Michael Tremer [Mon, 20 Jan 2025 14:06:19 +0000 (14:06 +0000)]
vpnmain.cgi: Reduce the number of offered ciphers
For new connections, we will now configure fewer ciphers by default. I
currently do not see any reason why we should support so many different
versions of AES-GCM and AES-128 by default.
The defaults should provide high security as well as decent
compatibility to solutions from other vendors.
I am currently not sure whether ChaCha20-Poly1305 should remain as
default as AES should usually outperform it by far. We can assume that
most hardware has support for AES-NI.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 19 Jan 2025 12:54:57 +0000 (13:54 +0100)]
strongswan: Update to version 6.0.0
- Update from version 5.9.14 to 6.0.0
- Update of rootfile
- The stroke plugin, which was deprecated in 2014 is no longer enabled by default.
So it is now enabled expolicitly in this patch.
The stroke plugin is recommended to be migrated to using the vici plugin but this
will require a re-write of the ipsec WUI page. Hopefully the removal of the stroke
plugin will also take many years as the time between deprecation and default
disabling.
- Also aes, curve25519, des, fips-prf, gmp, hmac, md5, pkcs12, rc2, sha1 & sha2 are no
longer enabled by default. Most of these don 't need to be enabled as they are
supported by the openssl plugin whicxh we have had explicitly enabled for some time.
The openssl plugin is now enabled by default. After some checks to see which plugins
I needed to enable to match the current set of algorithms I ended up only needing\
to explicitly enable fips-prf, mgf1 & hmac.
- The ml plugin has also been enbabled so that we have the ML_KEM post quantum key
exchange algorithms enabled so they can be made available in the ipsec WUI.
- All existing algorithms are available together with the following new ones.
XOF_MGF1_SHA3_224
XOF_MGF1_SHA3_256
XOF_MGF1_SHA3_384
XOF_MGF1_SHA3_512
ML_KEM_512
ML_KEM_768
ML_KEM_10245
- I also installed the build using 6.0.0 into a vm testbed system and confirmed that my
existing ipsec connection using the default crypto values from the WUI worked without
any problems. So existing connections should all be fine.
- Changelog
6.0.0
New Feature Additions
Support for multiple IKEv2 key exchanges (RFC 9370) has been added
(3a850ae). IKE_INTERMEDIATE exchanges (RFC 9242) are used to transport
additional KE payloads between the IKE_SA_INIT and IKE_AUTH exchanges. To
rekey IKE and Child SAs with multiple key exchanges, IKE_FOLLOWUP_KE
exchanges are used, as defined in RFC 9370.
In proposals, additional key exchange methods are configured via
keX_ prefix, where X is a number between 1 and 7. For example,
ke1_mlkem768 adds ML-KEM-768 as additional KE method (works with any key
exchange method, whether post-quantum or classic). As with regular key
exchanges, peers have to agree on a method for each round unless no
algorithms are defined by both or keX_none is configured to make that
round explicitly optional.
Support for the Module-Lattice-Based Key-Encapsulation Mechanism
(ML-KEM, FIPS 203), a key exchange method that, at present, is believed
to be secure even against adversaries who possess a quantum computer, has
been added via Botan 3.6.0+ (botan plugin), wolfSSL 5.7.4+
(wolfssl plugin), AWS-LC 1.37.0+ (openssl plugin), and the new ml plugin.
The keywords for ML-KEM-512 (128 bits security strength), ML-KEM-768
(192 bits), ML-KEM-1024 (256 bits) are mlkem512, mlkem768 and mlkem1024,
respectively.
AF_VSOCK sockets can be used on Linux to communicate with a daemon that
runs in a VM (e.g. via the vici plugin).
The file logger can optionally log messages as JSON objects (a2fba6d, bea1f11, see the docs for details), and can add timestamps in
microseconds via the new time_precision setting (#2475).
Enhancements and Optimizations
Handling of CHILD_SA rekey collisions has been improved (d2b2e1b). This
makes CHILD_SAs properly trackable via child_rekey() hook and some corner
cases are also handled correctly e.g. if a responder's DELETE for the new
CHILD_SA arrives before its CREATE_CHILD_SA response that creates that SA
in the first place. Also handled properly are responders of rekeyings
that incorrectly send a DELETE for the old CHILD_SA (previously, this
caused both, the new and the old SA, to get deleted).
