setting tls version [203]
o bearssl: improve shutdown handling [45]
o BINDINGS: add zig binding [100]
o build: add `iphlpapi` lib for libssh on Windows [166]
o build: add `poll()` detection for cross-builds [244]
o build: add options to disable SHA-512/256 hash algo [239]
o build: check OS-native IDN first, then libidn2 [223]
o build: delete unused `REQUIRE_LIB_DEPS` [226]
o build: drop unused `NROFF` reference [253]
o build: drop unused feature-detection code for Apple `poll()` [227]
o build: generate `buildinfo.txt` for test logs [256]
o build: improve compiler version detection portability
o build: make `CURL_FORMAT_CURL_OFF_T[U]` work with mingw-w64 <=7.0.0 [207]
o build: silence C4232 MSVC warnings in vcpkg ngtcp2 builds [137]
o build: use -Wno-format-overflow [195]
o buildconf.bat: fix tool_hugehelp.c generation [173]
o cf-socket: fix pollset for listening [179]
o cf-socket: prevent KEEPALIVE_FACTOR being set to 1000 for Windows [185]
o cfilters: send flush [13]
o CHANGES: rename to CHANGES.md, no longer generated [40]
o CI: enable parallel testing in CI builds [18]
o ci: Update actions/upload-artifact digest to 89ef406 [24]
o cmake: `Libs.private` improvements [215]
o cmake: add `CURL_USE_PKGCONFIG` option [138]
o cmake: add Linux CI job, fix pytest with cmake [71]
o cmake: add math library when using wolfssl and ngtcp2 [66]
o cmake: add missing `pkg-config` hints to Find modules [158]
o cmake: add missing version detection to Find modules [170]
o cmake: add rustls [116]
o cmake: add support for versioned symbols option [51]
o cmake: add wolfSSH support [117]
o cmake: allow `pkg-config` in more envs [147]
o cmake: cleanup header paths [59]
o cmake: default `CURL_DISABLE_LDAPS` to the value of `CURL_DISABLE_LDAP` [231]
o cmake: delete MSVC warning suppression for tests/server [101]
o cmake: detect `nghttp2` via `pkg-config`, enable by default [21]
o cmake: detect and show VCPKG in platform flags [84]
o cmake: distcheck for files in CMake subdir [9]
o cmake: drop custom `CMakeOutput.log`/`CMakeError.log` logs [27]
o cmake: drop libssh CONFIG-style detection [167]
o cmake: drop no-op `tests/data/CMakeLists.txt` [26]
o cmake: drop reference to undefined variable [25]
o cmake: drop unused `HAVE_IDNA_STRERROR` [62]
o cmake: drop unused internal variable [22]
o cmake: exclude tests/http/clients builds by default [110]
o cmake: fix `GSS_VERSION` for Heimdal found via pkg-config [77]
o cmake: fix `pkg-config`-based detection in `FindGSS.cmake` [94]
o cmake: fix and tidy up c-ares builds, enable in more CI jobs [156]
o cmake: fix find rustls [148]
o cmake: fixup linking libgsasl when detected via CMake-native
o cmake: honor custom `CMAKE_UNITY_BUILD_BATCH_SIZE` [163]
o cmake: limit `pkg-config` to UNIX and MSVC+vcpkg by default [188]
o cmake: limit libidn2 `pkg-config` detection to `UNIX` [109]
o cmake: migrate dependency detections to Find modules [183]
o cmake: more small tidy-ups and fixes [80]
o cmake: rename wolfSSL and zstd config variables to uppercase [151]
o cmake: respect cflags/libdirs of native pkg-config detections [175]
o cmake: show CMake platform/compiler flags [63]
o cmake: show warning if libpsl is not found [154]
o cmake: sync code between test/example targets [234]
o cmake: sync up formatting in Find modules [129]
o cmake: TLS 1.3 warning only for bearssl and sectranp [118]
o cmake: update `curl-config.cmake.in` template var list
o cmake: update list of "advanced" variables [119]
o cmake: use numeric comparison for `HAVE_WIN32_WINNT` [69]
o cmdline-opts: language fix for expect100-timeout.md and max-time.md [192]
o configure: delete unused `CURL_DEFINE_UNQUOTED` function [224]
o configure: delete unused `HAVE_OPENSSL3` macro [225]
o configure: delete unused `m4/xc-translit.m4` [114]
o configure: detect AppleIDN [70]
o configure: fail if PSL is not disabled but not found [46]
o configure: fix WinIDN builds targeting old Windows [210]
o configure: remove USE_EXPLICIT_LIB_DEPS [199]
o configure: replace nonportable grep -o with awk [111]
o connect: always prefer ipv6 in IP eyeballing [209]
o connect: limit update IP info [191]
o cookie.md: try to articulate the two different uses this option has [92]
o curl: allow 500MB data URL encode strings [38]
o curl: find curlrc in XDG_CONFIG_HOME without leading dot [186]
o curl: fix --proxy-pinnedpubkey [91]
o curl: fix the -w urle.* variables [153]
o curl: make the progress bar detect terminal width changes [169]
o curl: warn on unsupported SSL options [106]
o Curl_rand_bytes to control env override [17]
o curl_sha512_256: fix symbol collisions with nettle library [131]
o CURLMOPT_SOCKETFUNCTION.md: expand on the easy argument [216]
o CURLOPT_XFERINFOFUNCTION: clarify the callback return codes [141]
o dist: add missing `docs/examples/CMakeLists.txt` [58]
o dist: add missing `FindNettle.cmake` [11]
o dist: add missing `lib/optiontable.pl` [115]
o dist: add missing `test_*.py` scripts [102]
o dist: drop buildconf [65]
o dist: fix reproducible build from release tarball [36]
o dmaketgz: only run 'make distclean' if Makefile exists
o docs/SSLCERTS: rewrite [174]
o docs: add description of effect of --location-trusted on cookie [157]
o docs: document the (weak) random value situation in rustls builds [252]
o docs: fix some examples in man pages
o docs: improve cipher options documentation [159]
o docs: mention "@-" in more places [67]
o docs: remove ALTSVC.md, HSTS.md, HTTP2.md and PARALLEL-TRANSFERS.md [105]
o docs: update CIPHERS.md [140]
o doh-url.md: point out DOH server IP pinning [37]
o doh: remove redundant checks [242]
o easy: fix curl_easy_upkeep for shared connection caches [52]
o escape: allow curl_easy_escape to generate 3*input length output [39]
o FEATURES.md: fix typo [180]
o ftp: always offer line end conversions [219]
o ftp: flush pingpong before response [73]
o getinfo: return zero for unsupported options (when disabled) [189]
o GHA/windows: enable MulitSSL in an MSVC job [2]
o GHA: scan git repository and detect unvetted binary files [3]
o gnutls/wolfssl: improve error message when certificate fails [125]
o gnutls: send all data [230]
o gtls: fix OCSP stapling management [206]
o haproxy: send though next filter [222]
o hash: provide asserts to verify API use [96]
o http/2: simplify eos/blocked handling [90]
o http2+h3 filters: fix ctx init [142]
o http2: fix GOAWAY message sent to server [171]
o http2: improve rate limiting of downloads [33]
o http2: improved upload eos handling [41]
o http3.md: mention how the fallback can be h1 or h2 [194]
o hyper: call Curl_req_set_upload_done() [126]
o idn: more strictly check AppleIDN errors [98]
o idn: support non-UTF-8 input under AppleIDN [99]
o INSTALL.md: MultiSSL and QUIC are mutually exclusive [7]
