Adolf Belka [Sun, 21 Jan 2024 11:45:53 +0000 (12:45 +0100)]
optionsfw.cgi: Move Firewall Options Drop commands to before the logging section
- Moved the Firewall Options Drop commands to before the logging section, as discussed
at January 2024 Video Call.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:52 +0000 (12:45 +0100)]
graphs.pl: Fixes bug12981 - Creates in and outgoing drop hostile graph entries
- This v3 version of the patch set splits the single hostile networks graph entry into
incoming hostile networks and outgoing hostile networks entries.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:51 +0000 (12:45 +0100)]
collectd.conf: Fix bug12981 - This creates in and out drop hostile data collection
- In this v3 version of the patch set the splitting of drop hostile logging into incoming
and outgoing logging means that the data collection and graphs need to have drop hostile
also split into incoming and outgoing.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:50 +0000 (12:45 +0100)]
en.pl: Fixes bug12981 - adds english language input for choice of drop hostile logging
- In this v3 version have added translations for hostile networks in and hostile
networks out and log drop hostile in and log drop hostile out.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:49 +0000 (12:45 +0100)]
firewall: Fixes bug12981 - add if loop to log or not log dropped hostile traffic
- This v3 version now has two if loops allowing logging of incoming drop hostile or
outgoing drop hostile or both or neither.
- Dependent on the choice in optionsfw.cgi this loop will either log or not log the
dropped hostile traffic.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:48 +0000 (12:45 +0100)]
rules.pl: Fixes bug12981 - Add in and out specific actions for drop hostile
- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming traffic and
HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each
independently.
Fixes: bug12981 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Acked-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 Jan 2024 11:45:47 +0000 (12:45 +0100)]
optionsfw.cgi: Fix bug12981 - Add option to log or not log dropped hostile traffic
- This v3 version has split the logging choice for drop hostile to separate the logging of
incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway.
However the logs were being swamped by the logging of drop hostile making analysis
difficult. So incoming drop hostile was desired to not be logged. However logging of
outgoing drop hostile was desired to identify if clients on the internal lan were
infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be
logged or not.
Fixes: bug12981 Tested-by: Adolf Belka <adolf.belka@ipfire.org Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Tested-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:13 +0000 (09:29 +0100)]
lzip: Update to version 1.24
- Update from version 1.23 to 1.24
- Update of rootfile not required
- Changelog
1.24
The option '--empty-error', which forces exit status 2 if any empty member
is found, has been added.
The option '--marking-error', which forces exit status 2 if the first LZMA
byte is non-zero in any member, has been added.
File diagnostics have been reformatted as 'PROGRAM: FILE: MESSAGE'.
Diagnostics caused by invalid arguments to command-line options now show the
argument and the name of the option.
The option '-o, --output' now preserves dates, permissions, and ownership of
the file when (de)compressing exactly one file.
The option '-o, --output' now creates missing intermediate directories when
writing to a file.
The variable MAKEINFO has been added to configure and Makefile.in.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:11 +0000 (09:29 +0100)]
gettext: Update to version 0.22.4
- Update from version 0.22 to 0.22.4
- Update of rootfile
- Changelog
0.22.4
* Bug fixes:
- AM_GNU_GETTEXT now recognizes a statically built libintl on macOS and AIX.
- Build fixes on AIX.
0.22.3
* Portability:
- The libintl library now works on macOS 14. (Older versions of libintl
crash on macOS 14, due to an incompatible change in macOS.)
0.22.2
* Bug fixes:
- The libintl shared library now exports again some symbols that were
accidentally missing.
<https://savannah.gnu.org/bugs/index.php?64323>
This bug was introduced in version 0.22.
0.22.1
* Bug fixes:
- xgettext's processing of large Perl files may have led to errors
<https://savannah.gnu.org/bugs/index.php?64552>
- "xgettext --join-existing" could encounter errors.
<https://savannah.gnu.org/bugs/index.php?64490>
These bugs were introduced in version 0.22.
* Portability:
- Building on Android is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:10 +0000 (09:29 +0100)]
ed: Update to version 1.20
- Update from version 1.19 to 1.20
- Update of rootfile not required
- Changelog
1.20
New command-line options '+line', '+/RE', and '+?RE' have been implemented to
set the current line to the line number specified or to the first or last line
matching the regular expression 'RE'.
(Suggested by Matthew Polk and John Cowan).
File names containing control characters 1 to 31 are now rejected unless they
are allowed with the command-line option '--unsafe-names'.
File names containing control characters 1 to 31 are now printed using octal
escape sequences.
Ed now rejects file names ending with a slash.
Intervening commands that don't set the modified flag no longer make a second
'e' or 'q' command fail with a 'buffer modified' warning.
Tilde expansion is now performed on file names supplied to commands; if a file
name starts with '~/', the tilde (~) is expanded to the contents of the
variable HOME. (Suggested by John Cowan).
Ed now warns the first time that a command modifies a buffer loaded from a
read-only file. (Suggested by Dan Jacobson).
Ed now creates missing intermediate directories when writing to a file.
It has been documented that 'e' creates an empty buffer if file does not exist.
It has been documented that 'f' sets the default filename, whether or not its
argument names an existing file.
The description of the exit status has been improved in '--help' and in the
manual.
The variable MAKEINFO has been added to configure and Makefile.in.
It has been documented in INSTALL that when choosing a C standard, the POSIX
features need to be enabled explicitly:
./configure CFLAGS+='--std=c99 -D_POSIX_C_SOURCE=2'
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 1 Feb 2024 08:29:09 +0000 (09:29 +0100)]
diffutils: Update to version 3.10
- Update from version 3.9 to 3.10
- Update of rootfile not required
- Changelog
3.10
Bug fixes
cmp/diff can again work with file dates past Y2K38
[bug introduced in 3.9]
diff -D no longer fails to output #ifndef lines.
