Peter Müller [Mon, 19 Sep 2022 12:35:41 +0000 (12:35 +0000)]
linux: Enable seccomp filter on ARM
Since last time we checked, the kernel's security features on ARM have
improved notably (see CONFIG_RANDOMIZE_BASE discussion). This patch
therefore proposes to give the seccomp filter on both 32- and 64-bit ARM
another try, since it provides significant security benefit to
applications using it.
Due to operational constraints, rootfile changes have been omitted, and
will be conducted, should this patch be approved.
Note to future self: Once this patch is approved, applications using
seccomp (OpenSSH, Tor) need to be updated/shipped on ARM.
Fixes: #12366 Fixes: #12370 Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org> Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sun, 2 Oct 2022 14:47:52 +0000 (14:47 +0000)]
linux: Remove user-space probe support
From the kernels' documentation:
> Uprobes is the user-space counterpart to kprobes: they
> enable instrumentation applications (such as 'perf probe')
> to establish unintrusive probes in user-space binaries and
> libraries, by executing handler functions when the probes
> are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints,
> managed by the kernel and kept transparent to the probed
> application. )
To the best of the authors' understanding, no application on IPFire
needs this functionality, and given its abuse potential, we should
probably not enable it.
As expected, strace functionality is not impaired by this.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Security #5430: mqtt: DOS by quadratic with too many transactions in one parse (6.0.x backport)
Bug #5559: BUG_ON triggered from TmThreadsInjectFlowById (6.0.x backport)
Bug #5549: Failed assert DeStateSearchState (6.0.x)
Bug #5548: tcp: assertion failed in DoInsertSegment (BUG_ON) (6.0.x)
Bug #5547: rules: less strict parsing of unexpected flowbit options
Bug #5546: rules: don't error on bad hex in content
Bug #5540: detect: transform strip whitespace creates a 0-sized variable-length array: backport6
Bug #5505: http2: slow http2_frames_get_header_value_vec because of allocation [backport6]
Bug #5471: Reject action is no longer working (6.0.x backport)
Bug #5467: rules: more graceful handling of anomalies for stable versions
Bug #5459: Counters are not initialized in all places. (6.0.x backport)
Bug #5448: nfs: add maximum number of operations per compound (6.0.x backport)
Bug #5436: Infinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Bug #5335: flow: vlan.use-for-tracking is not used for ICMPv4 (6.0.x backport)
Bug #4421: flow manager: using too much CPU during idle (6.0.x backport)
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)
Task #5551: doc: add exception policy documentation (6.0.x)
Task #5533: detect/parse: add tests for parsing signatures with reject and drop action (6.0.x backport)
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)
Task #5381: add `alert-queue-expand-fails` command-line option (6.0.x backport)
Task #5328: python: distutils deprecation warning (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 26 Sep 2022 18:50:08 +0000 (18:50 +0000)]
backup: Set owner of {ex,in}clude{,.user} files to "root"
Since these files are static, there is no legitimate reason why they
should be owned (hence writable) by "nobody". Also, according to
configroot's LFS file, this is the intended behaviour for the *.user
files, which is then overwritten by the backup LFS file. Therefore, set
the file mode of these statically - configroot does not feature other
files in /var/ipfire/backup/ anyway.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 Sep 2022 11:53:12 +0000 (13:53 +0200)]
ipblocklist-sources: Correct the info url - Fixes bug#12938
- With the .html ending the link gets a 404 Page not found error
Fixes: Bug#12938 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Wed, 21 Sep 2022 17:16:11 +0000 (19:16 +0200)]
expat: Update to version 2.4.9
- Update from version 2.4.8 to 2.4.9
- Update of rootfile
- Changelog
Release 2.4.9 Tue September 20 2022
Security fixes:
#629 #640 CVE-2022-40674 -- Heap use-after-free vulnerability in
function doContent. Expected impact is denial of service
or potentially arbitrary code execution.
Bug fixes:
#634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
#614 docs: Fix documentation on effect of switch XML_DTD on
symbol visibility in doc/reference.html
Other changes:
#638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
#596 #625 Autotools: Sync CMake templates with CMake 3.22
#608 CMake: Migrate from use of CMAKE_*_POSTFIX to
dedicated variables EXPAT_*_POSTFIX to stop affecting
other projects
#597 #599 Windows|CMake: Add missing -DXML_STATIC to test runners
and fuzzers
#512 #621 Windows|CMake: Render .def file from a template to fix
linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
#611 #621 MinGW|CMake: Apply MSVC .def file when linking
#622 #624 MinGW|CMake: Sync library name with GNU Autotools,
i.e. produce libexpat-1.dll rather than libexpat.dll
by default. Filename libexpat.dll.a is unaffected.
#632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
toolchain file "cmake/mingw-toolchain.cmake" to avoid
error "windres: Command not found" on e.g. Ubuntu 20.04
#597 #627 CMake: Unify inconsistent use of set() and option() in
context of public build time options to take need for
set(.. FORCE) in projects using Expat by means of
add_subdirectory(..) off Expat's users' shoulders
#626 #641 Stop exporting API symbols when building a static library
#644 Resolve use of deprecated "fgrep" by "grep -F"
#620 CMake: Make documentation on variables a bit more consistent
#636 CMake: Drop leading whitespace from a #cmakedefine line in
file expat_config.h.cmake
#594 xmlwf: Fix harmless variable mix-up in function nsattcmp
#592 #593 #610 Address Cppcheck warnings
#643 Address Clang 15 compiler warnings
#642 #644 Version info bumped from 9:8:8 to 9:9:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#597 #598 CI: Windows: Start covering MSVC 2022
#619 CI: macOS: Migrate off deprecated macOS 10.15
#632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work
#643 CI: Upgrade Clang from 14 to 15
#637 apply-clang-format.sh: Add support for BSD find
#633 coverage.sh: Exclude MinGW headers
#635 coverage.sh: Fix name collision for -funsigned-char
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33
"Security Fixes
Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of named running as a recursive
resolver. This has been fixed. (CVE-2022-2795)
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
this vulnerability to our attention. [GL #3394]
named running as a resolver with the stale-answer-client-timeout option
set to 0 could crash with an assertion failure, when there was a stale
CNAME in the cache for the incoming query. This has been fixed.
