Adolf Belka [Mon, 18 Dec 2023 17:28:55 +0000 (18:28 +0100)]
iptables: Update to version 1.8.10
- Update from version 1.8.9 to 1.8.10
- Update of rootfile not required
- Changelog
1.8.10
build: use pkg-config for libpcap
iptables-test.py: make explicit use of python3
xtables-eb: fix crash when opts isn't reallocated
iptables-nft: make builtin tables static
iptables-nft: remove unused function argument
include: update nf_tables uapi header
ebtables-nft: add broute table emulation
nft-ruleparse: parse meta mark set as MARK target
iptables: Fix setting of ipv6 counters
iptables: Fix handling of non-existent chains
xshared: dissolve should_load_proto
nft: move processing logic out of asserts
man: string: document BM false negatives
ip6tables: Fix checking existence of rule
nft: check for source and destination address in first place
nft: use payload matching for layer 4 protocol
nft-bridge: pass context structure to ops->add() to improve anonymous set support
configure: Bump version for 1.8.10 release
extensions: NAT: Fix for -Werror=format-security
etc: Drop xtables.conf
Proper fix for "unknown argument" error message
ebtables: Refuse unselected targets' options
ebtables-translate: Drop exec_style
ebtables-translate: Use OPT_* from xshared.h
ebtables-translate: Ignore '-j CONTINUE'
ebtables-translate: Print flush command after parsing is finished
tests: xlate: Support testing multiple individual files
tests: CLUSTERIP: Drop test file
nft-shared: Lookup matches in iptables_command_state
nft-shared: Use nft_create_match() in one more spot
nft-shared: Simplify using nft_create_match()
tests: xlate: Properly split input in replay mode
tests: xlate: Print file names even if specified
extensions: libebt_redirect: Fix target translation
extensions: libebt_redirect: Fix for wrong syntax in translation
extensions: libebt_ip: Do not use 'ip dscp' for translation
extensions: libebt_ip: Translation has to match on ether type
ebtables: ip and ip6 matches depend on protocol match
xtables-translate: Support insert with index
include: Add missing linux/netfilter/xt_LOG.h
nft-restore: Fix for deletion of new, referenced rule
tests: shell: Test for false-positive rule check
utils: nfbpf_compile: Replace pcap_compile_nopcap()
nft-shared: Drop unused include
arptables: Fix parsing of inverted 'arp operation' match
arptables: Don't omit standard matches if inverted
xshared: Fix parsing of option arguments in same word
nft: Introduce nft-ruleparse.{c,h}
nft: Extract rule parsing callbacks from nft_family_ops
nft: ruleparse: Create family-specific source files
tests: shell: Sanitize nft-only/0009-needless-bitwise_0
nft: Special casing for among match in compare_matches()
nft: More verbose extension comparison debugging
nft: Do not pass nft_rule_ctx to add_nft_among()
nft: Include sets in debug output
*tables-restore: Enforce correct counters syntax if present
*tables: Reject invalid chain names when renaming
ebtables: Improve invalid chain name detection
tests: shell: Fix and extend chain rename test
iptables-restore: Drop dead code
iptables-apply: Eliminate shellcheck warnings
extensions: libipt_icmp: Fix confusion between 255/255 and any
tests: libipt_icmp.t: Enable tests with numeric output
man: iptables.8: Extend exit code description
man: iptables.8: Trivial spelling fixes
man: iptables.8: Fix intra page reference
man: iptables.8: Clarify --goto description
man: Use HTTPS for links to netfilter.org
man: iptables.8: Trivial font fixes
man: iptables-restore.8: Fix --modprobe description
man: iptables-restore.8: Consistently document -w option
man: iptables-restore.8: Drop -W option from synopsis
man: iptables-restore.8: Put 'file' in italics in synopsis
man: iptables-restore.8: Start paragraphs in upper-case
man: Trivial: Missing space after comma
man: iptables-save.8: Clarify 'available tables'
man: iptables-save.8: Fix --modprobe description
man: iptables-save.8: Start paragraphs in upper-case
extensions: libip6t_icmp: Add names for mld-listener types
nft-ruleparse: Introduce nft_create_target()
