Adolf Belka [Thu, 15 Feb 2024 12:58:35 +0000 (13:58 +0100)]
ruleset-sources: removal of PT Attack & Secureworks + addition of ThreatFox
- The PT Attack ruleset has not been updated since 2021 and made read-only in 2022
The PT Attack website no longer has any reference to Suricata Rulesets. The PT Attack
ruleset is being removed.
- The Secureworks three rulesets are no longer available. The website path gives a 404
error. No mention of Suricata rulesets in the Secureworks website. The Secureworks three
rulesets are being removed.
- ThreatFox ruleset has been added to the list. Both a plain and archive version of the
rules are available but the plain version is being regularly updated while the archive
version was last updated 5 days ago. So this patch has implemented the plain version.
- All above was discussed in the January Developers Conference call.
- Tested out on my vm testbed. I had PT Attack selected as one of the providers. As
mentioned by Stefan removing PT Attack means it is not available in the list of
providers but the provider stays in the providers table but with the line shown in red.
I will update the wiki to mention the red highlight and what it means.
Suggested-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 Feb 2024 20:47:57 +0000 (21:47 +0100)]
freeradius: Increment PAK_VER & ship freeradius to link to the updated libssl version
- OpenSSL was updated to 3.1.4 in CU181 and to 3.2.1 in CU183 but in both cases freeradius
was not incremented to cause it to be shipped.
- This patch increments the freeradius PAK_VER to ensure it will be shipped.
Fixes: Bug#13590 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 14 Feb 2024 10:34:36 +0000 (11:34 +0100)]
graphs.pl: Fixes graph failure when the DROP_HOSTILE directory is missing
- If a fresh install is done then only the DROP_HOSTILE_IN & DROP_HOSTILE_OUT
rrd directories are created.
- With the DROP_HOSTILE directory missing then when the fwhits graph is updated an error
message is caused by the inability to open the required files.
- This patch adds an if/else loop into the fwhits graph code to deal with the two cases
of the DROP_HOSTILE being present or not depending on the history and if a backup with
logs has been restored from when DROP_HOSTILE was in use.
- Tested on vm testbed and created a historical line for the hostile data when it was not
split
- There might be a simpler or better approach than this but it was the only option I
could identify. I couldn't find anything about being able to use if loops within the
RRD::Graph loop
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 14 Feb 2024 16:24:52 +0000 (17:24 +0100)]
unbound: Update to 1.19.1
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-1
"Bug Fixes
Fix CVE-2023-50387, DNSSEC verification complexity can be exploited
to exhaust CPU resources and stall DNS resolvers.
Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 5 Feb 2024 16:47:35 +0000 (16:47 +0000)]
make.sh: Compile with minimal debug information
In IPFire 2, we don't make any use out of the debug information.
Therefore we can tell the compiler to generate as minimal debug
information as possible in order to have a faster compilation process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
we had discussed this on december telco but it is not so
easy because our menusystem only shows entry's existing cgi's.
so i add a cgi redirect to http://$ENV{SERVER_ADDR}:3000
this add the entry under pakfire and also to service page.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:33 +0000 (22:27 +0100)]
suricata: Update to version 7.0.2
- Update from version 6.0.15 to 7.0.2
- Update of rootfile
- suricata 7.0.2 requires libhtp >= 0.5.45
it also requires libelf.so.1 for execution. Previous suricata versions only required
libelf for building. libelf or elfutils are not mentioned anywhere in the changelog
- Without elfutils available during starting then suricata fails to start due to
libelf.so.1 not being available.
- Tested out suricata7 with elfutils on my vm testbed and it successfully started.