o KNOWN_BUGS: "special characers" in URL works with aws-sigv4 [81]
o krb5: add Linux/macOS CI tests, fix cmake GSS detection [83]
o krb5: fix `-Wcast-align` [95]
o lib: add eos flag to send methods [14]
o lib: avoid macro collisions between wolfSSL and GnuTLS headers [133]
o lib: convert some debugf()s into traces [8]
o lib: delete stray undefs for `vsnprintf`, `vsprintf` [152]
o lib: fix AIX build issues [112]
o lib: fix building with wolfSSL without DES support [134]
o lib: make SSPI global symbols use Curl_ prefix [251]
o lib: prefer `CURL_SHA256_DIGEST_LENGTH` over the unprefixed name [132]
o lib: remove the final strncpy() calls [240]
o lib: remove use of RANDOM_FILE [235]
o libcurl.def: move from / into lib [238]
o libcurl.pc: add `Cflags.private` [10]
o libcurl.pc: add reference to `libgsasl` [150]
o libcurl/docs: expand on redirect following and secrets to other hosts [85]
o llist: remove direct struct accesses, use only functions [72]
o Makefile.dist: fix `ca-firefox` target [254]
o Makefile.mk: fixup enabling libidn2 [61]
o Makefile: remove 'scripts' duplicate from DIST_SUBDIRS
o maketgz: accept option to include latest commit hash [5]
o maketgz: fix RELEASE-TOOLS.md for daily tarballs [243]
o maketgz: move from / into scripts [237]
o managen: fix superfluous leading blank line in quoted sections [211]
o managen: in man output, remove the leading space from examples [198]
o managen: wordwrap long example lines in ASCII output [143]
o manpage: ensure a maximum width for the text version [75]
o max-filesize.md: mention zero disables the limit [93]
o mbedtls: add more informative logging [162]
o mbedtls: fix setting tls version [200]
o mbedtls: no longer use MBEDTLS_SSL_VERIFY_OPTIONAL [181]
o mime: avoid inifite loop in client reader [155]
o mk-ca-bundle.pl: include a link to the caextract webpage [68]
o multi: make the "general" list of easy handles a Curl_llist [97]
o multi: on socket callback error, remove socket hash entry nonetheless [149]
o ngtcp2/osslq: remove NULL pointer dereferences [213]
o ngtcp2: use NGHTTP3 prefix instead of NGTCP2 for errors in h3 callbacks [79]
o openssl quic: fix memory leak [229]
o openssl: certinfo errors now fail correctly [250]
o openssl: fix the data race when sharing an SSL session between threads [221]
o openssl: improve shutdown handling [44]
o pingpong: drain the input buffer when reading responses [193]
o POP3: fix multi-line responses [168]
o pop3: use the protocol handler ->write_resp [220]
o printf: fix mingw-w64 format checks [228]
o progress: ratelimit/progress tweaks [32]
o pytests: add tests for HEAD requests in all HTTP versions [42]
o rand: only provide weak random when needed [233]
o runtests: if DISABLED cannot be read, error out [56]
o runtests: log ignored but passed tests [130]
o runtests: remove "has_textaware" [217]
o rustls: fix setting tls version [202]
o rustls: make all tests pass [1]
o schannel: avoid malloc for CAinfo_blob_digest [247]
o scorecard: tweak request measurements [139]
o sectransp: fix setting tls version [204]
o SECURITY: mention OpenSSF best practices gold badge [161]
o setopt: allow CURLOPT_INTERFACE to be set to NULL [165]
o setopt: let CURLOPT_ECH set to NULL reset to default [187]
o setopt: make CURLOPT_TFTP_BLKSIZE accept bad values [184]
o sha256: fix symbol collision between nettle (GnuTLS) and OpenSSL [135]
o share: don't reinitialize conncache [214]
o sigpipe: init the struct so that first apply ignores [49]
o smb: convert superflous assign into assert [246]
o smtp: add tracing feature [120]
o splay: use access functions, add asserts, use Curl_timediff [121]
o spnego_gssapi: implement TLS channel bindings for openssl [146]
o src: delete `curlx_m*printf()` aliases [197]
o src: fix potential macro confusion in cmake unity builds [208]
o src: namespace symbols clashing with lib [248]
o src: replace copy of printf mappings with an include [190]
o ssh: deduplicate SSH backend includes (and fix libssh cmake unity build) [177]
o system_win32: fix typo
o test httpd: tweak cipher list [124]
o test1521: verify setting options to NULL better [182]
o test1707: output diff more for debugging differences in CI outputs
o test556: improve robustness [64]
o test579: improve robustness [60]
o test587: improve robustness [123]
o test649: improve robustness [122]
o test677: improve robustness [47]
o tests/runner: only allow [!A-Za-z0-9_-] in %if feature names [55]
o tests: constrain http pytest to tests/http directory [205]
o tests: don't mangle output if hostname or type unknown
o tests: ignore QUIT from FTP protocol comparisons [108]
o tests: provide docs as curldown, not nroff [12]
o tidy-up: misc build, tests, `lib/macos.c` [172]
o tidy-up: OS names [57]
o tool_operhlp: fix "potentially uninitialized local variable 'pc' used" [48]
o tool_paramhlp: bump maximum post data size in memory to 16GB [128]
o transfer: Curl_sendrecv() and event related improvements [164]
o transfer: remove comments, add asserts [218]
o transfer: skip EOS read when download done [196]
o url: dns_entry related improvements [16]
o url: fix connection reuse for HTTP/2 upgrades [236]
o urlapi: verify URL *decoded* hostname when set [160]
o urldata: introduce `data->mid`, a unique identifier inside a multi [127]
o urldata: remove 'scratch' from the UrlState struct [86]
o urldata: remove crlf_conversions counter [232]
o urldata: remove proxy_connect_closed bit [178]
o verify-release: shell script that verifies a release tarball [29]
o version: fix shadowing a `libssh.h` symbol [176]
o vtls: add SSLSUPP_CIPHER_LIST [107]
o vtls: fix MSVC 'cast truncates constant value' warning [23]
o vtls: fix static function name collisions between TLS backends [136]
o vtls: init ssl peer only once [15]
o websocket: introduce blocking sends [145]
o wolfssl: avoid taking cached x509 store ref if sslctx already using it [88]
o wolfssl: fix CURLOPT_SSLVERSION [144]
o wolfssl: fix setting tls version [201]
o wolfssl: improve shutdown handling [43]
o ws: flags to opcodes should ignore CURLWS_CONT flag [104]
o x509asn1: raise size limit for x509 certification information [28]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20240813 to 20240910
- Update of rootfile not required
- Changelog 20240910
Security updates for INTEL-SA-01103
Security updates for INTEL-SA-01097
Update for functional issues. Refer to Intel® Core™ Ultra Processor for details.
Update for functional issues. Refer to 13th Generation Intel® Core™ Processor
Specification Update for details.
Update for functional issues. Refer to 12th Generation Intel® Core™ Processor
Family for details.
Update for functional issues. Refer to Intel® Processors and Intel® Core™ i3
N-Series for details.
