Stefan Schantl [Wed, 30 Jun 2021 18:40:31 +0000 (20:40 +0200)]
Firewall: Proper allow to create REDIRECT rules.
This patch now proper allows to create rules for redirecting requests of a
given host, group or network(s) to a specified port or service to the
local IPFire system.
So it implements a very generic and easy to use feature to redirect
(for example all DNS, NTP, or whatever) requests to the a local running
instance and so to force usage of that local hosted service.
* The feature supports specifiying a single port and redirect the requests to another given one.
( For example requests to UDP 123 can be redirected to local UDP 1234
if you run an NTP server on that port.)
* It also supports direct usage of services or even service groups.
( So you can create a service group for DNS and redirect them to the
local recursor, or create a "redirected services" group which easily
can be managed...)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 30 Jun 2021 17:47:07 +0000 (19:47 +0200)]
iperf3: Update to version 3.10.1
- Update from 3.9 to 3.10.1
- Update of rootfile not required
- Changelog
iperf-3.10.1 2021-06-03
* Notable user-visible changes
* Fixed a problem with autoconf scripts that made builds fail in
some environments (#1154 / #1155).
* Developer-visible changes
* GNU autoconf 2.71 or newer is now required to regenerate iperf3's
configure scripts.
iperf 3.10 2021-05-26
* Notable user-visible changes
* Fix a bug where some --reverse tests didn't terminate (#982 /
#1054).
* Responsiveness of control connections is slightly improved (#1045
/ #1046 / #1063).
* The allowable clock skew when doing authentication between client
and server is now configurable with the new --time-skew-threshold
(#1065 / #1070).
* Bitrate throttling using the -b option now works when a burst size
is specified (#1090).
* A bug with calculating CPU utilization has been fixed (#1076 /
#1077).
* A --bind-dev option to support binding sockets to a given network
interface has been added to make iperf3 work better with
multi-homed machines and/or VRFs (#817 / #1089 / #1097).
* --pidfile now works with --client mode (#1110).
* The server is now less likely to get stuck due to network errors
(#1101, #1125), controlled by the new --rcv-timeout option.
* Fixed a few bugs in termination conditions for byte or
block-limited tests (#1113, #1114, #1115).
* Added tcp_info.snd_wnd to JSON output (#1148).
* Some bugs with garbled JSON output have been fixed (#1086, #1118,
#1143 / #1146).
* Support for setting the IPv4 don't-fragment (DF) bit has been
added with the new --dont-fragment option (#1119).
* A failure with not being able to read the congestion control
algorithm under WSL1 has been fixed (#1061 / #1126).
* Error handling and error messages now make more sense in cases
where sockets were not successfully opened (#1129 / #1132 /
#1136, #1135 / #1138, #1128 / #1139).
* Some buffer overflow hazards were fixed (#1134).
* Notable developer-visible changes
* It is now possible to use the API to set/get the congestion
control algorithm (#1036 / #1112).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 30 Jun 2021 17:46:50 +0000 (19:46 +0200)]
intltool: Update to version 0.51.0
- Update from 0.40.5 (2008) to 0.51.0 (2015 - latest release)
- Update of rootfile3 not required
- Changelog is too long to include here
Changes from version 0.41.0 to 0.51.0 can be found at https://launchpad.net/intltool/+download
and in the ChangeLog files in the Source Tarballs
Changes prior to 0.41.0 can be found at https://download.gnome.org/sources/intltool/
in the ChangeLog files in the Source Tarballs
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 30 Jun 2021 17:46:31 +0000 (19:46 +0200)]
ghostscript: Update version to 9.54.0
- Update from 9.53.3 to 9.54.0
- Update rootfile
- delete patch related to FT_CALLBACK_DEF as fix has been implemented in the source
tarball
- Changelog highlights
Version 9.54.0 (2021-03-30)
The 9.54.0 release is a maintenance release, and also adds new functionality.
Highlights in this release include:
Overprint simulation is now available to all output devices, allowing quality previewing/proofing of PostScript and PDF jobs that rely on overprint. See the -dOverprint option documentation in: Overprint
The "docxwrite" device adds the ability to output to Microsoft Word "docx" format. See: docxwrite
The pdfwrite device is now capable of using the Tesseract OCR engine when it is built into Ghostscript to improve searchability and copy and paste functionality when the input lacks the metadata for that purpose. See: UseOCR
Ghostscript/GhostPDL now includes a "map text to black" function, where text drawn by an input job (except when drawn using a Type 3 font) can be forced to draw in solid black. See: BlackText
Ghostscript/GhostPDL now supports simple N-up imposition "internally". See: NupControl
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental improvements.