- The suricata-5.0.8 patch has been removed as it got applied to configure.ac but this
is not available in suricata-7.0.2. It looks like that patch was never actually used in
suricata as all the builds I checked used the configure file from the source tarball
and the configure was never created by running autoconf on the configure.ac
- Changelog is too large to include here. Details can be found in the ChangeLog file in
the source tarball
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
Excerpts from changelog:
"Major changes
Added support for extracting and scanning attachments found in
Microsoft OneNote section files. OneNote parsing will be enabled by
default, but may be optionally disabled using one of the following
options:
a. The clamscan command line option: --scan-onenote=no,
b. The clamd.conf config option: ScanOneNote no,
c. The libclamav scan option options.parse &= ~CL_SCAN_PARSE_ONENOTE;,
d. A signature change to the daily.cfg dynamic configuration (DCONF).
Other improvements
Fixed issue when building ClamAV on the Haiku (BeOS-like) operating
system. Patch courtesy of Luca D'Amico
ClamD: When starting, ClamD will now check if the directory specified
by TemporaryDirectory in clamd.conf exists. If it doesn't, ClamD will
print an error message and will exit with exit code 1. Patch courtesy
of Andrew Kiggins.
CMake: If configured to build static libraries, CMake will now also
install the libclamav_rust, libclammspack, libclamunrar_iface, and
libclamunrar static libraries required by libclamav.
Note: These libraries are all linked into the clamscan, clamd, sigtool,
and freshclam programs, which is why they did not need to be installed
to function. However, these libraries would be required if you wish to
build some other program that uses the libclamav static library.
Added file type recognition for compiled Python (`.pyc`) files.
The file type appears as a string parameter for these callback
functions:
When scanning a `.pyc` file, the `type` parameter will now show
"CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".
Improved support for decrypting PDFs with empty passwords.
Assorted minor improvements and typo fixes.
Bug fixes
Fixed a warning when scanning some HTML files.
Fixed an issue decrypting some PDF's with an empty password.
ClamOnAcc: Fixed an infinite loop when a watched directory does not
exist.
ClamOnAcc: Fixed an infinite loop when a file has been deleted before a
scan.
Patch courtesy of gsuehiro.
Fixed a possible crash when processing VBA files on HP-UX/IA 64bit.
Patch courtesy of Albert Chin-A-Young.
ClamConf: Fixed an issue printing `MaxScanSize` introduced with the
change to allow a `MaxScanSize` greater than 4 GB.
Fix courtesy of teoberi.
Fixed an issue building a ClamAV RPM in some configurations.
The issue was caused by faulty CMake logic that intended to create an
empty database directory during the installation."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 7 Feb 2024 11:13:19 +0000 (12:13 +0100)]
expat: Update to version 2.6.0
- Update from version 2.5.0 to 2.6.0
- Update of rootfile
- This update fixes two CVE's. Not sure if IPFire would be vulnerable or not but safer
to update anyway.
- Changelog
2.6.0
Security fixes:
#789 #814 CVE-2023-52425 -- Fix quadratic runtime issues with big tokens
that can cause denial of service, in partial where
dealing with compressed XML input. Applications
that parsed a document in one go -- a single call to
functions XML_Parse or XML_ParseBuffer -- were not affected.
The smaller the chunks/buffers you use for parsing
previously, the bigger the problem prior to the fix.
Backporters should be careful to no omit parts of
pull request #789 and to include earlier pull request #771,
in order to not break the fix.
#777 CVE-2023-52426 -- Fix billion laughs attacks for users
compiling *without* XML_DTD defined (which is not common).
Users with XML_DTD defined have been protected since
Expat >=2.4.0 (and that was CVE-2013-0340 back then).
Bug fixes:
#753 Fix parse-size-dependent "invalid token" error for
external entities that start with a byte order mark
#780 Fix NULL pointer dereference in setContext via
XML_ExternalEntityParserCreate for compilation with
XML_DTD undefined
#812 #813 Protect against closing entities out of order
Other changes:
#723 Improve support for arc4random/arc4random_buf
#771 #788 Improve buffer growth in XML_GetBuffer and XML_Parse
#761 #770 xmlwf: Support --help and --version
#759 #770 xmlwf: Support custom buffer size for XML_GetBuffer and read
#744 xmlwf: Improve language and URL clickability in help output
#673 examples: Add new example "element_declarations.c"
#764 Be stricter about macro XML_CONTEXT_BYTES at build time
#765 Make inclusion to expat_config.h consistent
#726 #727 Autotools: configure.ac: Support --disable-maintainer-mode
#678 #705 ..