The behavior when reloading or unloading connections that include start in
their start_action has been improved (#2324, #2418).
If no identity is configured but a certificate is available, the subject
DN is used instead of the IP address (#2353).
The cert-enroll script now supports three generations of CA certificates
(f59ca96).
IKE ports are now considered when matching connections (9228a51, 6928709).
The base address of in-memory IP address pools is now reported as
configured (#2264).
IKE fragment sizes can be configured for each address family explicitly
(84bd011).
The openssl plugin can use the EVP_DigestSqueeze() API for XOFs, which was
introduced with OpenSSL 3.3 (3d0f695).
The kernel-netlink plugin explicitly configures the direction of IPsec SAs
when running on 6.10+ kernels (abdc787).
The Android app was updated for compatibility with Android 14 (740cbb2), a
bug was fixed that affects importing already existing VPN profiles
(9b9cf20).
Fixes
The NetworkManager plugin (charon-nm) now uses a different routing table
than the regular IKE daemon to avoid conflicts if both are running (#2230).
TUN devices can properly handle IPv6 addresses (fccc764) and routes via
them are now correctly installed on FreeBSD (bf165af).
Reassigning a matching online lease is now preferred over an offline lease
by the in-memory IP address pool to avoid conflicts with make-before-break
reauthentication and multiple IKE_SAs per identity (#2472).
To avoid conflicts with other processes when using ephemeral UDP ports,
the socket-default plugin now always opens IPv4 sockets before IPv6
sockets (#2494).
Challenge passwords in PKCS#10 containers are again encoded as
PrintableString if possible to be compatible with older SCEP
implementations (8e88d56).
The vici plugin now uses the same ESP proposals (AEAD before regular) when
configuring default instead of not configuring esp_proposals at all
(8e020bc).
Fixed handling of adopted reqids during IKEv1 rekeying (d02aea9, bug was
introduced in 5.9.12).
A typo in the cert-enroll script prevented successful signalling of a
change of the sub CA certificate (957aae8).
Plugin and Configuration Changes
The legacy stroke plugin is no longer enabled by default and must be
enabled explicitly.
The openssl plugin is now enabled by default, while the following crypto
plugins are no longer enabled by default: aes, curve25519, des, fips-prf,
gmp, hmac, md5, pkcs12, rc2, sha1, sha2.
The following deprecated plugins have been removed: bliss (signature
scheme), newhope (key exchange method), ntru (key exchange method).
charon.make_before_break is now enabled by default, which initiates IKEv2
reauthentication with a make-before-break instead of a break-before-make
scheme. Make-before-break creates overlapping IKE and Child SA during
reauthentication by first recreating all SAs before deleting the old ones.
This behavior can be beneficial to avoid connectivity gaps during
reauthentication (unlike rekeying still not completely without
interruption), but requires support for overlapping SAs by the peer.
strongSwan can handle such overlapping SAs since version 5.3.0.
For Developers
Using the child_rekey() hook now allows tracking CHILD_SAs correctly in
case of rekey collisions. The event is generally only triggered once
after installing the outbound SA for the new/winning CHILD_SA. However,
in some cases the event is triggered twice, but it is now ensured that
listeners can properly transition to the winning SA.
Refer to the documentation of key_exchange_method_t interface to learn how
KEMs can be implemented in plugins.
The format of key exchange test vectors has been changed so they can be
used for KEMs and classic DH methods (4067678).
The NetworkManager frontend's build files have been updated to not rely on
gnome-common. It now also uses gettext directly instead of intltool
(5019e3e).
Performance of running tests in the testing environment has been improved.
Refer to the 6.0.0 milestone for a list of all closed issues and pull requests.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 13 Jan 2025 21:41:05 +0000 (22:41 +0100)]
freeradius: Update to version 3.2.6
- Update from version 3.2.5 to 3.2.6
- Update of rootfile
- Changelog
3.2.6
Configuration changes
* require_message_authenticator=auto and limit_proxy_state=auto
are not applied for wildcard clients. This likely will
leave your network in an insecure state. Upgrade all clients!
Feature improvements
* Allow for "auth+acct" dynamic home servers.
