Michael Tremer [Tue, 27 Jun 2023 09:55:20 +0000 (09:55 +0000)]
core176: Re-ship lots of stuff that is still linked against OpenSSL 1.1.1
There are no functional changes in these files, but they are however
linked against OpenSSL 1.1.1 and need to be re-shipped before we remove
the legacy library.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This cannot be done, yet, because an updated system still has hundreds
of files using the old libraries. Those will have to be re-shipped first
before we actually remove OpenSSL 1.1.1.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 25 Jun 2023 21:04:19 +0000 (21:04 +0000)]
CUPS: Update to 2.4.6
Several security-relevant bugs have been fixed since version 2.4.2,
please refer to https://github.com/OpenPrinting/cups/releases for the
respective changelogs.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Fri, 24 Mar 2023 15:49:22 +0000 (15:49 +0000)]
proxy: Skip VPNs that route everything for proxy.pac
The function tries to figure out which networks are connected locally,
but VPN tunnels that use 0.0.0.0 and GRE/VTI interfaces will be
considered local and the proxy is being disabled for everyone.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:21 +0000 (20:43 +0200)]
go: Update to version 1.20.4
- Update from version 1.15.4 to 1.20.4
- Update of x86_64 rootfile
aarch64 rootfile needs to be created on a aarch64 build system
- Changelog is very large. For details see https://go.dev/doc/devel/release
50 mentions of security fixes in the changes from 1.15.4 to 1.20.4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Jon Murphy [Fri, 2 Jun 2023 19:01:16 +0000 (14:01 -0500)]
extrahd.cgi: Fix for Bug #12863
-Fixes remove entries in 'extrahd' via the webinterface for extrahd.cgi file.
Suggested-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Sun, 18 Jun 2023 18:02:10 +0000 (20:02 +0200)]
update.sh: Fixes bug-13151 - removes old 69-dm-lvm-metad.rules file
- In Core Update 175 lvm was updated and 69-dm-lvm-metad.rules was replaced with
69-dm-lvm.rules in the lvm rootfile.
- That previous patch update did not remove the no longer existing 69-dm-lvm-metad.rules
from existing installations. This patch corrects that.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 18 Jun 2023 18:02:09 +0000 (20:02 +0200)]
lvm: Fixes bug-13151 - update 69-dm-lvm.rules
- Redhat updated lvm udev rule 69-dm-lvm.rules to only work with systemd
- Update 69-dm-lvm.rules to work with IPFire based on input from @Daniel of what worked
to mount an existing lvm volume
Suggested-by: Daniel Weismüller <daniel.weismueller@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 16 Jun 2023 18:24:34 +0000 (20:24 +0200)]
pciutils: Update to version 3.10.0
- Update from version 3.9.0 to 3.10.0
- Update of rootfile
- version 3.9.0 failed to output some of the symbols. This was found as a bug in Fedora but
also seen by some people in IPFire CU175 with flashrom where the version 3.3 symbol is
provided.
Fedora made a patch to resolve this issue for 3.9.0 but 3.10.0 has been released since
then and Fedora removed the patch that was used for 2.9.0 as pciutils has had that bug
fixed - see first item in changelog.
- Changelog
Released as 3.10.0.
Fixed bug in definition of versioned symbol aliases
in shared libpci, which made compiling with link-time
optimization fail.
Filters now accept "0x..." syntax for backward compatibility.
Windows: The cfgmgr32 back-end which provides the list of devices
can be combined with another back-end which provides access
to configuration space.
ECAM (Enhanced Configuration Access Mechanism), which is defined
by the PCIe standard, is now supported. It requires root privileges,
access to physical memory, and also manual configuration on some
systems.
lspci: Tree view now works on multi-domain systems. It now respects
filters properly.
Last but not least, pci.ids were updated to the current snapshot
of the database. This includes overall cleanup of entries with
non-ASCII characters in their names -- such characters are allowed,
but only if they convey interesting information (e.g., umlauts
in German company names, but not the "registered trade mark" sign).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 30 May 2023 11:13:41 +0000 (13:13 +0200)]
ovpnmain.cgi: Fix Bug#13136 - Allow spaces when editing a static ip address pool name
- This was fixed for creating a static ip address pool name in bug#12865 but was not
applied to the case when the static ip address pool name was being edited.
- This fix corrects that oversight.
Fixes: Bug#13136 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Matthias Fischer [Fri, 16 Jun 2023 15:52:08 +0000 (17:52 +0200)]
suricata: Update to 6.0.13
Excerpt from changelog:
"6.0.13 -- 2023-06-15
Security #6119: datasets: absolute path in rules can overwrite arbitrary files (6.0.x backport)
Bug #6138: Decode-events of IPv6 packets are not triggered (6.0.x backport)
Bug #6136: suricata-update: dump-sample-configs: configuration files not found (6.0.x backport)
Bug #6125: http2: cpu overconsumption in rust moving/memcpy in http2_parse_headers_blocks (6.0.x backport)
Bug #6113: ips: txs still logged for dropped flow (6.0.x backport)
Bug #6056: smtp: long line discard logic should be separate for server and client (6.0.x backport)
Bug #6055: ftp: long line discard logic should be separate for server and client (6.0.x backport)
Bug #5990: smtp: any command post a long command gets skipped (6.0.x backport)
Bug #5982: smtp: Long DATA line post boundary is capped at 4k Bytes (6.0.x backport)
Bug #5809: smb: convert transaction list to vecdeque (6.0.x backport)
Bug #5604: counters: tcp.syn, tcp.synack, tcp.rst depend on flow (6.0.x backport)
Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport)
Task #5984: libhtp 0.5.44 (6.0.x backport)
Documentation #6134: userguide: add instructions/explanation for (not) running suricata with root (6.0.x backport)
Documentation #6121: datasets: 6.0.x work-arounds for dataset supply chain attacks"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 Jun 2023 19:55:01 +0000 (21:55 +0200)]
vpnmain.cgi: unique_subject = yes in index.txt.attr for first attempt with fresh install
- The patches for Bug#13138
https://patchwork.ipfire.org/project/ipfire/patch/20230603140541.13834-1-adolf.belka@ipfire.org/
https://patchwork.ipfire.org/project/ipfire/patch/20230606104050.8290-1-adolf.belka@ipfire.org/
work for an update to Core Update 175 but a fresh install of CU175 will still fail with
the error when creating the root/host certificate set for the first time.
- This patch ensures that the unique_subject = yes line is addeed to index.txt.attr
when the root/host certificate set is attempted to be created or is uploaded also for
the first attempt.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated from version 20230214 to 20230512-rev2 where the source tarball is named version 20230613
- Update of rootfile
- Changelog details for versions 20230512 and 20230512-rev2 can be found at
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 9 Jun 2023 21:10:10 +0000 (23:10 +0200)]
transmission: Update to version 4.0.3
- Update from version 3.00 to 4.0.3
- This v2 version has usr/share/transmission directory uncommented.
- Update of rootfile
- Build changed from autotools configure to cmake
- Changelog is very large. For details see
https://github.com/transmission/transmission/releases/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 24 May 2023 09:08:41 +0000 (09:08 +0000)]
misc-progs: setuid: Return exit code from called process
This patch will return the exit code from the called process which has
not been done before. This made it more difficult to catch any
unsuccessful calls from the web UI.
Partly Fixes: #12863 Tested-by: Jon Murphy <jon.murphy@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 20 May 2023 12:10:48 +0000 (14:10 +0200)]
wavemon: Update to version 0.9.4
- Update from version 0.7.5 to 0.9.4
- Update of rootfile
- wavemon would not build because it could not find the netlink include files. wavemon was
still looking in include/netlink/ as for libnl version 1 but with libnl3 the include
files are in include/libnl3/netlink/
- Based on an issue entry in the wavemon github repo I created the patch to force wavemon
to look in the correct place.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 20 May 2023 12:10:46 +0000 (14:10 +0200)]
tmux: Update to version 3.3a
- Update from version 3.3 to 3.3a
- Update of rootfile not required
- Changelog
CHANGES FROM 3.3 TO 3.3a
* Do not crash when run-shell produces output from a config file.
* Do not unintentionally turn off all mouse mode when button mode is also
present.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 20 May 2023 12:10:45 +0000 (14:10 +0200)]
stunnel: Update to version 5.69
- Update from version 5.63 to 5.69
- Update of rootfile not required
- Changelog
Version 5.69, 2023.03.04, urgency: MEDIUM
* New features
- Improved logging performance with the "output" option.
- Improved file read performance on the WIN32 platform.
- DH and kDHEPSK ciphersuites removed from FIPS defaults.
- Set the LimitNOFILE ulimit in stunnel.service to allow
for up to 10,000 concurrent clients.
* Bugfixes
- Fixed the "CApath" option on the WIN32 platform by
applying https://github.com/openssl/openssl/pull/20312.
- Fixed stunnel.spec used for building rpm packages.
- Fixed tests on some OSes and architectures by merging
Debian 07-tests-errmsg.patch (thx to Peter Pentchev).
Version 5.68, 2023.02.07, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.8.
* New features
- Added the new 'CAengine' service-level option
to load a trusted CA certificate from an engine.
- Added requesting client certificates in server
mode with 'CApath' besides 'CAfile'.
- Improved file read performance.
- Improved logging performance.
* Bugfixes
- Fixed EWOULDBLOCK errors in protocol negotiation.
- Fixed handling TLS errors in protocol negotiation.
- Prevented following fatal TLS alerts with TCP resets.
- Improved OpenSSL initialization on WIN32.
- Improved testing suite stability.
Version 5.67, 2022.11.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.7.
* New features
- Provided a logging callback to custom engines.
* Bugfixes
- Fixed "make cert" with OpenSSL older than 3.0.
- Fixed the code and the documentation to use conscious
language for SNI servers (thx to Clemens Lang).
Version 5.66, 2022.09.11, urgency: MEDIUM
* New features
- OpenSSL 3.0 FIPS Provider support for Windows.
* Bugfixes
- Fixed building on machines without pkg-config.
- Added the missing "environ" declaration for
BSD-based operating systems.
- Fixed the passphrase dialog with OpenSSL 3.0.
Version 5.65, 2022.07.17, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.5.
* Bugfixes
- Fixed handling globally enabled FIPS.
- Fixed openssl.cnf processing in WIN32 GUI.
- Fixed a number of compiler warnings.
- Fixed tests on older versions of OpenSSL.
Version 5.64, 2022.05.06, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.3.
* New features
- Updated the pkcs11 engine for Windows.
* Bugfixes
- Removed the SERVICE_INTERACTIVE_PROCESS flag in
"stunnel -install".
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:52 +0000 (19:04 +0200)]
stress: Update to version 1.0.7
- Update from version 1.0.5 to 1.0.7
- Update of rootfile not required
- Changelog
Version 1.0.7
* Check for sys/prctl.h availability, because non-Linux
architectures don't provide <sys/prctl.h>.