tests: iptables-test: Fix command segfault reports
nft: Create builtin chains with counters enabled
Revert "libiptc: fix wrong maptype of base chain counters on restore"
tests: shell: Test chain policy counter behaviour
Use SOCK_CLOEXEC/O_CLOEXEC where available
nft: Pass nft_handle to add_{target,action}()
nft: Introduce and use bool nft_handle::compat
Add --compat option to *tables-nft and *-nft-restore commands
tests: Test compat mode
Revert --compat option related commits
tests: shell: Fix for ineffective 0007-mid-restore-flush_0
nft: Fix for useless meta expressions in rule
include: linux: Update kernel.h
build: Bump dependency on libnftnl
extensions: Fix checking of conntrack --ctproto 0
doc: fix example of xt_cpu
xt_sctp: add the missing chunk types in sctp_help
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:28:56 +0000 (18:28 +0100)]
lcms2: Update to version 2.16
- Update from version 2.14 to 2.16
- Update of rootfile
- Changelog
2.16 Featured release
New import .CUBE files as RGB devicelinks
New Read/Write MHC2 tags for Windows GPU access
New Support for UTF8 on multilocalized unicode functions
New Suppot for OkLab color space, built-in and formatter.
Improved floating point transforms float -> integer are now honored as float
Improved MSYS2, mingw is now supported
Improved proferred CMM, platform and creator now survives profile edition.
Fixed tificc now can deal with Lab TIFF
Fixed code can now be compiled by a C++17 compiler, "register" keywork use detected at compile time.
Fixed Reverted postcript creation that corrupted some interpreters.
2.15 Maintenance release
New MESON build system, many thanks to amispark and Lovell Fuller for bringing this.
Fixed a bug that caused memory corruption on colord
cmsReadRawTag can read portions of tags again. Removing this caused colord to segfault when dumping profiles
Added more checks based of fuzzer discoveries.
MSYS2 can now compile lcms2
Checked on Apple Silicon M1 and M2
Fixed a bug of fastfloat plug-in that affected Krita CMYK color selector
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:28:57 +0000 (18:28 +0100)]
libnl-3: Update to version 3.9.0
- Update from version 3.8.0 to 3.9.0
- Update of rootfile not required
- Changelog is not produced. Changes can be seen from the commits in the github repo
https://github.com/thom311/libnl/commits/main
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:28:58 +0000 (18:28 +0100)]
lmdb: Update to version 0.9.31
- Update from version 0.9.30 to 0.9.31
- Update of rootfile not required
- Changelog
0.9.31 Release (2023/07/10)
ITS#8447 - Fix cursor_put(MDB_CURRENT) on DUPSORT DB with different sized data
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:28:59 +0000 (18:28 +0100)]
lsof: Update to version 4.99.3
- Update from version 4.98.0 to 4.99.3
- Update of rootfile not required
- Changelog
4.99.3
Fix a spaces vs. tabs issue in 00DIST.
4.99.2
Fix version file for CI
4.99.1
Fix compilation error when HASIPv6 is not defined. (@chenrui333)
Add configure option --disable-liblsof to disable installation
of liblsof. (@subnut, #300)
[freebsd] fix segfault from fs info (FreeBSD bug 267760)
4.99.0
[netbsd] Get device numer of tmpfs instead of reporting zero
[openbsd] Rewrite OpenBSD support because OpenBSD disallows
kernel memory access and lsof has to switch to user mode API.
Currently, most features are working, but file path reporting
and lock status are not working for lack of kernel support.
As a consequence, OpenBSD dialect is separated in a new folder.
[darwin] Remove /dev/kmem backend because it no longer exists on
current macOS releases. Use libproc backend instead.
[linux] Do not hard-code fd numbers in epoll test, fixing tests
on Void Linux
[freebsd] Use kf_file_nlink if provided by kernel instead of
stat(). This commit requires kernel with
https://reviews.freebsd.org/D38169. It brings back the ability
to list deleted files via `lsof +L1`. Closes #264.
[linux] Add --with-selinux configure option.
[solaris] Re-introduce support for recent Solaris & OpenIndiana
releases.