(CVE-2022-3080) [GL #3517]
A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
#3487]
Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
#3487]
Feature Changes
Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same name, to
prevent circumventing the limits enforced by RRL. [GL #3459]
Zones using dnssec-policy now require dynamic DNS or inline-signing to
be configured explicitly. [GL #3381]
A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in dig and converting the domain
to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
#3485]
Bug Fixes
A serve-stale bug was fixed, where BIND would try to return stale data
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. [GL #2982]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 22 Sep 2022 11:43:10 +0000 (13:43 +0200)]
manualpages: Correct link to wiki for Network (other)
- Network (other) help link was set to go to Network (internal) wiki page
Link modified
- Running the check_manualpages.pl script requires it to be executable so the build
changed the permissions mode from 644 to 755
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Jon Murphy [Thu, 25 Aug 2022 00:31:29 +0000 (19:31 -0500)]
crontab: add periodic cleanup the collectd RRD (graphs)
- Created (mostly) for old openvpn graphs
- RRD removed when no graph modification for +365 days
- chosen since graph max out is 365 days
- fcron job runs once per week
- chosen since this is just a cleanup and it doesnt need to run everyday
Note: logging can be added if needed.
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 19 Sep 2022 13:15:18 +0000 (15:15 +0200)]
log.dat: Add NUT entry for System Logs - Fixes bug#12921
- Also aligned all the code entries in %sections and %trsections
Suggested-by: Michael <ip.fire@die-fritzens.de> Tested-by: Michael <ip.fire@die-fritzens.de> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Adolf Belka [Wed, 21 Sep 2022 10:37:19 +0000 (12:37 +0200)]
cpufrequtils: Remove SERVICES entry for this package - fixes Bug#12933
- cpufrequtils is a set of "tools" to manage and set cpu freq settings.
- There is an initscript but this is only loading the cpu dependent kernel modules that
are required by cpufrequtils.
- Therefore cpufrequtils is not a service but a set of tools that are used when required.
- SERVICES line made blank so that this addon does not show up in the services addon table.
- Modified install initscript line to not use SERVICES variable
Fixes: Bug#12933 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
For details see:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-September/007885.html
"This release fixes CVE-2022-3204 Non-Responsive Delegation
Attack. It was reported by Yehuda Afek from Tel-Aviv
University and Anat Bremler-Barr and Shani Stajnrod from
Reichman University.
This fixes for better performance when under load, by cutting
promiscuous queries for nameserver discovery and limiting the
number of times a delegation point can look in the cache for
missing records.
Bug Fixes
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 19 Sep 2022 12:28:14 +0000 (12:28 +0000)]
linux: Update to 5.15.68
Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.68
for the changelog of this release. Due to the lack of local build
hardware, ARM rootfile and configuration changes have been omitted.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 17 Sep 2022 19:24:46 +0000 (19:24 +0000)]
kernel: Disable CONFIG_DEBUG_FS
According to the kernel's documentation,
> debugfs is a virtual file system that kernel developers use to put
> debugging files into. Enable this option to be able to read and
> write to these files.
There is no legitimate reason why one has to do so on an IPFire machine.
Further, the vast debugging options (i.e. related to various drivers)
have never been enabled, limiting the use of this virtual file system
even further.
This patch therefore proposes to disable it entirely, since its
potential security impact outweights its benefits. Due to operational
constraints, changes to ARM kernel configurations will be made if this
patch is approved for x86_64.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 18 Sep 2022 11:45:17 +0000 (13:45 +0200)]
backupiso: Update to ISO file naming - bug#12932
- commit https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=fbd0608c2cb5372fff7857065ec7e605b1bf9cf7
aligned the ISO file name to the image file name. This change also needed to be added
to backupiso as the filename is used to download the iso from the IPFire server when
creating an ISO backup.
Fixes: Bug#12932 Suggested-by: Matthias Fischer <matthias.fischer@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Peter Müller [Sun, 18 Sep 2022 08:02:14 +0000 (08:02 +0000)]
Core Update 171: Stop Apache before applying the upgrade
Since we replace Perl, users most likely get to see some nasty "Internal
Server Error" messages during the upgrade. To suppres them, and to limit
the chance of side effects, stop Apache before applying the update, and
start it again afterwards.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 17 Sep 2022 16:50:22 +0000 (16:50 +0000)]
wireless-regdb: Update to 2022-08-12
No changelog is provided, please refer to
https://git.kernel.org/pub/scm/linux/kernel/git/sforshee/wireless-regdb.git/log/
for the commits since 2022-02-18.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Peter Müller [Sun, 11 Sep 2022 14:14:43 +0000 (14:14 +0000)]
Tor: Update to 0.4.7.10
Changes in version 0.4.7.10 - 2022-08-12
This version updates the geoip cache that we generate from IPFire location
database to use the August 9th, 2022 one. Everyone MUST update to this
latest release else circuit path selection and relay metrics are badly
affected.
o Major bugfixes (geoip data):
- IPFire informed us on August 12th that databases generated after
(including) August 10th did not have proper ARIN network allocations. We
are updating the database to use the one generated on August 9th, 2022.
Fixes bug 40658; bugfix on 0.4.7.9.
Changes in version 0.4.7.9 - 2022-08-11
This version contains several major fixes aimed at reducing memory pressure on
relays and possible side-channel. It also contains a major bugfix related to
congestion control also aimed at reducing memory pressure on relays.
Finally, there is last one major bugfix related to Vanguard L2 layer node
selection.