* Improved GitHub CI:
- Added CI test for macOS.
- Added a check for stress command.
- Added a test for 'make dist-bzip2'.
* Moved manpage from doc/ to man/.
Version 1.0.6
* Register parent termination signal in child processes.
* Added 'make dist' check in CI test.
* Added rights for Vratislav Bendel.
* Re-organized src/stress.c via astyle command.
* Updated GPL-2 license text for src/stress.c.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:51 +0000 (19:04 +0200)]
strace: Update to version 6.3
- Update from version 6.1 to 6.3
- Update of rootfile not required
- Changelog
Noteworthy changes in release 6.3 (2023-05-08)
* Improvements
* Implemented --trace-fds=set option for filtering only the syscalls
that operate on the specified set of file descriptors.
* Implemented --decode-fds=signalfd option for decoding of signal masks
associated with signalfd file descriptors.
* Implemented --syscall-limit option to automatically detach tracees
after capturing the specified number of syscalls.
* Implemented --argv0 option to set argv[0] of the command being executed.
* Implemented decoding of PR_GET_MDWE and PR_SET_MDWE operations of prctl
syscall.
* Implemented decoding of IP_LOCAL_PORT_RANGE socket option.
* Implemented decoding of IFLA_BRPORT_MCAST_N_GROUPS,
IFLA_BRPORT_MCAST_MAX_GROUPS, IFLA_GSO_IPV4_MAX_SIZE,
IFLA_GRO_IPV4_MAX_SIZE, and TCA_EXT_WARN_MSG netlink attributes.
* Updated lists of F_SEAL_*, IFLA_*, IORING_*, MFD_*, NFT_*, TCA_*,
and V4L2_PIX_FMT_* constants.
* Updated lists of ioctl commands from Linux 6.3.
* Bug fixes
* Fixed build on hppa with uapi headers from Linux >= 6.2.
* Fixed --status filtering when -c option is in use.
Noteworthy changes in release 6.2 (2023-02-26)
* Improvements
* Implemented collision resolution for overlapping ioctl commands
from tty and snd subsystems.
* Implemented decoding of IFLA_BRPORT_MAB and IFLA_DEVLINK_PORT
netlink attributes.
* Updated lists of ALG_*, BPF_*, IFLA_*, KEY_*, KVM_*, LANDLOCK_*,
MEMBARRIER_*, NFT_*, NTF_*, and V4L2_* constants.
* Updated lists of ioctl commands from Linux 6.2.
* Bug fixes
* Fixed build on alpha architecture.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:50 +0000 (19:04 +0200)]
nginx: Update to version 1.24.0
- Update from version 1.22.1 to 1.24.0
- Update of rootfile not required
- Changelog (including some CVE's)
Changes with nginx 1.24.0 11 Apr 2023
*) 1.24.x stable branch.
Changes with nginx 1.23.4 28 Mar 2023
*) Change: now TLSv1.3 protocol is enabled by default.
*) Change: now nginx issues a warning if protocol parameters of a
listening socket are redefined.
*) Change: now nginx closes connections with lingering if pipelining was
used by the client.
*) Feature: byte ranges support in the ngx_http_gzip_static_module.
*) Bugfix: port ranges in the "listen" directive did not work; the bug
had appeared in 1.23.3.
Thanks to Valentin Bartenev.
*) Bugfix: incorrect location might be chosen to process a request if a
prefix location longer than 255 characters was used in the
configuration.
*) Bugfix: non-ASCII characters in file names on Windows were not
supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
and the "include" directive.
*) Change: the logging level of the "data length too long", "length too
short", "bad legacy version", "no shared signature algorithms", "bad
digest length", "missing sigalgs extension", "encrypted length too
long", "bad length", "bad key update", "mixed handshake and non
handshake data", "ccs received early", "data between ccs and
finished", "packet length too long", "too many warn alerts", "record
too small", and "got a fin before a ccs" SSL errors has been lowered
from "crit" to "info".
*) Bugfix: a socket leak might occur when using HTTP/2 and the
"error_page" directive to redirect errors with code 400.
*) Bugfix: messages about logging to syslog errors did not contain
information that the errors happened while logging to syslog.
Thanks to Safar Safarly.
*) Workaround: "gzip filter failed to use preallocated memory" alerts
appeared in logs when using zlib-ng.
*) Bugfix: in the mail proxy server.
Changes with nginx 1.23.3 13 Dec 2022
*) Bugfix: an error might occur when reading PROXY protocol version 2
header with large number of TLVs.
*) Bugfix: a segmentation fault might occur in a worker process if SSI
was used to process subrequests created by other modules.
Thanks to Ciel Zhao.
*) Workaround: when a hostname used in the "listen" directive resolves
to multiple addresses, nginx now ignores duplicates within these
addresses.
*) Bugfix: nginx might hog CPU during unbuffered proxying if SSL
connections to backends were used.
Changes with nginx 1.23.2 19 Oct 2022
*) Security: processing of a specially crafted mp4 file by the
ngx_http_mp4_module might cause a worker process crash, worker
process memory disclosure, or might have potential other impact
(CVE-2022-41741, CVE-2022-41742).
*) Feature: the "$proxy_protocol_tlv_..." variables.
*) Feature: TLS session tickets encryption keys are now automatically
rotated when using shared memory in the "ssl_session_cache"
directive.
*) Change: the logging level of the "bad record type" SSL errors has
been lowered from "crit" to "info".
Thanks to Murilo Andrade.
*) Change: now when using shared memory in the "ssl_session_cache"
directive the "could not allocate new session" errors are logged at
the "warn" level instead of "alert" and not more often than once per
second.
*) Bugfix: nginx/Windows could not be built with OpenSSL 3.0.x.
*) Bugfix: in logging of the PROXY protocol errors.
Thanks to Sergey Brester.
*) Workaround: shared memory from the "ssl_session_cache" directive was
spent on sessions using TLS session tickets when using TLSv1.3 with
OpenSSL.
*) Workaround: timeout specified with the "ssl_session_timeout"
directive did not work when using TLSv1.3 with OpenSSL or BoringSSL.
Changes with nginx 1.23.1 19 Jul 2022
*) Feature: memory usage optimization in configurations with SSL
proxying.
*) Feature: looking up of IPv4 addresses while resolving now can be
disabled with the "ipv4=off" parameter of the "resolver" directive.
*) Change: the logging level of the "bad key share", "bad extension",
"bad cipher", and "bad ecpoint" SSL errors has been lowered from
"crit" to "info".
*) Bugfix: while returning byte ranges nginx did not remove the
"Content-Range" header line if it was present in the original backend
response.
*) Bugfix: a proxied response might be truncated during reconfiguration
on Linux; the bug had appeared in 1.17.5.
Changes with nginx 1.23.0 21 Jun 2022
*) Change in internal API: now header lines are represented as linked
lists.
*) Change: now nginx combines arbitrary header lines with identical
names when sending to FastCGI, SCGI, and uwsgi backends, in the
$r->header_in() method of the ngx_http_perl_module, and during lookup
of the "$http_...", "$sent_http_...", "$sent_trailer_...",
"$upstream_http_...", and "$upstream_trailer_..." variables.
*) Bugfix: if there were multiple "Vary" header lines in the backend
response, nginx only used the last of them when caching.
*) Bugfix: if there were multiple "WWW-Authenticate" header lines in the
backend response and errors with code 401 were intercepted or the
"auth_request" directive was used, nginx only sent the first of the
header lines to the client.
*) Change: the logging level of the "application data after close
notify" SSL errors has been lowered from "crit" to "info".
*) Bugfix: connections might hang if nginx was built on Linux 2.6.17 or
newer, but was used on systems without EPOLLRDHUP support, notably
with epoll emulation layers; the bug had appeared in 1.17.5.
Thanks to Marcus Ball.
*) Bugfix: nginx did not cache the response if the "Expires" response
header line disabled caching, but following "Cache-Control" header
line enabled caching.
Changes with nginx 1.21.6 25 Jan 2022
*) Bugfix: when using EPOLLEXCLUSIVE on Linux client connections were
unevenly distributed among worker processes.
*) Bugfix: nginx returned the "Connection: keep-alive" header line in
responses during graceful shutdown of old worker processes.
*) Bugfix: in the "ssl_session_ticket_key" when using TLSv1.3.
Changes with nginx 1.21.5 28 Dec 2021
*) Change: now nginx is built with the PCRE2 library by default.
*) Change: now nginx always uses sendfile(SF_NODISKIO) on FreeBSD.
*) Feature: support for sendfile(SF_NOCACHE) on FreeBSD.
*) Feature: the $ssl_curve variable.
*) Bugfix: connections might hang when using HTTP/2 without SSL with the
"sendfile" and "aio" directives.
Changes with nginx 1.21.4 02 Nov 2021
*) Change: support for NPN instead of ALPN to establish HTTP/2
connections has been removed.
*) Change: now nginx rejects SSL connections if ALPN is used by the
client, but no supported protocols can be negotiated.
*) Change: the default value of the "sendfile_max_chunk" directive was
changed to 2 megabytes.
*) Feature: the "proxy_half_close" directive in the stream module.
*) Feature: the "ssl_alpn" directive in the stream module.
*) Feature: the $ssl_alpn_protocol variable.
*) Feature: support for SSL_sendfile() when using OpenSSL 3.0.
*) Feature: the "mp4_start_key_frame" directive in the
ngx_http_mp4_module.
Thanks to Tracey Jaquith.
*) Bugfix: in the $content_length variable when using chunked transfer
encoding.
*) Bugfix: after receiving a response with incorrect length from a
proxied backend nginx might nevertheless cache the connection.
Thanks to Awdhesh Mathpal.
*) Bugfix: invalid headers from backends were logged at the "info" level
instead of "error"; the bug had appeared in 1.21.1.
*) Bugfix: requests might hang when using HTTP/2 and the "aio_write"
directive.
Changes with nginx 1.21.3 07 Sep 2021
*) Change: optimization of client request body reading when using
HTTP/2.
*) Bugfix: in request body filters internal API when using HTTP/2 and
buffering of the data being processed.
Changes with nginx 1.21.2 31 Aug 2021
*) Change: now nginx rejects HTTP/1.0 requests with the
"Transfer-Encoding" header line.
*) Change: export ciphers are no longer supported.
*) Feature: OpenSSL 3.0 compatibility.
*) Feature: the "Auth-SSL-Protocol" and "Auth-SSL-Cipher" header lines
are now passed to the mail proxy authentication server.
Thanks to Rob Mueller.
*) Feature: request body filters API now permits buffering of the data
being processed.
*) Bugfix: backend SSL connections in the stream module might hang after
an SSL handshake.