[darwin] Display kern ctl info, learned from apple lsof version.
[linux] Improve performance by using closefrom(). Closes #281.
[aix] Fix compilation on AIX 7.2 and add autotools build system
support for AIX.
[aix] Suppress warnings properly on AIX version greater than
5.0. Closes #187.
Introduce alpha version of liblsof which allows users to use
lsof functionality via C functions instead of spawning a
subprocess and parsing the output. This version may contain BUGs
and memory leaks, and the API may change before it stablizes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:29:01 +0000 (18:29 +0100)]
p11-kit: Update to version 0.25.3
- Update from version 0.25.2 to 0.25.3
- Update of rootfile
- Changelog
0.25.3
rpc: fix serialization of NULL mechanism pointer [PR#601]
fix meson build failure in macOS (appleframeworks not found) [PR#603]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:29:02 +0000 (18:29 +0100)]
samba: Update to version 4.19.3
- Update from version 4.19.2 to 4.19.3
- Update of rootfile not required
- I don't believe that the CVE from this version will affect IPFire users as Samba on
IPFire is not run as an Active Directory Domain Controller. That functionality was
removed some time ago.
- Changelog
4.19.3
This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bugfix CVE-2018-14628:
Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
allow read of object tombstones over LDAP
(Administrator action required!)
https://www.samba.org/samba/security/CVE-2018-14628.html
Description of CVE-2018-14628
All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.
When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
instead of being very strict (as on a Windows provisioned domain).
This means also non privileged users can use the
LDAP_SERVER_SHOW_DELETED_OID control in order to view,
the names and preserved attributes of deleted objects.
No information that was hidden before the deletion is visible, but in
with the correct ntSecurityDescriptor value in place the whole object
is also not visible without administrative rights.
There is no further vulnerability associated with this error, merely an
information disclosure.
Action required in order to resolve CVE-2018-14628!
The patched Samba does NOT protect existing domains!
The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:
samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
The above requires manual interaction in order to review the
changes before they are applied. Typicall question look like this:
Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
Owner mismatch: SY (in ref) DA(in current)
Group mismatch: SY (in ref) DA(in current)
Part dacl is different between reference and current here is the detail:
(A;;LCRPLORC;;;AU) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
(A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
(A;;LCRP;;;BA) ACE is not present in the current
[y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.
Changes since 4.19.2
* BUG 15520: sid_strings test broken by unix epoch > 1700000000.
* BUG 15487: smbd crashes if asked to return full information on close of a
stream handle with delete on close disposition set.
* BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
smb_fname_fsp_destructor().
* BUG 15499: Improve logging for failover scenarios.
* BUG 15093: Files without "read attributes" NFS4 ACL permission are not
listed in directories.
* BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
AD LDAP to normal users.
* BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
accounts.
* BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
* BUG 15513: Samba doesn't build with Python 3.12
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:29:03 +0000 (18:29 +0100)]
sudo: Update to version 1.9.15p4
- Update from version 1.9.15p2 to 1.9.15p4
- Update of rootfile not required
- Changelog
1.9.15p4
* Fixed a bug introduced in sudo 1.9.15 that could prevent a user's
privileges from being listed by "sudo -l" if the sudoers entry
in /etc/nsswitch.conf contains "[SUCCESS=return]". This did not
affect the ability to run commands via sudo. Bug #1063.
1.9.15p3
* Always disable core dumps when sudo sends itself a fatal signal.
Fixes a problem where sudo could potentially dump core dump when
it re-sends the fatal signal to itself. This is only an issue
if the command received a signal that would normally result in
a core dump but the command did not actually dump core.
* Fixed a bug matching a command with a relative path name when
the sudoers rule uses shell globbing rules for the path name.
Bug #1062.
* Permit visudo to be run even if the local host name is not set.
GitHub issue #332.
* Fixed an editing error introduced in sudo 1.9.15 that could
prevent sudoreplay from replaying sessions correctly.
GitHub issue #334.
* Fixed a bug introduced in sudo 1.9.15 where "sudo -l > /dev/null"
could hang on Linux systems. GitHub issue #335.