* Allow for setting "Home-Server-Pool", etc. for proxying
accounting packets, just like authentication packets.
* Fix spelling in starent SN[1]-Subscriber-Acct-Mode attribute
value. Patch from John Thacker.
* Update dictionary.iea. Patch from John Thacker.
* Add warning for secrets that are too short.
* More debugging for SSL ciphers. Patch from Nick Porter.
* Update 3GPP dictionary. Patch from Nick Porter.
* Fix ZTE dictionary.
* Make radsecret more portable and avoid extra dependencies.
* Add timestamp for Client-Lost so we don't think it's 1970. Patch
from Alexander Clouter. #5353
Bug fixes
* Dynamic clients now inherit require_message_authenticator
and limit_proxy_state from dynamic client {...} definition.
* Fix radsecret build rules to better support parallel builds.
* Checkpoint systems should be reconfigured for the BlastRADIUS
attack: https://support.checkpoint.com/results/sk/sk182516
The Checkpoint systems drop packets containing Message-Authenticator,
which violates the RFCs and is completely ridiculous.
* Fix duplicate CoA packet issue. #5397
* Several fixes in the event code
* Don't leak memory in rlm_sql_sqlite. #5392
* Don't stop processing RadSec data too early.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 16 Jan 2025 17:19:10 +0000 (18:19 +0100)]
libxxhash: Update to version 0.8.3 and make available to rsync
- Update from version 0.8.2 to 0.8.3
- Update of rootfile
- Move libxxhash to before rsync in make.sh
- Changelog
0.8.3
- fix : variant `XXH3_128bits_withSecretandSeed()` could produce an invalid
result in some specific set of conditions, #894 by @hltj
- cli : vector extension detected at runtime on x86/x64, enabled by default
- cli : new commands `--filelist` and `--files-from`, by @Ian-Clowes
- cli : XXH3 64-bits GNU format can now be generated and checked (command `-H3`)
- portability: LoongArch SX SIMD extension, by @lrzlin
- portability: can build on AIX, suggested by @likema
- portability: validated for SPARC cpus
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 16 Jan 2025 17:19:09 +0000 (18:19 +0100)]
rsync: Update to version 3.4.1
- Update from version 3.3.0 to 3.4.1 as the previous patch which went from 3.3.0 to 3.4.0
has only been merged into CU190 and not into next where this patch is being done.
Not sure if this will cause problems or not. I updated the PAK_VER of rsynce from
19 to 21 so that it went over the PAK_VER of the version merged into CU190.
- If how I have done it is not the best or not correct just let me know how I should do
it and I will re-do it.
- Update of rootfile not required.
- Added in enabling xxhash as we have that available in IPFire as another addon.
- Ran rsync -V and confirmed that xxhash is now available to rsync.
- Changelog
3.4.1
Release 3.4.1 is a fix for regressions introduced in 3.4.0
BUG FIXES:
- fixed handling of -H flag with conflict in internal flag values
- fixed a user after free in logging of failed rename
- fixed build on systems without openat()
- removed dependency on alloca() in bundled popt
DEVELOPER RELATED:
- fix to permissions handling in the developer release script
3.4.0 (This was already in the previous patch that went from 3.3.0 to 3.4.0
Release 3.4.0 is a security release that fixes a number of important
vulnerabilities. For more details on the vulnerabilities please see the CERT
report https://kb.cert.org/vuls/id/952657
PROTOCOL NUMBER:
- The protocol number was changed to 32 to make it easier for
administrators to check their servers have been updated
SECURITY FIXES:
Many thanks to Simon Scannell, Pedro Gallegos, and Jasiel Spelman at
Google Cloud Vulnerability Research and Aleksei Gorban (Loqpa) for
discovering these vulnerabilities and working with the rsync project
to develop and test fixes.
- CVE-2024-12084 - Heap Buffer Overflow in Checksum Parsing.
- CVE-2024-12085 - Info Leak via uninitialized Stack contents defeats ASLR.
- CVE-2024-12086 - Server leaks arbitrary client files.
- CVE-2024-12087 - Server can make client write files outside of destination directory using symbolic links.
- CVE-2024-12088 - --safe-links Bypass.
- CVE-2024-12747 - symlink race condition.
BUG FIXES:
- Fixed the included popt to avoid a memory error on modern gcc versions.