*) Bugfix: the security level, which is available in OpenSSL 1.1.0 or
newer, did not affect loading of the server certificates when set
with "@SECLEVEL=N" in the "ssl_ciphers" directive.
*) Bugfix: SSL connections with gRPC backends might hang if select,
poll, or /dev/poll methods were used.
*) Bugfix: when using HTTP/2 client request body was always written to
disk if the "Content-Length" header line was not present in the
request.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:49 +0000 (19:04 +0200)]
mpfr: Update with latest bug patches
- Update version 4.2.0 from 4 bug patches to 9 bug patches
- Update of rootfile not required
- Bug fix changelog
5 The mpfr_reldiff function, which computes |b−c|/b, is buggy on special values,
e.g. on the following (b,c) values: (+Inf,+Inf) gives ±0 instead of NaN (like
NaN/Inf); (+0,+0) gives 1 instead of NaN (like 0/0); (+0,1) gives 1 instead of
Inf (like 1/0). Moreover, the sign of 0 for (+Inf,+Inf) or (−Inf,−Inf) is not
set, i.e. it is just the sign of the destination before the call; as a
consequence, results are not even consistent. These bugs are fixed by the
reldiff patch.
Corresponding changeset in the 4.2 branch: 81e4d4427.
6 The reuse tests are incomplete: the sign of a result zero is not checked, so
that it can miss bugs (one of the mpfr_reldiff bugs mentioned above, in
particular). The tests-reuse patch adds a check of the sign of zero and
contains other minor improvements.
Corresponding changeset in the 4.2 branch: e6d47b8f5.
7 The general code for the power function (mpfr_pow_general internal function) has
two bugs in particular cases: the first one is an incorrect computation of the
error bound when there has been an intermediate underflow or overflow (in such
a case, the computation is performed again with a rescaling, thus with an
additional error term, but there is a bug in the computation of this term), so
that the result may be rounded incorrectly (in particular, a spurious overflow
is possible); the second one occurs in a corner case (destination precision 1,
rounding to nearest, and where the rounded result assuming an unbounded
exponent range would be 2emin−2 and the exact result is larger than this value),
with the only consequence being a missing underflow exception (the underflow
flag is not set). These two bugs are fixed by the pow_general patch, which also
provides testcases.
Note: The second bug was introduced by commit 936df8ef6 in MPFR 4.1.0 (the code
simplification was incorrect, and there were no associated tests in the
testsuite).
Corresponding changesets in the 4.2 branch: 85bc7331c, 5fa407a6c, 9a16c173e.
8 The mpfr_compound_si function can take a huge amount of memory and time in some
cases (when the argument x is a large even integer and xn is represented exactly
in the target precision) and does not correctly detect overflows and underflows.
This is fixed by the compound patch, which also provides various tests.
Corresponding changesets in the 4.2 branch: 7635c4a35, 74d86a61f, 952fb0f5c, a4894f68d, 7bb748775, f5cb40571, d87459969.
9 MPFR can crash when a formatted output function is called with %.2147483648Rg in
the format string. For instance: mpfr_snprintf (NULL, 0, "%.2147483648Rg\n", x);
This is fixed by the printf_large_prec_for_g patch, which also provides
testcases.
Corresponding changesets in the 4.2 branch: 686f82776, 769ad91a6.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:48 +0000 (19:04 +0200)]
minidlna: Update to version 1.3.2
- Update from version 1.3.0 to 1.3.2
- Update of rootfile not required
- Patch for CVE-2022-26505 is now built into the source tarball
- Changelog
1.3.2 - Released 30-Aug-2022
- Improved DNS rebinding attack protection.
- Added Samsung Neo QLED series (2021) support.
- Added webm/rm/rmvb support.
1.3.1 - Released 11-Feb-2022
- Fixed a potential crash in SSDP request parsing.
- Fixed a configure script failure on some platforms.
- Protect against DNS rebinding attacks.
- Fix an socket leakage issue on some platforms.
- Minor bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 17:04:47 +0000 (19:04 +0200)]
fping: Update to version 5.1
- Update from version 5.0 to 5.1
- Update of rootfile not required
- Changelog
fping 5.1 (2022-02-06)
## Bugfixes and other changes
- Use setcap to specify specific files in fping.spec (#232, thanks @zdyxry)
- Netdata: use host instead name as family label (#226, thanks @k0ste)
- Netdata: use formatstring macro PRId64 (#229, thanks @gsnw)
- Allow -4 option to be given multiple times (#215, thanks @normanr)
- Documentation fix (#208, thanks @timgates42)
- Retain privileges until after privileged setsockopt (#200, thanks @simetnicbr)
- Set bind to source only when option is set (#198, thanks @dinoex)
- Update Azure test pipeline (#197, thanks @gsnw)
- Fix getnameinfo not called properly for IPv4 (#227, thanks @aafbsd)
- Fixed wrong timestamp under Free- and OpenBSD and macOS (#217, thanks @gsnw)
- Documentation updates (#240, thanks @auerswal)
- Updated autotools (autoconf 2.71, automake 1.16.5, libtool 2.4.6)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:53 +0000 (13:47 +0200)]
pam: Update to version 1.5.3
- Update from version 1.5.2 to 1.5.3
- Update of rootfile
- Changelog
Release 1.5.3
* configure: added options to configure stylesheets.
* configure: added --enable-logind option to use logind instead of utmp
in pam_issue and pam_timestamp.
* pam_modutil_getlogin: changed to use getlogin() from libc instead of parsing
utmp.
* Added libeconf support to pam_env and pam_shells.
* Added vendor directory support to pam_access, pam_env, pam_group, pam_faillock,
pam_limits, pam_namespace, pam_pwhistory, pam_sepermit, pam_shells, and pam_time.
* pam_limits: changed to not fail on missing config files.
* pam_pwhistory: added conf= option to specify config file location.
* pam_pwhistory: added file= option to specify password history file location.
* pam_shells: added shells.d support when libeconf and vendordir are enabled.
* Deprecated pam_lastlog: this module is no longer built by default because
it uses utmp, wtmp, btmp and lastlog, but none of them are Y2038 safe,
even on 64bit architectures.
pam_lastlog will be removed in one of the next releases, consider using
pam_lastlog2 (from https://github.com/thkukuk/lastlog2) and/or
pam_wtmpdb (from https://github.com/thkukuk/wtmpdb) instead.
* Deprecated _pam_overwrite(), _pam_overwrite_n(), and _pam_drop_reply() macros
provided by _pam_macros.h; the memory override performed by these macros can
be optimized out by the compiler and therefore can no longer be relied upon.
* Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:52 +0000 (13:47 +0200)]
nettle: Update to version 3.9
- Update from version 3.8.1 to 3.9
- Update of rootfile
- Changelog
NEWS for the Nettle 3.9 release
This release includes bug fixes, several new features, a few
performance improvements, and one performance regression
affecting GCM on certain platforms.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.7 and libhogweed.so.6.7, with sonames
libnettle.so.8 and libhogweed.so.6.
This release includes a rewrite of the C implementation of
GHASH (dating from 2011), as well as the plain x86_64 assembly
version, to use precomputed tables in a different way, with
tables always accessed in the same sequential manner.
This should make Nettle's GHASH implementation side-channel
silent on all platforms, but considerably slower on platforms
without carry-less mul instructions. E.g., benchmarks of the C
implementation on x86_64 showed a slowdown of 3 times.
Bug fixes:
* Fix bug in ecdsa and gostdsa signature verify operation, for
the unlikely corner case that point addition really is point
duplication.
* Fix for chacha on Power7, nettle's assembly used an
instruction only available on later processors. Fixed by
Mamone Tarsha.
* GHASH implementation should now be side-channel silent on
all architectures.
* A few portability fixes for *BSD.
New features:
* Support for the SM4 block cipher, contributed by Tianjia
Zhang.
* Support for the Balloon password hash, contributed by Zoltan
Fridrich.
* Support for SIV-GCM authenticated encryption mode,
contributed by Daiki Ueno.
* Support for OCB authenticated encryption mode.
* New exported functions md5_compress, sha1_compress,
sha256_compress, sha512_compress, based on patches from
Corentin Labbe.
Optimizations:
* Improved sha256 performance, in particular for x86_64 and
s390x.
* Use GMP's mpn_sec_tabselect, which is implemented in
assembly on many platforms, and delete the similar nettle
function. Gives a modest speedup to all ecc operations.
* Faster poly1305 for x86_64 and ppc64. New ppc code
contributed by Mamone Tarsha.
Miscellaneous:
* New ASM_FLAGS variable recognized by configure.
* Delete all arcfour assembly code. Affects 32-bit x86, 32-bit
and 64-bit sparc.
Known issues:
* Version 6.2.1 of GNU GMP (the most recent GMP release as of
this writing) has a known issue for MacOS on 64-bit ARM: GMP
assembly files use the reserved x18 register. On this
platform it is recommended to use a GMP snapshot where this
bug is fixed, and upgrade to a later GMP release when one
becomes available.
* Also on MacOS, Nettle's testsuite may still break due to
DYLD_LIBRARY_PATH being discarded under some circumstances.
As a workaround, use
* make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:51 +0000 (13:47 +0200)]
libcap: Update to version 2.69
- Update from version 2.67 to 2.69
- Update of rootfile
- Changelog
Release notes for 2.69
2023-05-14 19:10:04 -0700
An audit was performed on libcap and friends by https://x41-dsec.de/
https://x41-dsec.de/news/2023/05/15/libcap-source-code-audit/
The audit (final report, 2023-05-10)
https://drive.google.com/file/d/1lsuC_tQbQ5pCE2Sy_skw0a7hTzQyQh2C/view?usp=sharing
was sponsored by the the Open Source Technology Improvement Fund,
https://ostif.org/ (blog). Five issues were found. Four of them are
addressed in this release. Each issue was labeled in the audit results as
follows:
LCAP-CR-23-01 (SEVERITY) LOW (CVE-2023-2602) - found by David Gstir
LCAP-CR-23-02 (SEVERITY) MEDIUM (CVE-2023-2603) - found by Richard Weinberger
LCAP-CR-23-100 (SEVERITY) NONE
LCAP-CR-23-101 (SEVERITY) NONE
Man page style improvement from Emanuele Torre
Partially revive the ability to build the binaries fully statically.
This was needed to make bleeding edge kernel debugging/testing via
qemu+busybox work again. Addressing an issue I realized only when I
tried to answer this stackexchange question.
https://unix.stackexchange.com/questions/741532/launch-process-with-limited-capabilities-on-minimal-busybox-based-system
Release notes for 2.68
2023-03-25 17:03:17 -0700
Force libcap internal functions to be hidden outside the library (Bug 217014)
Expanded the list of man page (links) to all of the supported API functions.
fixed some formatting issues with the libpsx(3) manpage.