We strongly recommend to upgrade to this version especially for Exit relays
in order to help the network defend against this ongoing DDoS.
o Major bugfixes (congestion control):
- Implement RFC3742 Limited Slow Start. Congestion control was
overshooting the congestion window during slow start, particularly
for onion service activity. With this fix, we now update the
congestion window more often during slow start, as well as dampen
the exponential growth when the congestion window grows above a
capping parameter. This should reduce the memory increases guard
relays were seeing, as well as allow us to set lower queue limits
to defend against ongoing DoS attacks. Fixes bug 40642; bugfix
on 0.4.7.5-alpha.
o Major bugfixes (relay):
- Remove OR connections btrack subsystem entries when the connections
close normally. Before this, we would only remove the entry on error and
thus leaking memory for each normal OR connections. Fixes bug 40604;
bugfix on 0.4.0.1-alpha.
- Stop sending TRUNCATED cell and instead close the circuit from which we
received a DESTROY cell. This makes every relay in the circuit path to
stop queuing cells. Fixes bug 40623; bugfix on 0.1.0.2-rc.
o Major bugfixes (vanguards):
- We had omitted some checks for whether our vanguards (second layer
guards from proposal 333) overlapped. Now make sure to pick each
of them to be independent. Also, change the design to allow them
to come from the same family. Fixes bug 40639; bugfix
on 0.4.7.1-alpha.
o Minor features (dirauth):
- Add a torrc option to control the Guard flag bandwidth threshold
percentile. Closes ticket 40652.
- Add an AuthDirVoteGuard torrc option that can allow authorities to
assign the Guard flag to the given fingerprints/country code/IPs.
This is a needed feature mostly for defense purposes in case a DoS
hits the network and relay start losing the Guard flags too fast.
- Make UPTIME_TO_GUARANTEE_STABLE, MTBF_TO_GUARANTEE_STABLE,
TIME_KNOWN_TO_GUARANTEE_FAMILIAR WFU_TO_GUARANTEE_GUARD tunable
from torrc.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 11, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/08/11.
o Minor bugfixes (congestion control):
- Add a check for an integer underflow condition that might happen
in cases where the system clock is stopped, the ORconn is blocked,
and the endpoint sends more than a congestion window worth of non-
data control cells at once. This would cause a large congestion
window to be calculated instead of a small one. No security
impact. Fixes bug 40644; bugfix on 0.4.7.5-alpha.
o Minor bugfixes (defense in depth):
- Change a test in the netflow padding code to make it more
_obviously_ safe against remotely triggered crashes. (It was safe
against these before, but not obviously so.) Fixes bug 40645;
bugfix on 0.3.1.1-alpha.
o Minor bugfixes (relay):
- Do not propagate either forward or backward a DESTROY remote reason when
closing a circuit in order to avoid a possible side channel. Fixes bug
40649; bugfix on 0.1.2.4-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Sat, 17 Sep 2022 09:41:06 +0000 (09:41 +0000)]
linux-firmware: Drop dedicated Bluetooth BLOBs
Since we disabled Bluetooth support in the kernel a long time ago due to
security reasons, these do not serve any purpose anymore. Therefore, do
not ship them and delete them on existing installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 15 Sep 2022 13:52:55 +0000 (15:52 +0200)]
lcdproc: Update to commit 0e2ce9b version - fixes bug#12920
- The lcd2usb portion of the hd44780 driver in in the latest release version of
lcdproc (0.5.9) are only coded for libusb-0.1, which was removed from IPFire in recent
times.
- Commits have been merged into the lcdproc repository that enable lcd2usb to work with
the libusb-1.0 series but no release has been made since 2017.
- This patch downloaded a zip archive from the status of the lcdproc repository at commit 0e2ce9b. This zip archive was then converted into a tar.gx archive. The lfs and
rootfile have been updated in line with this.
- The lcdproc-0e2ce9b-4.ipfire file created by this build has been tested by the bug
reporter, Rolf Schreiber, and confirmed to fix the issue raised with the bug.
- This patch brings lcdproc upto date with the 149 commits that have been made between
2017 and Dec 2021, the date of the last commit.
- The version number has been defined as the last commit number.
- The -enable-libusb option has to be left in place as it turned out that
-enable-libusb-1-0 only works if -enable-libusb is also set. It looks like this was
identified in the lcdproc issues list but has not yet been fixed.
Fixes: Bug#12920 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Michael Tremer [Thu, 15 Sep 2022 10:43:54 +0000 (10:43 +0000)]
Bump PAK_VER for all packages that use SERVICES
Since we have extended services.cgi that it reads the Services field
from the Pakfire metadata, we will need to make sure that that metadata
is going to be on those systems.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:49:29 +0000 (09:49 +0200)]
efivar: Update to version 38
- Update from version 37 to 38
- Update of rootfile
- mandoc is now a build dependency for efivar
- Old compile fixes patches are no longer required with version 38
- Details for lfs build of version 38 obtained from Beyond Linux From Scratch
- Changelog
bug fixes
Rework some makefile bits to make overriding some options simpler. by @vathpela in #140
Handle /sys/devices/virtual/{nvme-fabrics,nvme-subsystem} devices by @vathpela in #139
guids.S: Include <cet.h> when CET is enabled by @hjl-tools in #149
Fix /sys/block sysfs parsing for eMMC-s by @jwrdegoede in #150
Properly check mmap return error by @hannob in #152
Fix s{yt,ty}le typo in efi_get_variable(3) by @nabijaczleweli in #162
Handle NULL set_variable() by @lcp in #159
Fix parsing for nvme-subsystem devices by @dannf in #158
Attempt to fix the identified thread safety bugs by @vathpela in #155
Make thread-test depend on libefivar.so by @hjl-tools in #176
Upstream a local patch from rawhide by @frozencemetery in #177
Fix conversion from UTF8 to UCS2 by @freedge in #171
efivar: make docs match current code for 'efivar -A' by @vathpela in #178
Migrate CI to Github actions by @frozencemetery in #179
Add code of conduct by @frozencemetery in #180
Misc minor fixes by @vathpela in #182
Add efi_time_t declarations and helper functions. by @vathpela in #183
More misc fixes by @vathpela in #185
Run CI on more targets by @vathpela in #187
Coverity fixes 20211208 by @vathpela in #189
CI: run abicheck by @frozencemetery in #190
Fix linux virtual root device parsing by @vathpela in #188
efivar.spec.in: fix license to be valid SPDX by @frozencemetery in #192
Add efisecdb tooling by @vathpela in #184
Fix linker string comparison for dash by @frozencemetery in #194
Full changelog diff between version 37 and 38 is available in github repo
https://github.com/rhboot/efivar/compare/37...38
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:50:47 +0000 (09:50 +0200)]
nettle: Update to version 3.8.1
- Update from version 3.7.3 to 3.8.1
- Update of rootfile
- Changelog
3.8.1 release
This is a bugfix release, fixing a few portability issues
reported for Nettle-3.8.
