Stefan Schantl [Sat, 23 Sep 2023 10:54:55 +0000 (12:54 +0200)]
extrahd.cgi: Add support for LVM and MDADM devices
This commit adds support for using LVM and mdadm based RAID devices
for the CGI page.
In case one or more drives/partitions are used by such a "grouped"
volume they still will displayed on the page, but can not be
configured/used. Instead the "master" volume of which the
drive/partition is part of is shown in the "mountpoint" input box.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 28 Sep 2023 10:37:01 +0000 (12:37 +0200)]
libslirp: Add the slirp library as this is required for the net user backend in qemu
- Looking through some of the changelog and some mail list communications it looks like
qemu decided they did noty want to maintain their own bundled version of libslirp when
the majority of OS's had their own version now in place. Ubuntu 18.04 did not have
libslirp but qemu stopped supporting that version from qemu-7.1
- So it looks like all OS's have a standard libslirp available now and qemu have taken
the decision to no longer have their own version but to use the system version. That
was always possible to do if use of the system version was explicitly defined but
the default was to use the bundled version.
- No evidence that libslirp is deprecated.
- The last version of libslirp was released a year ago but it looks like every month or
so there are a couple of commits merged. The last was a month ago.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 28 Sep 2023 10:36:59 +0000 (12:36 +0200)]
qemu: Update to version 8.1.1 and add libslirp for net user backend
- Update from version 8.0.3 to 8.1.1
- In CU179 the update of qemu caused at least one user to have a problem starting his
qemu system as the qemu bundled slirp library used for the net user backend was removed
in version 7.2. Unfortunately no user tested qemu in the CU179 Testing phase, or if they
did they are not using the net user backend.
- This patch adds the --enable-slirp option to configure and installs libslirp in a
separate patch.
- I can't test if this now works as I don't use qemu anywhere.
- Changelog is too large to include here.
8.1
https://wiki.qemu.org/ChangeLog/8.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.44/doc/arm/html/notes.html#notes-for-bind-9-16-44
Changes since 9.16.40:
9.16.44:
"Previously, sending a specially crafted message
over the control channel could cause the packet-parsing
code to run out of available stack memory, causing named
to terminate unexpectedly. This has been fixed. (CVE-2023-3341)"
9.16.43:
"Processing already-queued queries received over TCP could cause
an assertion failure, when the server was reconfigured at the
same time or the cache was being flushed. This has been fixed."
9.16.42:
"The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured max-cache-size
limit. (CVE-2023-2828)
A query that prioritizes stale data over lookup triggers a fetch
to refresh the stale data in cache. If the fetch is aborted for
exceeding the recursion quota, it was possible for named to enter
an infinite callback loop and crash due to stack overflow. This
has been fixed. (CVE-2023-2911)
Previously, it was possible for a delegation from cache to be
returned to the client after the stale-answer-client-timeout
duration. This has been fixed."
9.16.41:
"When removing delegations from an opt-out range, empty-non-terminal
NSEC3 records generated by those delegations were not cleaned up.
This has been fixed."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Security #6289: Crash in SMTP parser during parsing of email (6.0.x backport)
Security #6196: process exit in hyperscan error handling (6.0.x backport)
Security #6156: dcerpc: max-tx config parameter, also for UDP (6.0.x backport)
Bug #6285: community-id: Fix IPv6 address sorting not respecting byte order (6.0.x backport)
Bug #6248: Multi-tenancy: crash under test mode when tenant signature load fails (6.0.x backport)
Bug #6245: tcp: RST with data used in reassembly (6.0.x backport)
Bug #6236: if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc (6.0.x backport)
Bug #6228: ips/af-packet: crash when copy-iface is the same as the interface (6.0.x backport)
Bug #6227: windows: lua script path truncated (6.0.x backport)
Bug #6226: Decode-events of IPv6 GRE are not triggered (6.0.x backport)
Bug #6224: base64: complete support for RFC2045 (6.0.x backport)
Bug #6220: Backport tenant_id conversion to uint32_t
Bug #6213: file.magic: rule reload can lead to crashes (6.0.x backport)
Bug #6193: smtp: Attachment not being md5 matched (6.0.x backport)
Bug #6192: smtp: use every byte to compute email.body_md5 (6.0.x backport)
Bug #6182: log-pcap: fix segfault on lz4 compressed pcaps (6.0.x backport)
Bug #6181: eve/alert: deprecated fields can have unexpected side affects (6.0.x backport)
Bug #6174: FTP bounce detection doesn't work for big-endian platforms (6.0.x backport)
Bug #6166: http2: fileinfo events log http2 object instead of http object as alerts and http2 do (6.0.x backport)
Bug #6139: smb: wrong offset when parse SMB_COM_WRITE_ANDX record (6.0.x backport)
Bug #6082: pcap: device reopen broken (6.0.x backport)
Bug #6068: pcap: memory leaks (6.0.x backport)
Bug #6045: detect: multi-tenancy leaks memory if more than 1 tenant registered (6.0.x backport)
Bug #6035: stream.midstream: if enabled breaks exception policy (6.0.x backport)
Bug #5915: rfb: parser returns error on unimplemented record types (6.0.x backport)
Bug #5794: eve: if alert and drop rules match for a packet, "alert.action" is ambigious (6.0.x backport)
Bug #5439: Invalid certificate when Issuer is not present.
Optimization #6229: Performance impact of Cisco Fabricpath (6.0.x backport)
Optimization #6203: detect: modernize filename fileext filemagic (6.0.x backport)
Optimization #6153: suricatasc: Gracefully handle unsupported commands (6.0.x backport)
Feature #6282: dns/eve: add 'HTTPS' type logging (6.0.x backport)
Feature #5935: ips: add 'master switch' to enable dropping on traffic (handling) exceptions (6.0.x backport)
Documentation #6234: userguide: add installation from Ubuntu PPA section (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
extrahd: use udev rule to mount extrahd partitions
the previous patches for
https://bugzilla.ipfire.org/show_bug.cgi?id=12863
introduce a new bug that slow devices are not mounted
at boot. So now udev calls the extrahd script with
the uuid.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 14 Sep 2023 17:45:12 +0000 (17:45 +0000)]
Tor: Do not attempt to establish connections via IPv6
To quote from the changelog of Tor 0.4.8.4:
o Minor feature (client, IPv6):
- Make client able to pick IPv6 relays by default now meaning
ClientUseIPv6 option now defaults to 1. Closes ticket 40785.