Add support for a markdown preamble and postscript when generating .md
versions of the man pages (Bug 217007)
psx package clean up
fix some copy-paste errors with TestShared()
added a more complete psx testing into this test as well
cap package clean up
drop an unnecessary use of ", _" in the sources
cleaned up cap.NamedCount documentation
Converted goapps/web/README to .md format and fixed the instructions to
indicate go mod tidy is needed.
cap_compare test binary now cleans up after itself (Bug 217018)
Figured out how to cross compile Go programs for arm (i.e. RPi) that use C
code, don't use cgo but do use the psx package (all part of investigating
bug 216610).
Eliminate use of vendor directory
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:50 +0000 (13:47 +0200)]
harfbuzz: Update to version 7.3.0
- Update from 7.2.0 to 7.3.0
- Update of rootfile
- Changelog
Overview of changes leading to 7.3.0
Tuesday, May 9, 2023
- Speedup applying glyph variation in VarComposites fonts (over 40% speedup).
(Behdad Esfahbod)
- Speedup instancing some fonts (over 20% speedup in instancing RobotoFlex).
(Behdad Esfahbod)
- Speedup shaping some fonts (over 30% speedup in shaping Roboto).
(Behdad Esfahbod)
- Support subsetting VarComposites and beyond-64k fonts. (Behdad Esfahbod)
- New configuration macro HB_MINIMIZE_MEMORY_USAGE to favor optimizing memory
usage over speed. (Behdad Esfahbod)
- Supporting setting the mapping between old and new glyph indices during
subsetting. (Garret Rieger)
- Various fixes and improvements.
(Behdad Esfahbod, Denis Rochette, Garret Rieger, Han Seung Min, Qunxin Liu)
- New API:
+hb_subset_input_old_to_new_glyph_mapping()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:49 +0000 (13:47 +0200)]
ethtool: Update to version 6.3
- Update from version 6.2 to 6.3
- Update of rootfile not required
- Changelog
Version 6.3 - May 8, 2023
* Feature: PLCA support (--[gs]et-plca-cfg, --get-plca-status)
* Feature: MAC Merge layer support (--show-mm, --set-mm)
* Feature: pass source of statistics for port stats
* Feature: get/set rx push in ringparams (-g and -G)
* Feature: coalesce tx aggregation parameters (-c and -C)
* Feature: PSE and PD devices (--show-pse, --set-pse)
* Fix: minor fixes of help text (--help)
* Fix: fix build on systems with older system headers
* Fix: fix netlink support when PLCA is not present (no option)
* Fix: fixes for issues found with gcc13 -fanalyzer
* Fix: fix return code in rxclass_rule_ins (-N)
* Fix: more robust argc/argv handling
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 19 May 2023 11:47:47 +0000 (13:47 +0200)]
curl: Update to version 8.1.0
- Update from version 7.88.1 to 8.1.0
- Update of rootfile not required
- Changelog
Fixed in 8.1.0 - May 17 2023
Changes:
curl: add --proxy-http2
CURLPROXY_HTTPS2: for HTTPS proxy that may speak HTTP/2
hostip: refuse to resolve the .onion TLD
tool_writeout: add URL component variables
Bugfixes:
amiga: Fix CA certificate paths for AmiSSL and MorphOS
autotools: sync up clang picky warnings with cmake
aws-sigv4.d: fix region identifier in example
bufq: simplify since expression is always true
cf-h1-proxy: skip an extra NULL assign
cf-h2-proxy: fix processing ingress to stop too early
cf-socket: add socket recv buffering for most tcp cases
cf-socket: Disable socket receive buffer by default
cf-socket: remove dead code discovered by PVS
cf-socket: turn off IPV6_V6ONLY on Windows if it is supported
checksrc: check for spaces before the colon of switch labels
checksrc: find bad indentation in conditions without open brace
checksrc: fix SPACEBEFOREPAREN for conditions starting with "*"
ci: `-Wno-vla` no longer necessary
CI: fix brew retries on GHA
CI: Set minimal permissions on workflow ngtcp2-quictls.yml
CI: skip Azure for commits which change only GHA
CI: use another glob syntax for matching files on Appveyor
cmake: bring in the network library on Haiku
cmake: do not add zlib headers for openssl
CMake: make config version 8 compatible with 7
cmake: picky-linker fixes for openssl, ZLIB, H3 and more
cmake: set SONAME for SunOS too
cmake: speed up and extend picky clang/gcc options
CMakeLists.txt: fix typo for Haiku detection
compressed.d: clarify the words on "not notifying headers"
config-dos.h: fix SIZEOF_CURL_OFF_T for MS-DOS/DJGPP
configure: don't set HAVE_WRITABLE_ARGV on Windows
configure: fix detection of apxs (for httpd)
configure: make quiche require quiche_conn_send_ack_eliciting
connect: fix https connection setup to treat ssl_mode correctly
content_encoding: only do transfer-encoding compression if asked to
cookie: address PVS nits
cookie: clarify that init with data set to NULL reads no file
curl: do NOT append file name to path for upload when there's a query
curl_easy_getinfo.3: typo fix (duplicated "from the")
curl_easy_unescape.3: rename the argument
curl_path: bring back support for SFTP path ending in /~
curl_url_set.3: mention that users can set content rather freely
CURLOPT_IPRESOLVE.3: this for host names, not IP addresses
data.d: emphasize no conversion
digest: clear target buffer
doc: curl_mime_init() strong easy binding was relaxed in 7.87.0
docs/cmdline-opts: document the dotless config path
docs/examples/protofeats.c: outputs all protocols and features
docs/libcurl/curl_*escape.3: rename "url" argument to "input"/"string"
docs/SECURITY-ADVISORY.md: how to write a curl security advisory
docs: bump the minimum perl version to 5.6
docs: clarify that more backends have HTTPS proxy support
dynbuf: never allocate larger than "toobig"
easy_cleanup: require a "good" handle to act
ftp: fix 'portsock' variable was assigned the same value
ftp: remove dead code
ftplistparser: move out private data from public struct
ftplistparser: replace realloc with dynbuf
gen.pl: error on duplicated See-Also fields
getpart: better handle case of file not found
GHA-linux: add an address-sanitizer build
GHA: add a memory-sanitizer job
GHA: run all linux test jobs with valgrind
GHA: suppress git clone output
GIT-INFO: add --with-openssl
gskit: various compile errors in OS400
h2/h3: replace `state.drain` counter with `state.dselect_bits`
hash: fix assigning same value
headers: clear (possibly) lingering pointer in init
hostcheck: fix host name wildcard checking
hostip: add locks around use of global buffer for alarm()
hostip: enforce a maximum DNS cache size independent of timeout value
HTTP-COOKIES.md: mention the #HttpOnly_ prefix
http2: always EXPIRE_RUN_NOW unpaused http/2 transfers
http2: do flow window accounting for cancelled streams
http2: enlarge the connection window
http2: flow control and buffer improvements
http2: move HTTP/2 stream vars into local context
http2: pass `stream` to http2_handle_stream_close to avoid NULL checks
http2: remove unused Curl_http2_strerror function declaration
HTTP3/quiche: terminate h1 response header when no body is sent
http3: check stream_ctx more thoroughly in all backends
HTTP3: document the ngtcp2/nghttp3 versions to use for building curl
http3: expire unpaused transfers in all HTTP/3 backends
http3: improvements across backends
http: free the url before storing a new copy
http: skip a double NULL assign
ipv4.d/ipv6.d: they are "mutex", not "boolean"
KNOWN_BUGS: remove fixed or outdated issues, move non-bugs
lib/cmake: add HAVE_WRITABLE_ARGV check
lib/sha256.c: typo fix in comment (duplicated "is available")
lib1560: verify that more bad host names are rejected
lib: add `bufq` and `dynhds`
lib: remove CURLX_NO_MEMORY_CALLBACKS
lib: unify the upload/method handling
lib: use correct printf flags for sockets and timediffs
libssh2: fix crash in keyboard callback
libssh2: free fingerprint better
libssh: tell it to use SFTP non-blocking
man pages: simplify the .TH sections
MANUAL.md: add dict example for looking up a single definition
md(4|5): don't use deprecated iOS functions
md4: only build when used
mime: skip NULL assigns after Curl_safefree()
multi: add handle asserts in DEBUG builds
multi: add multi-ignore logic to multi_socket_action
multi: free up more data earleier in DONE
multi: remove a few superfluous assigns
multi: remove PENDING + MSGSENT handles from the main linked list
ngtcp2: adapted to 0.15.0
ngtcp2: adjust config and code checks for ngtcp2 without nghttp3
noproxy: pointer to local array 'hostip' is stored outside scope
ntlm: clear lm and nt response buffers before use
openssl: interop with AWS-LC
OS400: fix and complete ILE/RPG binding
OS400: implement EBCDIC support for recent features
OS400: improve vararg emulation
OS400: provide ILE/RPG usage examples
pingpong: fix compiler warning "assigning an enum to unsigned char"
pytest: improvements for suitable curl and error output
quiche: disable pacing while pacing is not actually performed
quiche: Enable IDLE egress handling
RELEASE-PROCEDURE: update to new schedule
rtsp: convert mallocs to dynbuf for RTP buffering
rtsp: skip malformed RTSP interleaved frame data
rtsp: skip NULL assigns after Curl_safefree()
runtests: die if curl version can be found
runtests: don't start servers if -l is given
runtests: fix -c option when run with valgrind
runtests: fix quoting in Appveyor and Azure test integration
runtests: lots of refactoring
runtests: refactor into more packages
runtests: show error message if file can't be written
runtests: spawn a new process for the test runner
rustls: fix error in recv handling
schannel: add clarifying comment
server/getpart: clear target buffer before load
smb: remove double assign
smbserver: remove temporary files before exit
socketpair: verify with a random value
ssh: Add support for libssh2 read timeout
telnet: simplify the implementation of str_is_nonascii()
test1169: fix so it works properly everywhere
test1592: add flaky keyword
test1960: point to the correct path for the precheck tool
test303: kill server after test
tests/http: add timeout to running curl in test cases
tests/http: fix log formatting on wrong exit code
tests/http: fix out-of-tree builds
tests/http: improved httpd detection
tests/http: more tests with specific clients
tests/http: relax connection check in test_07_02
tests/keywords.pl: remove
tests/libtest/lib1900.c: remove
tests/sshserver.pl: Define AddressFamily earlier
tests: 1078 1288 1297 use valid IPv4 addresses
tests: document that the unittest keyword is special
tests: increase sws timeout for more robust testing
tests: log a too-long Unix socket path in sws and socksd
tests: make test_12_01 a bit more forgiving on connection counts
tests: move pidfiles and portfiles under the log directory
tests: move server config files under the pid dir
tests: silence some Perl::Critic warnings in test suite
tests: stop using strndup(), which isn't portable
