Adolf Belka [Tue, 5 Mar 2024 11:24:00 +0000 (12:24 +0100)]
pciutils: Update to version 3.11.1
- Update from version 3.10.0 to 3.11.1
- Update of rootfile
- Changelog
3.11.1
* Fixed wrong API version in lib/pci.h.
* Updated README.Windows.
* Fix compilation on Windows.
3.11.0
* update-pciids now supports XZ compression. If libpci is configured
with support for compression, all downloaded files are recompressed
as gzip. Otherwise they are stored as plain text.
* update-pciids now sends itself as the User-Agent.
* Added a pcilmr utility for PCIe lane margining. Thanks to Nikita
Proshkin for contributing it.
* Re-factored access to i386 ports on all relevant platforms.
* Added i386 port access on OpenBSD.
* Back-ends for Windows received many bug fixes and improvements.
* ECAM back-end now scans ACPI and BIOS memory faster.
* Linux systems without pread/pwrite are no longer supported
as they are hopefully long gone. This helps avoid the tricky check
for presence of pread which was found to fail on musl libc.
* Improved decoding of PCIe control and status registers.
* Decoding of CXL capabilities now supports up to CXL 3.0.
* lspci now displays interrupt message numbers consistently across
different capabilities.
* Cache of IDs resolved via DNS, which was located in ~/.pci-ids
by default, is now stored according to the XDG base directory
specification in $XDG_CACHE_HOME/pci-ids.
* All source files now have SPDX license identifiers.
* Internal: The "aux" fields of structs pci_access and pci_dev
reserved for use by back-ends were renamed to backend_data to better
reflect their meaning.
* As usually, various minor bug fixes and updated pci.ids.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Mar 2024 11:23:59 +0000 (12:23 +0100)]
pango: Update to version 1.52.0
- Update from version 1.50.13 to 1.52.0
- Update of rootfile
- Changelog
1.52.0
- Add pango_font_map_reload_font
- Improve formatting of font sizes
1.51.2
- Build improvements on Windows
- Use single fontconfig thread
- Fix problems with spaces at line ends
- Allow custom fonts on Windows
- pango-viewer: Fix hint-metrics options
- Pangofont: Add properties
1.51.0
- itemize: Improve script itemization
- build: Check for cairo DWrite dependency
- win32: Fix various issues and crashes
- layout: Add a missing switch case
1.50.14
- Fix underline thickness in scaled contexts
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Mar 2024 11:23:58 +0000 (12:23 +0100)]
expat: Update to version 2.6.1
- Update from version 6.2.0 to 6.2.1
- Update of rootfile
- Changelog
2.6.1 Thu February 29 2024
Bug fixes:
#817 Make tests independent of CPU speed, and thus more robust
#828 #836 Expose billion laughs API with XML_DTD defined and
XML_GE undefined, regression from 2.6.0
Other changes:
#829 Hide test-only code behind new internal macro
#833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
#819 Address compiler warnings
#832 #834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
for what these numbers do
Infrastructure:
#818 CI: Adapt to breaking changes in clang-format
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Mar 2024 11:23:57 +0000 (12:23 +0100)]
ethtool: Update to version 6.7
- Update from version 6.3 to 6.7
- Update of rootfile not required
- Changelog
6.7 - January 29, 2024
* Feature: support for setting TCP data split
* Fix: fix new gcc14 warning
* Fix: fix SFF-8472 transceiver module identification (-m)
* Misc: code cleanup
6.6 - November 23, 2023
* Feature: support for more CMIS transceiver modules (-m)
* Fix: fix build on systems with old kernel uapi headers
6.5 - September 12, 2023
* Feature: register dump for hns3 driver (-d)
* Fix: fix fallback to ioctl for sset (-s)
* Fix: fix empty slot search in rmgr (-N)
6.4 - July 1, 2023
* Feature: get/set Tx push buffer length (-G)
* Feature: sff-8636 and cmis: report LOL / LOS / Tx Fault (-m)
* Fix: fix duplex setting parser (-s)
* Misc: check and require C11 language standard
* Misc: clean up obsolete pre-build checks
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 19 Feb 2024 14:16:32 +0000 (15:16 +0100)]
ovpn.cnf: Removal of SKID & AKID from server section - Fixes Bug#13595
- The update to openssl-3.2.x introduced a bug fix which now gives an error if the
subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions
for a CSR.