In order to avoid any malfunctions on IPFire installations,
set this option to "0" explicitly.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 14 Sep 2023 17:45:11 +0000 (17:45 +0000)]
Tor: Update to 0.4.8.5
Changes in version 0.4.8.5 - 2023-08-30
Quick second release after the first stable few days ago fixing minor
annoying bugfixes creating log BUG stacktrace. We also fix BSD compilation
failures and PoW unit test.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 30, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/30.
o Minor bugfix (NetBSD, compilation):
- Fix compilation issue on NetBSD by avoiding an unnecessary
dependency on "huge" page mappings in Equi-X. Fixes bug 40843;
bugfix on 0.4.8.1-alpha.
o Minor bugfix (NetBSD, testing):
- Fix test failures in "crypto/hashx" and "slow/crypto/equix" on
x86_64 and aarch64 NetBSD hosts, by adding support for
PROT_MPROTECT() flags. Fixes bug 40844; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (conflux):
- Demote a relay-side warn about too many legs to ProtocolWarn, as
there are conditions that it can briefly happen during set
construction. Also add additional set logging details for all
error cases. Fixes bug 40841; bugfix on 0.4.8.1-alpha.
- Prevent non-fatal assert stacktrace caused by using conflux sets
during their teardown process. Fixes bug 40842; bugfix
on 0.4.8.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:15 +0000 (19:30 +0200)]
sdl2: Update to version 2.28.3
- Update from version 2.28.1 to 2.28.3
- Update of rootfile
- Changelog
2.28.3
This is a stable bugfix release, with the following changes:
Added a gamepad mapping for the G-Shark GS-GP702
Fixed touchpad events for the Razer Wolverine V2 Pro in PS5 mode
Fixed getting key events from TV remotes on Android
Updated to Android minSdkVersion 19 and targetSdkVersion 34 to meet Google
Play Store requirements
2.28.2
This is a stable bugfix release, with the following changes:
Fixed occasionally failing to open the clipboard on Windows
Fixed crash at shutdown when using the D3D11 renderer
Fixed setting the viewport when using the D3D12 renderer
Fixed crash using SDL event functions before initializing SDL on Windows
Fixed Xbox controller trigger motion events on Windows
Fixed Xbox controller rumble in the background on Windows
Added the hint SDL_HINT_JOYSTICK_WGI to control whether to use
Windows.Gaming.Input for controllers
Fixed 8BitDo gamepad mapping when in XInput mode on Linux
Fixed controller lockup initializing some unofficial PS4 replica controllers
Fixed video initialization on headless Linux systems using VNC
Fixed large mouse jump when changing relative mouse mode on macOS
Fixed hardware keyboard text input on iPadOS
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:14 +0000 (19:30 +0200)]
samba: Update to version 4.19.0
- Update from version 2.18.5 to 2.19.0
- Update of rootfile for x86_64
- Changelog is too large to include here
4.19.0
See the WHATSNEW.txt file in the soiurce tarball
4.18.6
* BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
pointer.
* BUG 15430: Missing return in reply_exit_done().
* BUG 15289: post-exec password redaction for samba-tool is more reliable for
fully random passwords as it no longer uses regular expressions
containing the password value itself.
* BUG 9959: Windows client join fails if a second container CN=System exists
somewhere.
* BUG 15342: Spotlight sometimes returns no results on latest macOS.
* BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
attempted to remove the destination.
* BUG 15427: Spotlight results return wrong date in result list.
* BUG 15414: "net offlinejoin provision" does not work as non-root user.
* BUG 15400: rpcserver no longer accepts double backslash in dfs pathname.
* BUG 15433: cm_prepare_connection() calls close(fd) for the second time.
* BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
bad message_id 2.
* BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
* BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
* BUG 15390: Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation).
* BUG 15435: Regression DFS not working with widelinks = true.
* BUG 9959: Windows client join fails if a second container CN=System exists
somewhere.
* BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
* BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:13 +0000 (19:30 +0200)]
procps: Update to version v4.0.4
- Update from version v4.0.3 to v4.0.4
- Update of rootfile
- Removal of patch to fix build failures with gettext-0.22 as this has been incorporated
into the source tarball.
- Changelog
procps-ng-4.0.4
* library (API & ABI unchanged)
increment revision: 0:2:0
tolerates all potential 'cpuinfo' formats issue #272
restore the proper main thread tics valuations issue #280
Remove myself from proc count merge #193
Refactor the escape code Debian #1035649
* free: -L one line output issue #156
* pgrep: Use only --signal option for signal Debian #1031765
* pgrep: suppress >15 warning if using regex Debian #1037450
* pidof: Add -t option to show threads merge #190
* pmap: Reset totals between processes issue #298
* ps: fixed missing or corrupted fields with -m option Debian #1036631, issue #279
* ps: Fix buffer overflow in -C option CVE-2023-4016 Debian #1042887, issue #297
* ps: Add --signames to show signal names in masks merge #98
* sysctl: -N show names merge #198, RH #2222056
* tests: dont compare floats with == issue #271
* tests: skips tests if maps missing merge #197, Gentoo #583036
* top: bad command line arguments yield EXIT_FAILURE issue #273
* top: avoids keystroke induced '%Cpu' distortions
* top: includes VM (guest) tics in 'system' overhead issue #274
* top: includes VM (guest) tics with '!' toggle merge #179
* top: lessen summary cpu distortions on first display merge #180
* top: better backspace handling wtth line edits issue #278
* vmstat: Print guest time in non-wide mode
* w: Fix musl UT_HOSTSIZE issue
* watch: Add color support at compile time issue #296
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:12 +0000 (19:30 +0200)]
ncdu: Update to version 1.18.1
- Update from 1.17 to 1.18.1
- Update of rootfile not required
- Changelog
1.18.1 - 2023-02-12
- Fix build on non-Linux platforms
1.18 - 2022-12-06
- Fix 'dark-bg' color scheme to actually have a dark background
- Backport configuration file support from 2.x
- Backport many new CLI options from 2.x
- Negation of existing flags: --no-si, --no-confirm-quit, --no-follow-symlinks, --include-caches, --include-kernfs
- --[no-]extended in addition to -e
- --one-file-system and --cross-file-system in addition to -x
- --slow-ui-updates, --fast-ui-updates in addition to -q
- Column visibility options: --(show|hide)-(hidden|itemcount|mtime|graph|percent)
- Sorting: --sort, --[no-]group-directories-first
- Feature selection: --(enable|disable)-(shell|delete|refresh)
- Deletion confirmation: --[no-]confirm-delete
- Hidden file visibility: --show-hidden, --hide-hidden
- Size display: --apparent-size, --disk-usage
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:10 +0000 (19:30 +0200)]
libnl-3: Update to version 3.8.0
- Update from 3.5.0 to 3.8.0
- Update of rootfile
- Changelog is no longer provided. Changes are available by reviewing the github commits
https://github.com/thom311/libnl/commits/main
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20221030-3.1 to 20230828-3.1
- Update of rootfile
- Changelog
2023-08-28 Jess Thrysoee
* src/chartype.c: Add missing stdint.h
Reported by Rui Chen
2023-08-27 Jess Thrysoee
* all: sync with upstream source
See also NetBSD changelog:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libedit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:08 +0000 (19:30 +0200)]
gzip: Update to version 1.13
- Update from version 1.12 to 1.13
- Update of rootfile not required
- Changelog
Noteworthy changes in release 1.13 (2023-08-19) [stable]
Changes in behavior
zless now diagnoses gzip failures, if using less 623 or later.