- Fixed an incorrect extern variable's type that caused an ACL issue on macOS.
- Fixed IPv6 configure check
INTERNAL:
- Updated included popt to version 1.19.
DEVELOPER RELATED:
- Various improvements to the release scripts and git setup.
- Improved packaging/var-checker to identify variable type issues.
- added FreeBSD and Solaris CI builds
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 9 Jan 2025 15:08:22 +0000 (15:08 +0000)]
kernel: Strip modules
The kernel does not strip modules by default. This can be enabled by
passing INSTALL_MOD_STRIP=1 when installing the modules.
Since we are not actually building the kernel with debuginfo and we are
comressing the modules afterwards, there is not a huge saving on disk
space, but there is a small saving of memory when loading the modules.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 8 Jan 2025 12:18:54 +0000 (13:18 +0100)]
fr.pl: Additional update to French translations for the optionsfw.cgi page
Reported-by: Phil SCAR <p27m@orange.fr> Fixes: Bug13800 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 6 Jan 2025 13:52:26 +0000 (14:52 +0100)]
speedtest-cli: Fix for bug13805 - error message if run on hour or half hour
- Created a self consistent patch set out of four patches on the speedtest-cli
github site. Slight changes needed in each to allow them to be successfully applied
in sequence.
- Additional comments added to top of the various patches.
- Tested out this modified package on my vm testbed and it fixes the bug of
speedtest-cli giving an error message if run on the hour or on the half hour. I
tested it out with the original system first and it failed with the error message
for 7 half hour tests. With this modified version it ran for 9 half hour slots with
no problems at all. Tested with the command being run via fcrontab.
- None of these patches have ben merged by the speedtest-cli github owner as the last
commit was July 2021 and the patches were proposed in Feb 2023. There has been no
resposne to anything on the speedtest-cli github site by the owner.
- I have reviewed all the patches and the content looks fine to me with no concerns
from a security point of view although it would be good to get feedback from
alternative eyes.
- Update of rootfile not required.
Fixes: Bug13805 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 21 Dec 2024 12:55:39 +0000 (13:55 +0100)]
clamav: Update to version 1.4.1
- Update from version 1.3.2 to 1.4.1
- Update of rootfile
- Changelog
1.4.1
ClamAV 1.4.1 is a critical patch release with the following fixes:
- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
Changed the logging module to disable following symlinks on Linux and Unix
systems so as to prevent an attacker with existing access to the 'clamd' or
'freshclam' services from using a symlink to corrupt system files.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to Detlef for identifying this issue.
- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
Fixed a possible out-of-bounds read bug in the PDF file parser that could
cause a denial-of-service (DoS) condition.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
'cgi' module that is expected to cause test failures in Python 3.13.
1.4.0
Major changes
- Added support for extracting ALZ archives.
The new ClamAV file type for ALZ archives is `CL_TYPE_ALZ`.
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable ALZ archive support.
> _Tip_: DCONF (Dynamic CONFiguration) is a feature that allows for some
> configuration changes to be made via ClamAV `.cfg` "signatures".
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1183)
- Added support for extracting LHA/LZH archives.
The new ClamAV file type for LHA/LZH archives is `CL_TYPE_LHA_LZH`.
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable LHA/LZH archive support.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1192)
- Added the ability to disable image fuzzy hashing, if needed. For context,
image fuzzy hashing is a detection mechanism useful for identifying malware
by matching images included with the malware or phishing email/document.
New ClamScan options:
```
--scan-image[=yes(*)/no]
--scan-image-fuzzy-hash[=yes(*)/no]
```
New ClamD config options:
```
ScanImage yes(*)/no
ScanImageFuzzyHash yes(*)/no
```
New libclamav scan options:
```c
options.parse &= ~CL_SCAN_PARSE_IMAGE;
options.parse &= ~CL_SCAN_PARSE_IMAGE_FUZZY_HASH;
```
Added a [DCONF](https://docs.clamav.net/manual/Signatures/DynamicConfig.html)
option to enable or disable image fuzzy hashing support.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)
Other improvements
- Added cross-compiling instructions for targeting ARM64/aarch64 processors for
[Windows](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-windows-arm64.md)
and
[Linux](https://github.com/Cisco-Talos/clamav/blob/main/INSTALL-cross-linux-arm64.md).