- See the following discssion in the openssl github issues
https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738
- The SKID & AKID should never have been specified in the CSR but due to a bug they were
never flagged with an error, just ignored. Since the bug fix for that bug was put into
OpenSSL-3.2.0 the prescence of the SKID & AKID in the CSR causes an error to be flagged.
- The consequence of this is that in CU183 trying to create a new x509 root/host
certificate gives an error when the CSR is generated so only the root certificate is
created and not the host certificate.
- Tested out the removal of the SKID & AKID lines from the [ server ] section of the
ovpn.cnf file and the root/host certificate set was created without any issue.
- Then tested the creation of a RW client connection and that worked with no problems. Also
creating a fresh N2N connection worked without any problems.
- Also tested restoring from an earlier backup. The RW and N2N connections worked without
issues with the AKID and SKID missing from the [ server ] section.
- It would be good if this could be merged into CU184 for final testing.
Fixes: Bug#13595 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 22 Feb 2024 12:43:39 +0000 (13:43 +0100)]
update.sh: Fixes bug#13548 - make key 41 contain no-pass for N2N connections
- This code ensures that all existing N2N connections have no-pass in key 41 in place
of disabled for some of them.
- Tested out and confirmed on my vm testbed.
Fixes: Bug#13548 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 22 Feb 2024 12:43:38 +0000 (13:43 +0100)]
ovpnmain.cgi: Fixes bug#13548 - imported N2N client connections get disabled instead of no-pass
- When bug#11408 was fixed it was missed that key 41 has disabled inserted into it when
uploading into the N2N client. This replaced the no-pass entry for all N2N connections
resulting in the ovpnmain.cgi not being able to show the status correctly as the code
looks for pass or no-pass.
- The disabled entry has been present for a very long time and is not utilised anywhere
in the code.
- This fix ensures that key 41 in the uploaded N2N connection has no-pass entered
- Tested out and confirmed in my vm testbed.
Fixes: Bug#13548 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Wed, 28 Feb 2024 18:58:36 +0000 (19:58 +0100)]
zabbix_agentd: Add OpenVPN certificates items
- Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates.
- Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed
- Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details.
- Adapts lfs install script to install new script and configfile
- Adds new script and configfile to rootfiles Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Wed, 28 Feb 2024 18:58:35 +0000 (19:58 +0100)]
zabbix_agentd: Add helper script to get and verify certificate details
Add script to parse openssl output on certificates and return it as JSON for consumption by the Zabbix agent. Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Wed, 28 Feb 2024 18:58:34 +0000 (19:58 +0100)]
zabbix_agentd: Update to 6.0.27 (LTS)
- Update from version 6.0.22 to 6.0.27
- Update of rootfile not required
Bugs fixed:
- ZBX-23715: Fixed persistent directory path not following symlinks upon creation
- ZBX-22933: Improved vfs.file.regmatch and vfs.file.regexp items to use buffered file read
Full changelogs since 6.0.22:
- https://www.zabbix.com/rn/rn6.0.23
- https://www.zabbix.com/rn/rn6.0.24
- https://www.zabbix.com/rn/rn6.0.25
- https://www.zabbix.com/rn/rn6.0.26
- https://www.zabbix.com/rn/rn6.0.27 Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Feb 2024 19:31:37 +0000 (20:31 +0100)]
shadow: Update to version 4.14.5
- Update from version 4.14.3 to 4.14.5
- Update of rootfile not required
- Changelog
4.14.5
Build system:
Fix regression introduced in 4.14.4, due to a typo. chgpasswd had
been deleted from a Makefile variable, but it should have been
chpasswd.
4.14.4
Build system:
Link correctly with libdl.
Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
libshadow:
Fix build error (parameter name omitted).