When SIGPIPE is ignored, gzip now exits with status 2 (warning)
instead of status 1 (error) when writing to a broken pipe. This is
more useful with programs like 'less' that treat gzip exit status 2
as a non-failure.
Bug fixes
'gzip -d' no longer fails to report invalid compressed data
that uses a dictionary distance outside the input window.
[bug present since the beginning]
Port to C23, which does not allow K&R-style function definitions
with parameters, and which does not define __alignas_is_defined.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:06 +0000 (19:30 +0200)]
boost: Update to version 1_83_0
- Update from 1_81_0 to 1_83_0
- Update of rootfile for x86_64
- Changelog is a bit long to include here so providing links to the pages with changes
1_82_0
https://www.boost.org/users/history/version_1_82_0.html
1_83_0
https://www.boost.org/users/history/version_1_83_0.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 6 Sep 2023 13:41:59 +0000 (15:41 +0200)]
libgudev: Update to version 238
- Update from version 237 to 238
- Update of rootfile not required.
- With patches applied to eudev tarball, libgudev built without any problems. Testing
will need to focus on use of QMI to ensure that it executes with no problems with this
fix.
- Changelog
238:
* Fix newline stripping
* Add g_udev_device_get_current_tags()
* Add a number of tests, and devel docs
* Fix devhelp not being able to find the docs
* Skip locale test with locale isn't available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 6 Sep 2023 13:41:58 +0000 (15:41 +0200)]
udev: Apply patches to update to version 251 and add dummies for current tags
- eudev-3.2.12 has udev version 243 and this causes the build of libgudev to fail as
it requires a newer version of udev.
- Just changing the version in eudev from 243 to 251 is insufficient as libgudev also
expects to see current tags which have been introduced in a more recent version of
systemd udev.
- Two patches applied from the eudev github issue #249 covering this problem.
- With the two patches applied libgudev built without any problems.
- Update to rootfile not required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Sep 2023 19:48:38 +0000 (21:48 +0200)]
bacula: Update to version 11.0.6
- Update from version 9.6.7 to 11.0.6
- Update of rootfile
- Ran find-dependencies for the sobump. All libraries are only linked into bacula
- All of the versions from 9.6.7 to 11.0.6 and up to 13.0.3 have no bug fixes relatred to
the bacula-fd daemon. With bacula-fd running on a separate machine to the bacula-dir and
bacula-sd daemons, older versions of bacula-fd will work with no bug issues with a newer
bacula-dir and bacula-sd.
- If we put a very new version of bacula-fd on IPFire then it will not work with older
versions of bacula-dir and bacula-sd.
- A new feature in the bacula 11 series is that communication between daemons will
automatically use TLS if OpenSSL is installed on the machines running bacula.
Therefore having a bacula 11 based bacula-fd on IPFire will automatically, with no user
configuration required, use TLS for communication to the IPFire bacula-fd from the other
bacula daemons on other machines.
- This has been shown to automatically work between the bacula-fd daemons on my laptop and
desktop machines and the bacula-dir/bacula-sd on my server machine.
Currently communication between mu bacula-dir/bacuila-sd daemons and the IPFire bacula-fd
daemon communication is still unencrypted.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Tue, 29 Aug 2023 08:52:39 +0000 (10:52 +0200)]
network initscripts: Remove code for old zone scheme
A long time ago (2007) there were more config types possible then 1, 2, 3
and 4. As our installer currently only accepts config type out of the set
1, 2, 3 and 4 we do not need to check if our CONFIG_TYPE is in this set.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Tue, 29 Aug 2023 08:52:38 +0000 (10:52 +0200)]
Use bash as shebang in network initscripts
/bin/sh is a symlink to /bin/bash on ipfire systems. Using /bin/sh in
the scripts as shebang hurts in two ways:
1. We use features which do not work with sh as shell. This is not
really a problem but if we rely on features of a real bash we can
state this clearly.
2. The syntay highlighting in vim does not work without a correct
shebang. As I want and need correct syntax highlighting I propose to
change the shebang.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:36 +0000 (12:17 +0200)]
hwdata: Update pci.ids to version 2023-08-12 and usb.ids to version 2023-08-24
- Update pci.ids from version 2023-01-18 to 2023-08-12
- Update usb.ids from version 2023-01-16 to 2023-08-24
- Update of rootfile not required
- No changelog available.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 4 Sep 2023 16:52:31 +0000 (18:52 +0200)]
apcupsd: Make apcupsd link in services page access its apcupsd WUI menu.
- In the services WUI page any addon that has a WUI menu page defined, such as Samba,
Guardian etc, has the addon name shown in underlined red which is a link to the addon
cgi page. This works for the other addons as the addon cgi name is the same as the
addon name. I have identified that this is not the case for apcupsd, because the cgi
page is called upsstats.cgi
- This patch adjusts the cgi name to allow apcupsd to also be shown in underlined red.
- The lfs file copies the upsstats.cgi file to one named apcupsd.cgi
- The apcupsd menu file has the cgi name changed from upsstats.cgi to apcupsd.cgi
- The rootfile is updated to also include the apcupsd.cgi file with the others.