* Fixed a bug introduced in sudo 1.9.15 where Solaris privileges
specified in sudoers were not applied to the command being run.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 22 Dec 2023 12:37:47 +0000 (13:37 +0100)]
firewalllog.dat: Fix for bug#13492 - include chain in the exported output
- The regex code does not extract out the chain and so it is missed off from the log output
when it is exported.
- Changed code tested out on my vm testbed and confirmed to work and include the chain in
the output.
Fixes: Bug13492 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfre.org>
Adolf Belka [Tue, 26 Dec 2023 13:10:32 +0000 (14:10 +0100)]
openssh: Update to version 9.6p1
- Update from version 9.5p1 to 9.6p1
- Update of rootfile not required
- Changelog is too large to include here. See details in the file ChangeLog in the
source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Tue, 26 Dec 2023 13:10:33 +0000 (14:10 +0100)]
openssl: Update to version 3.2.0
- Update from version 3.1.4 to 3.2.0
- Update of rootfile
- Changelog
3.2.0
This release incorporates the following potentially significant or incompatible
changes:
* The default SSL/TLS security level has been changed from 1 to 2.
* The `x509`, `ca`, and `req` apps now always produce X.509v3 certificates.
* Subject or issuer names in X.509 objects are now displayed as UTF-8 strings
by default.
From my understanding these above changes should not create any problem for
IPFire.
This release adds the following new features:
* Support for client side QUIC, including support for
multiple streams (RFC 9000)
* Support for Ed25519ctx, Ed25519ph and Ed448ph in addition
to existing support for Ed25519 and Ed448 (RFC 8032)
* Support for deterministic ECDSA signatures (RFC 6979)
* Support for AES-GCM-SIV, a nonce-misuse-resistant AEAD (RFC 8452)
* Support for the Argon2 KDF, along with supporting thread pool
functionality (RFC 9106)
* Support for Hybrid Public Key Encryption (HPKE) (RFC 9180)
* Support for SM4-XTS
* Support for Brainpool curves in TLS 1.3
* Support for TLS Raw Public Keys (RFC 7250)
* Support for TCP Fast Open on Linux, macOS and FreeBSD,
where enabled and supported (RFC 7413)
* Support for TLS certificate compression, including library
support for zlib, Brotli and zstd (RFC 8879)
* Support for provider-based pluggable signature algorithms
in TLS 1.3 with supporting CMS and X.509 functionality
With a suitable provider this enables the use of post-quantum/quantum-safe
cryptography.
* Support for using the Windows system certificate store as a source of
trusted root certificates
This is not yet enabled by default and must be activated using an
environment variable. This is likely to become enabled by default
in a future feature release.
* Support for using the IANA standard names in TLS ciphersuite configuration
* Multiple new features and improvements to CMP protocol support
The following known issues are present in this release and will be rectified
in a future release:
* Provider-based signature algorithms cannot be configured using the
SignatureAlgorithms configuration file parameter (#22761)
This release incorporates the following documentation enhancements:
* Added multiple tutorials on the OpenSSL library and in particular
on writing various clients (using TLS and QUIC protocols) with libssl
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Tue, 26 Dec 2023 13:10:35 +0000 (14:10 +0100)]
qpdf: Update to version 11.7.0
- Update from version 11.6.1 to 11.7.0
- Update of rootfile
- Changelog
11.7.0
* Define CPACK_NSIS_MODIFY_PATH for the Windows builds so the
official installers will offer to modify PATH when installing
qpdf. Fixes #1054.
* Add QPDFAcroFormDocumentHelper::disableDigitalSignatures, which
disables any digital signature fields, leaving their visual
representations intact. The --remove-restrictions command-line
argument now calls this. Fixes #1015.
* Generate a more complete qpdf "man page" from the same source as
qpdf --help. Fixes #1064.
* Allow the syntax "--encrypt --user-password=user-password
--owner-password=owner-password --bits={40,128,256}" when
encrypting PDF files. This is an alternative to the syntax
"--encrypt user-password owner-password {40,128,256}", which will
continue to be supported. The new syntax works better with shell
completion and allows creation of passwords that start with "-".
Fixes #874.