[bug#61193 introduced in 3.9]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3450000 to 3450100
- Update of rootfile not required
- Changelog
3.45.1
Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent
releases, for backward compatibility.
Fix the PRAGMA integrity_check command so that it works on read-only databases
that contain FTS3 and FTS5 tables. This resolves an issue introduced in version
3.44.0 but was undiscovered until after the 3.45.0 release.
Fix issues associated with processing corrupt JSONB inputs:
Prevent exponential runtime when converting a corrupt JSONB into text.
Fix a possible read of one byte past the end of the JSONB blob when
converting a corrupt JSONB into text.
Enhanced testing using jfuzz to prevent any future JSONB problems such as the
above.
Fix a long-standing bug in which a read of a few bytes past the end of a
memory-mapped segment might occur when accessing a craftily corrupted database
using memory-mapped database.
Fix a long-standing bug in which a NULL pointer dereference might occur in the
bytecode engine due to incorrect bytecode being generated for a class of SQL
statements that are deliberately designed to stress the query planner but which
are otherwise pointless.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 31 Jan 2024 14:18:47 +0000 (15:18 +0100)]
readline: Update patches to patch 1 to patch 10
- Update from version 8.2 with patch 1 to 8.2 with patches 1 to 10
- Update of rootfile not required
- Changelog
Patch 10
Fix the case where text to be completed from the line buffer (quoted) is
compared to the common prefix of the possible matches (unquoted) and the
quoting makes the former appear to be longer than the latter. Readline
assumes the match doesn't add any characters to the word and doesn't display
multiple matches.
Patch 9
Fix issue where the directory name portion of the word to be completed (the
part that is passed to opendir()) requires both tilde expansion and dequoting.
Readline only performed tilde expansion in this case, so filename completion
would fail.
Patch 8
Add missing prototypes for several function declarations.
Patch 7
If readline is called with no prompt, it should display a newline if return
is typed on an empty line. It should still suppress the final newline if
return is typed on the last (empty) line of a multi-line command.
Patch 6
This is a variant of the same issue as the one fixed by patch 5. In this
case, the signal arrives and is pending before readline calls rl_getc().
When this happens, the pending signal will be handled by the loop, but may
alter or destroy some state that the callback uses. Readline needs to treat
this case the same way it would if a signal interrupts pselect/select, so
compound operations like searches and reading numeric arguments get cleaned
up properly.
Patch 5
If an application is using readline in callback mode, and a signal arrives
after readline checks for it in rl_callback_read_char() but before it
restores the application's signal handlers, it won't get processed until the
next time the application calls rl_callback_read_char(). Readline needs to
check for and resend any pending signals after restoring the application's
signal handlers.
Patch 4
There are systems that supply one of select or pselect, but not both.
Patch 3
The custom color prefix that readline uses to color possible completions
must have a leading `.'.
Patch 2
It's possible for readline to try to zero out a line that's not null-
terminated, leading to a memory fault.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 31 Jan 2024 14:18:45 +0000 (15:18 +0100)]
help2man: Update to version 1.49.3
- Update from version 1.49.2 to 1.49.3
- Update of rootfile not required
- Changelog
1.49.3
* Cleanup whitespace in po-texi/help2man-texi.pot.
* Add Korean translation (thanks to Seong-ho Cho).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 31 Jan 2024 14:18:44 +0000 (15:18 +0100)]
file: Update to version 5.45
- Update from version 5.44 to 5.45
- Update of rootfile not required
- Changelog
5.45
* PR/465: psrok1: Avoid muslc asctime_r crash
* add SIMH tape format support
* bump the max size of the elf section notes to be read to 128K
and make it configurable
* PR/415: Fix decompression with program returning empty
* PR/408: fix -p with seccomp
* PR/412: fix MinGW compilation
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 31 Jan 2024 11:09:41 +0000 (11:09 +0000)]
glibc: Import latest patches from upstream
These include (amongst others) fixes for:
GLIBC-SA-2024-0001:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
containing a long program name failed to update the required buffer
size, leading to the allocation and overflow of a too-small buffer on
the heap.
GLIBC-SA-2024-0002:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779)
__vsyslog_internal used the return value of snprintf/vsnprintf to
calculate buffer sizes for memory allocation. If these functions (for
any reason) failed and returned -1, the resulting buffer would be too
small to hold output.
GLIBC-SA-2024-0003:
===================
syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780)
__vsyslog_internal calculated a buffer size by adding two integers, but
did not first check if the addition would overflow.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Jan 2024 18:01:52 +0000 (18:01 +0000)]
collectd: Do not sync
Calling a global sync operation manually is generally a bad idea as it
can block for forever. If people have storage that does not retain
anything that is being written to it, they need to fix their hardware.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:45 +0000 (23:13 +0100)]
zlib: Update to version 1.3.1
- Update from version 1.3 to 1.3.1
- Update of rootfile
- Changelog
1.3.1
- Reject overflows of zip header fields in minizip
- Fix bug in inflateSync() for data held in bit buffer
- Add LIT_MEM define to use more memory for a small deflate speedup
- Fix decision on the emission of Zip64 end records in minizip
- Add bounds checking to ERR_MSG() macro, used by zError()
- Neutralize zip file traversal attacks in miniunz
- Fix a bug in ZLIB_DEBUG compiles in check_match()
- Various portability and appearance improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:44 +0000 (23:13 +0100)]
xz: Update to version 5.4.6
- Update from version 5.4.5 to 5.4.6
- Update of rootfile
- Changelog
5.4.6
* Fixed a bug involving internal function pointers in liblzma not
being initialized to NULL. The bug can only be triggered if
lzma_filters_update() is called on a LZMA1 encoder, so it does
not affect xz or any application known to us that uses liblzma.