tests: switch to 3-argument open in test suite
tests: turn perl modules into full packages
tests: use %LOGDIR to refer to the log directory
tool_cb_hdr: Fix 'Location:' formatting for early VTE terminals
tool_operate: pass a long as CURLOPT_HEADEROPT argument
tool_operate: refuse (--data or --form) and --continue-at combo
transfer: refuse POSTFIELDS + RESUME_FROM combo
transfer: skip extra assign
url: fix null dispname for --connect-to option
url: fix PVS nits
url: remove call to Curl_llist_destroy in Curl_close
urlapi: cleanups and improvements
urlapi: detect and error on illegal IPv4 addresses
urlapi: prevent setting invalid schemes with *url_set()
urlapi: skip a pointless assign
urlapi: URL encoding for the URL missed the fragment
urldata: copy CURLOPT_AWS_SIGV4 value on handle duplication
urldata: shrink *select_bits int => unsigned char
vlts: use full buffer size when receiving data if possible
vtls and h2 improvements
Websocket: enhanced en-/decoding
wolfssl.yml: bump to version 5.6.0
write-out.d: Use response_code in example
ws: handle reads before EAGAIN better
Fixed in 8.0.1 - March 20 2023
Bugfixes:
fix crash in curl_easy_cleanup
Fixed in 8.0.0 - March 20 2023
Changes:
build: remove support for curl_off_t < 8 bytes
Bugfixes:
.cirrus.yml: Bump to FreeBSD 13.2
aws_sigv4: fall back to UNSIGNED-PAYLOAD for sign_as_s3
BINDINGS: add Fortran binding
build: drop the use of XC_AMEND_DISTCLEAN
build: fix stdint/inttypes detection with non-autotools
cf-socket: fix handling of remote addr for accepted tcp sockets
cf-socket: if socket is already connected, return CURLE_OK
cf-socket: use port 80 when resolving name for local bind
CI: don't run CI jobs if only another CI was changed
CI: update ngtcp2 and nghttp2 for pytest
cmake: delete unused HAVE__STRTOI64
cmake: fix enabling LDAPS on Windows
cmake: skip CA-path/bundle auto-detection in cross-builds
connect: fix time_connect and time_appconnect timer statistics
cookie: don't load cookies again when flushing
cookie: parse without sscanf()
curl.h: require gcc 12.1 for the deprecation magic
curl: make -w's %{stderr} use the file set with --stderr
curl_path: create the new path with dynbuf
CURLOPT_PIPEWAIT: allow waited reuse also for subsequent connections
CURLOPT_PROXY.3: curl+NSS does not handle HTTPS over unix domain socket
CURLSHOPT_SHARE.3: HSTS sharing is not thread-safe
DEPRECATE: the original legacy mingw version 1
doc: fix compiler warning in libcurl.m4
docs/cmdline-opts: mark all global options
docs/SECURITY-PROCESS.md: updates
docs: extend the URL API descriptions
docs: note '--data-urlencode' option
DYNBUF.md: note Curl_dyn_add* calls Curl_dyn_free on failure
easy: remove infof() debug leftover from curl_easy_recv
examples/http3.c: use CURL_HTTP_VERSION_3
ftp: active mode with SSL, add the filter
ftp: add more conditions for connection reuse
ftp: allocate the wildcard struct on demand
ftp: make the EPSV response parser not use sscanf
ftp: replace sscanf for MDTM 213 response parsing
ftp: replace sscanf for PASV parsing
gssapi: align `gss_OID_desc` to silence ld warnings on macOS ventura
headers: make curl_easy_header and nextheader return different buffers
hostip: avoid sscanf and extra buffer copies
http2: fix error handling during parallel operations
http2: fix for http2-prior-knowledge when reusing connections
http2: fix handling of RST and GOAWAY to recognize partial transfers
http2: fix upload busy loop
http: don't send 100-continue for short PUT requests
http: fix unix domain socket use in https connects
http: rewrite the status line parser without sscanf
http_proxy: parse the status line without sscanf
idn: return error if the conversion ends up with a blank host
krb5: avoid sscanf for parsing
lib1560: test parsing URLs with ridiculously large fields
lib2305: deal with CURLE_AGAIN
lib517: verify time stamps without leading zeroes plus some more
lib: silence clang/gcc -Wvla warnings in brotli headers
lib: skip Curl_llist_destroy calls
libcurl-errors.3: add the CURLHcode errors from curl_easy_header.3
libssh2: only set the memory callbacks when debugging
libssh2: remove unused variable from libssh2's struct
libssh: use dynbuf instead of realloc
Makefile.mk: delete redundant `HAVE_LDAP_SSL` macro
Makefile.mk: fix -g option in debug mode
mqtt: on send error, return error
multi: make multi_perform ignore/unignore signals less often
multi: remove PENDING + MSGSENT handles from the main linked list
ngtcp2-gnutls.yml: bump to gnutls 3.8.0
ngtcp2: fix unwanted close of file descriptor 0
page-footer: add explanation for three missing exit codes
parsedate: parse strings without using sscanf()
parsedate: replace sscanf( for time stamp parsing
quic/schannel: fix compiler warnings
rand: use arc4random as fallback when available
rate.d: single URLs make no sense in --rate example
RELEASE-PROCEDURE.md: update coming release dates
rtsp: avoid sscanf for parsing
runtests: use a hash table for server port numbers
sectransp: fix compiler warning c89 mixed code/declaration
sectransp: make read_cert() use a dynbuf when loading
secure-transport: fix recv return code handling
select: stop treating POLLRDBAND as an error
setopt: move the CURLOPT_CHUNK_DATA pointer to the set struct
socket: detect "dead" connections better, e.g. not fit for reuse
src: silence wmain() warning for all build methods
telnet: only accept option arguments in ascii
telnet: parse NEW_ENVIRON without sscanf
telnet: parse telnet options without sscanf
telnet: parse the WS= argument without sscanf
test1470: test socks proxy using unix sockets and connect to https
test1960: verify CURL_SOCKOPT_ALREADY_CONNECTED
test2600: detect when ALARM_TIMEOUT is in use and adjust
test422: verify --next used without a prior URL
tests/http: add pytest to GHA and improve tests
tests: add `cookies` features
tests: add timeout, SLOWDOWN and DELAY keywords to tests
tests: fix gnutls-serv check
tests: fix MSVC unreachable code warnings in unit tests
tests: hack to build most unit tests under cmake
tests: HTTP server fixups
tests: keep cmake unit tests names in sync
tests: make CPPFLAGS common to all unit tests
tests: make first.c the same for both lib tests and unit tests
tests: support for imaps/pop3s/smtps protocols
tests: sync option lists in runtests.pl & its man page
tests: test secure mail protocols with explicit SSL requests
tests: use AM_CPPFILES to modify flags in unit tests
tests: use dynamic ports numbers in pytest suite
tool: dump headers even if file is write-only
tool: improve --stderr handling
tool_getparam: don't add a new node for just --no-remote-name
tool_getparam: error if --next is used without a prior URL
tool_operate: avoid fclose(NULL) on bad header dump file
tool_operate: propagate error codes for missing URL after --next
tool_progress: shut off progress meter for --silent in parallel
tool_writeout_json. fix the output for duplicate header names
transfer: limit Windows SO_SNDBUF updates to once a second
url: fix cookielist memleak when curl_easy_reset
url: fix logic in connection reuse to deny reuse on "unclean" connections
url: fix the SSH connection reuse check
url: only reuse connections with same GSS delegation
url: remove dummy protocol handler
urlapi: '%' is illegal in host names
urlapi: avoid mutating internals in getter routine
urlapi: parse IPv6 literals without ENABLE_IPV6
urlapi: take const args in _dup and _get functions
wildcard: remove files and move functions into ftplistparser.c
winbuild: fix makefile clean
wolfssl: add quic/ngtcp2 detection in cmake, and fix builds
wolfSSL: ressurect the BIO `io_result`
ws: keep the socket non-blocking
x509asn1.c: use correct format specifier for infof() call
x509asn1: use plain %x, not %lx, when the arg is an int
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:28 +0000 (20:43 +0200)]
whois: Update to version 5.5.17
- Update from version 5.5.13 to 5.5.17
- Update of rootfile not required
- Previous versions of whois were taken from debian files. However these are taken from
the whois github page and then repackaged from gz to xz. It therefore seemed sensible
to me that we should take the source from this package from the github repo that
the developer is using. Therefore some changes to naming convention of the source file.
- Changelog
whois (5.5.17) unstable; urgency=medium
* Added the .cd TLD server.
* Updated the -kg NIC handles server name.
* Removed 2 new gTLDs which are no longer active.
whois (5.5.16) unstable; urgency=medium
* Add bash completion support, courtesy of Ville Skyttä.
* Updated the .tr TLD server.
* Removed support for -metu NIC handles.
whois (5.5.15) unstable; urgency=medium
* Updated the .bd, .nz and .tv TLD servers.
* Added the .llyw.cymru, .gov.scot and .gov.wales SLD servers.
* Updated the .ac.uk and .gov.uk SLD servers.
* Recursion has been enabled for whois.nic.tv.
* Updated the list of new gTLDs with four generic TLDs assigned in
October 2013 which were missing due to a bug.
* Removed 4 new gTLDs which are no longer active.
* Added the Georgian translation, contributed by Temuri Doghonadze.
* Updated the Finnish translation, contributed by Lauri Nurmi.
whois (5.5.14) unstable; urgency=medium
* Added the .bf and .sd TLD servers.
* Removed the .gu TLD server.
* Updated the .dm, .fj, .mt and .pk TLD servers.
* Updated the charset for whois.nic.tr.
* Updated the list of new gTLDs.
* Removed whois.nic.fr from the list of RIPE-like servers, because it
is not one anymore. (Closes: #1021110)
* Renamed whois.arnes.si to whois.register.si in the list of RIPE-like
servers.
* Added the hiding string for whois.auda.org.au.
* Fixed uclibc builds, because uclibc does not have NLS support.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:27 +0000 (20:43 +0200)]
texinfo: Update to version 7.0.3
- Update from version 7.0.2 to 7.0.3
- Update of rootfile not required
- Changelog
7.0.3 (26 March 2023)
This is a bug-fix release with minimal changes.
* texi2any
. fix performance regression when Perl binary extension (XS) modules
are not being used (e.g. with TEXINFO_XS=omit)
* info
. further fix of recoding of UTF-8 files to ASCII to avoid text
disappearing from nodes
. avoid possible freeze at start of a file with `-v nodeline=pointers'
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3410200 to 3420000
- Update of rootfile not required
- Changelog is mostly new functions but there are also a range of unnamed bug fixes and
performance improvements
version 3420000
Add the FTS5 secure-delete command. This option causes all forensic traces to be removed from the FTS5 inverted index when content is deleted.
Enhance the JSON SQL functions to support JSON5 extensions.