Bug fixes:
* Avoid non-posix m4 argument references in the chacha
implementation for arm64, powerpc64 and s390x. Reported by
Christian Weisgerber, fix contributed by Mamone Tarsha.
* Use explicit .machine pseudo-ops where needed in s390x
assembly files. Bug report by Andreas K. Huettel, fix
contributed by Mamone Tarsha.
Optimizations:
* Implemented runtime detection of cpu features for OpenBSD on
arm64. Contributed by Christian Weisgerber.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.6 and libhogweed.so.6.6, with sonames
libnettle.so.8 and libhogweed.so.6.
3.8 release
This release includes a couple of new features, and many
performance improvements. It adds assembly code for two more
architectures: ARM64 and S390x.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.5 and libhogweed.so.6.5, with sonames
libnettle.so.8 and libhogweed.so.6.
New features:
* AES keywrap (RFC 3394), contributed by Nicolas Mora.
* SM3 hash function, contributed by Tianjia Zhang.
* New functions cbc_aes128_encrypt, cbc_aes192_encrypt,
cbc_aes256_encrypt.
On processors where AES is fast enough, e.g., x86_64 with
aesni instructions, the overhead of using Nettle's general
cbc_encrypt can be significant. The new functions can be
implemented in assembly, to do multiple blocks with reduced
per-block overhead.
Note that there's no corresponding new decrypt functions,
since the general cbc_decrypt doesn't suffer from the same
performance problem.
Bug fixes:
* Fix fat builds for x86_64 windows, these appear to never
have worked.
Optimizations:
* New ARM64 implementation of AES, GCM, Chacha, SHA1 and
SHA256, for processors supporting crypto extensions. Great
speedups, and fat builds are supported. Contributed by
Mamone Tarsha.
* New s390x implementation of AES, GCM, Chacha, memxor, SHA1,
SHA256, SHA512 and SHA3. Great speedups, and fat builds are
supported. Contributed by Mamone Tarsha.
* New PPC64 assembly for ecc modulo/redc operations,
contributed by Amitay Isaacs, Martin Schwenke and Alastair
D´Silva.
* The x86_64 AES implementation using aesni instructions has
been reorganized with one separate function per key size,
each interleaving the processing of two blocks at a time
(when the caller processes multiple blocks with each call).
This gives a modest performance improvement on some
processors.
* Rewritten and faster x86_64 poly1305 assembly.
Known issues:
* Nettle's testsuite doesn't work out-of-the-box on recent
MacOS, due to /bin/sh discarding the DYLD_LIBRARY_PATH
environment variable. Nettle's test scripts handle this in
some cases, but currently fails the test cases that are
themselves written as /bin/sh scripts. As a workaround, use
make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'
Miscellaneous:
* Updated manual to current makeinfo conventions, with no
explicit node pointers. Generate pdf version with texi2pdf,
to get working hyper links.
* Added square root functions for NIST ecc curves, as a
preparation for supporting compact point representation.
* Reworked internal GCM/ghash interfaces, simplifying assembly
implementations. Deleted unused GCM C implementation
variants with less than 8-bit lookup table.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:50:20 +0000 (09:50 +0200)]
iproute2: Update to version 5.19.0
- Update from 5.17.0 to 5.19.0
- Update of rootfile
- Changelog is only available as the lsit fo commits from the git repository
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:50:02 +0000 (09:50 +0200)]
fetchmail: Update to version 6.4.32
- Update from version 6.4.19 to 6.4.32
- Update of rootfile not required
- Changelog - range of security and bug fixes
fetchmail-6.4.32 (released 2022-07-30, 31696 LoC):
# FIXES:
* Use configure to find rst2html, some systems install it only with .py suffix,
others only without, and some install both.
* Update README.maintainer
# TRANSLATIONS: language translations were updated by these fine people:
(in alphabetical order of language codes so as not to prefer people):
* cs: Petr Pisar [Czech]
* es: Cristian Othón Martínez Vera [Spanish]
* ja: Takeshi Hamasaki [Japanese]
* pl: Jakub Bogusz [Polish]
* ro: Remus-Gabriel Chelu [Romanian]
* sq: Besnik Bleta [Albanian]
* sv: Göran Uddeborg [Swedish]
fetchmail-6.4.31 (released 2022-07-16, 31694 LoC):
# BUG FIXES:
* Try to fix ./configure --with-ssl=... for systems that have multiple OpenSSL
versions installed. Issues reported by Dennis Putnam.
* The netrc parser now reports its errors to syslog or logfile when appropriate,
previously it would always log to stderr.
* Add error checking to .netrc parser.
# CHANGES:
* manpage: use .UR/.UE macros instead of .URL for URIs.
* manpage: fix contractions. Found with FreeBSD's igor tool.
* manpage: HTML now built with pandoc -> python-docutils
(manServer.pl was dropped)
fetchmail-6.4.30 (released 2022-04-26, 31666 LoC):
# BREAKING CHANGES:
* Bump wolfSSL minimum required version to 5.2.0 to pull in security fix.