* xz:
- Fixed a regression introduced in 5.4.2 that caused encoding
in the raw format to unnecessarily fail if --suffix was not
used. For instance, the following command no longer reports
that --suffix must be used:
echo foo | xz --format=raw --lzma2 | wc -c
- Fixed an issue on MinGW-w64 builds that prevented reading
from or writing to non-terminal character devices like NUL.
* Added a new test.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:42 +0000 (23:13 +0100)]
libpng: Update to version 1.6.41
- Update from 1.6.39 to 1.6.41
- Update of rootfile
- Changelog
1.6.41
Added SIMD-optimized code for the Loongarch LSX hardware.
(Contributed by GuXiWei, JinBo and ZhangLixia)
Fixed the run-time discovery of MIPS MSA hardware.
(Contributed by Sui Jingfeng)
Fixed an off-by-one error in the function `png_do_check_palette_indexes`,
which failed to recognize errors that might have existed in the first
column of a broken palette-encoded image. This was a benign regression
accidentally introduced in libpng-1.6.33. No pixel was harmed.
(Contributed by Adam Richter; reviewed by John Bowler)
Fixed, improved and modernized the contrib/pngminus programs, i.e.,
png2pnm.c and pnm2png.c
Removed old and peculiar portability hacks that were meant to silence
warnings issued by gcc version 7.1 alone.
(Contributed by John Bowler)
Fixed and modernized the CMake file, and raised the minimum required
CMake version from 3.1 to 3.6.
(Contributed by Clinton Ingram, Timothy Lyanguzov, Tyler Kropp, et al.)
Allowed the configure script to disable the building of auxiliary tools
and tests, thus catching up with the CMake file.
(Contributed by Carlo Bramini)
Fixed a build issue on Mac.
(Contributed by Zixu Wang)
Moved the Autoconf macro files to scripts/autoconf.
Moved the CMake files (except for the main CMakeLists.txt) to
scripts/cmake and moved the list of their contributing authors to
scripts/cmake/AUTHORS.md
Updated the CI configurations and scripts.
Relicensed the CI scripts to the MIT License.
Improved the test coverage.
(Contributed by John Bowler)
1.6.40
Fixed the eXIf chunk multiplicity checks.
Fixed a memory leak in pCAL processing.
Corrected the validity report about tRNS inside png_get_valid().
Fixed various build issues on *BSD, Mac and Windows.
Updated the configurations and the scripts for continuous integration.
Cleaned up the code, the build scripts, and the documentation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:40 +0000 (23:13 +0100)]
bash: Update to include patches 22 to 26
- Update from version 5.2 with patches 1 to 21 to 5.2 with patches 1 to 26
- Update of rootfile not required
- Changelog
Patch 26
The custom color prefix that readline uses to color possible completions
must have a leading `.'.
Patch 25
Make sure a subshell checks for and handles any terminating signals before
exiting (which might have arrived after the command completed) so the parent
and any EXIT trap will see the correct value for $?.
Patch 24
Fix bug where associative array compound assignment would not expand tildes
in values.
Patch 23
Running `local -' multiple times in a shell function would overwrite the
original saved set of options.
Patch 22
It's possible for readline to try to zero out a line that's not null-
terminated, leading to a memory fault.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 30 Jan 2024 22:13:39 +0000 (23:13 +0100)]
acl: Update to version 2.3.2
- Update from version 2.3.1 to 2.3.2
- Update of rootfile
- Changelog is only available from reviewing the git commits
https://git.savannah.nongnu.org/cgit/acl.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 29 Jan 2024 16:25:55 +0000 (17:25 +0100)]
vnstat: Update to 2.12
For details see:
https://humdi.net/vnstat/CHANGES
"2.12 / 21-Jan-2024
- Fixed
- QueryMode documentation in configuration file didn't match implementation
or man page description
- Daemon didn't try to import legacy databases when --noadd was used and no
current version database initially existed resulting in the process
exiting even when something could have been done
- Daemon didn't try to import legacy databases when --initdb was used and
no current version database initially existed, this behaviour can still
be enabled by using --noadd in combination with --initdb
- Using --nodaemon and --initdb at the same time didn't result in an error
being shown
- New
- Add 95th percentile output as --95th, also available via --alert, --json,
--xml and image output, requires 5MinuteHours configuration to be set to
at least 744 for storing all the necessary data
- Add --json support for --alert
- Database queries resulting in error exit with status 1
- Show spinning animation at the beginning of -l / --live output line,
visibility configurable using LiveSpinner configuration option
- Add -ic / --invert-colors option to image output for facilitating for
example dark mode switching without needing to have multiple separate
color configurations
- Add dark mode option to image output example cgi (examples/vnstat.cgi)
- Add option 4 to QueryMode for selecting summary output of single
interface regardless of the number of interfaces in the database
- Add optional mode parameter to -q / --query for overriding QueryMode
for summary output and for enabling control of summary output style
regardless of the number of interfaces in the database
- Add --startempty option to daemon for starting and keeping the daemon
running even if no interfaces were discovered and the database is empty
- Add --noremove option to daemon for disabling the automatic removal of
interfaces from database that aren't currently visible and haven't seen
any traffic
- Add third mode option to --iflist and --dbiflist for getting only the
interface count as output"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Mon, 29 Jan 2024 16:25:05 +0000 (17:25 +0100)]
mc: Update to 4.8.31
For details see:
https://midnight-commander.org/wiki/NEWS-4.8.31
"Major changes since 4.8.30
Core
Minimal version of GLib is 2.32.0.