- Tested in my vm testbed by making the above changes in the code and the apcupsd addon
was then shown in underlined red, which acted as a link to the apcupsd status WUI page.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 31 Aug 2023 11:01:08 +0000 (13:01 +0200)]
xinetd: Update to version 2.3.15.4
- This is v2 version of this patch with the locations for the sysconf and binaries
corrected so that all files are in the same locations as they were with version 2.3.15
Added sysconfdir and bindir to the configure options to achieve this.
- Update from version 2.3.15 (2012) to 2.3.15.4 (2018)
- Update of rootfile.
- The original site for xinetd is no longer accessible.
- Version 2.3.15 was the last version from https://github.com/xinetd-org/xinetd
OpenSUSE have forked the repo and have provided 2.3.15.3 and 2.3.15.4 to collect a range
of patches together from openSUSE, Debian, Fedora, Gentoo etc.
Last bug fix was done on this github repo in Sep 2022 and the last commit in Oct 2022.
- This is as up to date as there is currently available.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:40 +0000 (16:17 +0200)]
whois: Update to version 5.5.18
- Update from version 5.5.17 to 5.5.18
- Update of rootfile not required.
- Changelog
5.5.18
* Updated the .ga TLD server. (Closes: #1037288)
* Added new recovered IPv4 allocations.
* Removed the delegation of 43.0.0.0/8 to JPNIC.
* Removed 12 new gTLDs which are no longer active.
* Improved the man page source, courtesy of Bjarni Ingi Gislason.
(Closes: #1040613)
* Added the .edu.za SLD server.
* Updated the .alt.za SLD server.
* Added the -ru and -su NIC handles servers.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:38 +0000 (16:17 +0200)]
tzdata: Update to version 2023c
- Update from version 2023b to 2023c
- Update of rootfile not required.
- Changelog
Release 2023c - 2023-03-28 12:42:14 -0700
Changes to past and future timestamps
Model Lebanon's DST chaos by reverting data to tzdb 2023a.
(Thanks to Rany Hany for the heads-up.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:37 +0000 (16:17 +0200)]
tshark: Update to version 4.0.8
- Update from version 3.6.3 to 4.0.8 covering 22 releases.
- Update of rootfile
- Ran find-dependencies due to sobump. Everything is linked to tshark files. No additional
bumping required.
- Changelog is too large to cover with 22 releases. For details see the release notes
page on the website - https://www.wireshark.org/docs/relnotes/
4.0.8 Four vulnerabilities fixed.
4.0.7 Two vulnerabilities fixed.
4.0.6 Nine vulnerabilities fixed.
4.0.5 Three vulnerabilities fixed.
4.0.4 One vulnerability fixed.
4.0.3 Seven vulnerabilities fixed.
Didn't check anymore. Based on above this package definitely needs to be regulalrly
updated as it is obviolusly susceptible to vulnerabilities.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:36 +0000 (16:17 +0200)]
transmission: Update to version 4.0.4
- Update from version 4.0.3 to 4.0.4
- Update of rootfile not required.
- Changelog
Transmission 4.0.4
This is a bugfix-only release. Everyone's feedback on 4.0.x has been very helpful -- thanks for all the suggestions, bug reports, and pull requests!
What's New in 4.0.4
All Platforms
* Fixed bug in sending torrent metadata to peers. ([#5460](https://github.com/transmission/transmission/pull/5460))
* Avoid unnecessary heap memory allocations. ([#5520](https://github.com/transmission/transmission/pull/5520), [#5527](https://github.com/transmission/transmission/pull/5527))
* Fixed filename collision edge case when renaming files. ([#5563](https://github.com/transmission/transmission/pull/5563))
* Fixed locale errors that broke number rounding when displaying statistics, e.g. upload / download ratios. ([#5587](https://github.com/transmission/transmission/pull/5587))
* Always use a fixed-length key query in tracker announces. This isn't required by the [spec](https://www.bittorrent.org/beps/bep_0007.html), but some trackers rely on that fixed length because it's common practice by other BitTorrent clients. ([#5652](https://github.com/transmission/transmission/pull/5652))
* Fixed potential Windows crash when [getstdhandle()](https://learn.microsoft.com/en-us/windows/console/getstdhandle) returns `NULL`. ([#5675](https://github.com/transmission/transmission/pull/5675))
* Fixed `4.0.0` bug where the port numbers in LDP announces are sometimes malformed. ([#5825](https://github.com/transmission/transmission/pull/5825))
* Fixed a bug that prevented editing the query part of a tracker URL. ([#5871](https://github.com/transmission/transmission/pull/5871))
* Fixed a bug where Transmission may not announce LPD on its listening interface. ([#5896](https://github.com/transmission/transmission/pull/5896))
* Made small performance improvements in libtransmission. ([#5715](https://github.com/transmission/transmission/pull/5715))
macOS Client
* Updated code that had been using deprecated API. ([#5633](https://github.com/transmission/transmission/pull/5633))
Qt Client
* Fixed torrent name rendering when showing magnet links in compact view. ([#5491](https://github.com/transmission/transmission/pull/5491))
* Fixed bug that broke the "Move torrent file to trash" setting. ([#5505](https://github.com/transmission/transmission/pull/5505))
* Fixed Qt 6.4 deprecation warning. ([#5552](https://github.com/transmission/transmission/pull/5552))
* Fixed poor resolution of Qt application icon. ([#5570](https://github.com/transmission/transmission/pull/5570))
GTK Client
* Fixed missing 'Remove torrent' tooltip. ([#5777](https://github.com/transmission/transmission/pull/5777))
Web Client
* Don't show `null` as a tier name in the inspector's tier list. ([#5462](https://github.com/transmission/transmission/pull/5462))
* Fixed truncated play / pause icons. ([#5771](https://github.com/transmission/transmission/pull/5771))
* Fixed overflow when rendering peer lists and made speed indicators honor `prefers-color-scheme` media queries. ([#5814](https://github.com/transmission/transmission/pull/5814))
* Made the main menu accessible even on smaller displays. ([#5827](https://github.com/transmission/transmission/pull/5827))
transmission-cli
* Fixed "no such file or directory" warning when adding a magnet link. ([#5426](https://github.com/transmission/transmission/pull/5426))
* Fixed bug that caused the wrong decimal separator to be used in some locales. ([#5444](https://github.com/transmission/transmission/pull/5444))
transmission-remote
* Fixed display bug that failed to show some torrent labels. ([#5572](https://github.com/transmission/transmission/pull/5572))
Everything Else
* Ran all PNG files through lossless compressors to make them smaller. ([#5586](https://github.com/transmission/transmission/pull/5586))
* Fixed potential build issue when compiling on macOS with gcc. ([#5632](https://github.com/transmission/transmission/pull/5632))
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:35 +0000 (16:17 +0200)]
traceroute: Update to version 2.1.2
- Update from version 2.1.0 to 2.1.2
- Update of rootfile not required.