# CHANGES:
* Using OpenSSL 1.* before 1.1.1n elicits a compile-time warning.
* Using OpenSSL 3.* before 3.0.2 elicits a compile-time warning.
* configure.ac was tweaked in order to hopefully fix cross-compilation issues
report, and different patch suggested, by Fabrice Fontaine,
https://gitlab.com/fetchmail/fetchmail/-/merge_requests/42
# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
fetchmail-6.4.29 (released 2022-03-20, 31661 LoC):
# TRANSLATIONS: language translations were updated by this fine person:
* vi: Trần Ngọc Quân [Vietnamese]
fetchmail-6.4.28 (released 2022-03-05, 31661 LoC):
# DOCUMENTATION:
* Fix a typo in the manual page, courtesy of Jeremy Petch.
# TRANSLATIONS: language translations were updated by this fine person:
* es: Cristian Othón Martínez Vera [Spanish]
fetchmail-6.4.27 (released 2022-01-26, 31661 LoC):
# BREAKING CHANGES:
* Bump wolfSSL minimum required version to 5.1.1 to pull in security fix.
# TRANSLATIONS: language translations were updated by this fine person:
* ro: Remus-Gabriel Chelu [Romanian]
fetchmail-6.4.26 (released 2021-12-26, 31661 LoC):
# FIXES:
* When using wolfSSL 5.0.0, work around a bug that appears to hit wolfSSL when
receiving handshake records while still in SSL_peek(). Workaround is to read
1 byte and cache it, then call SSL_peek() again.
This affects only some servers. https://github.com/wolfSSL/wolfssl/issues/4593
# TRANSLATIONS: language translations were updated by this fine person:
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
fetchmail-6.4.25 (released 2021-12-10, 31653 LoC):
# BREAKING CHANGES:
* Since distributions continue patching for LibreSSL use, which cannot be
linked legally, block out LibreSSL in configure.ac and socket.c, and
refer to COPYING, unless on OpenBSD (which ships it in the base system).
OpenSSL and wolfSSL 5 can be used. SSL-related documentation was updated, do
re-read COPYING, INSTALL, README, README.packaging, README.SSL.
* Bump OpenSSL version requirement to 1.0.2f in order to safely remove
the obsolete OpenSSL flag SSL_OP_SINGLE_DH_USE. This blocks out 1.0.2e and
older 1.0.2 versions. 1.0.2f was a security fix release, and 1.0.2u is
publicly available from https://www.openssl.org/source/old/1.0.2/
* Some of the configure.ac fiddling MIGHT have broken cross-compilation
again. The maintainer does not test cross-compiling fetchmail; if you
have difficulties, try setting PKG_CONFIG_LIBDIR to the pkg-config path
containing your target/host libraries, or see if --with-ssl-prefix or
--with-wolfssl-prefix, or overriding LDFLAGS/LIBS/CPPFLAGS, can help.
Feedback solicited on compliant systems that are before end-of-life.
# BUG FIXES:
* 6.4.24's workaround for OpenSSL 1.0.2's X509_V_FLAG_TRUSTED_FIRST flag
contained a typo and would not kick in properly.
* Library and/or rpath setting from configure.ac was fixed.
# ADDITIONS:
* Added an example systemd unit file and instructions to contrib/systemd/
which runs fetchmail as a daemon with 5-minute poll intervals.
Courteously contributed by Barak A. Pearlmutter, Debian Bug#981464.
* fetchmail can now be used with wolfSSL 5's OpenSSL compatibility layer,
see INSTALL and README.SSL. This is considered experimental.
Feedback solicited.
# CHANGES:
* The getstats.py dist-tool now counts lines of .ac and .am files.
* ./configure --with-ssl now supports pkg-config module names, too. See INSTALL.
# TRANSLATIONS: language translations were updated by these fine people:
(in reverse alphabetical order of language codes so as not to prefer people):
* sv: Göran Uddeborg [Swedish]
* sq: Besnik Bleta [Albanian]
* pl: Jakub Bogusz [Polish]
* ja: Takeshi Hamasaki [Japanese]
* fr: Frédéric Marchal [French]
* eo: Keith Bowes [Esperanto]
* cs: Petr Pisar [Czech]
fetchmail-6.4.24 (released 2021-11-20, 30218 LoC):
# OPENSSL AND LICENSING NOTE:
> see fetchmail-6.4.22 below, and the file COPYING.
Note that distribution of packages linked with LibreSSL is not feasible
due to a missing GPLv2 clause 2(b) exception.
# COMPATIBILITY:
* Bison 3.8 dropped yytoknum altogether, breaking compilation due to a
warning workaround. Remove the cast of yytoknum to void. This may cause
a compiler warning to reappear with older Bison versions.
* OpenSSL 1.0.2: Workaround for systems that keep the expired DST Root CA X3
certificate in its trust store because OpenSSL by default prefers the
untrusted certificate and fails. Fetchmail now sets the
X509_V_FLAG_TRUSTED_FIRST flag (on OpenSSL 1.0.2 only).
This is workaround #2 from the OpenSSL Blog. For details, see both:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
NOTE: OpenSSL 1.0.2 is end of life, it is assumed that the OpenSSL library
is kept up to date by a distributor or via OpenSSL support contract.
Where this is not the case, please upgrade to a supported OpenSSL version.
# DOCUMENTATION:
* The manual page was revised after re-checking with mandoc -Tlint, aspell,
igor. Some more revisions were made for clarity.
# TRANSLATIONS: language translations were updated by these fine people:
* sv: Göran Uddeborg [Swedish]
* pl: Jakub Bogusz [Polish]
* fr: Frédéric Marchal [French]
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* ja: Takeshi Hamasaki [Japanese]
fetchmail-6.4.23 (released 2021-10-31, 30206 LoC):
# USABILITY:
* For common ssh-based IMAP PREAUTH setups (i. e. those that use a plugin
- no matter its contents - and that set auth ssh), change the STARTTLS
error message to suggest sslproto '' instead.