VFS
fish: drop support of native FISH server and protocol. Rename VFS to shell (#4232)
extfs;
uc1541 extfs: update up to 3.6 version (#4511)
s3+: port to Python3 (#4324)
Support for LZO/LZOP compression format (#4509)
...
Skins: add color for non-printable characters in editor (#4433)
Fixes
FTBFS on FreeBSD with ext2fs attribute support (#4493)
Broken stickchars (-a) mode (#4498)
Wrong timestamp after resuming of file copy operation (#4499)
Editor: wrong deletion of marked column (#3761)
Diff viewer: segfault when display of line numbers is enabled (#4500)
Tar VFS: broken handling of hard links (#4494)
Sftp VFS: failure establishing SSH session due hashed host names in ~/.ssh/known_hosts (#4506)
Shell VFS: incorrect file names with cyrillic or diacritic symbols (#4507)
mc.ext.ini: incorrect description of of how multiple sections and keys with same names are processed (#4497)
mc.ext.ini: unescaped backslash \ is treated as invalid escape sequence in glib-2.77.3 and glib-2.79 (#4502)
mc.ext.ini: file "Makefile.zip" is handled as Makefile not as zip-arhive (#4419)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Jan 2024 15:09:54 +0000 (15:09 +0000)]
openssl: Update to 3.2.1
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Tue, 30 Jan 2024 15:09:54 +0000 (15:09 +0000)]
openssl: Update to 3.2.1
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:20 +0000 (14:41 +0100)]
python3-trio: Update to version 0.23.1
- Update from version 0.22.0 to 0.23.1
- Update of rootfile
- Changelog
0.23.0
Headline features
Add type hints. (#543)
Features
When exiting a nursery block, the parent task always waits for child tasks
to exit. This wait cannot be cancelled. However, previously, if you tried
to cancel it, it would inject a Cancelled exception, even though it wasn’t
cancelled. Most users probably never noticed either way, but injecting a
Cancelled here is not really useful, and in some rare cases caused
confusion or problems, so Trio no longer does that. (#1457)
If called from a thread spawned by trio.to_thread.run_sync,
trio.from_thread.run and trio.from_thread.run_sync now reuse the task and
cancellation status of the host task; this means that context variables and
cancel scopes naturally propagate ‘through’ threads spawned by Trio. You
can also use trio.from_thread.check_cancelled to efficiently check for
cancellation without reentering the Trio thread. (#2392)
trio.lowlevel.start_guest_run() now does a bit more setup of the guest run
before it returns to its caller, so that the caller can immediately make
calls to trio.current_time(), trio.lowlevel.spawn_system_task(),
trio.lowlevel.current_trio_token(), etc. (#2696)
Bugfixes
When a starting function raises before calling trio.TaskStatus.started(),
trio.Nursery.start() will no longer wrap the exception in an undocumented
ExceptionGroup. Previously, trio.Nursery.start() would incorrectly raise an
ExceptionGroup containing it when using trio.run(...,
strict_exception_groups=True). (#2611)
Deprecations and removals
To better reflect the underlying thread handling semantics, the keyword
argument for trio.to_thread.run_sync that was previously called cancellable
is now named abandon_on_cancel. It still does the same thing – allow the
thread to be abandoned if the call to trio.to_thread.run_sync is
cancelled – but since we now have other ways to propagate a cancellation
without abandoning the thread, “cancellable” has become somewhat of a
misnomer. The old cancellable name is now deprecated. (#2841)
Deprecated support for math.inf for the backlog argument in
open_tcp_listeners, making its docstring correct in the fact that only
TypeError is raised if invalid arguments are passed. (#2842)
Removals without deprecations
Drop support for Python3.7 and PyPy3.7/3.8. (#2668)
Removed special MultiError traceback handling for IPython. As of version
8.15 ExceptionGroup is handled natively. (#2702)
Miscellaneous internal changes
Trio now indicates its presence to sniffio using the sniffio.thread_local
interface that is preferred since sniffio v1.3.0. This should be less
likely than the previous approach to cause sniffio.current_async_library()
to return incorrect results due to unintended inheritance of contextvars.
(#2700)
On windows, if SIO_BASE_HANDLE failed and SIO_BSP_HANDLE_POLL didn’t return
a different socket, runtime error will now raise from the OSError that
indicated the issue so that in the event it does happen it might help with
debugging. (#2807)
0.22.2
Bugfixes
Fix PermissionError when importing trio due to trying to access pthread.
(#2688)
0.22.1
Breaking changes
Timeout functions now raise ValueError if passed math.nan. This includes
trio.sleep, trio.sleep_until, trio.move_on_at, trio.move_on_after,
trio.fail_at and trio.fail_after. (#2493)
Features
Added support for naming threads created with trio.to_thread.run_sync,
requires pthreads so is only available on POSIX platforms with glibc
installed. (#1148)
trio.socket.socket now prints the address it tried to connect to upon
failure. (#1810)
Bugfixes
Fixed a crash that can occur when running Trio within an embedded Python
interpreter, by handling the TypeError that is raised when trying to
(re-)install a C signal handler. (#2333)
Fix sniffio.current_async_library() when Trio tasks are spawned from a
non-Trio context (such as when using trio-asyncio). Previously, a regular
Trio task would inherit the non-Trio library name, and spawning a system
task would cause the non-Trio caller to start thinking it was Trio. (#2462)
Issued a new release as in the git tag for 0.22.0, trio.__version__ is
incorrectly set to 0.21.0+dev. (#2485)
Improved documentation
Documented that Nursery.start_soon does not guarantee task ordering. (#970)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:19 +0000 (14:41 +0100)]
python3-pyfuse3: Update to version 3.3.0
- Update from version 3.2.2 to 3.3.0
- Update of rootfile
- Changelog
3.3.0
Note: This is the first pyfuse3 release compatible with Cython 3.0.0 release.