Fix off-by-one bug.
Remove warning.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Feb 2024 19:31:36 +0000 (20:31 +0100)]
samba: Update to version 4.19.5
- Update from version 4.19.3 to 4.19.5
- Update of rootfile not required
- Changelog
4.19.5
* BUG 13688: Windows 2016 fails to restore previous version of a file from a
shadow_copy2 snapshot.
* BUG 15549: Symlinks on AIX are broken in 4.19 (and a few version before
that).
* BUG 12421: Fake directory create times has no effect.
* BUG 15550: ctime mixed up with mtime by smbd.
* BUG 15548: samba-gpupdate --rsop fails if machine is not in a site.
* BUG 15557: gpupdate: The root cert import when NDES is not available is
broken.
* BUG 15552: samba-gpupdate should print a useful message if cepces-submit
can't be found.
* BUG 15558: samba-gpupdate logging doesn't work.
* BUG 15555: smbpasswd reset permissions only if not 0600.
4.19.4
* BUG 13577: net changesecretpw cannot set the machine account password if
secrets.tdb is empty.
* BUG 15540: For generating doc, take, if defined, env XML_CATALOG_FILES.
* BUG 15541: Trivial C typo in nsswitch/winbind_nss_netbsd.c.
* BUG 15542: vfs_linux_xfs is incorrectly named.
* BUG 15377: systemd stumbled over copyright-message at smbd startup.
* BUG 15505: Following intermediate abolute share-local symlinks is broken.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
* BUG 15544: shadow_copy2 broken when current fileset's directories are
removed.
* BUG 15377: systemd stumbled over copyright-message at smbd startup.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
* BUG 15534: smbd does not detect ctdb public ipv6 addresses for multichannel
exclusion.
* BUG 15469: 'force user = localunixuser' doesn't work if 'allow trusted
domains = no' is set.
* BUG 15525: smbget debug logging doesn't work.
* BUG 15532: smget: username in the smburl and interactive password entry
doesn't work.
* BUG 15538: smbget auth function doesn't set values for password prompt
correctly.
* BUG 15523: ctdb RELEASE_IP causes a crash in release_ip if a connection to
a non-public address disconnects first.
* BUG 15440: Unable to copy and write files from clients to Ceph cluster via
SMB Linux gateway with Ceph VFS module.
* BUG 15547: Multichannel refresh network information.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Feb 2024 19:31:35 +0000 (20:31 +0100)]
libpng: Update to version 1.6.42
- Update from version 1.4.61 to 1.4.62
- Update of rootfile not required
- Changelog
1.6.42
Fixed the implementation of the macro function png_check_sig().
This was an API regression, introduced in libpng-1.6.41.
(Reported by Matthieu Darbois)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Feb 2024 19:31:34 +0000 (20:31 +0100)]
libgpg-error: Update to version 1.48
- Update from version 1.47 to 1.48
- Update of rootfile
- Changelog
1.48
* New configure option --with-libtool-modification. [T6619]
* New option parser flag to detect commands given without a double
dash. There is also the new meta command "command-mode" to set
this flag via a config file. [T6978]
* Added an es_fopen mode flag "sequential" with support on Windows.
[rE7a42ff0ec9]
* Added an es_fopen mode flag "wipe" to cleanup internal buffers at
close time. [T6954]
* New function gpgrt_wipememory. [T6964]
* Improvements to setenv on Windows. [rE89e53ad90f]
* Fixed call to estream-printf string filters. [T6737]
* Many improvements to the yat2m tool.
* Updates to the build system.
* Interface changes relative to the 1.47 release:
ARGPARSE_FLAG_COMMAND NEW.
gpgrt_wipememory NEW.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Feb 2024 19:31:33 +0000 (20:31 +0100)]
libffi: Update to version 3.4.6
- Update from version 3.4.4 to 3.4.6
- Update of rootfile
- Changelog
3.4.6
Fix long double regression on mips64 and alpha.
3.4.5
Add support for wasm32.
Add support for aarch64 branch target identification (bti).