The SQLITE_CONFIG_LOG and SQLITE_CONFIG_PCACHE_HDRSZ calls to sqlite3_config() are now allowed to occur after sqlite3_initialize().
New sqlite3_db_config() options: SQLITE_DBCONFIG_STMT_SCANSTATUS and SQLITE_DBCONFIG_REVERSE_SCANORDER.
Query planner improvements:
Enable the "count-of-view" optimization by default.
Avoid computing unused columns in subqueries.
Improvements to the push-down optimization.
Enhancements to the CLI:
Add the --unsafe-testing command-line option. Without this option, some dot-commands (ex: ".testctrl") are now disabled because those commands that are intended for testing only and can cause malfunctions misused.
Allow commands ".log on" and ".log off", even in --safe mode.
"--" as a command-line argument means all subsequent arguments that start with "-" are interpreted as normal non-option argument.
Magic parameters ":inf" and ":nan" bind to floating point literals Infinity and NaN, respectively.
The --utf8 command-line option omits all translation to or from MBCS on the Windows console for interactive sessions, and sets the console code page for UTF-8 I/O during such sessions. The --utf8 option is a no-op on all other platforms.
Add the ability for application-defined SQL functions to have the same name as join keywords: CROSS, FULL, INNER, LEFT, NATURAL, OUTER, or RIGHT.
Enhancements to PRAGMA integrity_check:
Detect and raise an error when a NaN value is stored in a NOT NULL column.
Improved error message output identifies the root page of a b-tree when an error is found within a b-tree.
Allow the session extension to be configured to capture changes from tables that lack an explicit ROWID.
Added the subsecond modifier to the date and time functions.
Negative values passed into sqlite3_sleep() are henceforth interpreted as 0.
The maximum recursion depth for JSON arrays and objects is lowered from 2000 to 1000.
Extended the built-in printf() function so the comma option now works with floating-point conversions in addition to integer conversions.
Miscellaneous bug fixes and performance optimizations
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:25 +0000 (20:43 +0200)]
procps: Update to version v4.0.3
- Update from version v4.0.0 to v4.0.3
- Update of rootfile
- Changed souce from gz to bz2
- Changelog
procps-ng-4.0.3
* library
Only changes were in copyright headers and tests
* docs: Don't install English manpages twice
* pgrep: Add -H match on userspace signal handler merge #165
* pgrep: make --terminal respect other criteria
* ps: c flag shows command name again Debian #1026326
* ps.1: Match drs description from top.1 merge #156
* skill: Match on -p again Debian #1025915
* top: E/P-core toggle ('5' key) added to help
* vmstat: Referesh memory statistics Debian #1027963
* vmstat: Fix initial si,so,bi,bo,in & cs values issue #15
Debian #668580
* vmstat: Fix conversion errors due to precision merge #75
* w: Add --pids option merge #159
* watch: Pass through beep issue #104
* watch: -r option to not re-exec on SIGWINCH merge #125
* watch: find eol with --no-linewrap merge #157
procps-ng-4.0.2
* library revision - 0:1:0
Handle absent 'core_id' in /proc/cpuinfo
* w: Show time with D_TIME_BITS=64 on 32bit env issue #256
procps-ng-4.0.1
* library
Re-add elogind support merge #151
Used memory is Total - Available
Renaming, it is now libproc2
* free: Use --kilo when only specifying --si merge #163
* pgrep: Add -A to ignore ancestors merge #160
* pidwait: Better warning if pidfd_open not implemented
* pmap: Dont reuse stdin filehandle issue #231
* ps: threads again display when -L is used with -q issue #234
* ps: proper aix format string behavior was restored
* sysctl: print dotted keys again
* top: fix 'smaps' bug preventing build under clang issue #235
* top: column highlighting allowed under 'L' or 'O'
* top: can alter autogroup nice value (like 'r' renice)
* top: can display the following with no need to scroll
* cmdline, control groups, environment,
supplimentary groups, namespaces
* top: adds a 'message log' recall capability
* top: will accept utf8 multi-byte input with support
for full line editing and previous line recall
* top: can show more than 2 abreast in summary display
* top: can distinguish P-Core and E-core cpus
* top: can filter both P-Core and E-core cpus
* watch: Add equexit no-change and exit option merge #153
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:24 +0000 (20:43 +0200)]
man: Update to version 2.11.2
- Update from version 2.10.2 to 2.11.2
- Update of rootfile
- Changelog
man-db 2.11.2 (8 January 2023)
Fixes:
* Fix compile and test failures when `troff` is not `groff`.
* Fix segfault in typical uses of `man` when `nroff` is not installed.
* Fix crash in `mandb` when processing stray cats.
Improvements:
* Check for stray cats even if no manual pages in a given manpath were
changed.
man-db 2.11.1 (15 November 2022)
Build:
* Transfer Git repository to https://gitlab.com/man-db/man-db.
Fixes:
* SECURITY: Replace `$` characters in page names with `?` when constructing
`less` prompts.
* Silence error message when processing an empty manual page hierarchy with
a nonexistent cache directory.
* `man(1)` now sorts whatis references below real pages, even if the whatis
references are from a section with higher priority.
Improvements:
* Add section `3type` to the default section list just after `2`. This is
used by the Linux man-pages package.
* Recognize more Hungarian translations of the `NAME` section.
man-db 2.11.0 (15 October 2022)
Fixes:
* `mandb` now correctly records filters in the database if it uses cached
whatis information.
* Upgrade Gnulib, fixing syntax error on glibc systems with GCC 11.
* The `CATWIDTH` configuration file directive now overrides `MINCATWIDTH`
and `MAXCATWIDTH`.
* Database entries for links were often incorrectly stored as if they were
entries for the ultimate source of the page. They are now stored with
the correct type.
* Store links in the database using the section and extension of the link
rather than of the ultimate source file.
* Consider pages for adding to the database even if they seem to already
exist; this performance optimization is no longer needed due to caching,
and it produced inconsistent results in some unusual cases.
* `man` now runs any required preprocessors in the same order that `groff`
does, rather than trusting the order of filters in a page's preprocessor
string.
* Fix building on MinGW. (I haven't been able to test this; help from
MinGW experts would be welcome.)
Improvements:
* Add more recognized case variants for localized versions of the `NAME`
section.
* Maintain multi keys in sorted order, improving database reproducibility.
* Pick a more consistent name for the target of a whatis entry in the
database.
* Extend rules for when to replace one database entry with another,
producing more stable behaviour.
* Fully reorganize databases after writing them, allowing the reproduction
of bitwise-identical databases regardless of scan order (at least with
GDBM).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:22 +0000 (20:43 +0200)]
grep: Update to version 3.11
- Update from version 3.10 to 3.11
- Update of rootfile not required
- Changelog
* Noteworthy changes in release 3.11 (2023-05-13) [stable]
** Bug fixes
With -P, patterns like [\d] now work again. Fixing this has caused
grep to revert to the behavior of grep 3.8, in that patterns like \w
and \b go back to using ASCII rather than Unicode interpretations.
However, future versions of GNU grep and/or PCRE2 are likely to fix
this and change the behavior of \w and \b back to Unicode again,
without breaking [\d] as 3.10 did.
[bug introduced in grep 3.10]
grep no longer fails on files dated after the year 2038,
when running on 32-bit x86 and ARM hosts using glibc 2.34+.
[bug introduced in grep 3.9]
grep -P no longer fails to match patterns using negated classes
like \D or \W when linked with PCRE2 10.34 or newer.
[bug introduced in grep 3.8]
** Changes in behavior
grep --version now prints a line describing the version of PCRE2 it uses.
For example, it prints this when built with the very latest from git:
grep -P uses PCRE2 10.43-DEV 2023-04-14
or this with what's currently available in Fedora 37:
grep -P uses PCRE2 10.40 2022-04-14
previous versions of grep wouldn't respect the user provided settings for
PCRE_CFLAGS and PCRE_LIBS when building if a libpcre2-8 pkg-config module
was found.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:20 +0000 (20:43 +0200)]
gawk: Update to vesrion 5.2.2
- Update from version 5.1.1 to 5.2.2
- Update of rootfile
- Changelog
Changes from 5.2.1 to 5.2.2
1. Infrastructure upgrades: makeinfo 7.0.1 must be used to format
the manual. As a result, the manual can also now be formatted
with LaTeX by running it through `makeinfo --latex'.
2. Gawk no longer builds an x86_64 executable on M1 macOS systems.
This means that PMA is unavailable on those systems.
3. Gawk will now diagnose if a heap file was created with a different
setting of -M/--bignum than in the current invocation and exit with
a fatal message if so.
4. Gawk no longer "leaks" its free list of NODEs in the heap file, resulting
in much more efficient usage of persistent storage.
5. PROCINFO["pma"] exists if the PMA allocator is compiled into gawk.
Its value is the PMA version.
6. The time extension is no longer deprecated. The strptime() function
from gawkextlib's timex extension has been added to it.
7. Better information is passed to input parsers for when they want to
decide whether or not to take control of a file. In particular, the
readdir extension is simplified for Windows because of this.
8. The various PNG files are now installed for Info and HTML. The
images files now have gawk_ prefixed names to avoid any conflicts
with other installed PNG file names.
9. As usual, there have been several minor code cleanups and bug fixes.
See the ChangeLog for details.
Changes from 5.2.0 to 5.2.1
1. Infrastructure upgrades: PMA version Avon 8.
2. Issues related to the sign of NaN and Inf values on RiscV have
been fixed; gawk now gives identical results on that platform as
it does on others.
3. A few issues with the debugger have been fixed.
4. More subtle issues with untyped array elements being passed to
functions have been fixed.
5. The rwarray extension's readall() function has had some bugs fixed.
6. The PMA allocator is now supported on FreeBSD, OpenBSD and Linux on S/390x.
It is now supported also on both Intel and M1 macOS systems.
7. There have been several minor code cleanups and bug fixes. See the
ChangeLog for details.
Changes from 5.1.x to 5.2.0
*****************************************************************************
* MPFR mode (the -M option) is now ON PAROLE. This feature is now being *
* supported by a volunteer in the development team and not by the primary *
* maintainer. If this situation changes, then the feature will be removed. *
* For more information see this section in the manual: *
* https://www.gnu.org/software/gawk/manual/html_node/MPFR-On-Parole.html *
*****************************************************************************
1. Infrastructure upgrades: Libtool 2.4.7, Bison 3.8.2.
2. Numeric scalars now compare in the same way as C for the relational
operators. Comparison order for sorting has not changed. This only
makes a difference when comparing Infinity and NaN values with
regular numbers; it should not be noticeable most of the time.
3. If the AWK_HASH environment variable is set to "fnv1a" gawk will
use the FNV1-A hash function for associative arrays.
4. The CMake infrastructure has been removed. In the five years it was in
the tree, nobody used it, and it was not updated.