For information on New Platforms and Updated Platforms see
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Tue, 10 Sep 2024 21:32:32 +0000 (23:32 +0200)]
header.pl: only get memory consumption when service is running
It probably doesn't matter much as the get_memory_consumption function just returns 0 when no pids are found. But it shouldn't even try as the mem var is never used when the service is not running.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Tue, 10 Sep 2024 21:12:31 +0000 (23:12 +0200)]
zabbix_agentd: Add IPFire services.get item
- Adds Zabbix Agent userparameter `ipfire.services.get` for the agent to get details about configured IPFire services (builtin and addon-services)
- Includes `ipfire_services.pl` script in sudoers for Zabbix Agent as it needs root permission to call addonctrl for addon service states.
- Adapts lfs install script to install new script
- Adds new script to rootfiles
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Tue, 10 Sep 2024 18:25:59 +0000 (20:25 +0200)]
zabbix_agentd: Update to 6.0.33 (LTS)
- Update from version 6.0.30 to 6.0.33
- Update of rootfile not required
Bugs fixed:
- ZBX-20766: Fixed confusing port binding error message
- ZBX-24391: Fixed Zabbix agent to return net.tcp.socket.count result without error if IPv6 is disabled
Full changelogs since 6.0.30:
- https://www.zabbix.com/rn/rn6.0.31
- https://www.zabbix.com/rn/rn6.0.32
- https://www.zabbix.com/rn/rn6.0.33
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 11 Sep 2024 09:31:43 +0000 (09:31 +0000)]
make.sh: Bind-mount all loop devices
There seems to be a different way how to create loop devices. On my
Debian system, the first loop device is a block device with major=7 and
minor=0, the second device is major=7 and minor=1, and so on.
On a system running Grml, the second loop device has major=7 and
minor=32, and all following ones are increasing their minor by 32
as well instead of one.
Since I don't have an easy way to detect this, we will simply bind-mount
all available loop devices in to the build environment.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 7 Sep 2024 17:29:27 +0000 (19:29 +0200)]
openvpn: Update to version 2.5.10
- Update from version 2.5.9 to 2.5.10
- Update of rootfile not required
- 3 CVE Fixes in this version but all are for Windows installations.
- Changelog
2.5.10
Security fixes
- CVE-2024-27459: Windows: fix a possible stack overflow in the
interactive service component which might lead to a local privilege
escalation. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-24974: Windows: disallow access to the interactive service
pipe from remote computers. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
installation paths, which could be used to attack openvpn.exe via
a malicious plugin. Plugins can now only be loaded from the OpenVPN
install directory, the Windows system directory, and possibly from
a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir. Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
User visible changes
- License amendment: all NEW commits fall under a modified license that
explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
see COPYING for details. Existing code in the release/2.5 branch
will not been relicensed (only in release/2.6 and later branches).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Sep 2024 13:28:50 +0000 (15:28 +0200)]
sudo: Update to version 1.9.16
- Update from version 1.9.15p5 to 1.9.16
- Update of rootfile
- Changelog
1.9.16
* Added the "cmddenial_message" sudoers option to provide additional
information to the user when a command is denied by the sudoers
policy. The default message is still displayed.
* The time stamp used for file-based logs is now more consistent
with the time stamp produced by syslog. GitHub issues #327.
* Sudo will now warn the user if it can detect the user's terminal
but cannot determine the path to the terminal device. The sudoers
time stamp file will now use the terminal device number directly.
GitHub issue #329.
* The embedded copy of zlib has been updated to version 1.3.1.
* Improved error handling if generating the list of signals and signal
names fails at build time.
* Fixed a compilation issue on Linux systems without process_vm_readv().
* Fixed cross-compilation with WolfSSL.
* Added a "json_compact" value for the sudoers "log_format" option
which can be used when logging to a file. The existing "json"
value has been aliased to "json_pretty". In a future release,
"json" will be an alias for "json_compact". GitHub issue #357.
* A new "pam_silent" sudoers option has been added which may be
negated to avoid suppressing output from PAM authentication modules.
GitHub issue #216.
* Fixed several cvtsudoers JSON output problems.
GitHub issues #369, #370, #371, #373, #381.
* When sudo runs a command in a pseudo-terminal and the user's
terminal is revoked, the pseudo-terminal's foreground process
group will now receive SIGHUP before the terminal is revoked.
This emulates the behavior of the session leader exiting and is
consistent with what happens when, for example, an ssh session
is closed. GitHub issue #367.
* Fixed "make test" with Python 3.12. GitHub issue #374.
* In schema.ActiveDirectory, fixed the quoting in the example command.
GitHub issue #376.
* Paths specified via a Chdir_Spec or Chroot_Spec in sudoers may
now be double-quoted.
* Sudo insults are now included by default, but disabled unless
the --with-insults configure option is specified or the "insults"
sudoers option is enabled.
* The default sudoers file now enables the "secure_path" option by
default and preserves the EDITOR, VISUAL, and SUDO_EDITOR environment
variables when running visudo. The new --with-secure-path-value
configure option can be used to set the value of "secure_path" in
the default sudoers file. GitHub issue #387.
* A sudoers schema for IBM Directory Server (aka IBM Tivoli Directory
Server, IBM Security Directory Server, and IBM Security Verify
Directory) is now included.
* When cross-compiling sudo, the configure script now assumes that
the snprintf() function is C99-compliant if the C compiler
supports the C99 standard. Previously, configure would use
sudo's own snprintf() when cross-compiling. GitHub issue #386.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Sep 2024 08:44:49 +0000 (10:44 +0200)]
dhcpcd: Update to version 10.0.10
- Update from version 10.0.8 to 10.0.10
- Update of rootfile not required
- Patch for free selection of MTU has been removed as in version 10.0.9 the MTU code
was changed to not apply limits to it.
- Changelog
10.0.10
Reversion of commit "linux: make if_getnetworknamespace static"
10.0.9
Option 2: Fix stdin parsing by @holmanb in #289
IPv4LL: Restart ARP probling on address conflict by @LeoRuan in #340
DHCP: Handle option 108 correctly when receiving 0.0.0.0 OFFER by @taoyl-g
in #342
DHCP: No longer set interface mtu by @rsmarples in #346
Update privsep-linux.c to allow statx by @Jabrwock in #349
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 5 Sep 2024 08:31:53 +0000 (10:31 +0200)]
clamav: Update to version 1.3.2
- Update from version 1.3.1 to 1.3.2
- Update of rootfile
- 2 CVE Fixes
- Changelog
1.3.2
- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
Changed the logging module to disable following symlinks on Linux and Unix
systems so as to prevent an attacker with existing access to the 'clamd' or
'freshclam' services from using a symlink to corrupt system files.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to Detlef for identifying this issue.
- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
Fixed a possible out-of-bounds read bug in the PDF file parser that could
cause a denial-of-service (DoS) condition.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
'cgi' module that is expected to cause test failures in Python 3.13.
- Fix unit test caused by expiring signing certificate.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1305)
- Fixed a build issue on Windows with newer versions of Rust.
Also upgraded GitHub Actions imports to fix CI failures.
Fixes courtesy of liushuyu.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)
- Fixed an unaligned pointer dereference issue on select architectures.
Fix courtesy of Sebastian Andrzej Siewior.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)
- Fixes to Jenkins CI pipeline.