Add support for ARCv3: ARC32 & ARC64.
Add support for HPPA64, and many HPPA fixes.
Add support for Haikuos on PowerPC.
Fixes for AIX, loongson, MIPS, power, sparc64, and x86 Darwin.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Feb 2024 19:31:32 +0000 (20:31 +0100)]
gptfdisk: Update to version 1.0.10
- Update from version 1.0.9 to 1.0.10
- Update of rootfile not required
- Changelog
1.0.10
- Fixed problem that caused sgdisk to crash with errors about being unable
to read the disk's partition table when compiled with the latest popt
(commit 740, which is pre-release as I type; presumably version 1.19 and
later once released).
- Updated guid.cc to deal with minor change in libuuid.
- Fixed potential NULL derefernce bug in sgdisk. Thanks to Damian Kurek
for this fix.
- The partition number of "0" can now be used to reference newly-created
partitions when the --largest-new=0 option to sgdisk is used. Thanks to
David Joaquín Shourabi Porcel for this improvement.
- Make explicit casts in gptcurses.cc to eliminate compiler warnings about
mis-matched types in printw() statements.
- Minor code cleanup based on valgrind analysis.
- In previous versions, GPT fdisk accepted only integer values for partition
start points, end points, and sizes, and it interpreted decimal values
incorrectly. That is, if you typed "+9.5G" as the partition end point,
you'd end up with something just 9 sectors in size. This version now
truncates decimal numbers to their integral values, so you'd get a 9 GiB
partition instead.
- Changes to optimize disk handling, particularly on Windows, courtesy of
Frediano Ziglio.
- Added numerous new partition type codes from Discoverable Partitions
Specification
(https://uapi-group.org/specifications/specs/discoverable_partitions_specification/).
- Added new sgdisk -k/--move-backup-table and gdisk k (on the experts' menu)
option to relocate the backup partition table. This is the counterpart of
the sgdisk -j/--move-main-table and gdisk j (on the experts' menu) option
to move the main partition table. This code comes from Niklas Gollenstede.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Feb 2024 19:31:31 +0000 (20:31 +0100)]
git: Update to version 2.44.0
- Update from version 2.43.0 to 2.44.0
- Update of rootfile
- Changelog is too large to include here.
See the files 2.43.1.txt, 2.43.2.txt, 2.43.3.txt & 2.44.0.txt in the source tarball in
directory Documentation/RelNotes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 26 Feb 2024 15:05:01 +0000 (16:05 +0100)]
backup.pl: Fixes bug#13404 - Clear out OpenVPN certs before doing restore
- Existing situation is if four new client connections are created and then it is decided
to restore to an earlier stage the new certficates will be in the certs directory but
not usable from the WUI page as they are no longer shown in the client connection table
as that now shows the ones from the restored backup.
- This patch clears the /var/ipfire/ovpn/certs/ directory before restoring the contents
of the backup so that the certs directory only holds what was in the backup.
Fixes: Bug#13404 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 26 Feb 2024 15:05:00 +0000 (16:05 +0100)]
ovpnmain.cgi: Fixes bug#13404 - prevents certs being saved if common name is already used
- This was fixed by moving the code for checking if the common name is already used, to
the same location as the code for checking if the connection name is already used.
- Tested out on vm testbed and confirmed that the certificates are not created and the
index.txt not updated if the common name is flagged as already being used. If the
entry is changed to use a new CN and Save pressed then the certs are saved and the
index.txt updated. If Cancel is pressed then no certs are saved and index.txt is not
updated.
Fixes: Bug#13404 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 24 Feb 2024 14:51:14 +0000 (15:51 +0100)]
dhcp.cgi: Fixes bug#11774 - allows dhcp option of array of integer 8
- This v2 version is to correct the bug number. I entered a wronn bug number in the first
version
- This extends the allowed options from just array of ip-address to also include
integer 8 or integer 16 or integer 32.
- Tested out on vm testbed. The array of integer 8 (or 16 or 32) is acceptewd by the dhcp
options section. I am not able to test out that the function actually works as I don't
have any dhcp situation set up to use that capability.