* When setting a check box value, allow any value other than /Off
to mean checked. This is permitted by the spec. Previously, any
value other than /Yes or /Off was rejected. Fixes #1056.
* Fix to QPDF JSON: a floating point number that appears in
scientific notation will be converted to fixed-point notation,
rounded to six digits after the decimal point. Fixes #1079.
* Fix to QPDF JSON: the syntax "n:/pdf-syntax" is now accepted as
an alternative way to represent names. This can be used for any
name (e.g. "n:/text#2fplain"), but it is necessary when the name
contains binary characters. For example, /one#a0two must be
represented as "n:/one#a0two" since the single byte a0 is not
valid in JSON. Fixes #1072.
* From M. Holger: Refactor QPDFParser for performance. See #1059
for a discussion.
* Update code and tests so that qpdf's test suite no longer
depends on the output of any specific zlib implementation. This
makes it possible to get a fully passing test suite with any
API-compatible zlib library. CI tests with the default zlib as
well as zlib-ng (including verifying that zlib-ng is not the
default), but any zlib implementation should work. Fixes #774.
* Bug fix: with --compress-streams=n, don't compress object, XRef,
or linearization hint streams.
* Add new C++ functions "qpdf_c_get_qpdf" and "qpdf_c_wrap" to
qpdf-c.h that make it possible to write your own extern "C"
functions in C++ that interoperate with the C API. See
examples/extend-c-api for more information.
* Bug fix from M. Holger: the default for /Columns in PNG filter
is 1, but libqpdf was acting like it was 0.
* Enhancement from M. Holger: add methods to Buffer to work more
easily with std::string.
11.6.4
* Install fix: include cmake files with the dev component.
* Build AppImage with an older Linux distribution to support AWS
Lambda. Fixes #1086.
11.6.3
* Tweak linearization code to better handle files between 2 GB and
4 GB in size. Fixes #1023.
* Fix data loss bug: qpdf could discard a the character after an
escaped octal string consisting of less than three digits. For
content, this would only happen with QDF or when normalizing
content. Outside of content, it could have happened in any binary
string, such as /ID, if the encoding software used octal escape
strings with less than three digits. This bug was introduced
between 10.6.3 and 11.0.0. Fixes #1050.
11.6.2
* Bug fix: when piping stream data, don't call finish on failure
if the failure was caused by a previous call to finish. Fixes
#1042.
* Push .idea directory with the beginning of a sharable JetBrains
CLion configuration.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 18 Dec 2023 17:28:53 +0000 (18:28 +0100)]
git: Update to version 2.43.0
- Update from version 2.42.1 to 2.43.0
- Update of rootfile not required
- Changelog
2.43.0
Backward Compatibility Notes
* The "--rfc" option of "git format-patch" used to be a valid way to
override an earlier "--subject-prefix=<something>" on the command
line and replace it with "[RFC PATCH]", but from this release, it
merely prefixes the string "RFC " in front of the given subject
prefix. If you are negatively affected by this change, please use
"--subject-prefix=PATCH --rfc" as a replacement.
* In Git 2.42, "git rev-list --stdin" learned to take non-revisions
(like "--not") from the standard input, but the way such a "--not" was
handled was quite confusing, which has been rethought. The updated
rule is that "--not" given from the command line only affects revs
given from the command line that comes but not revs read from the
standard input, and "--not" read from the standard input affects
revs given from the standard input and not revs given from the
command line.
UI, Workflows & Features
* A message written in olden time prevented a branch from getting
checked out, saying it is already checked out elsewhere. But these
days, we treat a branch that is being bisected or rebased just like
a branch that is checked out and protect it from getting modified
with the same codepath. The message has been rephrased to say that
the branch is "in use" to avoid confusion.
* Hourly and other schedules of "git maintenance" jobs are randomly
distributed now.
* "git cmd -h" learned to signal which options can be negated by
listing such options like "--[no-]opt".
* The way authentication related data other than passwords (e.g.,
oauth token and password expiration data) are stored in libsecret
keyrings has been rethought.
* Update the libsecret and wincred credential helpers to correctly
match which credential to erase; they erased the wrong entry in
some cases.