Cython 0.29.x is also still supported.
Cythonized with latest Cython 3.0.0.
Drop Python 3.6 and 3.7 support and testing, #71.
CI: also test python 3.12. test on cython 0.29 and cython 3.0.
Tell Cython that callbacks may raise exceptions, #80.
Fix lookup in examples/hello.py, similar to #16.
Misc. CI, testing, build and sphinx related fixes.
3.2.3
cythonize with latest Cython 0.29.34 (brings Python 3.12 support)
add a minimal pyproject.toml, require setuptools
tests: fix integer overflow on 32-bit arches, fixes #47
test: Use shutil.which() instead of external which(1) program
setup.py: catch more generic OSError when searching Cython, fixes #63
setup.py: require Cython >= 0.29
fix basedir computation in setup.py (fix pip install -e .)
use sphinx < 6.0 due to compatibility issues with more recent versions
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:18 +0000 (14:41 +0100)]
python3-packaging: Update to version 23.2
- Update from version 23.0 to 23.2
- Update of rootfile
- Changelog
23.2
Document calendar-based versioning scheme (#716)
Enforce that the entire marker string is parsed (#687)
Requirement parsing no longer automatically validates the URL (#120)
Canonicalize names for requirements comparison (#644)
Introduce metadata.Metadata (along with metadata.ExceptionGroup and
metadata.InvalidMetadata; #570)
Introduce the validate keyword parameter to utils.normalize_name() (#570)
Introduce utils.is_normalized_name() (#570)
Make utils.parse_sdist_filename() and utils.parse_wheel_filename() raise
InvalidSdistFilename and InvalidWheelFilename, respectively, when the
version component of the name is invalid
23.1
Parse raw metadata (#671)
Import underlying parser functions as an underscored variable (#663)
Improve error for local version label with unsupported operators (#675)
Add dedicated error for specifiers with incorrect .* suffix
Replace spaces in platform names with underscores (#620)
Relax typing of _key on _BaseVersion (#669)
Handle prefix match with zeros at end of prefix correctly (#674)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:17 +0000 (14:41 +0100)]
python3-msgpack: Update to version 1.0.7
- Update from version 1.0.4 to 1.0.7
- Update of rootfile
- Changelog
1.0.7
Fix build error of extension module on Windows. (#567)
setup.py doesn't skip build error of extension module. (#568)
1.0.6
Add Python 3.12 wheels (#517)
Remove Python 2.7, 3.6, and 3.7 support
1.0.5
Use __BYTE_ORDER__ instead of __BYTE_ORDER for portability. (#513, #514)
Add Python 3.11 wheels (#517)
fallback: Fix packing multidimensional memoryview (#527)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:16 +0000 (14:41 +0100)]
python3-exceptiongroup: Update to version 1.2.0
- Updated from version 1.1.0 to 1.2.0
- Update of rootfile
- Changelog
1.2.0
Added special monkeypatching if Apport has overridden sys.excepthook so it
will format exception groups correctly (PR by John Litborn)
Added a backport of contextlib.suppress() from Python 3.12.1 which also
handles suppressing exceptions inside exception groups
Fixed bare raise in a handler reraising the original naked exception rather
than an exception group which is what is raised when you do a raise in an
except* handler
1.1.3
catch() now raises a TypeError if passed an async exception handler instead
of just giving a RuntimeWarning about the coroutine never being awaited.
(#66, PR by John Litborn)
Fixed plain raise statement in an exception handler callback to work like a
raise in an except* block
Fixed new exception group not being chained to the original exception when
raising an exception group from exceptions raised in handler callbacks
Fixed type annotations of the derive(), subgroup() and split() methods to
match the ones in typeshed
1.1.2
Changed handling of exceptions in exception group handler callbacks to not
wrap a single exception in an exception group, as per CPython issue 103590
1.1.1
Worked around CPython issue #98778, urllib.error.HTTPError(..., fp=None)
raises KeyError on unknown attribute access, on affected Python versions.
(PR by Zac Hatfield-Dodds)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:15 +0000 (14:41 +0100)]
python3-calver: New build dependency for python3-trove-classifiers
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:14 +0000 (14:41 +0100)]
python3-trove-classifiers: New build dependency for python3-hatchling
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:13 +0000 (14:41 +0100)]
python3-pluggy: New build dependency for python3-hatchling
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as pyproject.toml approach kept failing to build
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:12 +0000 (14:41 +0100)]
python3-pathspec: New build dependency for python3-hatchling
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:11 +0000 (14:41 +0100)]
python3-editables: New build dependency for python3-hatchling
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:10 +0000 (14:41 +0100)]
python3-hatch-fancy-pypi-readme: New build dependency for python3-attrs
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:09 +0000 (14:41 +0100)]
python3-hatch-vcs: New build dependency for python3-attrs
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:08 +0000 (14:41 +0100)]
python3-hatchling: New build dependency for python3-attrs
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:07 +0000 (14:41 +0100)]
python3-attrs: Update to version 23.2.0
- Update from version 22.1.0 to 23.2.0
- Update of rootfile
- setup.py is no longer available so build to use pyproject.toml was used.
- A new series of build dependencies are also now required for python3-attrs
- Changelog
23.2.0
Changes
The type annotation for attrs.resolve_types() is now correct. #1141
Type stubs now use typing.dataclass_transform to decorate dataclass-like
decorators, instead of the non-standard __dataclass_transform__ special
form, which is only supported by Pyright. #1158
Fixed serialization of namedtuple fields using attrs.asdict/astuple() with
retain_collection_types=True. #1165
attrs.AttrsInstance is now a typing.Protocol in both type hints and code.