- Records or array of records is still not included. It was only an expansion of the array
of section to include integers.
Fixes: bug#11774 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 28 Feb 2024 13:35:26 +0000 (14:35 +0100)]
dns.cgi: Fixes bug#12395 - German umlauts not correctly displayed in remarks
- If Freifunk München e.V. is entered as a remark it gets converted to
Freifunk München e.V.
- This is because cleanhtml is used on the remark text before saving it to the file and
the HTML::Entities::encode_entities command that is run on that remark text encodes all
higher bit characters as unsafe characters and replaces them with their HTML entity
representation.
- Have tested out the remark with a range of different characters with diacritical marks
and all of the ones tested were re-written.
- The use of the cleanhtml makes sense when used on URL's or on text that is going to be
printed as part of the HTML code for a page but it doesn't seem to make sense for text
used in a remark.
- The cleanhtml function is only used on the remark text in dns.cgi and not on any other
entries on the page.
- Removing the call to the cleanhtml function results in the German umlauts being printed
in the remark section.
- Many of the WUI pages have the cleanhtml function used on remark or comment text.
- fwhosts.cgi does not use cleanhtml anywhere. So all its remark sections work with
characters with diacritical marks.
- If this patch is accepted, I will then submit patches for the other WUI pages where
characters with diacritical marks are re-written in remark or comment sections.
Fixes: Bug#12395 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We disable cores if the are affected by some cpu vulnerabilities
this cores report errors if you try to change the settings.
So only print the output for core0 and hide it for all cores.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 15 Feb 2024 12:58:35 +0000 (13:58 +0100)]
ruleset-sources: removal of PT Attack & Secureworks + addition of ThreatFox
- The PT Attack ruleset has not been updated since 2021 and made read-only in 2022
The PT Attack website no longer has any reference to Suricata Rulesets. The PT Attack
ruleset is being removed.
- The Secureworks three rulesets are no longer available. The website path gives a 404
error. No mention of Suricata rulesets in the Secureworks website. The Secureworks three
rulesets are being removed.
- ThreatFox ruleset has been added to the list. Both a plain and archive version of the
rules are available but the plain version is being regularly updated while the archive
version was last updated 5 days ago. So this patch has implemented the plain version.
- All above was discussed in the January Developers Conference call.
- Tested out on my vm testbed. I had PT Attack selected as one of the providers. As
mentioned by Stefan removing PT Attack means it is not available in the list of
providers but the provider stays in the providers table but with the line shown in red.
I will update the wiki to mention the red highlight and what it means.
Suggested-by: Stefan Schantl <stefan.schantl@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 15 Feb 2024 20:47:57 +0000 (21:47 +0100)]
freeradius: Increment PAK_VER & ship freeradius to link to the updated libssl version
- OpenSSL was updated to 3.1.4 in CU181 and to 3.2.1 in CU183 but in both cases freeradius
was not incremented to cause it to be shipped.
- This patch increments the freeradius PAK_VER to ensure it will be shipped.
Fixes: Bug#13590 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 14 Feb 2024 10:34:36 +0000 (11:34 +0100)]
graphs.pl: Fixes graph failure when the DROP_HOSTILE directory is missing
- If a fresh install is done then only the DROP_HOSTILE_IN & DROP_HOSTILE_OUT
rrd directories are created.
- With the DROP_HOSTILE directory missing then when the fwhits graph is updated an error
message is caused by the inability to open the required files.
- This patch adds an if/else loop into the fwhits graph code to deal with the two cases
of the DROP_HOSTILE being present or not depending on the history and if a backup with
logs has been restored from when DROP_HOSTILE was in use.
- Tested on vm testbed and created a historical line for the hostile data when it was not
split
- There might be a simpler or better approach than this but it was the only option I
could identify. I couldn't find anything about being able to use if loops within the
RRD::Graph loop
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Wed, 14 Feb 2024 16:24:52 +0000 (17:24 +0100)]
unbound: Update to 1.19.1
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-1
"Bug Fixes
Fix CVE-2023-50387, DNSSEC verification complexity can be exploited
to exhaust CPU resources and stall DNS resolvers.