- Updated ipfire traceroute patch.
- Changelog
2.1.2
* Fix unprivileged ICMP tracerouting with Linux kernel >= 6.1
(Eric Dumazet, SF bug #14)
2.1.1
* Interpret ipv4-mapped ipv6 addresses (::ffff:A.B.C.D) as true ipv4.
There are no ipv4-mapped addresses in the real network which we
operate on, so use just ipv4 in such cases, but allow users
to specify it this way for convenience.
* Return back more robast poll(2) loop handling.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:34 +0000 (16:17 +0200)]
tor: Update to version 0.4.8.4
- Update from version 0.4.7.14 to 0.4.8.4
- Update of rootfile not required.
- Changelog
Changes in version 0.4.8.4 - 2023-08-23
Finally, this is the very first stable release of the 0.4.8.x series making,
among other features, Proof-of-Work (prop#327) and Conflux (prop#329)
available to the entire network. Several new features and a lot of bugfixes
detailed below.
o Major feature (denial of service):
- Extend DoS protection to partially opened channels and known relays.
Because re-entry is not allowed anymore, we can apply DoS protections
onto known IP namely relays. Fixes bug 40821; bugfix on 0.3.5.1-alpha.
o Major features (onion service, proof-of-work):
- Implement proposal 327 (Proof-Of-Work). This is aimed at thwarting
introduction flooding DoS attacks by introducing a dynamic Proof-Of-Work
protocol that occurs over introduction circuits. This introduces several
torrc options prefixed with "HiddenServicePoW" in order to control this
feature. By default, this is disabled. Closes ticket 40634.
o Major features (conflux):
- Implement Proposal 329 (conflux traffic splitting). Conflux splits
traffic across two circuits to Exits that support the protocol. These
circuits are pre-built only, which means that if the pre- built conflux
pool runs out, regular circuits will then be used. When using conflux
circuit pairs, clients choose the lower-latency circuit to send data to
the Exit. When the Exit sends data to the client, it maximizes
throughput, by fully utilizing both circuits in a multiplexed fashion.
Alternatively, clients can request that the Exit optimize for latency
when transmitting to them, by setting the torrc option 'ConfluxClientUX
latency'. Onion services are not currently supported, but will be in
arti. Many other future optimizations will also be possible using this
protocol. Closes ticket 40593.
o Major features (dirauth):
- Directory authorities and relays now interact properly with directory
authorities if they change addresses. In the past, they would continue to
upload votes, signatures, descriptors, etc to the hard-coded address in
the configuration. Now, if the directory authority is listed in the
consensus at a different address, they will direct queries to this new
address. Implements ticket 40705.
o Major bugfixes (conflux):
- Fix a relay-side crash caused by side effects of the fix for bug
40827. Reverts part of that fix that caused the crash and adds additional
log messages to help find the root cause. Fixes bug 40834; bugfix on
0.4.8.3-rc.
o Major bugfixes (conflux):
- Fix a relay-side assert crash caused by attempts to use a conflux circuit
between circuit close and free, such that no legs were on the conflux
set. Fixed by nulling out the stream's circuit back- pointer when the
last leg is removed. Additional checks and log messages have been added
to detect other cases. Fixes bug 40827; bugfix on 0.4.8.1-alpha.
o Major bugfixes (proof of work, onion service, hashx):
- Fix a very rare buffer overflow in hashx, specific to the dynamic
compiler on aarch64 platforms. Fixes bug 40833; bugfix on 0.4.8.2-alpha.
o Major bugfixes (vanguards):
- Rotate to a new L2 vanguard whenever an existing one loses the Stable or
Fast flag. Previously, we would leave these relays in the L2 vanguard
list but never use them, and if all of our vanguards end up like this we
wouldn't have any middle nodes left to choose from so we would fail to
make onion-related circuits. Fixes bug 40805; bugfix on 0.4.7.1-alpha.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/23.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 23, 2023.
o Minor features (testing):
- All Rust code is now linted (cargo clippy) as part of GitLab CI, and
existing warnings have been fixed. - Any unit tests written in Rust now
run as part of GitLab CI.
o Minor feature (CI):
- Update CI to use Debian Bullseye for runners.
o Minor feature (client, IPv6):
- Make client able to pick IPv6 relays by default now meaning
ClientUseIPv6 option now defaults to 1. Closes ticket 40785.
o Minor feature (compilation):
- Fix returning something other than "Unknown N/A" as libc version
if we build tor on an O.S. like DragonFlyBSD, FreeBSD, OpenBSD
or NetBSD.
o Minor feature (cpuworker):
- Always use the number of threads for our CPU worker pool to the
number of core available but cap it to a minimum of 2 in case of a
single core. Fixes bug 40713; bugfix on 0.3.5.1-alpha.
o Minor feature (lzma):
- Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
o Minor feature (MetricsPort, relay):
- Expose time until online keys expires on the MetricsPort. Closes
ticket 40546.
o Minor feature (MetricsPort, relay, onion service):
- Add metrics for the relay side onion service interactions counting
seen cells. Closes ticket 40797. Patch by "friendly73".
o Minor features (directory authorities):
- Directory authorities now include their AuthDirMaxServersPerAddr
config option in the consensus parameter section of their vote.
Now external tools can better predict how they will behave.
Implements ticket 40753.
o Minor features (directory authority):
- Add a new consensus method in which the "published" times on
router entries in a microdesc consensus are all set to a
meaningless fixed date. Doing this will make the download size for
compressed microdesc consensus diffs much smaller. Part of ticket
40130; implements proposal 275.
o Minor features (network documents):
- Clients and relays no longer track the "published on" time
declared for relays in any consensus documents. When reporting
this time on the control port, they instead report a fixed date in
the future. Part of ticket 40130.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 01, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/06/01.
o Minor features (hs, metrics):
- Add tor_hs_rend_circ_build_time and tor_hs_intro_circ_build_time
histograms to measure hidden service rend/intro circuit build time
durations. Part of ticket 40757.
o Minor features (metrics):
- Add a `reason` label to the HS error metrics. Closes ticket 40758.
- Add service side metrics for REND and introduction request
failures. Closes ticket 40755.