This is a commonly reported issue after the CVE-2021-39272 fix in 6.4.22.
Fixes Redhat Bugzilla 2008160. Fixes GitLab #39.
# TRANSLATIONS: language translations were updated by these fine people:
* ja: Takeshi Hamasaki [Japanese]
* sr: Мирослав Николић (Miroslav Nikolić) [Serbian]
fetchmail-6.4.22 (released 2021-09-13, 30201 LoC):
# OPENSSL AND LICENSING NOTE:
* fetchmail 6.4.22 is compatible with OpenSSL 1.1.1 and 3.0.0.
OpenSSL's licensing changed between these releases from dual OpenSSL/SSLeay
license to Apache License v2.0, which is considered incompatible with GPL v2
by the FSF. For implications and details, see the file COPYING.
# SECURITY FIXES:
* CVE-2021-39272: fetchmail-SA-2021-02: On IMAP connections, without --ssl and
with nonempty --sslproto, meaning that fetchmail is to enforce TLS, and when
the server or an attacker sends a PREAUTH greeting, fetchmail used to continue
an unencrypted connection. Now, log the error and abort the connection.
--Recommendation for servers that support SSL/TLS-wrapped or "implicit" mode on
a dedicated port (default 993): use --ssl, or the ssl user option in an rcfile.
--Reported by: Andrew C. Aitchison, based on the USENIX Security 21 paper "Why
TLS is better without STARTTLS - A Security Analysis of STARTTLS in the Email
Context" by Damian Poddebniak, Fabian Ising, Hanno Böck, and Sebastian
Schinzel. The paper did not mention fetchmail.
* On IMAP and POP3 connections, --auth ssh no longer prevents STARTTLS
negotiation.
* On IMAP connections, fetchmail does not permit overriding a server-side
LOGINDISABLED with --auth password any more.
* On POP3 connections, the possibility for RPA authentication (by probing with
an AUTH command without arguments) no longer prevents STARTTLS negotiation.
* For POP3 connections, only attempt RPA if the authentication type is "any".
# BUG FIXES:
* On IMAP connections, when AUTHENTICATE EXTERNAL fails and we have received the
tagged (= final) response, do not send "*".
* On IMAP connections, AUTHENTICATE EXTERNAL without username will properly send
a "=" for protocol compliance.
* On IMAP connections, AUTHENTICATE EXTERNAL will now check if the server
advertised SASL-IR (RFC-4959) support and otherwise refuse (fetchmail <= 6.4
has not supported and does not support the separate challenge/response with
command continuation)
* On IMAP connections, when --auth external is requested but not advertised by
the server, log a proper error message.
* Fetchmail no longer crashes when attempting a connection with --plugin "" or
--plugout "".
* Fetchmail no longer leaks memory when processing the arguments of --plugin or
--plugout on connections.
* On POP3 connections, the CAPAbilities parser is now caseblind.
* Fix segfault on configurations with "defaults ... no envelope". Reported by
Bjørn Mork. Fixes Debian Bug#992400. This is a regression in fetchmail 6.4.3
and happened when plugging memory leaks, which did not account for that the
envelope parameter is special when set as "no envelope". The segfault happens
in a constant strlen(-1), triggered by trusted local input => no vulnerability.
* Fix program abort (SIGABRT) with "internal error" when invalid sslproto is
given with OpenSSL 1.1.0 API compatible SSL implementations.
# CHANGES:
* IMAP: When fetchmail is in not-authenticated state and the server volunteers
CAPABILITY information, use it and do not re-probe. (After STARTTLS, fetchmail
must and will re-probe explicitly.)
* For typical POP3/IMAP ports 110, 143, 993, 995, if port and --ssl option
do not match, emit a warning and continue. Closes Gitlab #31.
(cherry-picked from 6.5 beta branch "legacy_6x")
* fetchmail.man and README.SSL were updated in line with RFC-8314/8996/8997
recommendations to prefer Implicit TLS (--ssl/ssl) and TLS v1.2 or newer,
placing --sslproto tls1.2+ more prominently.
The defaults shall not change between 6.4.X releases for compatibility.
# TRANSLATIONS: language translations were updated by these fine people:
* sq: Besnik Bleta [Albanian]
* cs: Petr Pisar [Czech]
* eo: Keith Bowes [Esperanto]
* fr: Frédéric Marchal [French]
* pl: Jakub Bogusz [Polish]
* sv: Göran Uddeborg [Swedish]
fetchmail-6.4.21 (released 2021-08-09, 30042 LoC):
# REGRESSION FIX:
* The new security fix in 6.4.20 for CVE-2021-36386 caused truncation of
messages logged to buffered outputs, from --logfile and --syslog.
This also caused lines in the logfile to run into one another because
the fragment containing the '\n' line-end character was usually lost.
Reason is that on all modern systems (with <stdarg.h> header and vsnprintf()
interface), the length of log message fragments was added up twice, so
that these ended too deep into a freshly allocated buffer, after the '\0'
byte. Unbuffered outputs flushed the fragments right away, which masked the
bug.
fetchmail-6.4.20 (released 2021-07-28, 30042 LoC):
# SECURITY FIX:
* When a log message exceeds c. 2 kByte in size, for instance, with very long
header contents, and depending on verbosity option, fetchmail can crash or
misreport each first log message that requires a buffer reallocation.