For details, see [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1330)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 4 Sep 2024 21:49:24 +0000 (23:49 +0200)]
expat: Update to version 2.6.3
- Update from version 2.6.2 to 2.6.3
- Update of rootfile
- 3 CVE Fixes in this release.
- Changelog
2.6.3
Security fixes:
#887 #890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially artitrary code
execution.
#888 #891 CVE-2024-45491 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
#889 #892 CVE-2024-45492 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
Other changes:
#851 #879 Autotools: Sync CMake templates with CMake 3.28
#853 Autotools: Always provide path to find(1) for portability
#861 Autotools: Ensure that the m4 directory always exists.
#870 Autotools: Simplify handling of SIZEOF_VOID_P
#869 Autotools: Support non-GNU sed
#856 Autotools|CMake: Fix main() to main(void)
#865 Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
#863 Autotools|CMake: Stop requiring dos2unix
#854 #855 CMake: Fix check for symbols size_t and off_t
#864 docs|tests: Convert README to Markdown and update
#741 Windows: Drop support for Visual Studio <=15.0/2017
#886 Drop needless XML_DTD guards around is_param access
#885 Fix typo in a code comment
#894 #896 Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
for what these numbers do
Infrastructure:
#880 Readme: Promote the call for help
#868 CI: Fix various issues
#849 CI: Allow triggering GitHub Actions workflows manually
#851 #872 ..
#873 #879 CI: Adapt to breaking changes in GitHub Actions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 4 Sep 2024 18:51:24 +0000 (20:51 +0200)]
dtc: update to version 1.7.1 and move to before qemu build
- Update from version 1.6.1 to 1.7.1
- Move to before qemu build as it now requires a system libfdt for build as the bundled
version has been removed.
- Change HOME= to HOME=/usr so that the include files are placed in /usr/include which
is where qemu is looking for them when it checks that libfdt is available.
- Update disable_Werror patch to take account of differences in the source tarball
- Update of architectures from only aarch64 to all.
- Move rootfile from common/aarch64 to common/
- The previous fdt python files were commented out, hence not used at runtime and are
not needed at buildtime. From 9.0.1 onwards they require swig and python to be built
but as they are not needed there was no point to move swig to before dtc
- Changelog
1.7.1
* dtc
* Fix -Oasm output on PA-RISC by avoiding ';' separators
* Put symbolic label references in -Odts output when possible
* Add label relative path references
* Don't incorrectly attempt to create fixups for reference to path
in overlays
* Warning rather than hard error if integer expression results are
truncated due to cell size
* libfdt
* Add fdt_get_property_by_offset_w() function
* pylibfdt
* Fixed to work with Python 3.10
* A number of extra methods
* Fix out of tree build
* fdtget
* Add raw bytes output mode
* General
* Fixes for mixed-signedness comparison warnings
* Assorted other warning fixes
* Assorted updates to checks
* Assorted bugfixes
* Fix scripts to work with dash as well as bash
* Allow static builds
* Formalize Signed-off-by usage
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 4 Sep 2024 18:51:23 +0000 (20:51 +0200)]
qemu: Update to version 9.0.2
- Update from version 9.0.0 to 9.0.2
- Update of rootfile not required
- From version 9.0.1 onwards the bundled dtc has been removed but is required for the
build. In an associated patch dtc has been moved to before qemu.
- Changelog is only available at x.0 level
9.0 https://wiki.qemu.org/ChangeLog/9.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Sep 2024 17:55:41 +0000 (19:55 +0200)]
qemu: Update to version 9.0.0
- Update from version 8.1.2 to 9.0.0
- Update of rootfile
- Version 9.0.1 and 9.0.2 no longer have the bundled dtc package to provide the libfdt
library and require a system version but identify the 1.7.1 version of dtc as being
older than 1.5.1. So currently qemu has only been updated to 9.0.0 until the reason
for this is identified and can be fixed. It has been raised as an issue on the qemu
gitlab site.
- Changelog is only available at x.0 level
9.0 https://wiki.qemu.org/ChangeLog/9.0
8.2 https://wiki.qemu.org/ChangeLog/8.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 3 Sep 2024 18:00:17 +0000 (18:00 +0000)]
openssl: Update to 3.3.2
Possible denial of service in X.509 name checks (CVE-2024-6119)
===============================================================
Severity: Moderate
Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.
Impact summary: Abnormal termination of an application can a cause a denial of
service.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.
Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.
TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a "reference identifier" (expected
identity), but rather extract the presented identity after checking the
certificate chain. So TLS servers are generally not affected and the severity
of the issue is Moderate.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.
OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 3 Sep 2024 18:00:17 +0000 (18:00 +0000)]
openssl: Update to 3.3.2
Possible denial of service in X.509 name checks (CVE-2024-6119)
===============================================================
Severity: Moderate
Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.
Impact summary: Abnormal termination of an application can a cause a denial of
service.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.
Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.
TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a "reference identifier" (expected
identity), but rather extract the presented identity after checking the
certificate chain. So TLS servers are generally not affected and the severity
of the issue is Moderate.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.
OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Sep 2024 09:17:25 +0000 (11:17 +0200)]
taglib: Update to version 2.0.2
- Update from version 2.0.1 to 2.0.2
- Update of rootfile
- Changelog
2.0.2
* Fix parsing of ID3v2.2 frames.
* Tolerate MP4 files with unknown atom types as generated by Android tools.
* Support setting properties with arbitrary names in MP4 tags.
* Windows: Fix "-p" option in tagwriter example.
* Support building with older utfcpp versions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Sep 2024 09:17:24 +0000 (11:17 +0200)]
shairport-sync: Update to version 4.3.4
- Update from version 4.3.2 to 4.3.4
- Update of rootfile
- Changelog is only defined for 4.3, 4.2 etc so the below changelog is for all of 4.3
Cannot determine which things were alreday fixed in 4.3.2 and earlier and which are
from 4.3.3 onwards.
4.3
**Security Updates**
* A crashing bug in NQPTP has been fixed.
* The communications protocol used between NQPTP and Shairport Sync has been
revised and made more resilient to attempted misuse.
* In Linux systems, NQPTP no longer runs as `root` -- instead it runs as the
restriced user `nqptp`, with access to ports 319 and 320 set by the installer
via the `setcap` utility.
**Enhancements**
* A new volume control profile called `dasl-tapered` has been added in which
halving the volume control setting halves the output level.
For example, moving the volume slider from full to half reduces the output
level by 10dB, which roughly corresponds with a perceived halving of the audio
volume level.
Moving the volume slider from half to a quarter reduces the output level by a
a further 10dB.
The tapering rate is slightly modified at the lower end of the range if the
device's attenuation range is restricted (less than about 55dB).
To activate the `dasl-tapered` profile, set the `volume_control_profile` to
`"dasl_tapered"` in the configuration file and restart Shairport Sync.
Many thanks to David Leibovic, aka [dasl-](https://github.com/dasl-), for this.
* On graceful shutdown, an `active_end` signal should now be generated if the
system was in the active state. Addresses issue
[#1647](https://github.com/mikebrady/shairport-sync/issues/1647). Thanks to
[Tucker Kern](https://github.com/mill1000) for raising the issue.
**Bug Fixes**
* Fixed a bug that causes the Docker image to crash occasionally when OwnTone
interrupted an existing iOS session. Thanks to
[aaronk6](https://github.com/aaronk6) for the report.