- Add support for histograms. Part of ticket 40757.
o Minor features (pluggable transports):
- Automatically restart managed Pluggable Transport processes when
their process terminate. Resolves ticket 33669.
o Minor features (portability, compilation):
- Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5
compatibility. Fixes issue 40630; patch by Alex Xu (Hello71).
o Minor features (relay):
- Do not warn about configuration options that may expose a non-
anonymous onion service. Closes ticket 40691.
o Minor features (relays):
- Trigger OOS when bind fails with EADDRINUSE. This improves
fairness when a large number of exit connections are requested,
and properly signals exhaustion to the network. Fixes issue 40597;
patch by Alex Xu (Hello71).
o Minor features (tests):
- Avoid needless key reinitialization with OpenSSL during unit
tests, saving significant time. Patch from Alex Xu.
o Minor bugfix (hs):
- Fix compiler warnings in equix and hashx when building with clang.
Closes ticket 40800.
o Minor bugfix (FreeBSD, compilation):
- Fix compilation issue on FreeBSD by properly importing
sys/param.h. Fixes bug 40825; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (compression):
- Right after compression/decompression work is done, check for
errors. Before this, we would consider compression bomb before
that and then looking for errors leading to false positive on that
log warning. Fixes bug 40739; bugfix on 0.3.5.1-alpha. Patch
by "cypherpunks".
o Minor bugfixes (compilation):
- Fix all -Werror=enum-int-mismatch warnings. No behavior change.
Fixes bug 40824; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (protocol warn):
- Wrap a handful of cases where ProtocolWarning logs could emit IP
addresses. Fixes bug 40828; bugfix on 0.3.5.1-alpha.
o Minor bugfix (congestion control):
- Reduce the accepted range of a circuit's negotiated 'cc_sendme_inc'
to be +/- 1 from the consensus parameter value. Fixes bug 40569;
bugfix on 0.4.7.4-alpha.
- Remove unused congestion control algorithms and BDP calculation
code, now that we have settled on and fully tuned Vegas. Fixes bug
40566; bugfix on 0.4.7.4-alpha.
- Update default congestion control parameters to match consensus.
Fixes bug 40709; bugfix on 0.4.7.4-alpha.
o Minor bugfixes (compilation):
- Fix "initializer is not a constant" compilation error that
manifests itself on gcc versions < 8.1 and MSVC. Fixes bug 40773;
bugfix on 0.4.8.1-alpha
o Minor bugfixes (conflux):
- Count leg launch attempts prior to attempting to launch them. This
avoids inifinite launch attempts due to internal circuit building
failures. Additionally, double-check that we have enough exits in
our consensus overall, before attempting to launch conflux sets.
Fixes bug 40811; bugfix on 0.4.8.1-alpha.
- Fix a case where we were resuming reading on edge connections that
were already marked for close. Fixes bug 40801; bugfix
on 0.4.8.1-alpha.
- Fix stream attachment order when creating conflux circuits, so
that stream attachment happens after finishing the full link
handshake, rather than upon set finalization. Fixes bug 40801;
bugfix on 0.4.8.1-alpha.
- Handle legs being closed or destroyed before computing an RTT
(resulting in warns about too many legs). Fixes bug 40810; bugfix
on 0.4.8.1-alpha.
- Remove a "BUG" warning from conflux_pick_first_leg that can be
triggered by broken or malicious clients. Fixes bug 40801; bugfix
on 0.4.8.1-alpha.
o Minor bugfixes (KIST):
- Prevent KISTSchedRunInterval from having values of 0 or 1, neither
of which work properly. Additionally, make a separate
KISTSchedRunIntervalClient parameter, so that the client and relay
KIST values can be set separately. Set the default of both to 2ms.
Fixes bug 40808; bugfix on 0.3.2.1-alpha.
o Minor bugfix (relay, logging):
- The wrong max queue cell size was used in a protocol warning
logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (logging):
- Avoid ""double-quoting"" strings in several log messages. Fixes
bug 22723; bugfix on 0.1.2.2-alpha.
- Correct a log message when cleaning microdescriptors. Fixes bug
40619; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (metrics):
- Decrement hs_intro_established_count on introduction circuit
close. Fixes bug 40751; bugfix on 0.4.7.12.
o Minor bugfixes (pluggable transports, windows):
- Remove a warning `BUG()` that could occur when attempting to
execute a non-existing pluggable transport on Windows. Fixes bug
40596; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (relay):
- Remove a "BUG" warning for an acceptable race between a circuit
close and considering that circuit active. Fixes bug 40647; bugfix
on 0.3.5.1-alpha.
- Remove a harmless "Bug" log message that can happen in
relay_addr_learn_from_dirauth() on relays during startup. Finishes
fixing bug 40231. Fixes bug 40523; bugfix on 0.4.5.4-rc.
o Minor bugfixes (sandbox):
- Allow membarrier for the sandbox. And allow rt_sigprocmask when
compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
- Fix sandbox support on AArch64 systems. More "*at" variants of
syscalls are now supported. Signed 32 bit syscall parameters are
checked more precisely, which should lead to lower likelihood of
breakages with future compiler and libc releases. Fixes bug 40599;
bugfix on 0.4.4.3-alpha.
o Minor bugfixes (state file):
- Avoid a segfault if the state file doesn't contains TotalBuildTimes
along CircuitBuildAbandonedCount being above 0. Fixes bug 40437;
bugfix on 0.3.5.1-alpha.
o Removed features:
- Remove the RendPostPeriod option. This was primarily used in
Version 2 Onion Services and after its deprecation isn't needed
anymore. Closes ticket 40431. Patch by Neel Chauhan.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:33 +0000 (16:17 +0200)]
tcl: Update to version 8.6.13
- Update from version 8.6.12 to 8.6.13
- Update of rootfile
- Changelog
Last changelog in the source tarball is from 2008.
There is no changelog on the tcl website or the tcl github repository. The only option
is the commits log - https://github.com/tcltk/tcl/commits/main
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:32 +0000 (16:17 +0200)]
foomatic: Update engine to 4.0.13 and db to 20230828
- Update foomatic-db-engine from version 4.0.9 (2013) to 4.0.13 (2018)
- Update foomatic-db from version 20131023 to 20230828
- Update of rootfile
- Changelog
foomatic-db
See the ChangeLog file in the foomatic-db source tarball. Too long to include here.
foomatic-db-engine
4.0.13.
* README, USAGE, configure.ac: Updated for release 4.0.13.