Full details of above highlights can be found at https://www.ghostscript.com/doc/9.54.0/History9.htm
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 30 Jun 2021 17:46:07 +0000 (19:46 +0200)]
alsa: Update to version 1.2.5.1
- Not really sure if a sound support capability is really appropriate for a firewall. I
wouldn't have it. However if it stays as an add-on then it should be up to date.
- Update alsa-lib from 1.0.27.1 (2013) to 1.2.5.1 (2021)
- Update alsa-utils from 1.0.27.1 (2013) to 1.2.5.1 (2021)
- Update alsa-firmware from 1.0.27 (2013) to 1.2.4 (2020)
- Update rootfile
- Changelog is too large to include here. Changes back to 2019-11-20 can be found at
https://www.alsa-project.org/wiki/Main_Page
Earlier changes have to be found from the git commits at
https://github.com/alsa-project/alsa-lib and
https://github.com/alsa-project/alsa-utils
There is no changelog or git commits that I have been able to find for alsa-firmware
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Previously, the getcolor() function did not correctly process IPsec
N2N connections with more than one remote network configured, resulting
in networks mistakenly marked as being part of a VPN connection, or vice
versa.
Fixes: #11235 Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 22 Apr 2021 16:15:22 +0000 (18:15 +0200)]
general-functions.pl: do not miscalculate when enumerating IPsec N2N subnet membership
Fixes: #11235 Cc: Alexander Marx <alexander.marx@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Mon, 19 Jul 2021 10:54:50 +0000 (10:54 +0000)]
README: Update installation URL
Reported-by: Konrad Panzlaff <konrad.panzlaff@pa-bu.de> Fixes: #12661 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 14 Jul 2021 20:41:39 +0000 (22:41 +0200)]
tshark: Update to version 3.4.6
- Update from 3.4.3 to 3.4.6
- Update rootfile
- Changelog
Wireshark 3.4.6 Release Notes
What’s New
The Windows installers now ship with Npcap 1.31. They previously
shipped with Npcap 1.10.
The Windows installers now ship with Qt 5.15.2. They previously
shipped with Qt 5.12.1.
Bug Fixes
• wnpa-sec-2021-04[1] DVB-S2-BB dissector infinite loop
The following bugs have been fixed:
• Macro filters can’t handle escaped characters Issue 17160[2].
• Display filter crashes Wireshark Issue 17316[3].
• IEEE-1588 Signalling Unicast TLV incorrectly reported as being
malformed Issue 17355[4].
• IETF QUIC TLS decryption error with extraneous packets during the
handshake Issue 17383[5].
• Statistics → Resolved Addresses: multi-protocol (TCP/UDP/…)
ports not displayed Issue 17395[6].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DNP, DVB-S2-BB, ProtoBuf, PTP, QUIC, RANAP, and TACACS
New and Updated Capture File Support
Ascend, ERF, K12, NetScaler, and pcapng
Wireshark 3.4.5 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-04[1] MS-WSP dissector excessive memory
consumption. Issue 17331[2].
The following bugs have been fixed:
• TShark does not print GeoIP information Issue 14691[3].
• TShark error when piping to "head" Issue 16192[4].
• Parts of ASCII representation in Packet Bytes pane are missing
Issue 17087[5].
• Buildbot crash output: fuzz-2021-02-22-1012761.pcap Issue
17254[6].
• NDPE attribute of NAN packet is not dissected Issue 17278[7].
• TECMP: reserved flag interpreted as part of timestamp Issue
17279[8].
• Master branch does not compile at least with gcc-11 Issue
17281[9].
• DNS IXFR/AXFR multiple response Issue 17293[10].
• File too large Issue 17301[11].
• Build fails with CMake 3.20 Issue 17314[12].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
DECT, DNS, EAP, Kerberos, LDAP, MS-WSP, SMB2, Sysdig, TECMP, and WiFi
NAN
New and Updated Capture File Support
pcapng
Wireshark 3.4.4 Release Notes
What’s New
Bug Fixes
The following vulnerabilities have been fixed:
• wnpa-sec-2021-03[1] Wireshark could open unsafe URLs. Issue
17232[2]. CVE-2021-22191[3].
The following bugs have been fixed:
• NTP Version 3 Client Decode PDML output issue (Reference ID
Issue) Issue 17112[4].