Git GUI updates.
* "git format-patch" learned a new "--description-file" option that
lets cover letter description to be fed; this can be used on
detached HEAD where there is no branch description available, and
also can override the branch description if there is one.
* Use of the "--max-pack-size" option to allow multiple packfiles to
be created is now supported even when we are sending unreachable
objects to cruft packs.
* "git format-patch --rfc --subject-prefix=<foo>" used to ignore the
"--subject-prefix" option and used "[RFC PATCH]"; now we will add
"RFC" prefix to whatever subject prefix is specified.
* "git log --format" has been taught the %(decorate) placeholder for
further customization over what the "--decorate" option offers.
* The default log message created by "git revert", when reverting a
commit that records a revert, has been tweaked, to encourage people
to describe complex "revert of revert of revert" situations better in
their own words.
* The command-line completion support (in contrib/) learned to
complete "git commit --trailer=" for possible trailer keys.
* "git update-index" learned the "--show-index-version" option to
inspect the index format version used by the on-disk index file.
* "git diff" learned the "diff.statNameWidth" configuration variable,
to give the default width for the name part in the "--stat" output.
* "git range-diff --notes=foo" compared "log --notes=foo --notes" of
the two ranges, instead of using just the specified notes tree,
which has been corrected to use only the specified notes tree.
* The command line completion script (in contrib/) can be told to
complete aliases by including ": git <cmd> ;" in the alias to tell
it that the alias should be completed in a similar way to how "git
<cmd>" is completed. The parsing code for the alias has been
loosened to allow ';' without an extra space before it.
* "git for-each-ref" and friends learned to apply mailmap to
authorname and other fields in a more flexible way than using
separate placeholder letters like %a[eElL] every time we want to
come up with small variants.
* "git repack" machinery learned to pay attention to the "--filter="
option.
* "git repack" learned the "--max-cruft-size" option to prevent cruft
packs from growing without bounds.
* "git merge-tree" learned to take strategy backend specific options
via the "-X" option, like "git merge" does.
* "git log" and friends learned the "--dd" option that is a
short-hand for "--diff-merges=first-parent -p".
* The attribute subsystem learned to honor the "attr.tree"
configuration variable that specifies which tree to read the
.gitattributes files from.
* "git merge-file" learns a mode to read three variants of the
contents to be merged from blob objects.
Performance, Internal Implementation, Development Support etc.
* "git check-attr" has been taught to work better with sparse-index.
* It may be tempting to leave the help text NULL for a command line
option that is either hidden or too obvious, but "git subcmd -h"
and "git subcmd --help-all" would have segfaulted if done so. Now
the help text is truly optional.
* Tests that are known to pass with LSan are now marked as such.
* Flaky "git p4" tests, as well as "git svn" tests, are now skipped
in the (rather expensive) sanitizer CI job.
* Tests with LSan from time to time seem to emit harmless messages
that make our tests unnecessarily flaky; we work around it by
filtering the uninteresting output.
* Unused parameters to functions are marked as such, and/or removed,
in order to bring us closer to "-Wunused-parameter" clean.
* The code to keep track of existing packs in the repository while
repacking has been refactored.
* The "streaming" interface used for bulk-checkin codepath has been
narrowed to take only blob objects for now, with no real loss of
functionality.
* GitHub CI workflow has learned to trigger Coverity check.
* Test coverage for trailers has been improved.
* The code to iterate over loose references has been optimized to
reduce the number of lstat() system calls.
* The codepaths that read "chunk" formatted files have been corrected
to pay attention to the chunk size and notice broken files.
* Replace macos-12 used at GitHub CI with macos-13.
(merge 682a868f67 js/ci-use-macos-13 later to maint).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Tue, 26 Dec 2023 13:10:36 +0000 (14:10 +0100)]
tzdata: Update to version 2023d
- Update from version 2023c to 2023d
- Update of rootfile not required
- Changelog
2023d
Briefly:
Ittoqqortoormiit, Greenland changes time zones on 2024-03-31.
Vostok, Antarctica changed time zones on 2023-12-18.
Casey, Antarctica changed time zones five times since 2020.