#706 #733 #792 Autotools: Sync CMake templates with CMake 3.26
#795 Autotools: Make installation of shipped man page doc/xmlwf.1
independent of docbook2man availability
#815 Autotools|CMake: Add missing -DXML_STATIC to pkg-config file
section "Cflags.private" in order to fix compilation
against static libexpat using pkg-config on Windows
#724 #751 Autotools|CMake: Require a C99 compiler
(a de-facto requirement already since Expat 2.2.2 of 2017)
#793 Autotools|CMake: Fix PACKAGE_BUGREPORT variable
#750 #786 Autotools|CMake: Make test suite require a C++11 compiler
#749 CMake: Require CMake >=3.5.0
#672 CMake: Lowercase off_t and size_t to help a bug in Meson
#746 CMake: Sort xmlwf sources alphabetically
#785 CMake|Windows: Fix generation of DLL file version info
#790 CMake: Build tests/benchmark/benchmark.c as well for
a build with -DEXPAT_BUILD_TESTS=ON
#745 #757 docs: Document the importance of isFinal + adjust tests
accordingly
#736 docs: Improve use of "NULL" and "null"
#713 docs: Be specific about version of XML (XML 1.0r4)
and version of C (C99); (XML 1.0r5 will need a sponsor.)
#762 docs: reference.html: Promote function XML_ParseBuffer more
#779 docs: reference.html: Add HTML anchors to XML_* macros
#760 docs: reference.html: Upgrade to OK.css 1.2.0
#763 #739 docs: Fix typos
#696 docs|CI: Use HTTPS URLs instead of HTTP at various places
#669 #670 ..
#692 #703 ..
#733 #772 Address compiler warnings
#798 #800 Address clang-tidy warnings
#775 #776 Version info bumped from 9:10:8 (libexpat*.so.1.8.10)
to 10:0:9 (libexpat*.so.1.9.0); see https://verbump.de/
for what these numbers do
Infrastructure:
#700 #701 docs: Document security policy in file SECURITY.md
#766 docs: Improve parse buffer variables in-code documentation
#674 #738 ..
#740 #747 ..
#748 #781 #782 Refactor coverage and conformance tests
#714 #716 Refactor debug level variables to unsigned long
#671 Improve handling of empty environment variable value
in function getDebugLevel (without visible user effect)
#755 #774 ..
#758 #783 ..
#784 #787 tests: Improve test coverage with regard to parse chunk size
#660 #797 #801 Fuzzing: Improve fuzzing coverage
#367 #799 Fuzzing|CI: Start running OSS-Fuzz fuzzing regression tests
#698 #721 CI: Resolve some Travis CI leftovers
#669 CI: Be robust towards absence of Git tags
#693 #694 CI: Set permissions to "contents: read" for security
#709 CI: Pin all GitHub Actions to specific commits for security
#739 CI: Reject spelling errors using codespell
#798 CI: Enforce clang-tidy clean code
#773 #808 ..
#809 #810 CI: Upgrade Clang from 15 to 18
#796 CI: Start using Clang's Control Flow Integrity sanitizer
#675 #720 #722 CI: Adapt to breaking changes in GitHub Actions Ubuntu images
#689 CI: Adapt to breaking changes in Clang/LLVM Debian packaging
#763 CI: Adapt to breaking changes in codespell
#803 CI: Adapt to breaking changes in Cppcheck
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 7 Feb 2024 11:21:49 +0000 (11:21 +0000)]
libvirt: Don't build for riscv64
There seems to be some problem that this package does not build from
source, but as we don't currently have any hardware that supports thise,
there is no point in debugging it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Jan 2024 17:45:44 +0000 (17:45 +0000)]
vpnmain.cgi: Add option to regenerate the host certificate
This is necessary since we now have a much shorter lifetime for the host
certificate. However, it is complicated to do this is which is why we
are copying the previous certificate and generate a new CSR. This is
then signed.