5. There is now a new function, mkbool(), that creates Boolean-typed
values. These values *are* numbers, but they are also tagged as
Boolean. This is mainly for use with data exchange to/from languages
or environments that support real Boolean values. See the manual
for details.
6. As BWK awk has supported interval expressions since 2019, they are
now enabled even if --traditional is supplied. The -r/--re-interval option
remains, but it does nothing.
7. The rwarray extension has two new functions, writeall() and readall(),
for saving / restoring all of gawk's variables and arrays.
8. The new `gawkbug' script should be used for reporting bugs.
9. The manual page (doc/gawk.1) has been considerably reduced in size.
Wherever possible, details were replaced with references to the online
copy of the manual.
10. Gawk now supports Terence Kelly's "persistent malloc" (pma),
allowing gawk to preserve its variables, arrays and user-defined
functions between runs. THIS IS AN EXPERIMENTAL FEATURE!
For more information, see the manual. A new pm-gawk.1 man page
is included, as is a separate user manual that focuses on the feature.
11. Support for OS/2 has been removed. It was not being actively
maintained.
12. Similarly, support for DJGPP has been removed. It also was not
being actively maintained.
13. VAX/VMS is no longer supported, as it can no longer be tested.
The files for it remain in the distribution but will be removed
eventually.
14. Some subtle issues with untyped array elements being passed to
functions have been fixed.
15. Syntax errors are now immediately fatal. This prevents problems
with errors from fuzzers and other such things.
16. There have been numerous minor code cleanups and bug fixes. See the
ChangeLog for details.
Changes from 5.1.1 to 5.1.x
1. Infrastructure upgrades: Automake 1.16.5, Texinfo 6.8.
2. The rwarray extension now supports writing and reading GMP and
MPFR values. As a result, a bug in the API code was fixed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:19 +0000 (20:43 +0200)]
ed: Update to version 1.19
- Update from version 1.17 to 1.19
- Update of rootfile not required
- Changelog
2023-01-11 Antonio Diaz Diaz <antonio@gnu.org>
* Version 1.19 released.
* main_loop.c (exec_command): Fix commands 'e', 'E'; they did set
the 'modified' flag if file not found. (Reported by Harry Graf).
(main_loop): Print script error line to stdout instead of stderr.
* Change long name of option '-s' to '--script'.
(Suggested by Andrew L. Moore).
* Assign short name '-q' to options '--quiet' and '--silent'.
* main.c (show_strerror) Use '!quiet' to enable diagnostics.
* Do not process file names for backslash escapes.
(Suggested by Andrew L. Moore).
* ed.texi: Document 0 as starting point for searches '0;/RE/'.
Document how to achieve the effect of ex style '!' filtering.
2022-02-04 Antonio Diaz Diaz <antonio@gnu.org>
* Version 1.18 released.
* main_loop.c (get_shell_command): Flush stdout after printing cmd.
(Reported by Sören Tempel).
* signal.c (sighup_handler): Fix a memory leak just before exiting.
* carg_parser.c (ap_init): Likewise.
(Both reported by Xosé Vázquez Pérez).
* io.c (read_file, write_file): Check ptr returned by strip_escapes.
* main_loop.c (get_shell_command, exec_command): Likewise.
* main_loop.c (get_shell_command): Remove backslash from escaped '%'.
(Reported by Martin Thomsen).
* main_loop.c, regex.c: Implement case-insensitive REs.
* regex.c (compile_regex): Don't overwrite previous regex if error.
* main.c: New option '--strip-trailing-cr'.
* buffer.c (push_undo_atom): Fail if stack grows larger than INT_MAX.
(too_many_lines): Fail if buffer grows larger than INT_MAX lines.
* global.c (set_active_node): Fail if list grows larger than INT_MAX.
* signal.c (resize_buffer): Fail if a line grows longer than INT_MAX.
* io.c (read_file): Return -2 for fatal errors.
* main_loop.c (main_loop): Set error status if fatal error from main.
* main.c [restricted_]: New message "Directory access restricted".
* ed.texi: New chapter "The 's' Command".
* COPYING: Restored. (I forgot to do it in 1.11).
* TODO: Removed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 18 May 2023 18:43:18 +0000 (20:43 +0200)]
diffutils: Update to version 3.9
- Update from version 3.8 to 3.9
- Update of rootfile not required
- Changelog
version 3.9
* NEWS: Record release date.
build: update gnulib to latest
2023-01-05 Jim Meyering <meyering@fb.com>
tests: avoid large-subopt XPASS on systems without perl
* tests/large-subopt: Use $PERL, rather than hard-coding "perl".
* bootstrap.conf (gnulib_modules): Add "perl" to the list.
Reported by Bruno Haible in
https://lists.gnu.org/r/diffutils-devel/2023-01/msg00000.html
2023-01-05 Bruno Haible <bruno@clisp.org>
tests: avoid a test failure when using Solaris 11.4's old grep
* tests/colors (nanosecond_zeros): Use a dumbed-down grep '\.'
in place of "grep -F ." to accommodate Solaris 11.4's old versions
of grep in the default PATH. Reported here:
https://lists.gnu.org/r/diffutils-devel/2023-01/msg00001.html
2023-01-01 Jim Meyering <meyering@fb.com>
build: update gnulib to latest
maint: update copyright dates
2022-12-31 Paul Eggert <eggert@cs.ucla.edu>
build: simplify GCC 12 false alarm workaround
* src/util.c (print_message_queue): Pacify GCC in a
more-straightforward way.
maint: fix assumption typo
Fix a typo I introduced in my August 2021 signal handling fixes.
Problem reported by Sam James (Bug#60457).
* src/util.c (xsigismember): Don’t assume sigismember cannot return 0.
2022-12-30 Jim Meyering <meyering@fb.com>
build: update gnulib to latest
build: temp?-disable -Wanalyzer-use-of-uninitialized-value
* src/util.c (print_message_queue): This function triggers false
positive warnings from GCC12, so add pragmas to ignore that new warning
in this one function. Required when using either of these:
- gcc version 12.2.1 20221121
- gcc version 13.0.0 20221229 (experimental)
2022-12-11 Jim Meyering <meyering@fb.com>
build: update gnulib to latest
2022-11-12 Jim Meyering <meyering@fb.com>
build: update gnulib to latest
2022-02-14 Paul Eggert <eggert@cs.ucla.edu>
doc: mark up SEE ALSO (Bug#53976)
2022-01-24 Jim Meyering <meyering@fb.com>
tests: fix false-failure on systems without valgrind
* tests/init.cfg (require_valgrind_): Use exit status of subshell,
not that of the "local" declaration.
2022-01-14 Paul Eggert <eggert@cs.ucla.edu>
build: update gnulib submodule to latest
2022-01-03 Jim Meyering <meyering@fb.com>
maint: avoid new syntax-check failure
* cfg.mk (local-checks-to-skip): Add sc_indent, to skip it.
Otherwise, "make syntax-check" would fail.
maint: make update-copyright
build: update gnulib to latest; also bootstrap and init.sh
2021-10-30 Paul Eggert <eggert@cs.ucla.edu>
maint: modernize README-{hacking,prereq}
2021-10-16 Paul Eggert <eggert@cs.ucla.edu>
doc: copy fdl.texi into git
This pacifies this notice from ./bootstrap: “Notice from module
fdl: Don't use this module! Instead, copy the referenced license
file into your version control repository.”
* bootstrap.conf (gnulib_modules): Remove fdl.
* doc/fdl.texi: New file, taken from Gnulib.
maint: direct dependency on time_rz now
Now that diff calls tzalloc, it depends directly on time_rz.
* bootstrap.conf (gnulib_modules): Add time_rz.
build: update gnulib submodule to latest
2021-10-15 Paul Eggert <eggert@cs.ucla.edu>
diff: fix timezone bug on Solaris
Problem reported by Vladimir Marek (bug#51228).
* NEWS: Mention this.
* src/context.c (print_context_label): Pass localtz to nstrftime,
instead of always passing 0.
* src/diff.c (main) [!HAVE_TM_GMTOFF]:
Initialize localtz if time_format uses %z.
* src/diff.h (localtz): New decl.
* tests/Makefile.am (TESTS): Add timezone.
* tests/timezone: New test.
2021-08-31 Paul Eggert <eggert@cs.ucla.edu>
diff3: port better to MS-Windows
* src/diff3.c (enum diff_type): Prefix constants like ADD with
"DIFF_" to avoid collisions with unwise system headers.
2021-08-30 Paul Eggert <eggert@cs.ucla.edu>
maint: port better to non-POSIX
Problem privately reported by Gisle Vanem for MS-Windows.
* src/util.c (sig, install_signal_handlers):
Don’t assume SIGTSTP, SIGALRM, SIGQUIT.
(is_tstp_index): New function, for use in SIGTSTP avoidance.
maint: prefer attribute.h attributes
Prefer the macros used in attribute.h, and _Noreturn,
to the by-hand use of __attribute__, as this is more portable.
* bootstrap.conf (gnulib_modules): Add attribute.
* src/system.h: Include attribute.h. All uses of
attributes changed to use the attribute.h macros.
Plus, use _Noreturn.
(FALLTHROUGH): Remove; attribute.h now defines this.
build: update gnulib submodule to latest
diff: avoid double translation
* src/analyze.c (briefly_report): Do not translate here,
as ‘message’ translates its format.
diff: use variable arg list for messages
This simplifies the code by using varargs.
* bootstrap.conf (gnulib_modules): Add flexmember.
(XGETTEXT_OPTIONS): Do not flag message5.
* src/util.c: Include flexmember.h, stdarg.h.
(struct msg): New members msgid, argbytes. args is now
FLEXIBLE_ARRAY_MEMBER, and does not contain msgid.
All uses changed.
(message): Now varargs. Detect number of args by counting '%'s.
Use FLEXSIZEOF, to avoid problems on systems with buggy
allocators. Avoid redundant ‘*p = 0’ when *p is already zero
after stpcpy.
(message5): Remove; all callers changed to use ‘message’.
(print_message_queue): Abort if too many args were passed;
this cannot happen with current diffutils.
2021-08-29 Paul Eggert <eggert@cs.ucla.edu>
diff: port better to MS-Windows
Problem reported by Gisle Vanem (Bug#36488#30).
* src/util.c (xsigaction) [SA_NOCLDSTOP]: Remove; no longer needed.
(install_signal_handlers): If the first call to sigaction or
signal fails, do not exit; just skip the signal and continue,
in case the runtime does not support the signal even though the
corresponding SIG* macro is defined.
2021-08-28 Paul Eggert <eggert@cs.ucla.edu>
diff: cleanup signal handling just before exit
This should fix an unlikely signal handling bug with colored
output, and should also fix a Debian FTBFS (Fails To Build From
Source) on powerpc64le-linux. See Bug#34519 and Frédéric
Bonnard’s report in:
https://bugs.debian.org/922552#19
* bootstrap.conf (gnulib_modules): Add raise, sigprocmask.
