- Update from version 20240910 to 20241029
- Update of rootfile not required
- Changelog 20241029
Update for functional issues. Refer to 14th/13th Generation Intel® Core™
Processor Specification Update for details at
https://cdrdv2.intel.com/v1/dl/getContent/740518
Updated Platforms
Processor      Stepping  F-M-S/PI     Old Ver   New Ver   Products
RPL-E/HX/S     B0        06-b7-01/32  00000129  0000012b  Core Gen13/Gen14
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
When we import all static leases, their remark will be used as hostname
(because WTF?) and might be overwritten if the device is not sending any
or even the same hostname.
This patch avoids that static leases will be modified.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2024 16:38:47 +0000 (16:38 +0000)]
unbound-dhcp-leases-bridge: Fix typo
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 21 Oct 2024 16:38:46 +0000 (16:38 +0000)]
unbound-dhcp-leases-bridge: Don't export expired leases to Unbound
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This option needs to be configurable since some (braindead) ISPs have
started running broken DHCP servers to be bug-compatible with cheap
broken plastic routers.
By default we keep this option enabled, but it can now be turned off
whenever needed.
Suggested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Thu, 17 Oct 2024 14:54:16 +0000 (14:54 +0000)]
chown: Replace . with : on all shipped scripts
I don't like this messy bootup screen that we have with all sorts of
warnings that actually don't cause any problems, but make the boot
messy and send the wrong message to users.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 15 Oct 2024 07:35:22 +0000 (09:35 +0200)]
dhcpcd: Update to version 10.1.0
- Update from version 10.0.10 to 10.1.0
- Update of rootfile not required
- Changelog
10.1.0
Bug Fixes
dhcp: get_option_uint32/16 only accept options with correct len by
@taoyl-g in #357
Include frame header in buffer length by @acst1223 in #371
For full changelog see commits delta in
https://github.com/NetworkConfiguration/dhcpcd/compare/v10.0.10...v10.1.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 10 Oct 2024 16:01:11 +0000 (18:01 +0200)]
tshark: Update to version 4.4.1
- Update from version 4.2.7 to 4.4.1
- The 4.4.x series is the new Stable Release replacing the 4.2.x series which becomes
the Old Stable Release.
- There is an sobump so find-dependencies was run for the three libraries with changes
but all linked programs are within tshark.
- Changelog is too large to include here. Links provided
4.4.1
https://www.wireshark.org/docs/relnotes/wireshark-4.4.1.html
4.4.0
https://www.wireshark.org/docs/relnotes/wireshark-4.4.0.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 8 Oct 2024 16:45:59 +0000 (18:45 +0200)]
mpfire: removal as discussed in Conf call 7th Oct
- removal of lfs, rootfile, backup, paks, misc-progs, mpfire perl, language file
content, mpfire.cgi, mpfire menu references and files, mpfire specific image,
web-user-interface references and references in manualpages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 8 Oct 2024 12:24:24 +0000 (14:24 +0200)]
ppp: Update to version 2.5.1
- Update from version commit e1266c7 to 2.5.1
- Version 2.5.1 has around 34 additional commits from e1266c7. To me all look minor
changes, some related to other system types such as Solaris that we don't use.
- Update of rootfile
- They have added example to the configuration files to prevent accidental overwriting
of configuration systems.
- Changelog - There is no longer any changelog provided. Even the one that used to
exist for version 2.5.0 has been removed. The only option now is to look through the
commits - https://github.com/ppp-project/ppp/commits/master/?before=d5aeec65752d4a9b3bb46771d0b221c4a4a6539e+35
- Some of the patches had to be updated as the changes were enough that some hunks did
not get found for patching. Patch file number 6 has been removed as the sed lines are
no longer to be found in the configure file. The other files that patched successfully
were renamed to 2.5.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Security #7289: http: missing hashtable random seed leads to potential DoS (CRITICAL - CVE 2024-47188)
Security #7268: ja4: non alphanumeric characters in alpn lead to panic (7.0.x backport) (HIGH - CVE 2024-47522)
Security #7258: thash: random factor not used; possible abusive hash collisions (7.0.x backport) (CRITICAL - CVE 2024-47187)
Security #7215: defrag: off by one leads to possible evasion (7.0.x backport) (HIGH - CVE 2024-45796)
Security #7196: datasets: rule with unset makes suricata abort (7.0.x backport) (HIGH - CVE 2024-45795)
Security #7192: http: quadratic complexity in headers processing/finding (7.0.x backport) (CRITICAL - CVE 2024-45797)