A caveat of this patch is that we do not rollover the key.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:53 +0000 (12:45 +0100)]
optionsfw.cgi: Move Firewall Options Drop commands to before the logging section
- Moved the Firewall Options Drop commands to before the logging section, as discussed
at January 2024 Video Call.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:52 +0000 (12:45 +0100)]
graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries
- This v3 version of the patch set splits the single hostile networks graph entry into
incoming hostile networks and outgoing hostile networks entries.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:51 +0000 (12:45 +0100)]
collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection
- In this v3 version of the patch set the splitting of drop hostile logging into incoming
and outgoing logging means that the data collection and graphs need to have drop hostile
also split into incoming and outgoing.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:50 +0000 (12:45 +0100)]
en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging
- In this v3 version have added translations for hostile networks in and hostile
networks out and log drop hostile in and log drop hostile out.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:49 +0000 (12:45 +0100)]
firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
- This v3 version now has two if loops allowing logging of incoming drop hostile or
outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the
dropped hostile traffic.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:48 +0000 (12:45 +0100)]
rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming traffic and
HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each
independently.
Fixes: bug12981 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Acked-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:47 +0000 (12:45 +0100)]
optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
- This v3 version has split the logging choice for drop hostile to separate the logging of
incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway.
However the logs were being swamped by the logging of drop hostile making analysis
difficult. So incoming drop hostile was desired to not be logged. However logging of
outgoing drop hostile was desired to identify if clients on the internal lan were
infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be
logged or not.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:39 +0000 (22:27 +0100)]
strace: elfutils moved from addon dependency to core program
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:38 +0000 (22:27 +0100)]
qemu: elfutils moved from addon dependency to core program
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:37 +0000 (22:27 +0100)]
ltrace: elfutils moved from addon dependency to core program
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:36 +0000 (22:27 +0100)]
frr: elfutils moved from addon dependency to core program
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:35 +0000 (22:27 +0100)]
elfutils: Move from addon to core program. Required by suricata-7.0.2 for execution
- Updated lfs file to core program type
- Moved rootfile from packages to common
- Older suricata versions required elfutils only for building but suricata-7.0.2 fails to
start if elfutils is not present due to libelf.so.1 being missing.
- The requirement for elfutils is not mentioned at all in the changelog.
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:13 +0000 (09:29 +0100)]
lzip: Update to version 1.24
- Update from version 1.23 to 1.24
- Update of rootfile not required
- Changelog
1.24
The option '--empty-error', which forces exit status 2 if any empty member
is found, has been added.
The option '--marking-error', which forces exit status 2 if the first LZMA
byte is non-zero in any member, has been added.
File diagnostics have been reformatted as 'PROGRAM: FILE: MESSAGE'.
Diagnostics caused by invalid arguments to command-line options now show the
argument and the name of the option.
The option '-o, --output' now preserves dates, permissions, and ownership of
the file when (de)compressing exactly one file.
The option '-o, --output' now creates missing intermediate directories when
writing to a file.
The variable MAKEINFO has been added to configure and Makefile.in.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:11 +0000 (09:29 +0100)]
gettext: Update to version 0.22.4
- Update from version 0.22 to 0.22.4
- Update of rootfile
- Changelog
0.22.4
* Bug fixes:
- AM_GNU_GETTEXT now recognizes a statically built libintl on macOS and AIX.
- Build fixes on AIX.
0.22.3
* Portability:
- The libintl library now works on macOS 14. (Older versions of libintl
crash on macOS 14, due to an incompatible change in macOS.)
0.22.2
* Bug fixes:
- The libintl shared library now exports again some symbols that were
accidentally missing.
<https://savannah.gnu.org/bugs/index.php?64323>
This bug was introduced in version 0.22.