* src/diff.c (main): Call cleanup_signal_handlers before exiting.
Don’t bother calling ‘exit’; no longer needed nowadays.
* src/util.c (sigprocmask, siginterrupt) [!SA_NOCLDSTOP]:
Define to 0 instead of empty, since the results are now used.
(sigset_t) [!SA_NOCLDSTOP]: Remove; we now rely on Gnulib.
(xsigaction) [SA_NOCLDSTOP]: New function.
(xsigaddset, xsigismember, xsignal, xsigprocmask): New functions.
(some_signals_caught): New static var.
(process_signals): Omit a conditional branch.
Don’t bother loading interrupt_signal if stop_signal_count is nonzero.
(process_signals, install_signal_handlers):
Check for failures from sigprocmask etc.
(sig, nsig): Now at top level, since multiple functions need them.
(install_signal_handlers): No need for caught_sig array;
just use caught_signals. However, set some_signals_caught.
(cleanup_signal_handlers): New function.
2021-08-22 Paul Eggert <eggert@cs.ucla.edu>
diff: add integer overflow checking
* src/diff.c (option_list, main): Check for integer overflow
in some unlikely and hard-to-test cases.
maint: refactor integer overflow checking
Rely on more-modern Gnulib capabilities instead of doing
integer overflow checking by hand, in some cases.
* lib/cmpbuf.c (buffer_lcm):
* src/io.c (slurp, find_identical_ends):
Use INT_ADD_WRAPV and INT_MULTIPLY_WRAPV rather than checking
overflow by hand.
* src/diff3.c (process_diff):
* src/dir.c (dir_read):
* src/io.c (find_identical_ends, read_files):
Use xnmalloc rather than checking overflow by hand.
(read_files): Rely on xcalloc to do overflow checking.
diff: avoid sprintf %s
sprintf fails if the result contains more than INT_MAX bytes,
so rework the code to avoid usage of sprintf %s where the
string might be longer than that.
* bootstrap.conf (gnulib_modules): Remove xvasprintf.
* src/diff.c (specify_style):
* src/util.c (begin_output):
Rewrite to avoid sprintf %s.
* src/util.c: Do not include xvasprintf.h.
(concat): Remove, as it uses sprintf %s. All uses rewritten.
diff: use mempcpy
* bootstrap.conf (gnulib_modules): Add mempcpy, stpcpy.
* src/ifdef.c (do_printf_spec):
* src/sdiff.c (expand_name, lf_snarf, temporary_file):
* src/util.c (message5):
Prefer mempcpy to memcpy plus manual size-updating.
Prefer stpcpy to mempcpy plus manual size-spec.
sdiff: fix unlikely memory leak
* src/sdiff.c (temporary_file): Fix memory leak when mkstemp fails.
Don’t assume temporary file name length fits in ‘int’.
diff3: simplify process_diff
* src/diff3.c (process_diff): Remove LAST_BLOCK arg, since callers
no longer needed it. All callers changed. This removes an
unnecessary initialization of bptr to NULL.
maint: modernize IF_LINT for GCC 11.2.1
* src/cmp.c (cmp):
* src/dir.c (find_dir_file_pathname):
* src/sdiff.c (edit):
Mention which GCC bug this IF_LINT works around.
* src/diff3.c (process_diff):
Always initialize to NULL, to avoid problems on mostly-theoretical
hosts where accessing uninitialized variables traps. The next
patch will have a better fix for this.
* src/ifdef.c (do_printf_spec):
No need for IF_LINT in GCC 11.2.1.
maint: lint → GCC_LINT
‘lint’ is for traditional lint and perhaps some other tools;
‘GCC_LINT’ is targeted more for what we do.
Gnulib accepts either, but we might as well be more accurate.
* configure.ac (GCC_LINT): Define this instead of ‘lint’.
All uses changed.
diff: remove printint
* src/system.h (printint): Remove. All uses removed. This type
was only for porting to pre-C89 hosts, and is no longer needed.
diff: remove INT_MAX limit on -F/-p searches
* src/context.c (find_function): Don’t limit function-line
searches to INT_MAX bytes, removing a FIXME.
maint: .gitignore updates
* .gitignore: Remove lib/unused-parameter.h. Add all of m4, since
no files there need to be committed; this lets us remove
m4/.gitignore and m4/gnulib-cache.m4. Add *.orig, *.patch, .Tpo,
/*.diff, lib/*/ (which lets us remove /lib/sys/), lib/ctype.h,
lib/errno.h, lib/float.h, lib/fnmatch.h, lib/getopt-cdefs.h,
lib/getopt.h, lib/limits.h, lib/sigsegv.h, lib/stdalign.h,
lib/stdarg.h, lib/stdbool.h, lib/stddef.h, lib/stdint.h,
lib/stdopen.[ch], vc-dwim-log-*. Add slashes to autom4te.cache,
build-aux. Remove redundant initial slashes from patterns that
also have internal slashes. Remove plain ABOUT-NLS, since
/ABOUT-NLS suffices. Sort using LC_ALL=C.
maint: omit unused function if not debugging
* src/util.c (debug_script): Compile only if DEBUG.
maint: remove prepargs
* lib/Makefile.am (noinst_HEADERS): Remove prepargs.h.
(libdiffutils_a_SOURCES): Remove prepargs.c.
* lib/prepargs.c, lib/prepargs.h: Remove. Hasn’t been
needed for many years.
* src/diff.c: Do not include prepargs.h.
maint: zalloc → xzalloc
* src/util.c (zalloc): Remove. All uses replaced
by xzalloc, which means the same thing.
2021-08-22 Paul Eggert <eggert@cs.ucla.edu>
diff3: suppress -fanalyzer alarms
* src/diff3.c: Add pragma to suppress -Wanalyzer-null-dereference
alarms.
* src/diff.h (find_dir_file_pathname): Add malloc-related
attributes, to pacify gcc -Wsuggest-attribute=malloc.
2021-08-22 Paul Eggert <eggert@cs.ucla.edu>
maint: remove January workaround for Gnulib issue
* configure.ac: Don’t add -Wno-analyzer-null-argument, since
the issue is now fixed in Gnulib.
build: update gnulib submodule to latest
2021-08-01 Paul Eggert <eggert@cs.ucla.edu>
maint: remove stray init.cfg
* init.cfg: Remove. I guess this file was a stray, since it was a
copy of tests/init.cfg when it was checked in, and it hasn’t been
maintained since.
tests: port to valgrind 3.16.0 + GCC 11.2
* tests/init.cfg (stderr_fileno_): Reject valgrind if it reports a
"Serious error" on a trival use of ‘diff’. Without this patch, on
RHEL 8.4 when I compile diffutils with a GCC 11.2.0 that I built
myself, ‘valgrind diff’ spits out messages like WARNING: Serious
error when reading debug info / When reading debug info from diff:
Ignoring non-Dwarf2/3/4 block in .debug_info’ and this causes the
strip-trailing-cr test to fail. I guess valgrind complains
because the valgrind version 3.16.0 that came with RHEL 8.4 cannot
grok the debug entries generated by GCC 11.2.0.
2021-08-01 Jim Meyering <meyering@fb.com>
maint: post-release administrivia
* NEWS: Add header line for next release.
* .prev-version: Record previous version.
* cfg.mk (old_NEWS_hash): Auto-update.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 2 Jun 2023 19:57:52 +0000 (21:57 +0200)]
dhcpcd: Update to version 10.0.1
- Update from version 9.4.1 to 10.0.1
- Update of rootfile not required
- Changelog is no longer provided. For details of changes you have to look at the commits
log - https://github.com/NetworkConfiguration/dhcpcd/commits
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
the flashimage is build without journal to not destroy
usb thumbdrives or sd cards. On real ssd's and virtual
machines it should enabled for higher data security.
So this patch add the journal is drive support smart.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Jun 2023 10:40:50 +0000 (12:40 +0200)]
update.sh: Fixes bug#13138 - root/host certificate set fails to be created
- The fix applied in vpnmain.cgi only adds the unique_subject = yes to the index.txt.attr
file after the first time that the root/host certificates are attempted to be created.
- Without this line in update.sh, the first attempt to create the root/host certificate set
will still have the original error code. If the creation is attempted again then it will
work because the unique_subject = yes will have then been added into the file.
- This patch ensures that the first attempt to create a root/host certificate set in CU175
will work.
- Confirmed on vm testbed with freshly updated CU175.
Fixes: Bug#13138 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Jun 2023 14:21:48 +0000 (16:21 +0200)]
ovpnmain.cgi: Updated fix for Bug#13137
- This now only adds "providers legacy default" to the config files of connections that
have legacy certificates, both for n2n and roadwarrior.
- This new approach also removes the requirement to have code in the update.sh script
or in backup.pl so those earlier modifications are removed in two additional patches
combined with this one in a set.
- The -legacy option has been removed from the pkcs12 creation part of the code as
otherwise this creates a certificate in legacy format, which is not wanted. All new
connection certificates being created will be based on openssl-3.x
Fixes: Bug#13137 Suggested-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 3 Jun 2023 14:05:41 +0000 (16:05 +0200)]
vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created
- The change to openssl-3.x results in the openssl commands that start with ca failing
with the error message
OpenSSL produced an error: <br>40E7B4719B730000:error:0700006C:configuration file
routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL>
name=unique_subject
- The fix for this is to include the unique_subject = yes line into
/var/ipfire/certs/index.txt.attr
- Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands
dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being
accessed with openssl-3.x due to the no longer supported algorithm. These can be
accessed if the -legacy option is added to every openssl command dealing with pkcs12
Fixes: Bug#13138 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 5 Jun 2023 11:55:29 +0000 (13:55 +0200)]
backup.pl: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- This code adds the "providers legacy default" line into OpenVPN N2N Client config files
when restoring them in case it is missing from a backup earlier than CU175.
Only adds the line if it is not already present.
- Tested out on my vm testbed system
Fixes: Bug#13137 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 Jun 2023 18:57:09 +0000 (20:57 +0200)]
update.sh: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- This modification will check if ovpnconfig exists and is not empty. If so then it will
check for all n2n connections and if they are Client configs will check if
"providers legacy default" is not already present and if so will add it.
Fixes: Bug#13137 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 4 Jun 2023 18:57:08 +0000 (20:57 +0200)]
ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl-1.1.1x fails to start with openssl-3.x
- With a n2n connection .p12 certificate created wityh openssl-1.1.1x the line
providers legacy default is required in the n2nconf file to enable it to start.
- Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in
a failure and an error message. All the openssl commands dealing with pkcs12 (.p12)
files need to have the -legacy option added to them.
Fixes: Bug#13137 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>