* Makefile.in: Add support for LDFLAGS variable (bug #1422).
* configure.ac: Allow user-configurable PERLPREFIX via environment
variable (Bug #1294).
4.0.12.
* README, USAGE, configure.ac: Updated for release 4.0.12.
* foomatic-ppdfile.in: Foomatic doesn't provide some offered PPD
files. Thanks to Marek Kasik for the patch (bug #1238).
* foomatic-ppd-to-xml.in: Let missing XML files be added when to a
PPD with already existing XML files new "*Product:" lines get
added.
4.0.11.
* README, USAGE, configure.ac: Updated for release 4.0.11.
* lib/Foomatic/DB.pm: Do not interpret option default values set to
"0" in PPD files as no default setting defined. Thanks to Deng
Pang from Ricoh (DengPang at rst dot ricoh dot com) for the report.
4.0.10.
* README, USAGE, configure.ac: Updated for release 4.0.10.
* foomatic-addpjloptions.in: Make foomatic-addpjloptions work with
the system's Foomatic database, too.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Sun, 27 Aug 2023 22:33:55 +0000 (00:33 +0200)]
zabbix_agentd: Update to 6.0.21 (LTS)
- Update from version 6.0.19 to 6.0.21
- Update of rootfile not required
Bugs fixed:
- ZBX-23097:
Fixed use of uninitialised value when verifying subject and issuer with
TLS
- ZBX-22871:
Fixed regular expression crash with invalid utf-8 sequences when pcre2
is used
- ZBX-23221:
Fixed memory leaks when using certificate-based encryption
- ZBX-18168:
Added regexp runtime error logging for log*[] items
Full changelogs since 6.0.19:
- https://www.zabbix.com/rn/rn6.0.20
- https://www.zabbix.com/rn/rn6.0.21
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 13:43:11 +0000 (15:43 +0200)]
wget: Update to version 1.21.4
- Update from version 1.21.3 to 1.21.4
- Update of rootfile not required
- Changelog
Noteworthy changes in release 1.21.4 (2023-05-11)
Document --retry-on-host-error in help text
Increase read buffer size to 64k. This should speed up downloads on gigabit and
faster connections
Update deprecated option '--html-extension' to '--adjust-extension' in
documentation
Update gnulib compatibility layer.
Fixes HSTS test failures on i686. (Thanks to Andreas Enge for ponting it out)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 13:43:10 +0000 (15:43 +0200)]
krb5: Update to version 1.21.2
- Update from version 1.20.1 to 1.21.2
- Update of rootfile
- Changelog
Major changes in 1.21.2 (2023-08-14)
This is a bug fix release.
* Fix double-free in KDC TGS processing [CVE-2023-39975].
Changes by ticket ID
9101 Fix double-free in KDC TGS processing
Major changes in 1.21.1 (2023-07-10)
This is a bug fix release.
* Fix potential uninitialized pointer free in kadm5 XDR parsing
[CVE-2023-36054].
Changes by ticket ID
9099 Ensure array count consistency in kadm5 RPC
Major changes in 1.21 (2023-06-05)
User experience:
* Added a credential cache type providing compatibility with the macOS
11 native credential cache.
Developer experience:
* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key from a GSS
context.
Protocol evolution:
* The KDC will no longer issue tickets with RC4 or triple-DES session
keys unless explicitly configured with the new allow_rc4 or
allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1 session
keys unless the service principal has a session_enctypes string
attribute.
* Support for PAC full KDC checksums has been added to mitigate an
S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set of supported CMS
algorithms.
Code quality:
* Removed unused code in libkrb5, libkrb5support, and the PKINIT
module.
* Modernized the KDC code for processing TGS requests, the code for
encrypting and decrypting key data, the PAC handling code, and the
GSS library packet parsing and composition code.
* Improved the test framework's detection of memory errors in daemon
processes when used with asan.
Changes by ticket ID
9052 Support macOS 11 native credential cache
9053 Make kprop work for dump files larger than 4GB
9054 Replace macros with typedefs in gssrpc types.h
9055 Use SHA-256 instead of SHA-1 for PKINIT CMS digest
9057 Omit LDFLAGS from krb5-config --libs output
9058 Add configure variable for default PKCS#11 module
9059 Use context profile for libkadm5 configuration
9066 Set reasonable supportedCMSTypes in PKINIT
9069 Update error checking for OpenSSL CMS_verify
9071 Add and use ts_interval() helper
9072 Avoid small read overrun in UTF8 normalization
9076 Use memmove() in Unicode functions
9077 Fix aclocal.m4 syntax error for autoconf 2.72
9078 Fix profile crash on memory exhaustion
9079 Fix preauth crash on memory exhaustion
9080 Fix gic_keytab crash on memory exhaustion
9082 Fix policy DB fallback error handling
9083 Fix kpropd crash with unrecognized option
9084 Add PAC full checksums
9085 Fix read overruns in SPNEGO parsing
9086 Fix possible double-free during KDB creation
9087 Fix meridian type in getdate.y
9088 Use control flow guard flag in Windows builds
9089 Add pac_privsvr_enctype string attribute
9090 Convey realm names to certauth modules
9091 Add GSS_C_INQ_ODBC_SESSION_KEY
9092 Fix maintainer-mode build for binutils 2.37
9093 Add PA-REDHAT-PASSKEY padata type
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:40 +0000 (12:17 +0200)]
zlib: Update to version 1.3
- Update from version 1.2.13 to 1.3
- Update of rootfile
- Changelog
1.3 (18 Aug 2023)
- Remove K&R function definitions and zlib2ansi
- Fix bug in deflateBound() for level 0 and memLevel 9
- Fix bug when gzungetc() is used immediately after gzopen()
- Fix bug when using gzflush() with a very small buffer
- Fix crash when gzsetparams() attempted for transparent write
- Fix test/example.c to work with FORCE_STORED
- Rewrite of zran in examples (see zran.c version history)
- Fix minizip to allow it to open an empty zip file
- Fix reading disk number start on zip64 files in minizip
- Fix logic error in minizip argument processing
- Add minizip testing to Makefile
- Read multiple bytes instead of byte-by-byte in minizip unzip.c
- Add memory sanitizer to configure (--memory)
- Various portability improvements
- Various documentation improvements
- Various spelling and typo corrections
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:39 +0000 (12:17 +0200)]
openssh: Update to version 9.4p1
- Update from version 9.3p2 to 9.4p1
- Update of rootfile not required.
