Michael Tremer [Mon, 28 Apr 2025 09:45:51 +0000 (09:45 +0000)]
vpnmain.cgi: Fix editing connections that are using a PSK
This patch takes care of properly decoding the PSK if it was already
stored base64-encoded. If the connection is edited, it always will be
stored base64-encoded upon save.
It would have been nice to not send the PSK back to the browser again
(although the security benefits would have been marginal), but that
would make the code even messier than it is.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Tested-by: Christian Hernmarck <linux@hernmarck.ch>
Adolf Belka [Mon, 7 Apr 2025 18:43:44 +0000 (20:43 +0200)]
netovpnrw.cgi: Fixes bug13838 - additional file name correction for collectd-5.x
- One location in netovpnrw.cgi was missed with a filename change coming from the collectd
update.
- This resulted in missing graph content for the openvpn road warrior graphs.
- Tested out on my production IPFire system. Making the change resulted in the graphs
being visible again.
Fixes: Bug13838
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 7 Apr 2025 18:43:43 +0000 (20:43 +0200)]
graphs.pl: Fixes bug13838 - additional file name corrections for collectd-5.x
- Two locations in graphs.pl were missed with filename changes coming from the collectd
update.
- These result in missing graph content for the openvpn road warrior graphs.
- Tested out on my production IPFire system. Making the changes resulted in the graphs
being visible again.
Fixes: bug13838
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:40 +0000 (22:25 +0200)]
libarchive: Update to version 3.7.9
- Update from version 3.7.7 to 3.7.9
- Update of rootfile
- 3 CVE fixes in 3.7.8
- Changelog
3.7.9
Important bugfixes:
a regression in libarchive 3.7.8 regarding GNU sparse entries was fixed
(#2558)
3.7.8
Security fixes:
tar reader: Handle truncation in the middle of a GNU long linkname (#2422,
CVE-2024-57970)
unzip: fix null pointer dereference (#2532, CVE-2025-1632)
tar reader: fix unchecked return value in list_item_verbose() (#2532,
CVE-2025-25724)
Important bugfixes:
7zip reader: add SPARC (#2399) and POWERPC (#2459) filter support for
non-LZMA compressors
tar reader: Ignore ustar size when pax size is present (#2405)
tar writer: Fix bug when -s/a/b/ used more than once with b flag (#2435)
cpio: Fix a Y2038 bug on Windows (#2471)
libarchive: Handle ARCHIVE_FILTER_LZOP in archive_read_append_filter (#2519)
libarchive: Adding missing seeker function to archive_read_open_FILE() (#2539)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 8 Apr 2025 21:37:27 +0000 (23:37 +0200)]
xz: Update to version 5.8.1
- Update from version 5.8.0 to 5.8.1
- Update of rootfile
- Changelog
5.8.1
IMPORTANT: This includes a security fix for CVE-2025-31115 which
affects XZ Utils from 5.3.3alpha to 5.8.0. No new 5.4.x or 5.6.x
releases will be made, but the fix is in the v5.4 and v5.6 branches
in the xz Git repository. A standalone patch for all affected
versions is available as well.
* Multithreaded .xz decoder (lzma_stream_decoder_mt()):
- Fix a bug that could at least result in a crash with
invalid input. (CVE-2025-31115)
- Fix a performance bug: Only one thread was used if the whole
input file was provided at once to lzma_code(), the output
buffer was big enough, timeout was disabled, and LZMA_FINISH
was used. There are no bug reports about this, thus it's
possible that no real-world application was affected.
* Avoid <stdalign.h> even with C11/C17 compilers. This fixes the
build with Oracle Developer Studio 12.6 on Solaris 10 when the
compiler is in C11 mode (the header doesn't exist).
* Autotools: Restore compatibility with GNU make versions older
than 4.0 by creating the package using GNU gettext 0.23.1
infrastructure instead of 0.24.
* Update Croatian translation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:39 +0000 (22:25 +0200)]
kmod: Update to version 34.2
- Update from version 34.1 to 34.2
- Update of rootfile not required
- Changelog
34.2
NEWS: squash a couple of typos
libkmod: fix buffer-overflow in weakdep_to_char
testsuite: Add modprobe -c test for weakdep
autotools: Fix generated files in tarball
kmod 34.2
libkmod: release memory on builtin error path
libkmod: fix buffer-overflow in weakdep_to_char
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:38 +0000 (22:25 +0200)]
jansson: Update to version 2.14.1
- Update from version 2.14 to 2.14.1
- Update of rootfile
- Changelog
2.14.1
Fixes:
- Fix thread safety of encoding and decoding when `uselocale` or `newlocale`
is used to switch locales inside the threads (#674, #675, #677. Thanks to
Bruno Haible for the report and help with fixing.)
- Use David M. Gay's `dtoa()` algorithm to avoid misprinting issues of real
numbers that are not exactly representable as a `double` (#680).
If this is not desirable, use `./configure --disable-dtoa` or `cmake
-DUSE_DTOA=OFF .`
Build:
- Make test output nicer in CMake based builds (#683)
- Simplify tests (#685)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:37 +0000 (22:25 +0200)]
gdbm: Update to version 1.25
- Update from version 1.24 to 1.25
- Update of rootfile not required
- Changelog
1.25
New function: gdbm_open_ext
This function provides a general-purpose interface for opening and
creating GDBM files. It combines the possibilities of gdbm_open
and gdbm_fd_open and provides detailed control over database file
locking.
New gdbmtool command: collisions
The command prints the collision chains for the current bucket, or
for the buckets identified by its arguments:
collisions
Display collisions for the current bucket.
collisions N
Display collisions for bucket N.
collisions N0 N1
Display collisions for the range of buckets [N0, N1].
Pipelines in gdbmtool
The output of a gdbmtool command can be connected to the input of a
shell command using the traditional pipeline syntax.
Fix a bug in block coalescing code
Other bugfixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 2 Apr 2025 20:25:36 +0000 (22:25 +0200)]
ffmpeg: Update to version 7.1.1
- Update from version 7.1 to 7.1.1
- Update of rootfile
- Changelog
7.1.1
avformat/hls: Partially revert "reduce default max reload to 3"
avformat/mov: (v4) fix get_eia608_packet
avformat/iff: Check that we have a stream in read_dst_frame()
avcodec/aac/aacdec_lpd: Limit get_unary()
avcodec/aac/aacdec_usac: Simplify decode_usac_scale_factors()
avcodec/aac/aacdec: Clear SFO on error
avformat/mlvdec: fix size checks
avformat/wavdec: Fix overflow of intermediate in block_align check
avformat/mxfdec: Check edit unit for overflow in mxf_set_current_edit_unit()
avformat/hls: Fix twitter
avcodec/vvc/refs: fix negative pps_scaling_win offsets
libavformat/hls: Be more restrictive on mpegts extensions
avformat/hls: .ts is always ok even if it's a mov/mp4
avcodec/h263dec: Check against previous dimensions instead of coded
avformat/hls: Print input format in error message
avformat/hls: Be more picky on extensions
avformat/iamf_parse: ensure there's at most one of each parameter types in
audio elements
avformat/iamf_parse: add missing constraints for num_parameters in
audio_element_oub()
avformat/iamf_parse: add missing av_free() call on failure path
lavc/hevcdec: unbreak WPP/progress2 code
fate: Add a dependency on ffprobe for fate-flcl1905
checkasm: aacencdsp: Actually test nonzero values in quant_bands
x86: aacencdsp: Fix negating signed values in aac_quantize_bands
rtmpproto: Avoid rare crashes in the fail: codepath in rtmp_open
configure: Improve the check for the rsync --contimeout option
avutil/downmix_info: add missing semicolon
doc/t2h: Support texinfo 7.1 and 7.2 pretest
avfilter/drawtext: fix memory leak when using "reinit" runtime command
avutil/downmix_info: zero the allocated buffer
avformat/mov: fix overflow in drift timestamp calculation
Changelog: update
avformat/mxfdec: Check avio_read() success in mxf_decrypt_triplet()
avcodec/huffyuvdec: Initialize whole output for decode_gray_bitstream()
avformat/iamf_reader: Initialize padding and check read in ff_iamf_read_packet()
avformat/ipmovie: Check signature_buffer read
avformat/wtvdec: Initialize buf
avcodec/cbs_vp9: Initialize VP9RawSuperframeIndex
avformat/vqf: Propagate errors from add_metadata()
avformat/vqf: Check avio_read() in add_metadata()
avcodec/ffv1enc: Fix RCT for GBR colorspace
avformat/dashdec: Check whitelist
avutil/avstring: don't mess with NULL pointers in av_match_list()
avfilter/vf_v360: Fix NULL pointer use
avcodec/mpegvideo_enc: Check FLV1 resolution limits
avcodec/ffv1enc: Fix handling of 32bit unsigned symbols
avformat/mov: perform sanity checks for heif before index building
avformat/mov: Factorize sanity check out
avcodec/vc1dec: Clear block_index in vc1_decode_reset()
avcodec/aacsbr_template: Clear n_q on error
avformat/iamf_parse: Check output_channel_count
avcodec/osq: Fixes several undefined overflows in do_decode()
swscale/output: Fix undefined overflow in yuv2rgba64_full_X_c_template()
avfilter/af_pan: Fix sscanf() use
avfilter/vf_grayworld: Use the correct pointer for av_log()
avfilter/vf_addroi: Add missing NULL termination to addroi_var_names[]()
avcodec/get_buffer: Use av_buffer_mallocz() for audio same as its done for video
avformat/jpegxl_anim_dec: clear buffer padding
avformat/rmdec: check that buf is completely filled
avcodec/cfhdenc: Clear dwt_tmp
avcodec/hapdec: Clear tex buffer
avformat/mxfdec: Check that key was read successfully
avformat/hevc: fix writing hvcC when no arrays are provided in hvcC-formatted
input
avformat/rtpdec: int overflow in start_time_realtime
avcodec/decode: Fix incorrect enum type used in side_data_map()
avformat/mov: fix crash when trying to get a fragment time for a non-existing
fragment
avformat/libssh: fix credential variables typo
avformat/hlsenc: check return value of avcodec_parameters_copy()
avformat/dashdec: format open_demux_for_component()
avformat/dashdec: check return code of avcodec_parameters_copy()
avformat/dashdec: return ret directly in open_demux_for_component()
avformat/smoothstreamingenc: check return value of avcodec_parameters_copy()
avcodec/cbs_av1: fix variable shadowing in cbs_av1_split_fragment()
doc/demuxers/dvdvideo: seeking is supported, remove outdated statement
avformat/dvdvideodec: check return code of ff_dvdclut_yuv_to_rgb()
avformat/dvdvideodec: fix missing last chapter marker due to off-by-one
avformat/dvdvideodec: don't allow seeking beyond dvdnav reported duration
avformat/dvdvideodec: discard duplicate or partial AC3 samples
avformat/dvdvideodec: drop packets with unset PTS or DTS
avformat/dvdvideodec: remove unnecessary need_parsing argument
avformat/dvdvideodec: open subdemuxer after initializing IFO headers
avformat/dvdvideodec: remove auto value for menu_lu option
avformat/dvdvideodec: default menu_vts option to 1 and clarify description
avformat/dvdvideodec: check the length of a NAV packet when reading titles
avformat/dvdvideodec: reset the subdemuxer on discontinuity instead of flushing
avformat/dvdvideodec: simplify dvdvideo_read_packet()
avformat/dvdvideodec: enable chapter calculation for menus
avformat/dvdvideodec: standardize the NAV packet event signal
avformat/dvdvideodec: move memcpy below missed NAV packet warning
avformat/dvdvideodec: remove "auto" value for -pg option, default to 1
avformat/dvdvideodec: measure duration of the current menu VOBU in state
avformat/dvdvideodec: fix menu PGC number off-by-one in state
avformat/dvdvideodec: remove unused headers
lavc/aarch64: Fix ff_pred16x16_plane_neon_10
lavc/aarch64: Fix ff_pred8x8_plane_neon_10
aarch64/vvc: Fix clip in alf
vp9: recon: Use emulated edge to prevent buffer overflows
arm: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter
aarch64: vp9mc: Load only 12 pixels in the 4 pixel wide horizontal filter
avformat/rpl: Fix check for negative values
avformat/mlvdec: Check avio_read()
avcodec/aac/aacdec: Free channel layout
avformat/mov: dereference pointer after null check
avcodec/utils: Fix block align overflow for ADPCM_IMA_WAV
avformat/matroskadec: Check pre_ns for overflow
tools/target_dec_fuzzer: Adjust threshold for EACMV
tools/target_dec_fuzzer: Adjust threshold for MVC1
tools/target_dec_fuzzer: Adjust Threshold for indeo5
avutil/timecode: Avoid fps overflow in av_timecode_get_smpte_from_framenum()
avcodec/aac/aacdec_usac: Don't leave type at an invalid value
avcodec/aac/aacdec_usac: Clean ics2->max_sfb when first SCE fails
avcodec/webp: Check ref_x/y
avcodec/ilbcdec: Initialize tempbuff2
swscale/swscale_unscaled: Fix odd height with nv24_to_yuv420p_chroma()
avcodec/hevc/hevcdec: initialize qp_y_tab
avformat/qcp: Check for read failure in header
avcodec/eatgq: Check bytestream2_get_buffer() for failure
avformat/dxa: check bpc
swscale/slice: clear allocated memory in alloc_lines()
avcodec/h2645_parse: Ignore NAL with nuh_layer_id == 63
avcodec/mjpegdec: Disallow progressive bayer images
avformat/icodec: fix integer overflow with nb_pal
doc/developer: Document relationship between git accounts and MAINTAINERS
doc/infra: Document trac backup system
doc/infra: Document gitolite
avformat/vividas: Check avio_read() for failure
avformat/ilbc: Check avio_read() for failure
avformat/nistspheredec: Clear buffer
avformat/mccdec: Initialize and check rate.den
avformat/rpl: check channels
INSTALL: explain the circular dependency issue and solution
avformat/mpegts: Initialize predefined_SLConfigDescriptor_seen
avformat/mxfdec: Fix overflow in midpoint computation
swscale/output: use unsigned for bit accumulation
swscale/rgb2rgb_template: Fix ff_rgb24toyv12_c() with odd height
avcodec/rangecoder: only perform renorm check/loop for callers that need it
avcodec/ffv1: add a named constant for the quant table size
avcodec/ffv1: RCT is only possible with RGB
avcodec/ffv1enc: Fix RCT with RGB64
avcodec/ffv1dec: Fix end computation with ec=2
avcodec/ffv1enc: Move slice termination into threads
avcodec/ffv1enc: Prevent generation of files with broken slices
avformat/matroskadec: Check desc_bytes so bits fit in 64bit
avformat/mov: Avoid overflow in dts
avcodec/ffv1enc: Correct error message about unsupported version
avcodec/ffv1: Store and reuse sx/sy
avcodec/ffv1enc: Slice combination is unsupported
avcodec/ffv1enc: 2Pass mode is not possible with golomb coding
avfilter/buffersrc: check for valid sample rate
avcodec/libdav1d: clear the buffered Dav1dData on decoding failure
avformat/iamf_writer: ensure the stream groups are not empty
avformat/iamf_writer: fix setting num_samples_per_frame for OPUS
avformat/iamf_parse: fix setting duration for the last subblock in a
parameter definition
avformat/iamf_parse: add checks to parameter definition durations
avformat/iamf_parse: reject ambisonics mode > 1
checkasm: Print benchmarks of C-only functions
avcodec/ac3dec: fix downmix logic for eac3
avcodec/codec_desc: remove Intra Only prop for AAC
avcodec/mediacodecdec: set keyframe flag in output frames
avcodec/libfdk-aacenc: set keyframe in output packets
avcodec/libfdk-aacdec: set keyframe flag and profile in output frames
avcodec/audiotoolboxenc: set keyframe flag in output packets
avcodec/audiotoolboxdec: set keyframe flag in output frames
avcodec/aacenc: set keyframe flag in output packets
avcodec/aac/aacdec: set keyframe flag in output frames
avcodec/aac_parser: set key_frame and profile
avformat/mov: don't unconditionally set all audio packets in fragments as key
frames
avformat/matroskadec: set all frames in a keyframe simple box as keyframes
avformat/test/movenc: set audio packets as key frames
avformat/movenc: write stss boxes for xHE-AAC
avformat/spdifdec: parse headers for audio codecs
avformat/movenc: don't disable edit lists when writing CMAF output
avcodec/libfdk-aacenc: export CPB properties
avformat/movenc: don't write a calculated avgBitrate when the provided one is
unset
libavutil/riscv: Make use of elf_aux_info() on FreeBSD / OpenBSD riscv
libavutil/ppc: defines involving bit shifts should be unsigned
libavutil/ppc: Include the hardware feature flags like the other archs
lavu/riscv: fix compilation without Vector support
avfilter/f_loop: fix aloop activate logic
avfilter/f_loop: fix length of aloop leftover buffer
avfilter/vf_zscale: align the frame buffers
lavfi/vf_zscale: fix call to av_pix_fmt_count_planes
lavfi/vf_zscale: fix tmp buffer ptr alignment for zimg_filter_graph_process
avfilter/framepool: align the frame buffers
avcodec/h2645_sei: use the RefStruct API for film_grain_characteristics
avcodec/aom_film_grain: allocate film grain metadata dynamically
avformat/mov: use an array of pointers for heif_item
avformat/mov: split off heif item initialization to its own function
avformat/mov: factorize getting the current item
lavc/h264idct: fix RISC-V group multiplier
lavc/h264dsp: move RISC-V fn pointers to .data.rel.ro
avcodec/jpegxl_parser: fix reading lz77-pair as initial entropy symbol
avcodec/jpegxl_parser: check entropy_decoder_read_symbol return value
avcodec/cbs_h266: Fix regression in DVB clip introduced by 93281630a71c06642adfebebb0d4b105a4e02e91
avcodec/x86/vvc: add prototypes for OF functions
Document stream specifier syntax change from 46cbe4ab5c
fftools/ffplay: fix crash when vk renderer is null
avutil/wchar_filename: re-introduce explicit cast of void* to char*
fate/ffmpeg: add samples dependency to fate-ffmpeg-spec-disposition
fftools/ffmpeg_filter: treat apad filter as a source
lavc/avcodec: fix global/private option precedence
avfilter/framesync: fix forward EOF pts
avcodec/vaapi_encode: fix compilation without CONFIG_VAAPI_1
libavcodec: x86: Remove an explicit include of config.asm
checkasm: lls: Use relative tolerances rather than absolute ones
arm: Consistently use proper interworking function returns
avcodec/libx265: unbreak build for X265_BUILD >= 213
fftools: log unconnected filter output label
fftools: do not access out of bounds filtergraph
avcodec/mediacodecenc: Fix access of uninitialized value
avformat/img2enc: Fix integer truncation when frame_pts is enabled
avformat/internal: Add ff_get_frame_filename
avformat/mov: don't return the latest stream when an item stream is expected
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 1 Apr 2025 20:50:02 +0000 (22:50 +0200)]
backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc
- This adds a check if the ipsec server is enabled. If it is then ipsecctrl is run to
restart ipsec and ensure that the restored certs are all being used.
- Tested this out on my vm testbed and confirmed that with this I could restore a backup
and make the client connection as previously set up.
- Without this I had to press the Save button on the ipsec WUI page to get the certs
etc being used.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 1 Apr 2025 18:08:00 +0000 (20:08 +0200)]
backup.pl: Fixes bug13737 - restarts ipsec to use the restored certs etc
- This adds a check if the ipsec server is enabled. If it is then ipsecctrl is run to
restart ipsec and ensure that the restored certs are all being used.
- Tested this out on my vm testbed and confirmed that with this I could restore a backup
and make the client connection as previously set up.
- Without this I had to press the Save button on the ipsec WUI page to get the certs
etc being used.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 1 Apr 2025 18:07:59 +0000 (20:07 +0200)]
include: Add the contents of the ipsec certs directory to the backup
- Previously only the .pem files were backed up from the /var/ipfire/certs/ directory.
That was okay in the past as the serial and index files never changed after the
root/host cert set was created.
- With the renew process then the serial and index files get updated and these are needed
to match with the cert status that was backed up. Otherwise you could end up with one
set of values in the serial and index files that did not match with the restored
certs.
- This patch adds all the contents of the certs directory to the backup.
- Tested out on my vm testbed and successfully restored a backup and was able to connect
with the same client settings.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 1 Apr 2025 18:07:58 +0000 (20:07 +0200)]
vpnmain.cgi: Fixes bug13737 - revoke any deleted client certificate
- As the serial number is incremented now for each new cert that is created, then when a
client cert is deleted from the ipsec list in the wui then that cert must be revoked
otherwise it will still be listed in the .index file as a valid certificate and then
the certificate name and DN could never be used again.
- Running the revoke command when deleting a client cert leaves the details in the .index
file but the same name can then be re-used and will get a new serial number etc.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This first part removes all usages of &cleanssldatabase with the client certificates.
This is not needed here. If used then the serial number would be moved back to 01 when
an existing client certificate is removed or a new one created, even if no errors
occurred.
- The usage of &cleanssldatabase has also been removed from the root/host cert creation
if it was successful, otherwise the index file is moved back to being empty and the
serial file to containing 01.
- The only usage now of the &cleanssldatabase is for when the root/host cert set is
being created or if an uploaded cert has been checked as good to install.
- This now means that each time a new client certificate is created the serial number
is incremented.
- The removal of the x509 root/host cert also unlinks all .pem files in the certs
directory and therefore also all the 01.pem, 02.pem etc files so the
&cleanssldatabase routine no longer needs to unlink the 01.pem file
- The &newcleanssldatabase script is no longer needed, as the &cleanssldatabase commands
used covers the required cleaning, so it has been removed.
- This patch together with the others from this set have been tested out on my vm system
and I was able to create a new root/host cert set and then new client certs and make
an ipsec certificate connection successfully. I could then renew the host cert and
the client connection still worked.
Fixes: bug13737
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
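The two commits above ("include: Add the contents of the ipsec certs directory to the backup" and "vpnmain.cgi: Fixes bug13737 - revoke any deleted client certificate") both hinge on how an `openssl ca` database behaves: the `index.txt` file records every issued certificate with a status column, the `serial` file holds the next serial to hand out, and with `unique_subject = yes` (the `openssl ca` default) a new request is refused while a still-valid entry with the same subject DN exists, whereas a revoked entry no longer blocks it. The following is an added illustration written for this page, not code from IPFire's vpnmain.cgi or backup.pl. It parses a constructed `index.txt`, shows why deleting a client cert without revoking it leaves the DN unusable, and checks the consistency a restored backup needs between `index.txt` and `serial`. The file contents, DNs and timestamps are made up.

```python
"""Model of an `openssl ca` database (index.txt + serial) with the two checks
a practitioner would run: can this subject DN be issued again, and does the
restored `serial` file still agree with the issued certificates?

Added example for this page; not IPFire project code. The index lines and
DNs below are constructed sample data.
"""

from dataclasses import dataclass


@dataclass
class IndexEntry:
    status: str      # 'V' valid, 'R' revoked, 'E' expired (openssl ca semantics)
    expiry: str      # notAfter as YYMMDDHHMMSSZ
    revoked_at: str  # revocation time, empty unless status == 'R'
    serial: int      # serial number, stored as hex in the file
    filename: str    # usually the literal string 'unknown'
    subject: str     # subject DN in OpenSSL one-line form


def parse_index(text: str) -> list[IndexEntry]:
    """Parse the tab-separated index.txt that `openssl ca` maintains."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index line: {line!r}")
        status, expiry, revoked_at, serial_hex, filename, subject = fields
        entries.append(IndexEntry(status, expiry, revoked_at,
                                  int(serial_hex, 16), filename, subject))
    return entries


def is_subject_reusable(entries: list[IndexEntry], subject: str) -> bool:
    """Mirror the unique_subject rule: only *valid* entries block re-issuance.

    This is why the page's fix runs the revoke command when a client cert is
    deleted from the WUI: the entry stays in index.txt but flips to 'R', and
    the same CN/DN can then be issued again with a fresh serial."""
    return not any(e.status == "V" and e.subject == subject for e in entries)


def revoke(entries: list[IndexEntry], serial: int,
           when: str = "250401120000Z") -> bool:
    """Mark a valid entry revoked, as `openssl ca -revoke` would. Returns
    False when no valid certificate with that serial exists."""
    for e in entries:
        if e.serial == serial and e.status == "V":
            e.status = "R"
            e.revoked_at = when
            return True
    return False


def serial_is_consistent(entries: list[IndexEntry], serial_text: str) -> bool:
    """The `serial` file holds the *next* serial (hex). If a backup restored an
    older `serial` alongside a newer index.txt, the CA would re-issue a serial
    that is already in use; that mismatch is what backing up the whole certs
    directory, including serial and index, avoids."""
    next_serial = int(serial_text.strip(), 16)
    return all(e.serial < next_serial for e in entries)


# Constructed sample database: a host cert and one client cert, both valid.
SAMPLE_INDEX = (
    "V\t260401120000Z\t\t01\tunknown\t/C=DE/O=IPFire/CN=ipfire-host\n"
    "V\t260401120000Z\t\t02\tunknown\t/C=DE/O=IPFire/CN=client1\n"
)
SAMPLE_SERIAL_OK = "03\n"      # next serial after 01 and 02 were issued
SAMPLE_SERIAL_STALE = "01\n"   # what a backup taken before issuance would hold


def demo() -> dict:
    """Run the scenario end to end and return the observations."""
    entries = parse_index(SAMPLE_INDEX)
    client_dn = "/C=DE/O=IPFire/CN=client1"
    before = is_subject_reusable(entries, client_dn)   # blocked: entry is 'V'
    revoked = revoke(entries, 2)
    after = is_subject_reusable(entries, client_dn)    # allowed: entry is 'R'
    return {
        "reusable_before_revoke": before,
        "revoked": revoked,
        "reusable_after_revoke": after,
        "serial_ok": serial_is_consistent(entries, SAMPLE_SERIAL_OK),
        "serial_stale": serial_is_consistent(entries, SAMPLE_SERIAL_STALE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the DN blocked while its entry is valid, reusable once the entry is revoked, and the stale `serial` file rejected by the consistency check; the last point is the one a restore of only the `.pem` files would silently get wrong.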
Adolf Belka [Tue, 1 Apr 2025 12:26:50 +0000 (14:26 +0200)]
core194: Ship changed openssl.cnf file from CU184
- openssl.cnf had copy_extensions = copyall added to the [ IPFire ] section as part of
the ipsec host cert renewal process but the file was missed to be shipped with the
Core Update 184 update. So only users doing fresh installs of CU184 or later will
have the updated openssl.cnf file.
- This patch rectifies that situation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 31 Mar 2025 14:35:26 +0000 (16:35 +0200)]
firewall: Explicitly don't NAT any aliases
It seems that there is a problem with local connections that have
preselected an outgoing interface. That will work just fine, but
ultimately the packet will be NATed back to the primary RED IP address.
To prevent this, we are adding some extra rules that skip the MASQUERADE
target.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Mar 2025 13:45:00 +0000 (15:45 +0200)]
libxml2: Update to version 2.14.0
- Update from version 2.13.5 to 2.14.0
- Update of rootfile
- sobump so ran find-dependencies. apache2, clamav, collectd, libvirt, libxslt, nfs,
rng-tools, rrdtool and tshark are all linked against the lib bump. So additional
patches are in this set to bump the PAK_VER and ship the addons and to ship the
linked core packages. Hope it is done correctly. Let me know if not.
- 2 CVE fixes added into version 2.13.6
- Changelog
2.14.0
Major changes
The HTML tokenizer now conforms fully to HTML5. Several non-standard
syntax warnings were removed. Note that HTML5 tree construction isn't
implemented yet.
Binary compatibility is restricted to versions 2.14 or newer. On ELF
systems, the soname was bumped from libxml2.so.2 to libxml2.so.16.
The serialization API will now take user-provided or default encodings
into account when serializing attribute values, matching the
serialization of text and avoiding unnecessary escaping.
The XML parser won't try to merge consecutive CDATA sections as before
to align with web standards. Each CDATA section will create exactly one
node or SAX callback.
Support for RELAX NG can now be disabled with a new configuration
option independently of XML Schemas support. It is still enabled by
default.
The "legacy" configuration option won't enable support for HTTP and
LZMA anymore. These features will be removed in the next release.
Parts of the xmllint executable were refactored, allowing the
combination of more options. OOM errors should be reported reliably now.
Several improvements were made to the build systems. Meson is fully
supported now.
Parts of the buffering code were reworked and simplified.
Overflow checks before reallocations were hardened.
Some unprefixed symbols were renamed to avoid namespace pollution.
New features
Input callbacks can now be set on a parser context and an improved API
to create parser input is available. The following new functions,
taking a parser input object, were added:
- xmlCtxtParseDocument
- xmlCtxtParseContent as replacement for xmlParseBalancedChunkMemory
and xmlParseInNodeContext
- xmlCtxtParseDtd
The xmlSave API now has additional options to replace global settings.
Parser options XML_PARSE_UNZIP, XML_PARSE_NO_SYS_CATALOG and
XML_PARSE_CATALOG_PI were added.
An API function to install a custom character encoding converter is
now available. This makes it possible to use ICU for encoding conversion
even if libxml2 was compiled without ICU support, see example/icu.c.
Deprecations
Access to many public struct members is now deprecated. Several accessor
functions were added to use instead.
More internal functions were deprecated.
Removals
Metadata about the HTML4 content model was removed from the htmlElemDesc
struct and related functions were deprecated.
The FTP module and related functions were removed.
Support for the range and point extensions of the xpointer() scheme
was removed. The rest of the XPointer implementation isn't affected.
The xpointer() scheme now behaves like the xpath1() scheme.
Several legacy symbols and the functions in xmlunicode.h were removed.
ELF version information was removed.
The shell was moved from libxml2 to xmllint. Several related functions
are no longer available.
The libxml.m4 file containing autoconf macros was removed.
The --with-tree configuration option was removed.
The hack to detect single-threaded programs under glibc was removed.
Planned removals
Support for HTTP and LZMA compression is planned to be removed in the
2.15 release.
The following features are considered for removal:
- Modules API (xmlmodule.h)
- Schematron support
- Support for zlib compressed file I/O
- Legacy Windows build system in win32
RELAX NG support is still in a bad state and a long-term removal
candidate.
2.13.7
Regressions
- tree: Fix xmlTextMerge with NULL args
- io: Fix `compressed` flag for uncompressed stdin
- parser: Fix parsing of DTD content
2.13.6
Security
- [CVE-2025-24928] Fix stack-buffer-overflow in xmlSnprintfElements
- [CVE-2024-56171] Fix use-after-free after xmlSchemaItemListAdd
- pattern: Fix compilation of explicit child axis
Regressions
- xmllint: Support compressed input from stdin
- uri: Fix handling of Windows drive letters
- reader: Fix return value of xmlTextReaderReadString again
- SAX2: Fix xmlSAX2ResolveEntity if systemId is NULL
Portability
- dict: Handle ENOSYS from getentropy gracefully
- Fix compilation with uclibc (Dario Binacchi)
- python: Declare init func with PyMODINIT_FUNC
- tests: Fix sanitizer version check on old Apple clang
- cmake: Work around broken sys/random.h in old macOS SDKs
Build
- autotools: Set AC_CONFIG_AUX_DIR
- cmake: Always build Python module as shared library
- cmake: add missing `Bcrypt` link on Windows (Saleem Abdulrasool)
- cmake: Fix compatibility in package version file
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Mar 2025 13:18:22 +0000 (15:18 +0200)]
procps: Update to version 4.0.5
- Update from version 4.0.4 to 4.0.5
- Update of rootfile
- sobump so ran find-dependencies. usr/bin/uptime from coreutils is linked to the procps
libs. So a separate patch created to ship coreutils. I hope I have done it correctly
- Changelog
4.0.5
* library
increment current, revision and age to 0: 1:0:0
internal: days/users when value is 0 issue #303
internal: don't print 60s but increment minute issue #302
internal: stat api fixed remaining cpu distortions issue #321
internal: only count user sessions
internal: Recover from meminfo seek using LXC Debian #1072831
internal: stat api no longer counts guest tics twice issue #339
external: zswap & zswapped added to meminfo api
external: schedule class added to pids api
external: disk sleep added to pids api, sleep revised issue #265
external: docker containers added to pids api
external: procps_users new exported function
external: procps_uptime_snprint uses given upseconds
external: procps_container_uptime
external: meminfo api adds SecPageTables, Unaccepted
external: pids api now provides open file descriptors
external: 'info' parm removed from all 'VAL' macros issue #332
external: Add procps_sigmask_names
external: Add procps_capability_names
external: Add PIDS_CAP__PRM Permitted Capabilities
* build-sys: Added --disable-pidwait and fixed logic issue #352
* kill: Correctly parse negative pids issue #354
* pgrep: select process by environment variable issue #167
* pgrep: Rework pidfile reading to include stdin issue #318
* pmap: Don't escape correct UTF-8 characters
* ps: Add environ field
* ps: Add htprv and htshr fields for HugeTables
* ps: restore lost tasks for options --sort with -H issue #304
* ps: add 'docker' containers field, similar to 'lxc'
* ps: Restore AIX free-format issue #323
* ps: can display open file descriptors for each task
* ps: Fix signames scanning issue #341
* ps: Add -o pcap,pcaps to show permitted capabilities
* ps: Zombies show <defunct> in the commandname issue #355
* ps: Use quick mode if possible merge #239
* slabtop: Add --human option for slab size
* snice: Minor fix for help screen Debian #1086441
* sysctl: Add glob excludes merge #206
* sysctl: --all skips stat_refresh Debian #978688
* top: added a 'CLS' scheduling class field, like ps
* top: exploit library addition of 'disk sleep' issue #265
* top: add 'docker' containers field, similar to 'lxc'
* top: provides additional control over colors
* top: can display open file descriptors for each task
* top: corrected cpu % for hosts with qemu processes issue #339
* top: remains functional if /proc mounted subset=pid
* top: can display a task's permitted capabilities (^A)
* uptime: Add container uptime option issue #300
* vmstat: Add page allocation to --stats
* vmstat.8: si/so are changed by --unit Debian #1061944
* w: Don't segfault with -s option issue #301
* w: Cache pids list issue #305
* w: Add container uptime option
* w.1: Note utmp is for non-systemd Debian #1080333
* watch: use clock_gettime issue #295
* watch.1: --chgexit only works for visible changes Debian #729569
* hugetop: a new utility to show huge page information merge #214
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Mar 2025 13:15:55 +0000 (15:15 +0200)]
xz: Update to version 5.8.0
- Update from version 5.6.3 to 5.8.0
- branch 5.8 is the new stable branch. Branch 5.6 from now on will only get critical
fixes, there will be no new releases on that old branch.
- Update of rootfile
- Changelog
5.8.0
This bumps the minor version of liblzma because new features were
added. The API and ABI are still backward compatible with liblzma
5.6.x, 5.4.x, 5.2.x, and 5.0.x.
* liblzma on 32/64-bit x86: When possible, use SSE2 intrinsics
instead of memcpy() in the LZMA/LZMA2 decoder. In typical cases,
this may reduce decompression time by 0-5 %. However, when built
against musl libc, over 15 % time reduction was observed with
highly compressed files.
* CMake: Make the feature test macros match the Autotools-based
build on NetBSD, Darwin, and mingw-w64.
* Update the Croatian, Italian, Portuguese, and Romanian
translations.
* Update the German, Italian, Korean, Romanian, Serbian, and
Ukrainian man page translations.
Summary of changes in the 5.7.x development releases:
* Mark the following LZMA Utils script aliases as deprecated:
lzcmp, lzdiff, lzless, lzmore, lzgrep, lzegrep, and lzfgrep.
* liblzma:
- Improve LZMA/LZMA2 encoder speed on 64-bit PowerPC (both
endiannesses) and those 64-bit RISC-V processors that
support fast unaligned access.
- Add low-level APIs for RISC-V, ARM64, and x86 BCJ filters
to lzma/bcj.h. These are primarily for erofs-utils.
- x86/x86-64/E2K CLMUL CRC code was rewritten.
- Use the CRC32 instructions on LoongArch.
* xz:
- Synchronize the output file and its directory using fsync()
before deleting the input file. No syncing is done when xz
isn't going to delete the input file.
- Add --no-sync to disable the sync-before-delete behavior.
- Make --single-stream imply --keep.
* xz, xzdec, lzmainfo: When printing messages, replace
non-printable characters with question marks.
* xz and xzdec on Linux: Support Landlock ABI versions 5 and 6.
* CMake: Revise the configuration variables and some of their
options, and document them in the file INSTALL. CMake support
is no longer experimental. (It was already not experimental
when building for native Windows.)
* Add build-aux/license-check.sh.
5.6.4
* liblzma: Fix LZMA/LZMA2 encoder on big endian ARM64.
* xz:
- Fix --filters= and --filters1= ... --filters9= options
parsing. They require an argument, thus "xz --filters lzma2"
should work in addition to "xz --filters=lzma2".
- On the man page, note in the --compress and --decompress
options that the default behavior is to delete the input
file unless writing to standard output. It was already
documented in the DESCRIPTION section but new users in
a hurry might miss it.
* Windows (native builds, not Cygwin): Fix regressions introduced
in XZ Utils 5.6.3 which caused non-ASCII characters to display
incorrectly. Only builds with translation support were affected
(--enable-nls or ENABLE_NLS=ON). The following changes affect
builds that have translations enabled:
- Require UCRT because MSVCRT doesn't support UTF-8
locales and thus translations won't be readable on
Windows 10 version 1903 and later. (MSVCRT builds
are still possible with --disable-nls or ENABLE_NLS=OFF.)
- Require gettext-runtime >= 0.23.1 because older versions
don't autodetect the use of the UTF-8 code page. This
resulted in garbled non-ASCII characters even with UCRT.
- Partially fix alignment issues in xz --verbose --list
with translated messages. Chinese (simplified),
Chinese (traditional), and Korean column headings
are misaligned still because Windows and MinGW-w64
don't provide wcwidth() and XZ Utils doesn't include
a replacement function either.
* CMake: Explicitly disable unity builds. This prevents build
failures when another project uses XZ Utils via CMake's
FetchContent module, and that project enables unity builds.
* Update Chinese (traditional) and Serbian translations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Mar 2025 13:15:53 +0000 (15:15 +0200)]
harfbuzz: Update to version 11.0.0
- Update from version 10.4.0 to 11.0.0
- Update of rootfile
- Changelog
11.0.0
- There are three new font-functions implementations (integrations) in this
release:
* `hb-coretext` has gained one, calling into the CoreText library,
* `hb-directwrite` has gained one, calling into the DirectWrite library.
* `hb-fontations` has gained one, calling into the Skrifa Rust library.
All three are mostly useful for performance and correctness testing, but some
clients might find them useful.
An API is added to use them from a single API by providing a backend name
string:
* `hb_font_set_funcs_using()`
- Several new APIs are added, to load a font-face using different
"face-loaders", and a single entry point to them all using a loader name
string:
* `hb_ft_face_create_from_file_or_fail()` and
`hb_ft_face_create_from_blob_or_fail()`
* `hb_coretext_face_create_from_file_or_fail()` and
`hb_coretext_face_create_from_blob_or_fail()`
* `hb_directwrite_face_create_from_file_or_fail()` and
`hb_directwrite_face_create_from_blob_or_fail()`
* `hb_face_create_from_file_or_fail_using()`
- All drawing and painting operations using the default, `hb-ot` functions have
become memory allocation-free.
- Several performance optimizations have been implemented.
- Application of the `trak` table during shaping has been improved.
- The `directwrite` shaper now supports font variations, and correctly applies
user features.
- The `hb-directwrite` API and shaper has graduated from experimental.
- Various bug fixes and other improvements.
- New API:
+hb_malloc
+hb_calloc
+hb_realloc
+hb_free
+hb_face_list_loaders
+hb_face_create_or_fail_using
+hb_face_create_from_file_or_fail_using
+hb_font_list_funcs
+hb_font_set_funcs_using
+hb_coretext_face_create_from_blob_or_fail
+hb_directwrite_face_create_from_file_or_fail
+hb_directwrite_face_create_from_blob_or_fail
+hb_directwrite_font_create
+hb_directwrite_font_get_dw_font_face
+hb_directwrite_font_set_funcs
+hb_fontations_font_set_funcs
+hb_ft_face_create_from_blob_or_fail
+hb_paint_push_font_transform
+hb_paint_push_inverse_font_transform
+HB_BUFFER_CLUSTER_LEVEL_GRAPHEMES
+HB_BUFFER_CLUSTER_LEVEL_IS_MONOTONE
+HB_BUFFER_CLUSTER_LEVEL_IS_GRAPHEMES
+HB_BUFFER_CLUSTER_LEVEL_IS_CHARACTERS
- Deprecated API:
+hb_directwrite_font_get_dw_font
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 31 Mar 2025 13:15:54 +0000 (15:15 +0200)]
iproute2: Update to version 6.14.0
- Update from version 6.11.0 to 6.14.0
- Update of rootfile
- Changelog is not available. Details of changes have to be found by reviewing the git
log file - https://web.git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stephen Cuka [Sun, 30 Mar 2025 17:05:21 +0000 (11:05 -0600)]
pakfire.cgi: Add upgrade confirmation page.
- Add upgrade confirmation page. Clicking on the 'Upgrade' button on the main page displays the confirmation page.
- The upgrade confirmation page runs 'pakfire update' then displays all available core and add-on upgrades for confirmation. If there are any 'ERROR' messages from the 'pakfire update', they are displayed on the confirmation page.
Robin Roevens [Fri, 28 Mar 2025 23:23:32 +0000 (00:23 +0100)]
zabbix_agentd: Set passive check agents to 3 by default on new installations.
Zabbix Agent since v7 by default forks 10 instances to listen for and concurrently execute incoming (passive) checks. This was only 3 in previous versions and should be plenty on an IPFire instance where resources can be scarce.
Users with an existing installation will have to manually add the parameter to their config if they don't want the Zabbix new default of 10. This will be documented in the wiki.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 28 Mar 2025 21:03:25 +0000 (22:03 +0100)]
expat: Update to version 2.7.1
- Update from version 2.7.0 to 2.7.1
- Update of rootfile
- Changelog
2.7.1
Bug fixes:
#980 #989 Restore event pointer behavior from Expat 2.6.4
(that the fix to CVE-2024-8176 changed in 2.7.0);
affected API functions are:
- XML_GetCurrentByteCount
- XML_GetCurrentByteIndex
- XML_GetCurrentColumnNumber
- XML_GetCurrentLineNumber
- XML_GetInputContext
Other changes:
#976 #977 Autotools: Integrate files "fuzz/xml_lpm_fuzzer.{cpp,proto}"
with Automake that were missing from 2.7.0 release tarballs
#983 #984 Fix printf format specifiers for 32bit Emscripten
#992 docs: Promote OpenSSF Best Practices self-certification
#978 tests/benchmark: Resolve mistaken double close
#986 Address compiler warnings
#990 #993 Version info bumped from 11:1:10 (libexpat*.so.1.10.1)
to 11:2:10 (libexpat*.so.1.10.2); see https://verbump.de/
for what these numbers do
Infrastructure:
#982 CI: Start running Perl XML::Parser integration tests
#987 CI: Enforce Clang Static Analyzer clean code
#991 CI: Re-enable warning clang-analyzer-valist.Uninitialized
for clang-tidy
#981 CI: Cover compilation with musl
#983 #984 CI: Cover compilation with 32bit Emscripten
#976 #977 CI: Protect against fuzzer files missing from future
release archives
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stephen Cuka [Thu, 27 Mar 2025 05:34:40 +0000 (23:34 -0600)]
pakfire.cgi: Convert icons to buttons.
- Convert icons to buttons on main and confirmation pages.
- Disable Upgrade button if no core or add-on updates available.
- Disable Install and Remove buttons until an add-on is selected
to install or remove.
- Change 'abort' to 'cancel'.
- Change 'uninstall' to 'remove'.
- Set fixed height on select boxes to keep the size the same if
there are no options for the select.
- Change translation for install/remove description text, the previous
text referred to the icons.
'pakfire install description' -> 'Please select one or more add-ons to install.'
'pakfire uninstall description' -> 'Please select one or more add-ons to remove.'
Signed-off-by: Stephen Cuka <stephen@firemypi.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stephen Cuka [Mon, 24 Mar 2025 00:35:43 +0000 (18:35 -0600)]
langs: Add 'pakfire updates' translation.
Add missing 'pakfire updates' tr to en.pl and it.pl. For other
languages, in cases where the existing 'pakfire updates' tr does not
match the 'available updates' tr currently used by pakfire.cgi, give
precedence to the 'available updates' tr and update 'pakfire updates'
accordingly.
Signed-off-by: Stephen Cuka <stephen@firemypi.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 27 Mar 2025 22:45:52 +0000 (23:45 +0100)]
zabbix_agentd: Disable passive checks by default on new installations.
Zabbix Agent by default normally forks 10 instances to listen for incoming (passive) checks.
I, however, recommend only using active checks on an IPFire instance, so that the agent on the instance will only actively contact the Zabbix server to request a list of checks to perform instead of waiting for the server to contact the agent for every check.
This frees up some resources valuable to smaller systems and makes the agent not listen on any TCP port, which is one possible attack surface less.
Users with an existing installation will have to manually add the parameter to their config. This will be documented in the wiki.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 27 Mar 2025 22:45:51 +0000 (23:45 +0100)]
zabbix_agentd: Update to 7.0.11 (LTS)
- Update from version 6.0.33 to 7.0.11
- Update of rootfile not required
This is a major release update to the next LTS version and breaks compatibility with Zabbix Server 6.x.
A survey on the forum resulted in nobody claiming to still use Zabbix Server v6.x.
Matthias Fischer [Tue, 25 Mar 2025 18:08:51 +0000 (19:08 +0100)]
suricata: Update to 7.0.10
For details see:
https://suricata.io/2025/03/25/suricata-7-0-10-released/
"This is an extra release to address a critical issue in 7.0.9 affecting
AF_PACKET users: setting a BPF would cause Suricata to fail to start up. As
this affected many users, we’ve decided to push this release earlier than
originally planned. Our QA processes have been updated to avoid similar
issues going forward."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 24 Mar 2025 17:44:26 +0000 (18:44 +0100)]
libidn: Removal of package as no longer needed.
- A while back elinks changed from using libidn to libidn2. At that time that left
ghostscript as the only package still using libidn. With the removal of cups and
associated packages, including ghostscript, libidn is no longer used. libidn2 is
used where required now.
- This removes the lfs and rootfiles and removes the entry from the make.sh file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 24 Mar 2025 17:44:25 +0000 (18:44 +0100)]
cifs-utils: Update to version 7.3
- Update from version 7.1 to 7.3
- Update of rootfile not required.
- Changelog
7.3
Fix regression in mount.cifs with guest mount option
cldap_ping: Fix socket fd leak
resolve_host.c: Initialize site_name
7.2
cifs-utils: Skip TGT check if valid service ticket is already available
docs: update actimeo description
docs: add max_cached_dirs description
docs: add esize description
cifs-utils: support and document password2 mount option
use enums to check password or password2 in set_password,
get_password_from_file and minor documentation additions
Fix compiler warnings in mount.cifs
Do not pass passwords with sec=none and sec=krb5
smbinfo: add bash completion support for filestreaminfo, keys, gettconinfo
cifs-utils: bump version to 7.2
CIFS.upcall to accommodate new namespace mount opt
cifs-utils: add documentation for upcall_target
cifs-utils: avoid using mktemp when updating mtab
getcifsacl: fix return code check for getting full ACL
cifscreds: use continue instead of break when matching commands
cifscreds: allow user to set the key's timeout
configure.ac: libtalloc is now mandatory
cldap_ping.c: add missing <sys/types.h> include
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20240722.0 to 20250127.0
- Update of rootfile
- Changelog 20250127.0
What's New:
Added support for Bazel 8.0
Added support for Bazel Platforms for better portability
Added ABSL_ATTRIBUTE_VIEW and ABSL_ATTRIBUTE_OWNER for diagnosing certain
lifetime issues
Many performance improvements
A security issue in hash container create/resize has been fixed. Note that
the latest patch releases for previous LTS versions also address this
issue.
Breaking Changes:
Bazel BUILD files now reference repositories by their canonical names from
the Bazel Central Registry. For example, Abseil is now @abseil-cpp
instead of @com_google_absl, and GoogleTest is now @googletest instead
of @com_google_googletest. Users still using the old WORKSPACE system
may need to use repo_mapping on repositories that still use the old
names. See 90a7ba6 for an example.
Other:
This will be the last release to support C++14. Future releases will
require at least C++17.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 24 Mar 2025 10:35:51 +0000 (11:35 +0100)]
util-linux: Update to version 2.41
- Update from version 2.40.2 to 2.41
- Update of rootfile for all three architectures. This time confirmed that all three
have been edited to remove the + additions to lines.
- There are two new commands available, bits and coresched. I have commented both of
these out as they are new and have therefore never been used in the past. If they
are something that should be used in IPFire then the lines can always be uncommented.
- Changelog
2.41
Release highlights - full list of all changes is too large to put here (~1400
lines). The details can be found in the source tarball
/Documentation/releases/v2.41-ReleaseNotes file.
agetty:
- Fixed an issue where issue files were not being printed from additional
locations, such as /run or /usr/lib. This change now allows for the use of
local information from /etc, in addition to generated files from /run and
distribution-specific files from /usr/lib.
cfdisk and sfdisk:
- Added support for the --sector-size command line option.
sfdisk:
- Added a new option, --discard-free.
fdisk:
- Added a new command, 'T', to discard sectors.
chrt:
- The --sched-runtime now supports SCHED_{OTHER,BATCH} policies.
column:
- Can now handle ANSI SGR colors inside OSC 8 hyperlink escape codes and
sequences.
enosys:
- Can now dump defined filters.
libmount:
- Added experimental support for statmount() and listmount() syscalls.
- This new functionality can be accessed using "findmnt --kernel=listmount".
- Added a new mount option, X-mount.nocanonicalize[=source|target].
- Added new mount extensions to the "ro" flag (ro[=vfs,fs]).
- Added a new option, X-mount.noloop, to disable automatic loop device
creation.
- Now supports bind symlinks over symlinks.
- Reads all kernel info/warning/error messages from new API syscalls (and
mount(8) prints them).
libuuid:
- Now supports RFC9562 UUIDs.
findmnt, lsblk, and lsfd:
- Added a new --hyperlink command line option to print paths as terminal
hyperlinks.
findmnt:
- Can now address filesystems using --id and --uniq-id (requires listmount()
kernel support).
flock:
- Added support for the --fcntl command line option.
hardlink:
- Can now prioritize specified trees on the command line using
--prioritize-trees.
- Can exclude sub-trees using --exclude-subtree or keep them in the current
mount using --mount.
- Duplicates can now be printed using --list-duplicates.
hwclock:
- Added a new --param-index option to address position for
RTC_PARAM_{GET,SET} ioctls.
kill:
- Can now decode signal masks (e.g. as used in /proc) to signal names.
libblkid:
- Made many changes to improve detection, including exfat, GPT, LUKS2,
bitlocker, etc.
login:
- Added support for LOGIN_ENV_SAFELIST in /etc/login.def.
lsfd:
- Now supports pidfs and AF_VSOCK sockets.
lsipc, ipcmk, ipcrm:
- Now supports POSIX ipc.
lslogins:
- Now supports lastlog2.
lsns:
- Added support for the --filter option.
build by meson:
- Now supports translated man pages and has fixed many bugs.
mkswap:
- The option --file should now be usable on btrfs.
nsenter:
- Improved support for pidfd and can now join target process's socket net
namespace.
scriptlive:
- Added a new option, --echo <never|always|auto>.
zramctl:
- Now supports COMP-RATIO and --algorithm-params.
2.40.4
libmount:
- Revert "libmount: exec mount helpers with posixly correct argument order"
po:
- merge changes
po-man:
- merge changes
- Fix table formatting
2.40.3
agetty:
- Prevent cursor escape
- add "systemd" to --version output
- fix ambiguous ‘else’ [-Werror=dangling-else]
audit-arch.h:
- add defines for m68k, sh
autotools:
- Check for BPF_OBJ_NAME_LEN (required by lsfd)
- add --disable-enosys, check for linux/audit.h
- add Libs.private to uuid.pc
- allow enabling dmesg with --disable-all-programs
- allow enabling lsblk with --disable-all-programs
- check for sys/vfs.h and linux/bpf.h
- fix securedir and pam_lastlog2 install
bash-completion:
- add `--pty` and `--no-pty` options for `su` and `runuser`
- complete `--user` only for `runuser`, not for `su`
chcpu(8):
- Document CPU deconfiguring behavior
- Fix typo
ci:
- bump coveralls compiler version to gcc 13
doc:
- fsck.8.adoc - fix email typo
docs:
- update AUTHORS file
fdisk:
- (man) improve --sector-size description
- fix SGI boot file prompt
- fix fdisk_sgi_set_bootfile return value
- fix sgi_check_bootfile name size minimum
- fix sgi_menu_cb return value
fincore:
- Use correct syscall number for cachestat on alpha
fstab.5 mount:
- fstab.5 mount.8 add note about field separator
hardlink:
- fix memory corruption (size calculation)
- hardlink.1 directory|file is mandatory
hwclock:
- Remove ioperm declare as it causes nested extern declare warning
lib/env:
- fix env_list_setenv() for strings without '='
libblkid:
- (exfat) validate fields used by prober
- (gpt) use blkid_probe_verify_csum() for partition array checksum
- add FSLASTBLOCK for swaparea
- bitlocker add image for Windows 7+ BitLocker
- bitlocker fix version on big-endian systems
- improve portability
libfdisk:
- make sure libblkid uses the same sector size
libmount:
- exec mount helpers with posixly correct argument order
- extract common error handling function
- propagate first error of multiple filesystem types
libmount/context_mount:
- fix argument number comments
logger:
- correctly format tv_usec
lscpu:
- Skip aarch64 decode path for rest of the architectures
- make code more readable
lslocks:
- remove deadcode [coverity scan]
lsns:
- ignore ESRCH errors reported when accessing files under /proc
man pages:
- document `--user` option for `runuser`
- use `user` rather than `username`
meson:
- check for BPF_OBJ_NAME_LEN and linux/bpf.h
mkswap:
- set selinux label also when creating file
more:
- make sure we have data on stderr
nsenter:
- support empty environ[]
partx:
- Fix example in man page
po:
- merge changes
- update de.po (from translationproject.org)
- update ja.po (from translationproject.org)
- update pt_BR.po (from translationproject.org)
- update sr.po (from translationproject.org)
- update zh_CN.po (from translationproject.org)
po-man:
- add missing langs to po4a.cfg
- fix typo, update .gitignore
- merge changes
- update fr.po (from translationproject.org)
- update pt_BR.po (from translationproject.org)
tests:
- fdisk/bsd Update expected output for alpha
umount, losetup:
- Document loop destroy behavior
uuidd:
- fix /var/lib/libuuid mode uuidd-tmpfiles.conf
- fix typo in tmpfiles.conf
- fix /var/lib/libuuid mode uuidd-tmpfiles.conf
- fix typo in tmpfiles.conf
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 23 Mar 2025 17:34:28 +0000 (18:34 +0100)]
tzdata: Update to version 2025b
- Update from version 2025a to 2025b
- Update of rootfile
- Changelog
2025b
Briefly:
New zone for Aysén Region in Chile which moves from -04/-03 to -03.
Changes to future timestamps
Chile's Aysén Region moves from -04/-03 to -03 year-round, joining
Magallanes Region. The region will not change its clocks on
2025-04-05 at 24:00, diverging from America/Santiago and creating a
new zone America/Coyhaique. (Thanks to Yonathan Dossow.) Model
this as a change to standard offset effective 2025-03-20.
Changes to past timestamps
Iran switched from +04 to +0330 on 1978-11-10 at 24:00, not at
year end. (Thanks to Roozbeh Pournader.)
Changes to code
'zic -l TIMEZONE -d . -l /some/other/file/system' no longer
attempts to create an incorrect symlink, and no longer has a
read buffer underflow. (Problem reported by Evgeniy Gorbanev.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 23 Mar 2025 17:31:14 +0000 (18:31 +0100)]
shadow: Update to version 4.17.4
- Update from version 4.17.3 to 4.17.4
- Update of rootfile not required
- Changelog
4.17.4
Revert "lib/, src/: Use local time for human-readable dates"
lib/getdate.y: Ignore time-zone information and use UTC
src/chfn.c: Partially revert "lib/, src/: Use strsep(3) instead of its pattern"
src/chfn.c: Use stpsep() instead of its pattern
src/chfn.c: Add local variable to refer to the separated field
src/chfn.c: copy_field(): Rename local variable
lib/commonio.c: Rely on the POSIX.1-2008 behavior of realpath(3)
lib/fs/readlink/: readlinknul(): Use ssize_t to simplify
autogen.sh: Promote -Wsign-compare to an error
lib/sizeof.h: ssizeof(): Add signed variant of sizeof
src/lastlog.c: Use ssizeof() to avoid a -Wsign-compare diagnostic
tests/unit/test_xasprintf.c: Fix sign-mismatch diagnostic
configure.ac: stop checking for utmp location
configure.ac: be deterministic about passwd location
lib/, src/: update audit messages
lib/: audit function for groups
src/: update group audit messages
doc/: Remove list of distributions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 23 Mar 2025 17:26:04 +0000 (18:26 +0100)]
libusb: Update to version 1.0.28
- Update from version 1.0.27 to 1.0.28
- Update of rootfile
- Changelog
1.0.28
* New libusb_get_ssplus_usb_device_capability_descriptor API
for query of SuperSpeed+ Capability Descriptors
* API support for reporting USB 3.2 Gen2x2 speeds
* macOS: Fix Zero-Length Packet for multiple packets per frame
* Windows: Base HID device descriptor on OS-cached values
* Build fixes for Haiku and SunOS
* Many code correctness fixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 12 Mar 2025 11:03:22 +0000 (12:03 +0100)]
sources: Update ipblocklist with Threatview.io IP list
- Blocklist addition was discussed and agreed at IPFire dev conf call in March 2025.
- Tested on vm system.
- Adjusted the entry alignment for the three 3coresec entries as they had used tabs and
all the rest used spaces for alignment. Now all entries are lined up the same.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 12 Mar 2025 14:46:10 +0000 (15:46 +0100)]
ipblocklist-functions.pl: Specify an IPFire user agent for the downloads
- As discussed at the IPFire conf call in March 2025, this patch provides an IPFire
specific User Agent string for the IP Block Lists downloads using LWP::UserAgent.
- It turned out that there was already a function in general-functions.pl that creates
an IPFire User Agent string. This was used for this IP Blocklist download.
- Currently it gave me the string IPFire/2.29/192.
- This was tested out with the Threatview.io IP blocklist download and it worked fine.
- If this patch is approved and merged then I will contact Threatview.io to let them
know what our User Agent string is.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Mar 2025 13:30:45 +0000 (14:30 +0100)]
mpfr: Update to version 4.2.2
- Update from version 4.2.1 to 4.2.2
- Update of rootfile
- Changelog
4.2.2
- In order to resolve a portability issue with the _Float128 fallback to
__float128 for binary128 support (e.g. with Clang and glibc 2.41), the
prototypes of the corresponding conversion functions had to be changed,
with _Float128 replaced by mpfr_float128, where mpfr_float128 is a macro
defined as _Float128 by default. This changes neither the ABI nor the API
(except that the end user of MPFR would need to define mpfr_float128 as
the actual type for the binary128 format if this is not the standard
_Float128 type).
- Other bug fixes (see <https://www.mpfr.org/mpfr-4.2.1/#fixed> and/or the
ChangeLog file). In particular, the formatted output functions behaved
incorrectly with %c on the value 0; such a use is uncommon, but this bug
may have security implications.
- Improved MPFR manual.
- Detect the use of GMP's buggy vsnprintf replacement at configure time.
With it, the tests of "%a" will be disabled to avoid an assertion failure
in the MPFR testsuite. A warning will be displayed in the configure output
in such a case.
Also, note that due to new tests related to the fix of the formatted
output functions with %c on the value 0, failures in the tfprintf and
tsprintf tests may be observed if GMP has been built with its vsnprintf
replacement (i.e. if GMP detected at configure time that the vsnprintf
function from the C library is buggy/non-conforming). This is due to a
bug in the vsnprintf replacement from GMP 6.3.0 (official tarball) and
below. This could be observed on MS Windows and OpenBSD. To get rid of
these failures, either use a fixed version (recommended!) or build the
MPFR tests with the MPFR_TESTS_SKIP_CHECK_NULL macro defined.
See the INSTALL file for other details.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 21 Mar 2025 10:24:56 +0000 (11:24 +0100)]
samba: Update to version 4.22.0
- Update from version 4.21.4
- Update of rootfile for all three architectures
- Changelog
4.22.0
NEW FEATURES/CHANGES
SMB3 Directory Leases
Starting with Samba 4.22 SMB3 Directory Leases are supported. The new
global option "smb3 directory leases" controls whether the feature is
enabled or not. By default, SMB3 Directory Leases are enabled on
non-clustered Samba and disabled on clustered Samba, based on the
"clustering" option. See man smb.conf for more details.
SMB3 Directory Leases allow clients to cache directory listings and,
depending on the workload, result in a decent reduction in SMB
requests from clients.
Netlogon Ping over LDAP and LDAPS
Samba must query domain controller information via simple queries on
the AD rootdse's netlogon attribute. Typically this is done via
connectionless LDAP, using UDP on port 389. The same information is
also available via classic LDAP rootdse queries over TCP. Samba can
now be configured to use TCP via the new "client netlogon ping
protocol" parameter to enable running in environments where firewalls
completely block port 389 or UDP traffic to domain controllers.
Experimental Himmelblaud Authentication in Samba
Samba now includes experimental support for Azure Entra ID
authentication via `himmelblaud`, located in the `rust/` directory.
This implementation provides basic authentication and is configured
through `smb.conf`, utilizing options such as `realm`,
`winbindd_socket_directory`, and `template_homedir`. New global
parameters include `himmelblaud_sfa_fallback`,
`himmelblaud_hello_enabled`, and `himmelblaud_hsm_pin_path`.
To enable, configure Samba with `--enable-rust --with-himmelblau`.
AD DC schema upgrade and provision performance improvements
By increasing the LDB index cache size for certain offline operations
that are likely to require large transactions, these are now several
times faster.
REMOVED FEATURES
The "nmbd proxy logon" feature was removed. This was used before
Samba4 acquired a NBT server.
The parameter "cldap port" has been removed. CLDAP runs over UDP port
389; we don't see a reason why this should ever be changed to a
different port. Moreover, we had several places in the code where
Samba did not respect this parameter, so the behaviour was at least
inconsistent.
fruit:posix_rename
This option of the vfs_fruit VFS module that could be used to enable
POSIX directory rename behaviour for OS X clients has been removed
as it could result in severe problems for Windows clients.
As a possible workaround it is possible to prevent creation of
.DS_Store files (a Finder thingy to store directory view settings)
on network mounts by running
$ defaults write com.apple.desktopservices DSDontWriteNetworkStores true
on the Mac.
smb.conf changes
Parameter Name                   Description     Default
--------------                   -----------     -------
smb3 directory leases            New             Auto
vfs mkdir use tmp name           New             Auto
client netlogon ping protocol    New             cldap
himmelblaud hello enabled        New             no
himmelblaud hsm pin path         New             default hsm pin path
himmelblaud sfa fallback         New             no
client use krb5 netlogon         Experimental    no
reject aes netlogon servers      Experimental    no
server reject aes schannel       Experimental    no
server support krb5 netlogon     Experimental    no
fruit:posix_rename               Removed
cldap port                       Removed
CHANGES SINCE 4.22.0rc4
* BUG 15801: `NT_STATUS_ACCESS_DENIED making remote directory` on OpenBSD.
* BUG 15797: Unable to connect to CephFS subvolume shares with
vfs_shadow_copy2.
* BUG 15820: Incorrect FSF address in ctdb pcp scripts.
* BUG 15804: "samba-tool domain backup offline" hangs.
CHANGES SINCE 4.22.0rc3
* BUG 15815: client use krb5 netlogon is experimental and should not be used
in production.
CHANGES SINCE 4.22.0rc2
* BUG 15738: Creation of GPOs applicable to more than one group is impossible
with Samba 4.20.0 and later.
* BUG 15806: samba-tool acl commands broken for relative path names.
* BUG 15807: pysmbd seg faults when file is not found.
* BUG 15796: Spotlight search results don't show file size and creation date.
* BUG 15759: net ads create/join/winbind producing unix dysfunctional
keytabs.
* BUG 15680: Trust domains are not created.
* BUG 15703: General improvements for vfs_ceph_new module.
CHANGES SINCE 4.22.0rc1
* BUG 15798: libnet4: seg fault after dc lookup failure
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>