* Fixed a cross-compliation error caused by not looking for the correct version
of the `ar` tool. The fix was to substitute the correct version during the
`autoreconf` phase. Thanks to
[sternenseemann](https://github.com/sternenseemann) for raising the
[issue](https://github.com/mikebrady/shairport-sync/issues/1705) and the
[PR](https://github.com/mikebrady/shairport-sync/pull/1706) containing the fix.
* Updated the mDNS strings for the Classic AirPlay feature of AP2, so that it
does not appear to provide MFi authentication. Addresses
[this discussion](https://github.com/mikebrady/shairport-sync/discussions/1691).
* Always uses a revision number of 1 when looking for status updates on the DACP
remote control port. This follows a suggestion in
[Issue #1658](https://github.com/mikebrady/shairport-sync/issues/1658). Thanks
to [ejurgensen](https://github.com/ejurgensen), as ever, for the report and
the suggested fix.
* Fixed a `statistics` bug (the minimum buffer size was incorrectly logged) and
also tidy up the statistics logging interval logic for resetting min and max
counters.
* Added an important missing format string argument to a call in the Jack Audio
backend. Many thanks to [michieldwitte] for their
[PR](https://github.com/mikebrady/shairport-sync/pull/1693).
**Maintenance**
* Stopped using a deprecated FFmpeg data structure reference.
* Stopped using deprecated OpenSSL calls. Thanks to [yubiuser] for their
[PR](https://github.com/mikebrady/shairport-sync/pull/1684) -- which did some
of the updating -- and for their guidance.
* Run workflow-based tests on PRs automatically. Thanks to [yubiuser]
for their [PR](https://github.com/mikebrady/shairport-sync/pull/1687).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Sep 2024 09:17:23 +0000 (11:17 +0200)]
observium-agent: Update to version 24.4
- Update from version 23.1 to 24.4
- Update of rootfile not required
- Changelog is not provided in the source tarbal. Ther is a text changelog at
https://www.observium.org/svn.log but it is not clear if this is for the community
version used here or for the subscription based version. There is also no reference
to any version numbers so you can't easily tell which changes are in this version and
which not.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Sep 2024 09:17:22 +0000 (11:17 +0200)]
mcelog: Update to version 200
- Update from version 196 to 200
- Update of rootfile not required
- Changelog is not provided. The git log,
https://git.kernel.org/cgit/utils/cpu/mce/mcelog.git/log/, should be viewed for changes.
The changes are mostly bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Sep 2024 09:17:20 +0000 (11:17 +0200)]
iotop: Update to version 1.26
- Update from version 1.22 to 1.26
- Update of rootfile not required
- Changelog
1.26
Add clock in upper right corner
1.25
Fix bug when iotop busy loops after pressing ESC key
Change the condition of displaying processes in only mode
1.24
Fix a bug with graphs in ASCII mode
Show the status of the configuration in the help window
Support ancient compilers by @bbonev in #52
1.23
Changes by @bbonev in #43
Fix some issues reported by lintian by @debian-janitor in #42
Revert syscall count stuff by @bbonev in #44
Fix empty archlinux package by @bokunodev in #46
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Sep 2024 09:17:21 +0000 (11:17 +0200)]
libvirt: Update to version 10.7.0
- Update from version 10.0.0 to 10.7.0
- Update of rootfile
- 1 CVE fix in 10.7.0 and 1 in 10.1.0
- Changelog
10.7.0
* **Security**
* CVE-2024-8235: Crash of ``virtinterfaced`` via ``virConnectListInterfaces()``
A refactor of the code fetching the list of interfaces for multiple APIs
introduced corner case on platforms where allocating 0 bytes of memory
results in a NULL pointer.
This corner case would lead to a NULL-pointer dereference and subsequent
crash of ``virtinterfaced`` if ``virConnectListInterfaces()`` is called
requesting 0 networks to be filled.
The bug was introduced in libvirt-10.4.0
* **New features**
* qemu: Introduce the ability to disable the built-in PS/2 controller
It is now possible to control the state of the ``ps2`` feature in the
domain XML for descendants of the generic PC machine type (``i440fx``,
``q35``, ``xenfv`` and ``isapc``).
* **Improvements**
* ch: support restore with network devices
Cloud-Hypervisor starting from V40.0 supports restoring file descriptor
backed network devices. So, create new net fds and pass them via
SCM_RIGHTS to CH during restore operation.
* ch: support basic networking modes
Cloud-Hypervisor driver now supports Ethernet, Network (NAT) and Bridge
networking modes.
10.6.0
* **Removed features**
* qemu: Require QEMU-5.2.0 or newer
The minimal required version of QEMU was bumped to 5.2.0.
* **New features**
* qemu: Add support for the 'pauth' Arm CPU feature
* Introduce pstore device
The aim of pstore device is to provide a bit of NVRAM storage for guest
kernel to record oops/panic logs just before it crashes. Typical usage
includes usage in combination with a watchdog so that the logs can be
inspected after the watchdog rebooted the machine.
* **Improvements**
* qemu: Set 'passt' net backend if 'default' is unsupported
If QEMU is compiled without SLIRP support, and if domain XML allows it,
starting from this release libvirt will use passt as the default backend
instead. Also, supported backends are now reported in the domain
capabilities XML.
* qemu: add a monitor to /proc/$pid when killing times out
In cases when a QEMU process takes longer to be killed, libvirt might have
skipped cleaning up after it. But now a /proc/$pid watch is installed so
this does not happen ever again.
* **Bug fixes**
* virt-aa-helper: Allow RO access to /usr/share/edk2-ovmf
When binary version of edk2 is distributed, the files reside under
/usr/share/edk2-ovmf. Allow virt-aa-helper to generate paths under that
directory.
* virt-host-validate: Allow longer list of CPU flags
During its run, virt-host-validate parses /proc/cpuinfo to learn about CPU
flags. But due to a bug it parsed only the first 1024 bytes worth of CPU
flags leading to unexpected results. The file is now parsed properly.
* capabilities: Be more forgiving when decoding OEM strings
On some systems, OEM strings are scattered in multiple sections. This
confused libvirt when generating capabilities XML. Not anymore.
10.5.0
* **New features**
* Introduce SEV-SNP support
SEV-SNP is introduced as another type of ``<launchSecurity/>``. Its support
is reported in both domain capabilities and ``virt-host-validate``.
* **Improvements**
* tools: virt-pki-validate has been rewritten in C
The ``virt-pki-validate`` shell script has been rewritten as a C program,
providing an output format that matches ``virt-host-validate``, removing
the dependency on ``certtool`` and providing more comprehensive checks
of the certificate properties.
* qemu: implement iommu coldplug/unplug
The ``<iommu/>`` device can be now cold plugged and/or cold unplugged.
* Pass shutoff reason to release hook
Sometimes in release hook it is useful to know if the VM shutdown was
graceful or not. This is especially useful to do cleanup based on the VM
shutdown failure reason in release hook. Starting with this release the
last argument 'extra' is used to pass VM shutoff reason in the call to
release hook.
* nodedev: improve DASD detection
In newer DASD driver versions the ID_TYPE tag is supported. This tag is
missing after a system reboot but when the ccw device is set offline and
online the tag is included. To fix this version independently we need to
check if a device detected as type disk is actually a DASD to maintain the
node object consistency and not end up with multiple node objects for
DASDs.