• 3.4.2: public wireshark include files are including build time
"config.h" Issue 17190[5].
• wireshark-3.4.3/epan/dissectors/packet-s7comm.c:3521: bad array
index ? Issue 17198[6].
• SIP protocol: P-Called-Party-ID header mixed up with
P-Charge-Info header Issue 17215[7].
• Asterix CAT010 Decode Error Issue 17226[8].
• _ws.expert columns not populated for IPv4 Issue 17228[9].
• Buildbot crash output: fuzz-2021-02-12-1651908.pcap Issue
17233[10].
• gQUIC: Wireshark 3.4.3 fails to dissect a packet (gQUIC q024)
that v3.2.6 succeeds. Issue 17250[11].
New and Updated Features
New Protocol Support
There are no new protocols in this release.
Updated Protocol Support
ASTERIX, Frame Relay, GQUIC, NTP, NVMe Fabrics RDMA, S7COMM, and SIP
New and Updated Capture File Support
iSeries
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 14 Jul 2021 20:41:23 +0000 (22:41 +0200)]
tftpd: Update to version 5.2
- Update from 0.48 (2007) to 5.2 (2011)
Version 5.2 is the last update made to this program
- Update to rootfile
- Changelog
Changes in 5.2:
Fix breakage on newer Linux when a single interface has
multiple IP addresses.
Changes in 5.1:
Add -P option to write a PID file. Patch by Ferenc Wagner.
Bounce the syslog socket in standalone mode, in case the
syslog daemon has been restarted. Patch by Ferenc Wagner.
Build fixes.
Fix handling of block number wraparound after a successful
options negotiation.
Fix a buffer overflow in option parsing.
Changes in 5.0:
Try to on platforms with getaddrinfo() without AI_ADDRCONFIG or
AI_CANONNAME.
Implement the "rollover" option, for clients which want block
number to rollover to anything other than zero.
Correctly disable PMTU in standalone mode. Patch by Florian
Lohoff.
Changes in 0.49:
Add IPv6 support. Patch by Karsten Keil.
Support systems with editline instead of readline.
Support long options in the server.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 14 Jul 2021 11:37:12 +0000 (13:37 +0200)]
samba: Update version to 4.14.6
- Update from 4.14.4 to 4.14.6
- Update of rootfile not required
- Changelog
Release Notes for Samba 4.14.6
* BUG 14722: s3: lib: Fix talloc heirarcy error in parent_smb_fname().
* BUG 14732: smbd: Fix pathref unlinking in create_file_unixpath().
* BUG 14734: s3: VFS: default: Add proc_fd's fallback for vfswrap_fchown().
* BUG 14736: s3: smbd: Remove erroneous TALLOC_FREE(smb_fname_parent) in
change_file_owner_to_parent() error path.
* BUG 14730: NT_STATUS_FILE_IS_A_DIRECTORY error messages when using
glusterfs VFS module.
* BUG 14734: s3/modules: fchmod: Fallback to path based chmod if pathref.
* BUG 14740: Spotlight RPC service doesn't work with vfs_glusterfs.
* BUG 14750: gensec_krb5: Restore ipv6 support for kpasswd.
* BUG 14752: smbXsrv_{open,session,tcon}: protect
smbXsrv_{open,session,tcon}_global_traverse_fn against invalid records.
* BUG 14027: samba-tool domain backup offline doesn't work against bind DLZ
backend.
* BUG 14669: netcmd: Use next_free_rid() function to calculate a SID for
restoring a backup.
Release Notes for Samba 4.14.5
* BUG 14696: s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success.
* BUG 14708: s3: smbd: Ensure POSIX default ACL is mapped into returned
Windows ACL for directory handles.
* BUG 14721: s3: smbd: Fix uninitialized memory read in
process_symlink_open() when used with vfs_shadow_copy2().
* BUG 14689: docs: Expand the "log level" docs on audit logging.
* BUG 14714: smbd: Correctly initialize close timestamp fields.
* BUG 14699: Fix gcc11 compiler issues.
* BUG 14718: docs-xml: Update smbcacls manpage.
* BUG 14719: docs: Update list of available commands in rpcclient.
* BUG 14475: ctdb: Fix a crash in run_proc_signal_handler().
* BUG 14695: s3:winbind: For 'security = ADS' require realm/workgroup to be
set.