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1116)
- Improved the Freshclam warning messages when being blocked or rate limited
so as to include the Cloudflare Ray ID, which helps with issue triage.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1195)
- Removed unnecessary memory allocation checks when the size to be allocated
is fixed or comes from a trusted source.
We also renamed internal memory allocation functions and macros, so it is
more obvious what each function does.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1137)
- Improved the Freshclam documentation to make it clear that the `--datadir`
option must be an absolute path to a directory that already exists, is
writable by Freshclam, and is readable by ClamScan and ClamD.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1199)
- Added an optimization to avoid calculating the file hash if the clean file
cache has been disabled. The file hash may still be calculated as needed to
perform hash-based signature matching if any hash-based signatures exist that
target a file of the same size, or if any hash-based signatures exist that
target "any" file size.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1167)
- Added an improvement to the SystemD service file for ClamOnAcc so that the
service will shut down faster on some systems.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1164)
- Added a CMake build dependency on the version map files so that the build
will re-run if changes are made to the version map files.
Work courtesy of Sebastian Andrzej Siewior.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1294)
- Added an improvement to the CMake build so that the RUSTFLAGS settings
are inherited from the environment.
Work courtesy of liushuyu.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1301)
Bug fixes
- Silenced confusing warning message when scanning some HTML files.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1252)
- Fixed minor compiler warnings.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1197)
- Since the build system changed from Autotools to CMake, ClamAV no longer
supports building with configurations where bzip2, libxml2, libz, libjson-c,
or libpcre2 are not available. Libpcre is no longer supported in favor of
libpcre2. In this release, we removed all the dead code associated with those
unsupported build configurations.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1217)
- Fixed assorted typos. Patch courtesy of RainRat.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1228)
- Added missing documentation for the ClamScan `--force-to-disk` option.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1186)
- Fixed an issue where ClamAV unit tests would prefer an older
libclamunrar_iface library from the install path, if present, rather than
the recently compiled library in the build path.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1258)
- Fixed a build issue on Windows with newer versions of Rust.
Also upgraded GitHub Actions imports to fix CI failures.
Fixes courtesy of liushuyu.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)
- Fixed an unaligned pointer dereference issue on select architectures.
Fix courtesy of Sebastian Andrzej Siewior.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)
- Fixed a bug that prevented loading plaintext (non-CVD) signature files
when using the `--fail-if-cvd-older-than=DAYS` / `FailIfCvdOlderThan` option.
Fix courtesy of Bark.
- [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1309)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Sat, 21 Dec 2024 12:55:08 +0000 (13:55 +0100)]
rust: Update to version 1.83.0
- Update from version 1.67.0 to 1.83.0
- Update x86_64, aarch64 & riscv64 rootfiles
- This version of rust hasd the fix to ensure that ruby builds okay with aarch64 &
riscv64. This required a fix to be applied to the LLVM and then for the updated
LLVM to be built into rust. That has occurred with this version.
- Tested out the build on aarch64 and riscv64 and confirmed that ruby built without
any problems with this version of rust.
- The update of rust required a range of updates of other rust crates plus the
inclusion of new crates and the pinning of some crates to older versions. This patch
set includes all the rust crate changes.
- The download-rust-crate script results in source tarballs that have a Cargo.toml.orig
file included in them. This is not allowed in the rust building so the rust-rand file
which is used as a template for the rust crate script has been modified to remove
this .orig file so that the build can complete.
- With this updated version of rust the clamav addon can also now be updated and so is
also included in this patch set.
- There are 29 rust crate changes.
- Changelog is too large to include here. Details can be found at
https://releases.rs/docs/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:17 +0000 (18:51 +0200)]
samba: Modification to disable cups for samba build and install
- As discussed at IPFire conf call on 7th Oct
- disable cups for the samba configure stage
- Update of rootfiles
- Update of samba.cgi to remove the printing of a printer share into the samba
configuration file.
- Tested out on vm system. Installed samba with only avahi, perl-Parse-Yapp, perl-JSON
and wsdd as dependencies. Installed without any problems. Existing share was able
to be accessed without any problems and a new share was created and was also able
to be accessed without problems.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:16 +0000 (18:51 +0200)]
perl-Imager: Removal of all tiff related lines in rootfile
- With removal of libtiff, the perl-Imager rootfile has to have tiff related lines
removed.