Code and data fixes for Palestine timestamps starting in 2072.
A new data file zonenow.tab for timestamps starting now.
Changes to future timestamps
Ittoqqortoormiit, Greenland (America/Scoresbysund) joins most of
the rest of Greenland's timekeeping practice on 2024-03-31, by
changing its time zone from -01/+00 to -02/-01 at the same moment
as the spring-forward transition. Its clocks will therefore not
spring forward as previously scheduled. The time zone change
reverts to its common practice before 1981.
Fix predictions for DST transitions in Palestine in 2072-2075,
correcting a typo introduced in 2023a.
Changes to past and future timestamps
Vostok, Antarctica changed to +05 on 2023-12-18. It had been at
+07 (not +06) for years. (Thanks to Zakhary V. Akulov.)
Change data for Casey, Antarctica to agree with timeanddate.com,
by adding five time zone changes since 2020. Casey is now at +08
instead of +11.
Changes to past tm_isdst flags
Much of Greenland, represented by America/Nuuk, changed its
standard time from -03 to -02 on 2023-03-25, not on 2023-10-28.
This does not affect UTC offsets, only the tm_isdst flag.
(Thanks to Thomas M. Steenholdt.)
New data file
A new data file zonenow.tab helps configure applications that use
timestamps dated from now on. This simplifies configuration,
since users choose from a smaller Zone set. The file's format is
experimental and subject to change.
Changes to code
localtime.c no longer mishandles TZif files that contain a single
transition into a DST regime. Previously, it incorrectly assumed
DST was in effect before the transition too. (Thanks to Alois
Treindl for debugging help.)
localtime.c's timeoff no longer collides with OpenBSD 7.4.
The C code now uses _Generic only if __STDC_VERSION__ says the
compiler is C11 or later.
tzselect now optionally reads zonenow.tab, to simplify when
configuring only for timestamps dated from now on.
tzselect no longer creates temporary files.
tzselect no longer mishandles the following:
Spaces and most other special characters in BUGEMAIL, PACKAGE,
TZDIR, and VERSION.
TZ strings when using mawk 1.4.3, which mishandles regular
expressions of the form /X{2,}/.
ISO 6709 coordinates when using an awk that lacks the GNU
extension of newlines in -v option-arguments.
Non UTF-8 locales when using an iconv command that lacks the GNU
//TRANSLIT extension.
zic no longer mishandles data for Palestine after the year 2075.
Previously, it incorrectly omitted post-2075 transitions that are
predicted for just before and just after Ramadan. (Thanks to Ken
Murchison for debugging help.)
zic now works again on Linux 2.6.16 and 2.6.17 (2006).
(Problem reported by Rune Torgersen.)
Changes to build procedure
The Makefile is now more compatible with POSIX:
* It no longer defines AR, CC, CFLAGS, LDFLAGS, and SHELL.
* It no longer uses its own 'cc' in place of CC.
* It now uses ARFLAGS, with default specified by POSIX.
* It does not use LFLAGS incompatibly with POSIX.
* It uses the special .POSIX target.
* It quotes special characters more carefully.
* It no longer mishandles builds in an ISO 8859 locale.
Due to the CC changes, TZDIR is now #defined in a file tzfile.h
built by 'make', not in a $(CC) -D option. Also, TZDEFAULT is
now treated like TZDIR as they have similar roles.
Changes to commentary
Limitations and hazards of the optional support for obsolescent
C89 platforms are documented better, along with a tentative
schedule for removing this support.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
rtl8xxx: remove unused or replaced external modules
rtl8189es and rtl8189fs are used at my knowledge only on 32bit arm boards.
If there is any 64bit board i can restore it.
rtl8822bu and rtl8821cu are both supported in mainline kernel 6.6.x so
no separate module is needed anymore.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Erik Kapfer [Thu, 30 Nov 2023 07:56:04 +0000 (08:56 +0100)]
tor.cgi: Fixes deprecated tor option 'ExitNode' to 'ExitNodes'
If fingerprints in the Exit Node section are in usage, tor.cgi prints the
deprecated option 'ExitNode' into torrc which leads to the following warning
"The abbreviation ‘ExitNode’ is deprecated. Please use ‘ExitNodes’ instead".