- The openssh check for zlib version incorrectly identifies version 1.3 as being older
than the buggy zlib version. This bug was found on the oipenssh github pull request page
but merged after openssh-9.4p1 was issued. Patch implemented to fix zlib version
identification. This and the autoconf line can be removed when the next version of
openssh is released.
- Changelog
9.4p1
This release fixes a number of bugs and adds some small features.
Potentially incompatible changes
* This release removes support for older versions of libcrypto.
OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
Note that these versions are already deprecated by their upstream
vendors.
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
New features
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D which expands to
the routing domain of the connected session and %C which expands
to the addresses and port numbers for the source and destination
of the connection.
* ssh-keygen(1): increase the default work factor (rounds) for the
bcrypt KDF used to derive symmetric encryption keys for passphrase
protected key files by 50%.
Bugfixes
* ssh-agent(1): improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.
* ssh(1): make -f (fork after authentication) work correctly with
multiplexed connections, including ControlPersist. bz3589 bz3589
* ssh(1): make ConnectTimeout apply to multiplexing sockets and not
just to network connections.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.
* sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
appears before it in sshd_config. Since OpenSSH 8.7 the
AuthorizedPrincipalsCommand directive was incorrectly ignored in
this situation. bz3574
* sshd(8), ssh(1), ssh-keygen(1): remove vestigal support for KRL
signatures When the KRL format was originally defined, it included
support for signing of KRL objects. However, the code to sign KRLs
and verify KRL signatues was never completed in OpenSSH. This
release removes the partially-implemented code to verify KRLs.
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
KRL files.
* All: fix a number of memory leaks and unreachable/harmless integer
overflows.
* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
modules; GHPR406
* sshd(8), ssh(1): better validate CASignatureAlgorithms in
ssh_config and sshd_config. Previously this directive would accept
certificate algorithm names, but these were unusable in practice as
OpenSSH does not support CA chains. bz3577
* ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
algorithms that are valid for CA signing. Previous behaviour was
to list all signing algorithms, including certificate algorithms.
* ssh-keyscan(1): gracefully handle systems where rlimits or the
maximum number of open files is larger than INT_MAX; bz3581
* ssh-keygen(1): fix "no comment" not showing on when running
`ssh-keygen -l` on multiple keys where one has a comment and other
following keys do not. bz3580
* scp(1), sftp(1): adjust ftruncate() logic to handle servers that
reorder requests. Previously, if the server reordered requests then
the resultant file would be erroneously truncated.
* ssh(1): don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was expicitly set to
"none". bz3567
* scp(1): when copying local->remote, check that the source file
exists before opening an SFTP connection to the server. Based on
GHPR#370
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:38 +0000 (12:17 +0200)]
json-c: Update to version 0.17
- Update from version 0.16 to 0.17
- Update of rootfile
- Changelog
0.17 (up to commit 077661f, 2023-08-08)
Deprecated and removed features:
* None
New features
* json_patch: add first implementation only with patch application
* Add --disable-static and --disable-dynamic options to the cmake-configure
script.
* Add -DBUILD_APPS=NO option to disable app build
* Minimum cmake version is now 3.9
Significant changes and bug fixes
* When serializing with JSON_C_TO_STRING_PRETTY set, keep the opening and
closing curly or square braces on same line for empty objects or arrays.
* Disable locale handling when targeting a uClibc system due to problems
with its duplocale() function.
* When parsing with JSON_TOKENER_STRICT set, integer overflow/underflow
now result in a json_tokener_error_parse_number. Without that flag
values are capped at INT64_MIN/UINT64_MAX.
* Fix memory leak with emtpy strings in json_object_set_string
* json_object_from_fd_ex: fail if file is too large (>=INT_MAX bytes)
* Add back json_number_chars, but only because it's part of the public API.
* Entirely drop mode bits from open(O_RDONLY) to avoid warnings on certain
platforms.
* Specify dependent libraries, including -lbsd, in a more consistent way so
linking against a static json-c works better
* Fix a variety of build problems and add & improve tests
* Update RFC reference to https://www.rfc-editor.org/rfc/rfc8259
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:35 +0000 (12:17 +0200)]
git: Update to version 2.42.0
- Update from version 2.41.0 to 2.42.0
- Update of rootfile not required
- Changelog is too large to include here. See the contents of
Documentation/RelNotes/2.42.0.txt in the source tar ball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3420000 to 3430000
- Update of rootfile not required.
- Changelog 3430000
Add support for Contentless-Delete FTS5 Indexes. This is a variety of FTS5
full-text search index that omits storing the content that is being indexed while
also allowing records to be deleted.
Enhancements to the date and time functions:
Added new time shift modifiers of the form ±YYYY-MM-DD HH:MM:SS.SSS.
Added the timediff() SQL function.
Added the octet_length(X) SQL function.
Added the sqlite3_stmt_explain() API.
Query planner enhancements:
Generalize the LEFT JOIN strength reduction optimization so that it works for
RIGHT and FULL JOINs as well. Rename it to OUTER JOIN strength reduction.
Enhance the theorem prover in the OUTER JOIN strength reduction optimization
so that it returns fewer false-negatives.
Enhancements to the decimal extension:
New function decimal_pow2(N) returns the N-th power of 2 for integer N between
-20000 and +20000.
New function decimal_exp(X) works like decimal(X) except that it returns the
result in exponential notation - with a "e+NN" at the end.
If X is a floating-point value, then the decimal(X) function now does a full
expansion of that value into its exact decimal equivalent.
Performance enhancements to JSON processing results in a 2x performance
improvement for some kinds of processing on large JSON strings.
New makefile target "verify-source" checks to ensure that there are no
unintentional changes in the source tree. (Works for canonical source code only
- not for precompiled amalgamation tarballs.)
Added the SQLITE_USE_SEH compile-time option that enables Structured Exception
Handling on Windows while working with the memory-mapped shm file that is part of
WAL mode processing. This option is enabled by default when building on Windows
using Makefile.msc.
The VFS for unix now assumes that the nanosleep() system call is available unless
compiled with -DHAVE_NANOSLEEP=0.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Fri, 25 Aug 2023 09:42:23 +0000 (09:42 +0000)]
pakfire: Don't give up mirror search on status code 500
The WWW library seems to report status code 500 for issues like DNS
resolving problems and connection timeouts. In that case, we won't go on
searching for another functioning mirror, which we should.
This patch removes that special break clause.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / mlorenz / ipfire-2.x.git / log