This allows you to subclass it along with another Protocol. #1172
If attrs detects that __attrs_pre_init__ accepts more than just self, it
will call it with the same arguments as __init__ was called. This allows
you to, for example, pass arguments to super().__init__(). #1187
Slotted classes now transform functools.cached_property decorated methods to
support equivalent semantics. #1200
Added class_body argument to attrs.make_class() to provide additional
attributes for newly created classes. It is, for example, now possible to
attach methods. #1203
23.1.0
Backwards-incompatible Changes
Python 3.6 has been dropped and packaging switched to static package data
using Hatch. #993
Deprecations
The support for zope-interface via the attrs.validators.provides validator
is now deprecated and will be removed in, or after, April 2024.
The presence of a C-based package in our developement dependencies has
caused headaches and we’re not under the impression it’s used a lot.
Let us know if you’re using it and we might publish it as a separate
package. #1120
Changes
attrs.filters.exclude() and attrs.filters.include() now support the passing
of attribute names as strings. #1068
attrs.has() and attrs.fields() now handle generic classes correctly. #1079
Fix frozen exception classes when raised within e.g.
contextlib.contextmanager, which mutates their __traceback__ attributes. #1081
@frozen now works with type checkers that implement PEP-681 (ex. pyright).
#1084
Restored ability to unpickle instances pickled before 22.2.0. #1085
attrs.asdict()’s and attrs.astuple()’s type stubs now accept the
attrs.AttrsInstance protocol. #1090
Fix slots class cellvar updating closure in CPython 3.8+ even when
__code__ introspection is unavailable. #1092
attrs.resolve_types() can now pass include_extras to typing.get_type_hints()
on Python 3.9+, and does so by default. #1099
Added instructions for pull request workflow to CONTRIBUTING.md. #1105
Added type parameter to attrs.field() function for use with attrs.make_class().
Please note that type checkers ignore type metadata passed into
make_class(), but it can be useful if you’re wrapping attrs. #1107
It is now possible for attrs.evolve() (and attr.evolve()) to change fields
named inst if the instance is passed as a positional argument.
Passing the instance using the inst keyword argument is now deprecated and
will be removed in, or after, April 2024. #1117
attrs.validators.optional() now also accepts a tuple of validators
(in addition to lists of validators). #1122
22.2.0
Backwards-incompatible Changes
Python 3.5 is not supported anymore. #988
Deprecations
Python 3.6 is now deprecated and support will be removed in the next
release. #1017
Changes
attrs.field() now supports an alias option for explicit __init__ argument
names.
Get __init__ signatures matching any taste, peculiar or plain! The PEP 681
compatible alias option can be use to override private attribute name
mangling, or add other arbitrary field argument name overrides. #950
attrs.NOTHING is now an enum value, making it possible to use with e.g.
typing.Literal. #983
Added missing re-import of attr.AttrsInstance to the attrs namespace. #987
Fix slight performance regression in classes with custom __setattr__ and
speedup even more. #991
Class-creation performance improvements by switching performance-sensitive
templating operations to f-strings.
You can expect an improvement of about 5% – even for very simple classes. #995
attrs.has() is now a TypeGuard for AttrsInstance. That means that type
checkers know a class is an instance of an attrs class if you check it
using attrs.has() (or attr.has()) first. #997
Made attrs.AttrsInstance stub available at runtime and fixed type errors
related to the usage of attrs.AttrsInstance in Pyright. #999
On Python 3.10 and later, call abc.update_abstractmethods() on dict classes
after creation. This improves the detection of abstractness. #1001
attrs’s pickling methods now use dicts instead of tuples. That is safer and
more robust across different versions of a class. #1009
Added attrs.validators.not_(wrapped_validator) to logically invert
wrapped_validator by accepting only values where wrapped_validator rejects
the value with a ValueError or TypeError (by default, exception types
configurable). #1010
The type stubs for attrs.cmp_using() now have default values. #1027
To conform with PEP 681, attr.s() and attrs.define() now accept unsafe_hash
in addition to hash. #1065
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 13:41:06 +0000 (14:41 +0100)]
borgbackup: Update to version 1.2.7
- Update from version 1.2.3 to 1.2.7
- Update of rootfile
- Patch set put together to also update the dependency packages where they have been
updated.
- Changelog
1.2.7
Fixes:
- docs: CVE-2023-36811 upgrade steps: consider checkpoint archives, #7802
- check/compact: fix spurious reappearance of orphan chunks since borg
1.2, #6687 -
this consists of 2 fixes:
- for existing chunks: check --repair: recreate shadow index, #6687
- for newly created chunks: update shadow index when doing a
double-put, #5661
- LockRoster.modify: no KeyError if element was already gone, #7937
- create --X-from-command: run subcommands with a clean environment, #7916
- list --sort-by: support "archive" as alias of "name", #7873
- fix rc and msg if arg parsing throws an exception, #7885
Other changes:
- support and test on Python 3.12
- include unistd.h in _chunker.c (fix for Python 3.13)
- allow msgpack 1.0.6 and 1.0.7
- TAM issues: show tracebacks, improve borg check logging, #7797
- replace "datetime.utcfromtimestamp" with custom helper to avoid
deprecation warnings when using Python 3.12
- vagrant:
- use generic/debian9 box, fixes #7579
- add VM with debian bookworm / test on OpenSSL 3.0.x.