- perl-Imager works without the tiff lines in place. Only no tiff images will be able
to be processed by perl-Imager but that is not required for its use in IPFire.
- Tested out creating an OpenVPN connection with OTP enabled and the OTP QR code was
produced and able to be viewed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:15 +0000 (18:51 +0200)]
make.sh: All removed packages removed from make.sh
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:14 +0000 (18:51 +0200)]
qpdf: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:13 +0000 (18:51 +0200)]
poppler-data: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:12 +0000 (18:51 +0200)]
poppler: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:11 +0000 (18:51 +0200)]
openjpeg: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:10 +0000 (18:51 +0200)]
libtiff: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:09 +0000 (18:51 +0200)]
lcms2: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:08 +0000 (18:51 +0200)]
hplip: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:07 +0000 (18:51 +0200)]
gutenprint: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:06 +0000 (18:51 +0200)]
ghostscript: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:05 +0000 (18:51 +0200)]
foomatic: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:04 +0000 (18:51 +0200)]
epson-inkjet-printer-escpr: Removal of package
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:03 +0000 (18:51 +0200)]
cups-pdf: Removal of cups-pdf
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:02 +0000 (18:51 +0200)]
cups-filters: Removal of cups-filters
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Mon, 14 Oct 2024 16:51:01 +0000 (18:51 +0200)]
cups: Removal of cups and associated packages
- As discussed at IPFire conf call on 7th Oct
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 2 Jan 2025 16:29:26 +0000 (17:29 +0100)]
miniupnpc: revert the addition of this package due to transmission reversion
- As transmission has been reverted back to version 4.0.5 then miniupnpc is no longer
needed for building or runtime.
- This removes the minupnpc lfs and rootfile files. It also removes miniupnpc from
the make.sh file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 2 Jan 2025 16:29:25 +0000 (17:29 +0100)]
transmission: revert version back to 4.0.5
- Revert back from 4.0.6 to 4.0.5 due to a bug in 4.0.6 that has resulted in a variety
of torrent mirrors banning transmission-4.0.6
- The update from 4.0.5 to 4.0.6 did not have any security fixes in it so there is no
issue in moving backward to 4.0.5
- A fix has been created but it is unclear when (and if) version 4.0.7 will be released.
The fix has also been included in version 4.1.0 but this is still in beta development
form.
- Version 4.0.6 required minupnpc for building and run time. This reversion is also
removing miniupnpc in an associated patch in this patch set.
- No change required in the rootfile.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Fri, 27 Dec 2024 09:10:00 +0000 (09:10 +0000)]
Tor: Update to 0.4.8.13
Full changelog according to
https://gitlab.torproject.org/tpo/core/tor/-/blob/tor-0.4.8.13/ChangeLog :
Changes in version 0.4.8.13 - 2024-10-24
This is minor release fixing an important client circuit building (Conflux
related) bug which lead to performance degradation and extra load on the
network. Some minor memory leaks fixes as well as an important minor feature
for pluggable transports. We strongly recommend to update as soon as possible
for clients in order to neutralize this conflux bug.
o Major bugfixes (circuit building):
- Conflux circuit building was ignoring the "predicted ports"
feature, which aims to make Tor stop building circuits if there
have been no user requests lately. This bug led to every idle Tor
on the network building and discarding circuits every 30 seconds,
which added overall load to the network, used bandwidth and
battery from clients that weren't actively using their Tor, and
kept sockets open on guards which added connection padding
essentially forever. Fixes bug 40981; bugfix on 0.4.8.1-alpha;
o Minor feature (bridges, pluggable transport):
- Add STATUS TYPE=version handler for Pluggable Transport. This
allows us to gather version statistics on Pluggable Transport
usage from bridge servers on our metrics portal. Closes
ticket 11101.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on October 24, 2024.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2024/10/24.
o Minor bugfixes (memleak, authority):
- Fix a small memleak when computing a new consensus. This only
affects directory authorities. Fixes bug 40966; bugfix
on 0.3.5.1-alpha.
o Minor bugfixes (memory):
- Fix memory leaks of the CPU worker code during shutdown. Fixes bug
833; bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