* **Bug fixes**
* remote_daemon_dispatch: Unref sasl session when closing client connection
A memory leak was identified when a client started SASL but then suddenly
closed connection. This is now fixed.
* qemu: Fix migration with disabled vmx-* CPU features
Migrating a domain with some vmx-* CPU features marked as disabled could
have failed as the destination would incorrectly expect those features to
be enabled after starting QEMU.
* qemu: Fix ``libvirtd``/``virtqemud`` crash when VM shuts down during migration
The libvirt daemon could crash when a VM was shut down while being migrated
to another host.
10.4.0
* **New features**
* qemu: Support for ras feature for virt machine type
It is now possible to set on/off ``ras`` feature in the domain XML for virt
(Arm) machine type as ``<ras state='on'/>``.
* SSH proxy for VM
Libvirt now installs a binary helper that allows connecting to QEMU domains
via SSH using the following scheme: ``ssh user@qemu/virtualMachine``.
* qemu: Support for ``virtio`` sound model
Sound devices can now be configured to use the virtio model with
``<sound model='virtio'/>``. This model is available from QEMU 8.2.0
onwards.
* network: use nftables to setup virtual network firewall rules
The network driver can now use nftables rules for the virtual
network firewalls, rather than iptables. With the standard build
options, nftables is preferred over iptables (with fallback to
iptables if nftables isn't installed), but this can be modified at
build time, or at runtime via the firewall_backend setting in
network.conf. (NB: the nwfilter driver still uses
ebtables/iptables).
* **Improvements**
* qemu: add zstd to supported compression formats
Extend the list of supported formats of QEMU save image by adding zstd
compression.
* qemu: Implement support for hotplugging evdev input devices
As of this release, hotplug and hotunplug of evdev ``<input/>`` devices is
supported.
* **Bug fixes**
* virsh/virt-admin: Fix ``--help`` option for all commands
A bug introduced in `v10.3.0 (2024-05-02)`_ caused that the attempt to print
help for any command by using the ``--help`` option in ``virsh`` and
``virt-admin`` would print::
$ virsh list --help
error: command 'list' doesn't support option --help
instead of the help output. A workaround for the affected version is to use
the help command::
$ virsh help list
* qemu: Fix ``virsh save`` and migration when storage in question is root_squashed NFS
Attempting to save a VM to a root_squash NFS mount or migrating with disks
hosted on such mount could, in some scenarios, result in error stating::
'Unknown error 255'
The bug was introduced in `v10.1.0 (2024-03-01)`_.
* qemu: Don't set affinity for isolcpus unless explicitly requested
When starting a domain, by default libvirt sets affinity of QEMU process to
all online CPUs. This also included isolated CPUs (``isolcpus=``) which is
wrong. As of this release, isolated CPUs are left untouched, unless
explicitly configured in domain XML.
* qemu_hotplug: Properly assign USB address to hotplugged usb-net device
Previously, the network device hotplug logic would try to ensure only CCW
or PCI addresses. With recent support for the usb-net model, USB addresses
for usb-net network devices are assigned automatically.
* qemu: Fix hotplug of ``virtiofs`` filesystem device with ``<boot order=`` set
The bug was introduced in `v10.3.0 (2024-05-02)`_ when attempting to reject
unsupported configurations. During hotplug the addresses are
assigned after validation and thus errorneously reject valid configs.
10.3.0
* **New features**
* qemu: Proper support for USB network device
USB address is now automatically assigned to USB network devices thus they
can be used without manual configuration.
* conf: Introduce memReserve attribute to <controller/>
Some PCI devices have large non-prefetchable memory. This can be a problem
in case when such device needs to be hotplugged as the firmware can't
foresee such situation. The user thus can override the value calculated at
start to accomodate for such devices.
* **Improvements**
* Improve validation of USB devices
Certain USB device types ('sound', 'fs', 'chr', 'ccid' and 'net') were not
properly handled in the check whether the VM config supports USB and thus
would result in poor error messages.
* virsh: Fix behaviour of ``--name`` and ``--parent`` used together when listing checkpoint and snapshots
The ``checkpoint-list`` and ``snapshot-list`` commands would ignore the
``--name`` option to print only the name when used with ``--parent``.
* Extend libvirt-guests to shutdown only persistent VMs
Users can now choose to shutdown only persistent VMs when the host is being
shut down.
* **Bug fixes**
* qemu: Fix migration with custom XML
Libvirt 10.2.0 would sometimes complain about incompatible CPU definition
when trying to migrate or save a domain and passing a custom XML even
though such XML was properly generated as migratable. Hitting this bug
depends on the guest CPU definition and the host on which a particular
domain was running.
* qemu: Fix TLS hostname verification failure in certain non-shared storage migration scenarios
In certain scenarios (parallel migration, newly also post-copy migration)
libvirt would wrongly pass an empty hostname to QEMU to be used for TLS
certificate hostname validation, which would result into failure of the
non-shared storage migration step::
error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname
* Create OVS ports as transient
Libvirt now creates OVS ports as transient which prevents them from
reappearing or going stale on sudden reboots.
* Clear OVS QoS settings when domain shuts down
Libvirt now clears QoS settings on domain shutdown, so they no longer pile
up in OVS database.
10.2.0
* **New features**
* ch: Basic save and restore support for ch driver
The ch driver now supports basic save and restore operations. This is
functional on domains without any network, host device config defined.
The ``path`` parameter for save and restore should be a directory.
* qemu: Support for driver type ``mtp`` in ``<filesystem/>`` devices
The ``mtp`` driver type exposes the ``usb-mtp`` device in QEMU. The
guest can access files on this driver through the Media Transfer
Protocol (MTP).
* qemu: Added support for the loongarch64 architecture
It is now possible for libvirt to run loongarch64 guests, including on
other architectures via TCG. For the best results, it is recommended to
use the upcoming QEMU 9.0.0 release together with the development version
of edk2.
* qemu: Introduce virDomainGraphicsReload API
Reloading the graphics display is now supported for QEMU guests using
VNC. This is useful to make QEMU reload the TLS certificates without
restarting the guest. Available via the ``virDomainGraphicsReload`` API
and the ``domdisplay-reload`` virsh command.
* **Bug fixes**
* qemu: Fix migration from libvirt older than 9.10.0 when vmx is enabled
A domain with vmx feature enabled (which may be even done automatically
with ``mode='host-model'``) started by libvirt 9.9.0 or older cannot be
migrated to libvirt 9.10.0, 10.0.0, and 10.1.0 as the target host would
complain about a lot of extra ``vmx-*`` features. Migration of similar
domains started by the affected releases to libvirt 9.9.0 and older
does not work either. Since libvirt 10.2.0 migration works again with
libvirt 9.9.0 and older in both directions. Migration from the affected
releases to 10.2.0 works as well, but the other direction remains broken
unless the fix is backported.
* node_device: Don't report spurious errors from PCI VPD parsing
In last release the PCI Vital Product Data parser was enhanced to report
errors but that effort failed as some kernels have the file but don't allow
reading it causing logs to be spammed with::
libvirtd[21055]: operation failed: failed to read the PCI VPD data
Since the data is used only in the node device XML and errors are ignored if
the parsing failed, this release removes all the error reporting.
* qemu: set correct SELinux label for unprivileged virtiofsd
It is now possible to use virtiofsd-based ``<filesystem>`` shares even
if the guest is confined using SELinux.