- docs:
- not only attack/unsafe, can also be a fs issue, #7853
- point to CVE-2023-36811 upgrade steps from borg 1.1 to 1.2 upgrade
steps, #7899
- upgrade steps needed for all kinds of repos (including "none"
encryption mode), #7813
- upgrade steps: talk about consequences of borg check, #7816
- upgrade steps: remove period that could be interpreted as part of
the command
- automated-local.rst: use GPT UUID for consistent udev rule
- create disk/partition sector backup by disk serial number, #7934
- update macOS hint about full disk access
- clarify borg prune -a option description, #7871
- readthedocs: also build offline docs (HTMLzip), #7835
- frontends: add "check.rebuild_refcounts" message
1.2.6
Fixes:
- The upgrade procedure docs as published with borg 1.2.5 did not work,
if the repository had archives resulting from a borg rename or borg
recreate operation.
The updated docs now use BORG_WORKAROUNDS=ignore_invalid_archive_tam
at some places to avoid that issue, #7791.
See: fix pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811),
details and necessary upgrade procedure described above.
Other changes:
- updated 1.2.5 changelog entry: 1.2.5 already has the fix for
rename/recreate.
- remove cython restrictions. recommended is to build with
cython 0.29.latest, because borg 1.2.x uses this since years and it
is very stable. You can also try to build with cython 3.0.x, there is
a good chance that it works. As a 3rd option, we also bundle the
`*.c` files cython outputs in the release pypi package, so you can
also just use these and not need cython at all.
1.2.5
Fixes:
- Security: fix pre-1.2.5 archives spoofing vulnerability (CVE-2023-36811),
see details and necessary upgrade procedure described above.
- rename/recreate: correctly update resulting archive's TAM, see #7791
- create: do not try to read parent dir of recursion root, #7746
- extract: fix false warning about pattern never matching, #4110
- diff: remove surrogates before output, #7535
- compact: clear empty directories at end of compact process, #6823
- create --files-cache=size: fix crash, #7658
- keyfiles: improve key sanity check, #7561
- only warn about "invalid" chunker params, #7590
- ProgressIndicatorPercent: fix space computation for wide chars, #3027
- improve argparse validator error messages
New features:
- mount: make up volname if not given (macOS), #7690.
macFUSE supports a volname mount option to give what finder displays on
the desktop / in the directory view. if the user did not specify it,
we make something up, because otherwise it would be "macFUSE Volume 0
(Python)" and hide the mountpoint directory name.
- BORG_WORKAROUNDS=authenticated_no_key to extract from authenticated repos
without key, #7700
Other changes:
- add `utcnow()` helper function to avoid deprecated `datetime.utcnow()`
- stay on latest Cython 0.29 (0.29.36) for borg 1.2.x (do not use
Cython 3.0 yet)
- docs:
- move upgrade notes to own section, see #7546
- mount -olocal: how to show mount in finder's sidebar, #5321
- list: fix --pattern examples, #7611
- improve patterns help
- incl./excl. options, path-from-stdin exclusiveness
- obfuscation docs: markup fix, note about MAX_DATA_SIZE
- --one-file-system: add macOS apfs notes, #4876
- improve --one-file-system help string, #5618
- rewrite borg check docs
- improve the docs for --keep-within, #7687
- fix borg init command in environment.rst.inc
- 1.1.x upgrade notes: more precise borg upgrade instructions, #3396
-tests:
- fix repo reopen
- avoid long ids in pytest output
- check buzhash chunksize distribution, see #7586
1.2.4
New features:
- import-tar: add --ignore-zeros to process concatenated tars, #7432.
- debug id-hash: computes file/chunk content id-hash, #7406
- diff: --content-only does not show mode/ctime/mtime changes, #7248
- diff: JSON strings in diff output are now sorted alphabetically
Bug fixes:
- xattrs: fix namespace processing on FreeBSD, #6997
- diff: fix path related bug seen when addressing deferred items.
- debug get-obj/put-obj: always give chunkid as cli param, see #7290
(this is an incompatible change, see also borg debug id-hash)
- extract: fix mtime when ResourceFork xattr is set (macOS specific), #7234
- recreate: without --chunker-params, do not re-chunk, #7337
- recreate: when --target is given, do not detect "nothing to do".
use case: borg recreate -a src --target dst can be used to make a copy
of an archive inside the same repository, #7254.
- set .hardlink_master for ALL hardlinkable items, #7175
- locking: fix host, pid, tid order.
tid (thread id) must be parsed as hex from lock file name.
- update development.lock.txt, including a setuptools security fix, #7227
Other changes:
- requirements: allow msgpack 1.0.5 also
- upgrade Cython to 0.29.33
- hashindex minor fixes, refactor, tweaks, tests
- use os.replace not os.rename
- remove BORG_LIBB2_PREFIX (not used any more)
- docs:
- BORG_KEY_FILE: clarify docs, #7444
- update FAQ about locale/unicode issues, #6999
- improve mount options rendering, #7359
- make timestamps in manual pages reproducible
- installation: update Fedora in distribution list, #7357
- tests:
- fix test_size_on_disk_accurate for large st_blksize, #7250
- add same_ts_ns function and use it for relaxed timestamp comparisons
- "auto" compressor tests: don't assume a specific size,
do not assume zlib is better than lz4, #7363
- add test for extracted directory mtime
- vagrant:
- upgrade local freebsd 12.1 box -> generic/freebsd13 box (13.1)
- use pythons > 3.8 which work on freebsd 13.1
- pyenv: also install python 3.11.1 for testing
- pyenv: use python 3.10.1, 3.10.0 build is broken on freebsd
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 29 Jan 2024 11:22:18 +0000 (12:22 +0100)]
dhcpcd: Update to version 10.0.6 + fix issue experinced by some community users.
- Update from version 10.0.4 to 10.0.6
- Update of rootfile not required.