0.22.1
* Bug fixes:
- xgettext's processing of large Perl files may have led to errors
<https://savannah.gnu.org/bugs/index.php?64552>
- "xgettext --join-existing" could encounter errors.
<https://savannah.gnu.org/bugs/index.php?64490>
These bugs were introduced in version 0.22.
* Portability:
- Building on Android is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:10 +0000 (09:29 +0100)]
ed: Update to version 1.20
- Update from version 1.19 to 1.20
- Update of rootfile not required
- Changelog
1.20
New command-line options '+line', '+/RE', and '+?RE' have been implemented to
set the current line to the line number specified or to the first or last line
matching the regular expression 'RE'.
(Suggested by Matthew Polk and John Cowan).
File names containing control characters 1 to 31 are now rejected unless they
are allowed with the command-line option '--unsafe-names'.
File names containing control characters 1 to 31 are now printed using octal
escape sequences.
Ed now rejects file names ending with a slash.
Intervening commands that don't set the modified flag no longer make a second
'e' or 'q' command fail with a 'buffer modified' warning.
Tilde expansion is now performed on file names supplied to commands; if a file
name starts with '~/', the tilde (~) is expanded to the contents of the
variable HOME. (Suggested by John Cowan).
Ed now warns the first time that a command modifies a buffer loaded from a
read-only file. (Suggested by Dan Jacobson).
Ed now creates missing intermediate directories when writing to a file.
It has been documented that 'e' creates an empty buffer if file does not exist.
It has been documented that 'f' sets the default filename, whether or not its
argument names an existing file.
The description of the exit status has been improved in '--help' and in the
manual.
The variable MAKEINFO has been added to configure and Makefile.in.
It has been documented in INSTALL that when choosing a C standard, the POSIX
features need to be enabled explicitly:
./configure CFLAGS+='--std=c99 -D_POSIX_C_SOURCE=2'
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:09 +0000 (09:29 +0100)]
diffutils: Update to version 3.10
- Update from version 3.9 to 3.10
- Update of rootfile not required
- Changelog
3.10
Bug fixes
cmp/diff can again work with file dates past Y2K38
[bug introduced in 3.9]
diff -D no longer fails to output #ifndef lines.
[bug#61193 introduced in 3.9]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 31 Jan 2024 11:09:41 +0000 (11:09 +0000)]
glibc: Import latest patches from upstream
These include (amongst others) fixes for:
GLIBC-SA-2024-0001:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
containing a long program name failed to update the required buffer
size, leading to the allocation and overflow of a too-small buffer on
the heap.
GLIBC-SA-2024-0002:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779)
__vsyslog_internal used the return value of snprintf/vsnprintf to
calculate buffer sizes for memory allocation. If these functions (for
any reason) failed and returned -1, the resulting buffer would be too
small to hold output.
GLIBC-SA-2024-0003:
===================
syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780)
__vsyslog_internal calculated a buffer size by adding two integers, but
did not first check if the addition would overflow.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3450000 to 3450100
- Update of rootfile not required
- Changelog
3.45.1
Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent
releases, for backward compatibility.
Fix the PRAGMA integrity_check command so that it works on read-only databases
that contain FTS3 and FTS5 tables. This resolves an issue introduced in version
3.44.0 but was undiscovered until after the 3.45.0 release.
Fix issues associated with processing corrupt JSONB inputs:
Prevent exponential runtime when converting a corrupt JSONB into text.
Fix a possible read of one byte past the end of the JSONB blob when
converting a corrupt JSONB into text.
Enhanced testing using jfuzz to prevent any future JSONB problems such as the
above.
Fix a long-standing bug in which a read of a few bytes past the end of a
memory-mapped segment might occur when accessing a craftily corrupted database
using memory-mapped database.
Fix a long-standing bug in which a NULL pointer dereference might occur in the
bytecode engine due to incorrect bytecode being generated for a class of SQL
statements that are deliberately designed to stress the query planner but which
are otherwise pointless.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