fetchmail then reallocates memory and re-runs vsnprintf() without another
call to va_start(), so it reads garbage. The exact impact depends on
many factors around the compiler and operating system configurations used and
the implementation details of the stdarg.h interfaces of the two functions
mentioned before. To fix CVE-2021-36386.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:49:04 +0000 (09:49 +0200)]
efibootmgr: Update to version 18
- Update from version 17 to 18
- Update of rootfile not required
- Changelog
bug fixes
fixed the simple run example by @Katana-Steel in #88
Restore activation error message in efibootmgr by @rbisewski in #89
Android: correct the sources list by @cwhuang in #124
remove-dupes: update error message by @raharper in #127
Fix typo in manual page by @ferivoz in #136
README: Note efivarfs as the current required kernel module by @cjmayo in #145
Fix possible read out of bounds in ucs2_to_utf8 by @dlrobertson in #147
Migrate CI by @frozencemetery in #153
Add code of conduct by @frozencemetery in #154
Fix help messages by @robert-scheck in #156
Add option for insertion location of new entries by @frozencemetery in #166
Full changelog can be found from the github repository comparing versio 17 to 18
https://github.com/rhboot/efibootmgr/compare/17...18
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Sun, 21 Aug 2022 20:01:41 +0000 (22:01 +0200)]
elfutils: Update to version 0.187
- Update from version 0.186 to 0.187
- Update of rootfile
- Changelog
0.187
* NEWS *
debuginfod: Support -C option for connection thread pooling.
debuginfod-client: Negative cache file are now zero sized instead of
no-permission files.
addr2line: The -A, --absolute option, which shows file names including
the full compilation directory is now the default. To get the
old behavior use the new option --relative.
readelf, elflint: Recognize FDO Packaging Metadata ELF notes
libdw, debuginfo-client: Load libcurl lazily only when files need to
be fetched remotely. libcurl is now never
loaded when DEBUGINFOD_URLS is unset. And when
DEBUGINFOD_URLS is set, libcurl is only loaded
when the debuginfod_begin function is called.
* GIT SHORTLOG *
debuginfod: Include "IPv4 IPv6" in server startup message
PR29022: 000-permissions files cause problems for backups
debuginfod: Use the debuginfod-size response header
debuginfod: ensure X-DEBUGINFOD-SIZE contains file size
config: simplify profile.*sh.in
debuginfod/debuginfod-client.c: use long for cache time configurations
readelf: Don't consider padding DT_NULL as dynamic section entry
debuginfod: correct concurrency bug in fdcache metrics
PR28661: debuginfo connection thread pool support
man debuginfod-client-config.7: Elaborate $DEBUGINFOD_URLS
PR28708: debuginfod: use MHD_USE_EPOLL for microhttpd threads
debuginfod: use single ipv4+ipv6 microhttpd daemon configuration
AUTHORS: Use generator script & git mailmap
libebl: recognize FDO Packaging Metadata ELF note
tests: Don't set DEBUGINFOD_TIMEOUT
tests: Add -rdynamic to dwfl_proc_attach_LDFLAGS
debuginfod: Use gmtime_r instead of gmtime to avoid data race
debuginfod: sqlite3_sharedprefix_fn should not compare past end of string
debuginfod: Fix some memory leaks on debuginfod-client error paths.
debuginfod: Clear and reset debuginfod_client winning_headers on reuse
libdwfl: Don't read beyond end of file in dwfl_segment_report_module
debuginfod: Check result of calling MHD_add_response_header.
readelf: Workaround stringop-truncation error
tests: varlocs workaround format-overflow errors
debuginfod: Fix debuginfod_pool leak
configure: Add --enable-sanitize-address
debuginfod: Don't format clog using 'right' or 'setw(20)'.
libdwfl: Don't try to convert too many bytes in dwfl_link_map_report
libdwfl: Make sure we know the phdr entry size before searching phdrs.
libdwfl: Don't trust e_shentsize in dwfl_segment_report_module
libdwfl: Don't install an Elf handle in a Dwfl_Module twice
libdwfl: Don't try to convert too many dyns in dwfl_link_map_report
libdwfl: Don't allocate more than SIZE_MAX in dwfl_segment_report_module.
libelf: Use offsetof to get field of unaligned
libdwfl: Make sure phent is sane and there is at least one phdr
libdwfl: Add overflow check while iterating in dwfl_segment_report_module
tests: Use /bin/sh instead of /bin/ls as always there binary
libdwfl: Make sure there is at least one dynamic entry
libdwfl: Make sure there is at least one phdr
libdwfl: Make sure note data is properly aligned.
libdwfl: Make dwfl_segment_report_module aware of maximum Elf size
libdwfl: Make sure the note len increases each iteration
libelf: Only set shdr state when there is at least one shdr
libdwfl: Make sure that ph_buffer_size has room for at least one phdr
libdwfl: Make sure dyn_filesz has a sane size
libdwfl: Rewrite GElf_Nhdr reading in dwfl_segment_report_module
libdwfl: Handle unaligned Ehdr in dwfl_segment_report_module
libdwfl: Handle unaligned Phdr in dwfl_segment_report_module
libdwfl: Handle unaligned Nhdr in dwfl_segment_report_module
libdwfl: Always clean up build_id.memory
libdwfl: Make sure dwfl_elf_phdr_memory_callback returns at least minread
libdwfl: Call xlatetom on aligned buffers in dwfl_link_map_report
libdwfl: Calculate addr to read by hand in link_map.c read_addrs.
libdwfl: Fix overflow check in link_map.c read_addrs
libdwfl: Handle unaligned Dyns in dwfl_segment_report_module
libdwfl: Declare possible zero sized arrays only when non-zero
backends: Use PTRACE_GETREGSET for ppc_set_initial_registers_tid
configure: Test for _FORTIFY_SOURCE=3 support.
addr2line: Make --absolute the default, add --relative option.
configure: Use AS_HELP_STRING instead of AC_HELP_STRING.
libelf: Take map offset into account for Shdr alignment check in elf_begin
libelf: Make sure ar_size starts with a digit before calling atol.
libelf: Check alignment of Verdef, Verdaux, Verneed and Vernaux offsets
libdwfl: Close ar members when they cannot be processed.