* qemu: fix a crash on unprivileged virtiofsd hotplug
Hotplugging virtiofsd-based filesystems works now.
* virt-admin: Fix segfault when libvirtd dies
``virt-admin`` no longer crashes when ``libvirtd`` unexpectedly closes
the connection.
10.1.0
* **Security**
* ``CVE-2024-1441``: Fix off-by-one error leading to a crash
In **libvirt-1.0.0** there were couple of interface listing APIs
introduced which had an off-by-one error. That error could lead to a
very rare crash if an array was passed to those functions which did
not fit all the interfaces.
In **libvirt-5.10** a check for non-NULL arrays has been adjusted to
allow for NULL arrays with size 0 instead of rejecting all NULL
arrays. However that made the above issue significantly worse since
that off-by-one error now did not write beyond an array, but
dereferenced said NULL pointer making the crash certain in a
specific scenario in which a NULL array of size 0 was passed to the
aforementioned functions.
* **New features**
* nodedev: Support updating mdevs
The node device driver has been extended to allow updating mediated node
devices. Options are available to target the update against the persistent,
active or both configurations of a mediated device.
**Note:** The support is only available with at least mdevctl v1.3.0 installed.
* qemu: Add support for /dev/userfaultfd
On hosts with new enough kernel which supports /dev/userfaultfd libvirt will
now automatically grant QEMU access to this device. It's no longer needed to
set vm.unprivileged_userfaultfd sysctl.
* qemu: Support clusters in CPU topology
It is now possible to configure the guest CPU topology to use clusters.
Additionally, if CPU clusters are present in the host topology, they will
be reported as part of the capabilities XML.
* network: Make virtual domains resolvable from the host
When starting a virtual network with a new ``register='yes'`` attribute
in the ``<domain>`` element, libvirt will configure ``systemd-resolved``
to resolve names of the connected guests using the name server started
for this network.
* qemu: Introduce dynamicMemslots attribute for virtio-mem
QEMU now allows setting ``.dynamic-memslots`` attribute for virtio-mem-pci
devices. When turned on, it allows memory exposed to guest to be split into
multiple memory slots and thus smaller memory footprint (see the original
commit for detailed explanation).
* **Improvements**
* nodedev: Add ability to update persistent mediated devices by defining them
Existing persistent mediated devices can now also be updated by
``virNodeDeviceDefineXML()`` as long as parent and UUID remain unchanged.
* ch: Enable ``ethernet`` interface mode support
``<interface type='ethernet'/>`` can now be used for CH domains.
* viraccessdriverpolkit: Add missing vtpm case
Secrets with ``<usage type='vtpm'>`` were left unable to be checked for in
the access driver, i.e. in ACL rules. Missing code was provided.
* virt-admin: Notify users to use explicit URI if connection fails
``virt-admin`` doesn't try to guess the URI of the daemon to manage so a
failure to connect may be confusing for users if modular daemons are used.
Add a hint to use the URI of the dameon to manage.
* **Bug fixes**
* qemu_process: Skip over non-virtio non-TAP NIC models when refreshing rx-filter
If ``trustGuestRxFilters`` is enabled for a vNIC that doesn't support it,
libvirt may throw an error when such domain is being started, loaded from a
saved state, migrated, etc. These errors are now silenced, but make sure to
fix such configurations (after previous release it is even possible to
change ``trustGuestRxFilters`` value on live domains via
``virDomainUpdateDeviceFlags()`` or ``virsh device-update``).
* domain: Fix check for overlapping ``<memory/>`` devices
A bug was identified which caused libvirt to report two NVDIMMs as
overlapping even though they weren't. This now fixed.
* vmx: Accept empty fileName for cdrom-image
Turns out, ``fileName`` attribute (which contains path to CDROM image) can
be set to an empty string (``""``) to denote a state in which the CDROM has
no medium in it. Libvirt used to reject such configuration file, but not
anymore.
* qemu_hotplug: Don't lose 'created' flag in qemuDomainChangeNet()
When starting a domain, libvirt tracks what resources it created for it and
which were pre-existing and uses this information to preserve pre-existing
resources when cleaning up after said domain is shut off. But for macvtaps
this information was lost after the macvtap device was changed (e.g. via
``virsh update-device``).
* Fix virStream hole handling
When a client sent multiple holes into a virStream it may have caused
daemon hangup as the daemon stopped processing RPC from the client
temporarily. This is now fixed.
* nodedev: Don't generate broken XML with certain hardware
A broken node device XML would be generated in a rare case when a hardware
device had certain characters in the VPD fields.
* qemu: Fix reservation of manually specified port for disk migration
A manually specified port would not be relased after disk migration making
it impossible to use it again.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 3 Sep 2024 09:17:19 +0000 (11:17 +0200)]
clamav: Update to version 1.3.1
- Update from version 1.3.0 to 1.3.1
- Update of rootfile not required
- As we can not upgrade currently to version 1.4.0 due to the rust/ruby issue we need to
update to 1.3.1 as it has a CVE fix in it.
- There are three rust dependencies that have been updated but all have a rust-1.57
requirement so have no problem with our current rust-1.67.0 version
- Changelog
1.3.1
This is a critical patch release with the following fixes:
- [CVE-2024-20380](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20380):
Fixed a possible crash in the HTML file parser that could cause a
denial-of-service (DoS) condition.
This issue affects version 1.3.0 only and does not affect prior versions.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1242)
- Updated select Rust dependencies to the latest versions.
This resolved Cargo audit complaints and included PNG parser bug fixes.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1227)
- Fixed a bug causing some text to be truncated when converting from UTF-16.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1230)
- Fixed assorted complaints identified by Coverity static analysis.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1235)
- Fixed a bug causing CVDs downloaded by the `DatabaseCustomURL` Freshclam
config option to be pruned and then re-downloaded with every update.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1238)
- Added the new 'valhalla' database name to the list of optional databases in
preparation for future work.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1238)
- Added symbols to the `libclamav.map` file to enable additional build
configurations.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1244)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 2 Sep 2024 12:25:59 +0000 (14:25 +0200)]
tshark: Update to version 4.2.7
- Update from version 4.2.6 to 4.2.7
- Update of rootfile
- Version 4.4.0 is out but is a major change version. I have therefore decided to wait
for a few update versions before looking at changing to it. Most of the changes appear
to be more for the gui wireshark than for the cli tshark that IPFire nis using.
- The version 4.2.x branch will still have ongoing bug and security fixes anyway.
- CVE fix in this version update.
- Changelog
4.2.7
Bug Fixes
The following vulnerability has been fixed:
• wnpa-sec-2024-11[2] NTLMSSP dissector crash. Issue 19943[3].
CVE-2024-8250[4].
The following bugs have been fixed:
• Fuzz job issue: fuzz-2024-01-31-7745.pcap. Issue 19627[5].
• OSS-Fuzz 70534: wireshark:fuzzshark_ip_proto-udp: Stack-overflow
in dissect_cbor_main_type. Issue 19935[6].
• SOME/IP Protocol heuristic dissector fails to parse. Issue
19670[7].
• 6loWPAN: Page Number Field Incorrect Registration. Issue
19934[8].
• PacketBB incorrectly reports "Malformed Packet" Issue 19972[9].