Bug #7290: tls: a rule stops working since 7.0.5 (7.0.x backport)
Bug #7286: eve/tls: enabling JA4 breaks custom field selection
Bug #7276: ja3: Error: ja3: Buffer should not be NULL (7.0.x backport)
Bug #7271: pgsql: track 'progress' in tx per direction (7.0.x backport)
Bug #7265: detect/flow: ACK with data on 3whs fails to match 'flow:established' (7.0.x backport)
Bug #7257: fuzz: CIFuzz is not fuzzing PRs as it is supposed to (7.0.x backport)
Bug #7242: app-layer-protocol: negated matching false positive (7.0.x backport)
Bug #7239: tls: Invalid ja3 due to double client hello (7.0.x backport)
Bug #7225: dataset: lookup function is not working with ip type (7.0.x backport)
Bug #7214: frames: stream frame is not always the first one registered (7.0.x backport)
Bug #7207: cbindgen: compatibility with newer version 0.27 (7.0.x backport)
Bug #7198: log/rfb: inconsistent key value security_result or security-result
Bug #7194: output: jb context not closed on error in EvePacket
Bug #7188: detect: dcerpc logging and matching issues (7.0.x backport)
Bug #7182: fuzz: File confyaml.c is missing (7.0.x backport)
Bug #7173: detect/integers: do not bother to free NULL pointer on setup/parse failure (7.0.x backport)
Bug #7166: profiling: rule profiling doesn't support absolute paths (7.0.x backport)
Bug #7159: tcp: 'broken ack' event set on flow timeout (7.0.x backport)
Bug #7136: util/thash: debug assertion for memuse (7.0.x backport)
Bug #7122: smb/ntlmssp: nonsense smb.ntlmssp.version values (7.0.x backport)
Bug #7116: dpdk: timestamping packets through TSC does not yield the same time as kernel time (7.0.x backport)
Bug #7066: alert/metadata: no pgsql object encapsulation (7.0.x backport)
Bug #7054: bypass: cannot bypass udp flow from first packet (7.0.x backport)
Bug #7001: pgsql: trigger raw stream reassembly (7.0.x backport)
Bug #6608: file: do not store if filestore:both,flow is triggered after the file was set to nostore (7.0.x backport)
Bug #6555: eve/alert: payload/payload_printable misrepresent data in case of overlaps (7.0.x backport)
Bug #6541: landlock: coverity warnings (7.0.x backport)
Optimization #7134: detect/snmp.version: do not free NULL pointer
Optimization #7075: dns/tcp: allow triggering raw stream reassembly (7.0.x backport)
Feature #7102: iprep: support seeing if rule is part of a rep list (7.0.x backport)
Feature #6674: detect: allow alert-then-pass logic (7.0.x backport)
Task #7249: libhtp 0.5.49 (7.0.x backport)
Task #7168: dns: make the version field in a dns object required (7.0.x backport)
Documentation #6641: doc: add tcp timeout fix to upgrade guide (7.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 24 Sep 2024 10:33:36 +0000 (12:33 +0200)]
dnsdist: Update to version 1.9.6
- Update from version 1.9.4 to 1.9.6
- Tested building on riscv64 and it built without issues and rootfile is same as for
x86_64 & aarch64. So supported architectures has been removed and dnsdist is available
on all three architectures.
- Update of rootfile not required
- Changelog
1.9.6
New Features
Add support for a callback when a new tickets key is added
References: pull request 14449
Improvements
Make the logging functions available to all Lua environments
References: pull request 14438
Handle Quiche >= 0.22.0
References: pull request 14450
Don’t include openssl/engine.h if it’s not going to be used (Sander Hoentjen)
References: pull request 14452
Bug Fixes
Dedup Prometheus help and type lines for custom metrics with labels
References: #14395, pull request 14439
Fix a race in the XSK/AF_XDP backend handling code
References: pull request 14436
dns.cc: use pdns::views::UnsignedCharView
References: pull request 14437
1.9.5
New Features
Add a Lua FFI function to set proxy protocol values
References: pull request 14338
Add Lua FFI bindings to generate SVC responses
References: pull request 14339
Bug Fixes
Use the correct source IP for outgoing QUIC datagrams
References: pull request 14166
Reply to HTTP/2 PING frames immediately
References: pull request 14163
Log the correct amount of bytes sent for DoH w/ nghttp2
References: pull request 14332
Prevent a race when calling registerWebHandler at runtime
References: pull request 14170
Enforce a maximum number of HTTP request fields and a maximum HTTP request line size
References: pull request 14333
Fix a race condition with custom Lua web handlers
References: pull request 14342
Syslog should be enabled by default
References: pull request 14331
Fix a warning when compiling the unit tests without XSK
References: pull request 14334
autoconf: allow prerelease systemd versions (Chris Hofstaedtler)
References: pull request 14335
Edit the systemd unit file, CAP_BPF is no longer enough
References: #14279, pull request 14336
Fix ‘Error creating TCP worker’ error message
References: pull request 14337
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>