libdwfl: Use memcpy to assign image header field values
libelf: Don't overflow offsets in elf_cvt_Verneed and elf_cvt_Verdef
libelf: Correct alignment of ELF_T_GNUHASH data for ELFCLASS64
tests: Check addsections test binary is 64bit for run-large-elf-file.sh
configure: Don't check whether -m64 works for 32bit host biarch check
libelf: Sync elf.h from glibc.
elflint: Recognize NT_FDO_PACKAGING_METADATA
Introduce error_exit as a noreturn variant of error (EXIT_FAILURE, ...)
libelf: Also copy/convert partial datastructures in xlate functions
libelf: Return already gotten Elf_Data from elf_getdata_rawchunk
config: Add versioned requires on libs/libelf for debuginfod-client
libdw: Add DWARF5 package file section identifiers, DW_SECT_*
tests: Don't try to corrupt sqlite database during test.
libdw: Remove unused atomics.h include from libdwP.h
readelf: Define dyn_mem outside the while loop.
tests: Lower parallel lookups in run-debuginfod-webapi-concurrency.sh
debuginfod: Use MHD_USE_ITC in MHD_start_daemon flags
elfclassify: Fix --no-stdin flag
libelf: Check for mremap, elf_update needs it for ELF_C_RDWR_MMAP
debuginfod, libdwfl: Initialize libcurl and dlopen debuginfod-client lazily
dwfl: fix potential overflow when reporting on kernel modules
debuginfod: fix compilation on platforms without <error.h>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:50:34 +0000 (09:50 +0200)]
libarchive: Update to version 3.6.1
- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- Changelog
Libarchive 3.6.1 is a bugfix and security release.
Security fixes:
7zip reader: fix PPMD read beyond boundary (#1671)
ZIP reader: fix possible out of bounds read (OSS-Fuzz 38766 #1672)
ISO reader: fix possible heap buffer overflow in read_children() (OSS-Fuzz 38764, #1685)
RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0)
fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50)
fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77)
fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 24 Aug 2022 07:51:01 +0000 (09:51 +0200)]
openvpn: Update to version 2.5.7
- Update from version 2.5.6 to 2.5.7
- Update of rootfile not required
- Changelog
2.5.7. This is mostly a bugfix release, but adds limited support for OpenSSL 3.0. Full
support will arrive in OpenVPN 2.6.
networking: use OPENVPN_ETH_ALEN instead of ETH_ALEN
networking_iproute2: don't pass M_WARN to openvpn_execve_check()
t_net.sh: delete dummy iface using iproute command
auth-pam.c: add missing include limits.h
Add insecure tls-cert-profile options
Refactor early initialisation and uninitialisation into methods
Allow loading of non default providers
Add ubuntu 22.04 to Github Actions
Add macos OpenSSL 3.0 and ASAN builds
Add --with-openssl-engine autoconf option (auto|yes|no)
Fix allowing/showing unsupported ciphers and digests
Remove dependency on BF-CBC existance from test_ncp
Add message when decoding PKCS12 file fails.
Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names
Fix client-pending-auth error message to say ERROR instead of SUCCESS
cipher-negotiation.rst missing from doc/Makefile.am
vcpkg-ports\pkcs11-helper: shorten patch filename
msvc: adjust build options to harden binaries
vcpkg-ports: remove openssl port
vcpkg: switch to manifest
Fix M_ERRNO behavior on Windows
vcpkg-ports/pkcs11-helper: bump to release 1.29
tapctl: Resolve MSVC C4996 warnings
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3390000 to 3390200
- Update of rootfile not required
- Changelog
version 3.39.2 (2022-07-21):
Fix a performance regression in the query planner associated with rearranging
the order of FROM clause terms in the presences of a LEFT JOIN.
Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and 1345947, forum post 3607259d3c, and other minor problems discovered by internal testing.
version 3.39.1 (2022-07-13):
Fix an incorrect result from a query that uses a view that contains a
compound SELECT in which only one arm contains a RIGHT JOIN and where the
view is not the first FROM clause term of the query that contains the view.
forum post 174afeae5734d42d.
Fix some harmless compiler warnings.
Fix a long-standing problem with ALTER TABLE RENAME that can only arise if
the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set to a very small value.
Fix a long-standing problem in FTS3 that can only arise when compiled with
the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time option.
Fix the build so that is works when the SQLITE_DEBUG and
SQLITE_OMIT_WINDOWFUNC compile-time options are both provided at the same time.
Fix the initial-prefix optimization for the REGEXP extension so that it works
correctly even if the prefix contains characters that require a 3-byte UTF8
encoding.
Enhance the sqlite_stmt virtual table so that it buffers all of its output.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Matthias Fischer [Sat, 27 Aug 2022 07:02:00 +0000 (09:02 +0200)]
bind: Update to 9.16.32
For details see:
https://downloads.isc.org/isc/bind9/9.16.32/doc/arm/html/notes.html#notes-for-bind-9-16-32
Excerpt from changelog:
"5934. [func] Improve fetches-per-zone fetch limit logging to log
the final allowed and spilled values of the fetch
counters before the counter object gets destroyed.
[GL #3461]
5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in
named on Fedorda 33, Oracle Linux 9 and RHEL9 when
they are disabled by the security policy. [GL #3469]
5932. [bug] Fix rndc dumpdb -expired and always include expired
RRsets, not just for RBTDB_VIRTUAL time window.
[GL #3462]
5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was
not fully effective; it was used for timing key
rollovers but did not actually place an upper limit
on TTLs when loading a zone. This has been
corrected, and the documentation has been clarified
to indicate that the old "max-zone-ttl" zone option
is now ignored when "dnssec-policy" is in use.
[GL #2918]
5924. [func] When it's necessary to use AXFR to respond to an
IXFR request, a message explaining the reason
is now logged at level info. [GL #2683]
5923. [bug] Fix inheritance for dnssec-policy when checking for
inline-signing. [GL #3438]
5922. [bug] Forwarding of UPDATE message could fail with the
introduction of netmgr. This has been fixed. [GL #3389]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
projects / ipfire-2.x.git / log