Updated Protocol Support
6LoWPAN, BGP, CAN-ETH, CBOR, IEEE 802.11, LBMSRS, NTLMSSP, PacketBB,
PN-MRP, SOME/IP, USBLL, X.75, and Zabbix
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 27 Aug 2024 11:54:13 +0000 (13:54 +0200)]
python3-msgpack: Update to version 1.0.8
- Update from version 1.0.7 to 1.0.8
- Update of rootfile
- borgbackup now works with version 1.0.8 of msgpack
- Changelog
1.0.8
exclude C/Cython files from wheel by @methane in #577
Build pure Python wheel for minor architectures.
update Cython to 3.0.8 by @methane in #581
This fixes memory leak when iterating over Unpacker on Python 3.12.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 27 Aug 2024 11:54:12 +0000 (13:54 +0200)]
borgbackup: Update to version 1.4.0
- Update from version 1.2.7 to 1.4.0
- Update of rootfile
- This version now requires libxxhash and can now work with python3-msgpack at version
1.0.8 so additional patch submissions combined with this one for implementation of
libxxhash and for update og python3-msgpack.
- Tested out changes on my vm testbed system and was able to access old repo info and
fusemount the repo successfully and write a new backup. So everything I normally
test is functioning.
- Changelog
1.4.0
Compatibility notes:
By default, borg 1.4 will behave quite similar to borg 1.2 (it was forked off
from 1.2-maint branch at 1.2.7).
- the slashdot hack: be careful not to accidentally give paths containing
/./ to "borg create" if you do not want to trigger this feature (which
strips the left part of the path from archived items).
- BORG_EXIT_CODES=modern is a feature that borg script, wrapper and GUI
authors may want to use to get more specific error and warning return
codes from borg.
In that case, of course they will need to make sure to correctly deal
with these new codes, see the internals/frontends docs.
Other changes:
- vagrant: revive the buster64 box, RHEL8 has same glibc
- tests: fix pytest_report_header, #8232
- docs:
- mount: add examples using :: positional argument, #8255
- Installation: update Arch Linux repo name
- update standalone binary section
1.4.0rc1
Fixes:
- setup.py: fix import error reporting for cythonize import, #8208
- setup.py: detect noexec build fs issue, #8208
Other changes:
- changed insufficiently reserved length for log message, #8152
- use Python 3.11.9, Cython 3.0.10 and PyInstaller 6.7.0 for binary builds
- docs:
- use python 3.9 in cygwin install docs, fixes #8196
- recreate: remove experimental status
- github CI: fix PKG_CONFIG_PATH for openssl 3.0
- vagrant:
- add a ubuntu noble (24.04) VM
- drop buster VM, fixes #8171
1.4.0b2
Fixes:
- check: fix return code for index entry value discrepancies
- benchmark: inherit options --rsh --remote-path, #8099
- sdist: dynamically compute readme (long_description)
- create: deal with EBUSY, #8123
- No need to use OpenSSL 3.0 on OpenBSD, use LibreSSL.
- fix Ctrl-C / SIGINT behaviour for pyinstaller-made binaries, #8155
New features:
- create: add the slashdot hack, update docs, #4685
- upgrade --check-tam: check manifest TAM auth, exit with rc=1 if there
are issues.
- upgrade --check-archives-tam: check archives TAM auth, exit with rc=1
if there are issues.
Other changes:
- improve acl_get / acl_set error handling, improved/added tests, #8125
- remove bundled lz4/zstd/xxhash code (require the respective
libs/headers),
simplify setup.py, remove support for all BORG_USE_BUNDLED_*=YES, #8094
- require Cython 3.0.3 at least (fixes py312 memory leak), #8133
- allow msgpack 1.0.8, #8133
- init: better borg key export instructions
- init: remove compatibility warning for borg <=1.0.8
The warning refers to a compatibility issue not relevant any
more since borg 1.0.9 (released 2016-12).
- locate libacl via pkgconfig
- scripts/make.py: move clean, build_man, build_usage to there,
so we do not need to invoke setup.py directly, update docs
- docs:
- how to run the testsuite using the dist package
- add non-root deployment strategy (systemd / capabilities)
- simplify TAM-related upgrade docs using the new commands
- vagrant:
- use python 3.11.8
- use pyinstaller 6.5.0
- add xxhash for macOS, add libxxhash-dev for debianoid systems
- use openindiana/hipster box
1.4.0b1
Fixes:
- fix CommandError args, #8029
New features:
- implement "borg version" (shows client and server version), #7829
Other changes:
- better error msg for corrupted key data, #8016
- repository: give clean error msg for invalid nonce file, #7967
- check_can_create_repository: deal with PermissionErrors, #7016
- add ConnectionBrokenWithHint for BrokenPipeErrors and similar, #7016
- with-lock: catch exception, print error msg, #8022
- use cython 3.0.8
- modernize msgpack wrapper
- docs:
- add brew bundle instructions (macOS)
- improve docs for borg with-lock, #8022
1.4.0a1
New features:
- BORG_EXIT_CODES=modern: optional more specific return codes (for
errors and warnings).
The default value of this new environment variable is "legacy", which
should result in a behaviour similar to borg 1.2 and older (only using
rc 0, 1 and 2).
"modern" exit codes are much more specific (see the
internals/frontends docs).
Fixes:
- PATH: do not accept empty strings, #4221.
This affects the cli interface of misc. commands (create, extract,
diff, mount, ...) and they now will reject "" (empty string) given as
a path.
Other changes:
- Python: require Python >= 3.9, drop support for 3.8, #6383
- Cython: require Cython >= 3.0, drop support for Cython 0.29.x,
use 3str language level (default in cython3), #7978
- use pyinstaller 6.3.0 and python 3.11 for binary build, #7987
- msgpack: require >= 1.0.3, <= 1.0.7
- replace flake8 by ruff style/issue checker
- tests: remove python-dateutil dependency
- tests: move conftest.py to src/borg/testsuite, #6386
- move misc. config/metadata to pyproject.toml
- vagrant:
- use a freebsd 14 box, #6871
- use generic/openbsd7 box
- use openssl 3 on macOS, FreeBSD, OpenBSD
- remove ubuntu 20.04 "focal" box
- remove debian 9 "stretch" box (remove stretch-based binary builds)
- require recent setuptools and setuptools_scm
- crypto: get rid of deprecated HMAC_* functions to avoid warnings.
Instead, use hmac.digest from Python stdlib.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20231030 to 20240811
- Update of rootfile
- Rootfile reviewed and modified as per steps outlined by @Peter Müller
- AMD have issued firmware fixes for processors affected by the SinkClose vulnerability.
I don't know if they are in this version already or not but I will check for any new
updates periodically. Worth having the fixes just in case even though the likelyhood
is that those processors more likely to be used for IPFire (Ryzen 1000, 2000 & 3000)
will not be getting the fixes generated and provided.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 28 Aug 2024 15:28:42 +0000 (15:28 +0000)]
make.sh: Bind-mount /proc as a workaround for unshare
unshare seems to want to change the mount propagation for /proc
before it has been mounted. In order to workaround that problem,
we bind-mount /proc to itself before.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 29 Aug 2024 07:34:54 +0000 (07:34 +0000)]
coreutils: Drop the i18n patch
This patch caused that coreutils had to have to be reconfigured with
"autoreconf". However, we don't have autopoint available at this stage
in the build process and therefore we can't do this here.
I don't really know why we would require the patch and therefore suggest
dropping it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