Fix has been found and tested in the community for reference please see -->
https://community.ipfire.org/t/the-abbreviation-exitnode-is-deprecated-please-use-exitnodes-instead/10582/10
Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
Michael Tremer [Mon, 27 Nov 2023 11:24:00 +0000 (11:24 +0000)]
apache2: Properly re-execute Apache on restart
Previously, we sent Apache a signal to relaunch itself which caused
Apache to kill all child processes, and re-execute them.
However, when updating glibc, any newly compiled modules could not be
loaded as Apache was running with the previous version of glibc until
the next reboot.
This change will now properly stop Apache and restart it which solves
this problem.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 27 Nov 2023 11:24:00 +0000 (11:24 +0000)]
apache2: Properly re-execute Apache on restart
Previously, we sent Apache a signal to relaunch itself which caused
Apache to kill all child processes, and re-execute them.
However, when updating glibc, any newly compiled modules could not be
loaded as Apache was running with the previous version of glibc until
the next reboot.
This change will now properly stop Apache and restart it which solves
this problem.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 11 Nov 2023 10:58:44 +0000 (11:58 +0100)]
man: Update to version 2.12.0
- Update from version 2.11.2 to 2.12.0
- Update of rootfile
- Changelog
2.12.0
Fixes:
* Fix some manual page portability issues with groff 1.23.0.
* Fix test failures when a working `iconv` is not available.
* Ensure that timestamps read from the database can go past the year 2038,
even on systems where this is not the default.
* Fix `manpath` not parsing `PATH` entries with trailing slash correctly
for guessing `MANPATH` entries.
* More accurately document the behaviour of passing file names as arguments
to `man` without the `-l`/`--local-file` option.
* Avoid duplicate cleanup of old cat pages by both `man-db.service` and
`systemd-tmpfiles-clean.service`.
Improvements:
* Update system call lists in `seccomp` sandbox from `systemd`.
* Upgrade to Gnulib `stable-202307`.
* Work around the Firebuild accelerator in `seccomp` sandbox: if this is in
use then we need to allow some socket-related system calls.
* `man -K` now deduplicates search results that point to the same page.
* Warn if `mandb` drops to `--user-db` mode due to running as the wrong
user.
* Change section title recommendations in `man(1)` to mention `STANDARDS`
rather than `CONFORMING TO`, in line with `man-pages(7)`.
* Add a `STANDARDS` section to `man(1)` itself.
* Document that `man -K` may suffer from false negatives as well as false
positives.
* Take advantage of newer `groff` facilities to implement `man
--no-hyphenation` and `man --no-justification`, if available.
* `man -f` and `man -k` now pass any `-r`/`--regex` or `-w`/`--wildcard`
options on to `whatis` and `apropos` respectively.
* Always pass a line length to `nroff`, even if we believe that it matches
the default.
* Allow disabling `groff` warnings via `man --warnings`, by prefixing a
warning name with `!`.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
dhcp.cgi: Add column with resolved hostname by IP address
In web interface, on page DHCP Server, in table Current fixed leases, add column with resolved hostname by IP address Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Thu, 9 Nov 2023 08:24:06 +0000 (09:24 +0100)]
connections.cgi: Fix Expires time Heading in Connections cgi page
- The Expires time heading for the Connections WUI page has seconds listed. However the
code is converting the seconds to hours:minutes:seconds.
- This patch is changing the heading to H:M:S in English and the equivalent in the other
languages. I have basewd this on the initial letter for Hours, Minutes & Seconds in
each of the languages.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 8 Nov 2023 21:58:03 +0000 (22:58 +0100)]
iproute2: Update to version 6.6.0
- Update from version 6.4.0 to 6.6.0
- Update of rootfile
- iproute2 has implemented stateless configuration pattern. This now puts all the files
that were in /etc/iproute2 into /usr/lib/iproute2. Therefore command added to lfs to
move /usr/lib/iproute2 to /etc/iproute2 to match the previous situation.
- Changelog is only provided by the git commits.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
projects / ipfire-2.x.git / log