* BUG 14699: lib:replace: Do not build strndup test with gcc 11 or newer.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 16 Jul 2021 11:12:58 +0000 (13:12 +0200)]
libcdada: Patch file to allow build to work with GCC 11 and update version to 0.3.5
- Update from 0.3.4 to 0.3.5
- Created libcdada-0.3.5-Werror.patch based on the gentoo 0.3.5 patch to remove -Werror
flags from the configure. This was flagging up warnings as errors and stopping
the build
- Removed the SUP_ARCH line to allow it to build again
- Added --without-tests and --without-checks to the ./configure statement. This prevents
the test and checks being built
- Removed libcdada-0.3.4-use-shared-library-for-tests-and-examples-build.patch as no
longer needed with the tests and checks no longer being built
- No update required for rootfile
- Changelog
v0.3.5 (20th April 2021)
New
- Improved public API documentation
- build: add --without-tests --without-examples build options
Bug fix
- Fix `E_EMPTY` return codes set/map/list/stack/queue
- Fix `make check` when valgrind is not installed
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Fri, 16 Jul 2021 11:12:57 +0000 (13:12 +0200)]
pmacct: Patch file to allow build to work with GCC 11
- Created pmacct-1.7.6-Werror.patch to remove -Werror flags from the configure
This was flagging up warnings as errors and stopping the build
- Removed the SUP_ARCH line to allow it to build again
- No update required to the rootfile
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Sun, 11 Jul 2021 13:12:15 +0000 (14:12 +0100)]
make.sh: Explicitely call zstd to extract toolchain
Some older versions of tar do not recognise Zstandard, yet.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Tested-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 13 Jul 2021 16:27:59 +0000 (16:27 +0000)]
cdrom: Compress file system image using Zstandard
This patch uses the new Zstandard algorithm to compress the file system
image on the ISO image. This comes with these advantages:
* Compression is about twice as fast than XZ with the parameters we have
selected here
* We use a lot less memory during compression and can therefore utilise
all processor cores of the build machines
* Decompression (when installing IPFire and when creating the
flash-image) is substantically faster
The downside is that the generated ISO image is slighty larger (~10MiB)
which I am okay with as a trade-off for the points mentioned above.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 13 Jul 2021 15:44:20 +0000 (15:44 +0000)]
installer: Fix reading /proc/cmdline when launched by GRUB
The installer was reading the kernel command line and was looking for
certain values which configured the installer.
GRUB appended a trailing newline character which was not accounted for
and caused that the last parameter was not correctly compared to the
list of possible keys.
Fixes: #12656 - core 157: unattended installation don't work as expected on EFI Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Tue, 13 Jul 2021 10:11:31 +0000 (10:11 +0000)]
aws: Enable serial console by default
AWS for some time now has a serial console feature which is enabled by
default on all systems. The VGA console is not enabled for any new
non-x86 instance types and not interactive.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
with kernel 5.10.x also the reading of s.m.a.r.t. data to update
the temperatur graphs is countet as disk read so update the stored
value after reading.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Michael Tremer [Fri, 9 Jul 2021 16:17:43 +0000 (16:17 +0000)]
stripper: Handle capabilities
During the build process, we set capabilities to elevate privileges of
certain progrems (e.g. ping). These have been removed during the build
process because of strip.
This patch collects any capabilities from all files that are being
stripped and restores them after calling strip.
Fixes: #12652 Reported-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> Acked-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 7 Jul 2021 17:27:14 +0000 (19:27 +0200)]
Pakfire: call "sync" in function.sh after having extracted archives
After upgrading to Core Update 157, a few number of users reported their
systems to be unworkable after a reboot. Most of them (the systems, not
the users) were apparently missing the new Linux kernel in their Grub
configuration, causing a non-functional bootloader written to disk.
While we seem to be able to rule out issues related to poor storage
(SDDs, flash cards, etc.) or very high I/O load, it occurred to me we
are not calling "sync" after having extracted a Core Update's .tar.gz
file.
This patch therefore proposes to do so. It is a somewhat homeopathic
approach, though, but might ensure all parts of the system to have
properly processed the contents of an extracted archive. While we cannot
even reasonably guess it will solve the problem(s) mentioned initially,
doing so cannot hurt either.
See also:
https://community.ipfire.org/t/after-update-ipfire-to-157-no-boot/5641/45
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Tue, 6 Jul 2021 16:08:29 +0000 (18:08 +0200)]
ddns.cgi: Fix sanity check logic.
The input validation did not work in the proper way. It allways
reported "No password" when using a provider which supports token and
the token has been given.
This of course is wrong and leaded to unuseable providers.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