Fix CVE-2023-50868, NSEC3 closest encloser proof can exhaust CPU."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 5 Feb 2024 16:47:35 +0000 (16:47 +0000)]
make.sh: Compile with minimal debug information
In IPFire 2, we don't make any use out of the debug information.
Therefore we can tell the compiler to generate as minimal debug
information as possible in order to have a faster compilation process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
we had discussed this on december telco but it is not so
easy because our menusystem only shows entry's existing cgi's.
so i add a cgi redirect to http://$ENV{SERVER_ADDR}:3000
this add the entry under pakfire and also to service page.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 6 Feb 2024 21:27:33 +0000 (22:27 +0100)]
suricata: Update to version 7.0.2
- Update from version 6.0.15 to 7.0.2
- Update of rootfile
- suricata 7.0.2 requires libhtp >= 0.5.45
it also requires libelf.so.1 for execution. Previous suricata versions only required
libelf for building. libelf or elfutils are not mentioned anywhere in the changelog
- Without elfutils available during starting then suricata fails to start due to
libelf.so.1 not being available.
- Tested out suricata7 with elfutils on my vm testbed and it successfully started.
- The suricata-5.0.8 patch has been removed as it got applied to configure.ac but this
is not available in suricata-7.0.2. It looks like that patch was never actually used in
suricata as all the builds I checked used the configure file from the source tarball
and the configure was never created by running autoconf on the configure.ac
- Changelog is too large to include here. Details can be found in the ChangeLog file in
the source tarball
Fixes: Bug#13516 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
Excerpts from changelog:
"Major changes
Added support for extracting and scanning attachments found in
Microsoft OneNote section files. OneNote parsing will be enabled by
default, but may be optionally disabled using one of the following
options:
a. The clamscan command line option: --scan-onenote=no,
b. The clamd.conf config option: ScanOneNote no,
c. The libclamav scan option options.parse &= ~CL_SCAN_PARSE_ONENOTE;,
d. A signature change to the daily.cfg dynamic configuration (DCONF).
Other improvements
Fixed issue when building ClamAV on the Haiku (BeOS-like) operating
system. Patch courtesy of Luca D'Amico
ClamD: When starting, ClamD will now check if the directory specified
by TemporaryDirectory in clamd.conf exists. If it doesn't, ClamD will
print an error message and will exit with exit code 1. Patch courtesy
of Andrew Kiggins.
CMake: If configured to build static libraries, CMake will now also
install the libclamav_rust, libclammspack, libclamunrar_iface, and
libclamunrar static libraries required by libclamav.
Note: These libraries are all linked into the clamscan, clamd, sigtool,
and freshclam programs, which is why they did not need to be installed
to function. However, these libraries would be required if you wish to
build some other program that uses the libclamav static library.
Added file type recognition for compiled Python (`.pyc`) files.
The file type appears as a string parameter for these callback
functions:
When scanning a `.pyc` file, the `type` parameter will now show
"CL_TYPE_PYTHON_COMPILED" instead of "CL_TYPE_BINARY_DATA".
Improved support for decrypting PDFs with empty passwords.
Assorted minor improvements and typo fixes.
Bug fixes
Fixed a warning when scanning some HTML files.
Fixed an issue decrypting some PDF's with an empty password.
ClamOnAcc: Fixed an infinite loop when a watched directory does not
exist.
ClamOnAcc: Fixed an infinite loop when a file has been deleted before a
scan.
Patch courtesy of gsuehiro.
Fixed a possible crash when processing VBA files on HP-UX/IA 64bit.
Patch courtesy of Albert Chin-A-Young.
ClamConf: Fixed an issue printing `MaxScanSize` introduced with the
change to allow a `MaxScanSize` greater than 4 GB.
Fix courtesy of teoberi.
Fixed an issue building a ClamAV RPM in some configurations.
The issue was caused by faulty CMake logic that intended to create an
empty database directory during the installation."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>