- In version 10.0.4 a bug was found
https://github.com/NetworkConfiguration/dhcpcd/issues/260
which was fixed in version 10.0.5. From the community forum it looks like some people
have experienced this issue with the update to 10.0.4 in CU182
https://community.ipfire.org/t/core-update-182-aarch64-red0-interface-stops/10827
- According to the dhcpcd issue report this problem can affect both x86_64 and aarch64
but it seems to affect aarch64 systems much more often and the reports in the community
forum are related to aarch64.
- This patch updates to version 10.0.6 because that is the current latest version and
includes the fix commits for the above issue that were built into 10.0.5
- Changelog
10.0.6
privsep: Stop proxying stderr to console and fix some detachment issues
non-privsep: Fix launcher hangup
DHCP6: Allow the invalid interface name - to mean don't assign an address
from a delegated prefix
DHCP6: Load the configuration for the interface being activated from prefix
delegation
10.0.5
DHCP: re-enter DISCOVER phase if server doesn't reply to our REQUEST
privsep: Allow __NR_dup3 syscall as some libc's use that instead of the dup2
dhcpcd uses
dev: Fix an issue where not opening the dev plugin folder if configured
returned the wrong fd
privsep: Harden the launcher process detecting daemonisation.
compat: arc4random uses explicit_bzero if available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 24 Jan 2024 21:09:41 +0000 (22:09 +0100)]
libyang: Update to version 2.1.148
- Update from version 2.1.4 to 2.1.148
- Update of rootfile
- Minimum version of 2.1.128 will be required in a future frr release and currently needs
to be a minimum of 2.1.80 but not 2.1.111
- Changelog
2.1.148
Main changes of this release are:
lots of bugfixes and improvements in various parts of the library
2.1.128
Main changes of this release are:
revert of identityref canonical value change
the identity always printed with the module name as the prefix
data tree and hash table optimizations
opaque node handling fixes and improvements
lots of other bug fixes
2.1.111
Main changes of this release are:
opaque node parsing improved
native RESTCONF operation parsing support
union value error reporting improved
new yanglint and yangre tests
optional support for leafref with XPath functions
lots of other fixes and improvements
2.1.80
Main changes of this release are:
RESTCONF message parsing
JSON parser refactor
timezone DST handling
public hash table API
stored union value bugfix
many other clarifications, improvements, and bugfixes
2.1.55
Main changes of this release are:
type compilation fixes
multi-error validation support
JSON parser fixes
portability improvements
schema-mount support improvements
minor optimizations
other minor fixes
2.1.30
Main changes of this release are:
many JSON printer/parser fixes and improvements
unintentionally large library size reduced
thread safety improvements
big-endian compatibility fix
uncrustify updated
lots of other fixes and improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 24 Jan 2024 21:09:40 +0000 (22:09 +0100)]
frr: Update to version 9.1
- Update from version 8.5.2 to 9.1
- Update of rootfile
- Build dependencies of frr now include protobuf-c. protobuf-c requires protobuf.
protobuf requires abseil-cpp.
- Build dependency of libyang will have a minimum version requirement of 2.1.128 coming
out of an issue. Minimum version for frr-9.1 is 2.1.80 but excluding 2.1.111 due to
API issues. Based on the near future requirement being 2.1.128 will move to current
latest version of 2.1.148
- This patch set includes the above build dependencies
- Changelog
9.1
FRR 9.1 brings a long list of enhancements and fixes with 941 commits from 73
developers.
OSPFv2 HMAC-SHA Cryptographic Authentication
Specify that HMAC cryptographic authentication must be used on a
specific interface using a key chain.
BGP MAC-VRF Site-Of-Origin support
In some EVPN deployments, it is useful to associate a logical VTEP’s
Layer 2 domain (MAC-VRF) with a Site-of-Origin “site” identifier. This
provides a BGP topology-independent means of marking and
import-filtering EVPN routes originating from a particular L2 domain.
One situation where this is valuable is when deploying EVPN using
anycast VTEPs, i.e. Active/Active MLAG, as it can be used to avoid
ownership conflicts between the two control planes (EVPN vs MLAG).
BGP Dynamic capability support
Added support for Graceful-Restart, Long-lived Graceful-Restart,
Software-version, and Role BGP capabilities to be adjusted dynamically
using BGP dynamic capability.
Dynamic BGP capability allows the dynamic update of capabilities over an
established BGP session. This capability would facilitate
non-disruptive capability changes by BGP speakers.
IS-IS SRv6 uSID support (RFC 9352)
The Segment Routing (SR) architecture allows a flexible definition of
the end-to-end path by encoding it as a sequence of topological
elements called "segments". It can be implemented over the MPLS or the
IPv6 data plane. This feature enables extensions in IS-IS to support
Segment Routing over the IPv6 data plane (SRv6) as per RFC 9352.
Next-hop resolution via the default route
Changed the default for a traditional profile to be enabled. The
datacenter profile is left as disabled.
Add support for VLAN, ECN, DSCP mangling/filtering
PBR maps are a way to specify a set of rules that are applied to packets
received on individual interfaces. If a received packet matches a rule,
the rule’s next-hop-group or next-hop is used to forward it; any other
actions specified in the rule are also applied to the packet.
With this change, we added more commands for PBR maps, like matching
src-ip, dst-ip, src-port, dst-port, vlan, dscp, ecn, and more.
libyang 2.1.80 related breaking changes
prefix-list matching in route-maps is fundamentally broken with
libyang 2.1.111. If you have this version, please downgrade to the most
stable version 2.1.80.
More details CESNET/libyang#2090
Other significant changes
Zebra support for route replace semantics in FPM link
New command for BGP neighbor x addpath-tx-best-selected link
New command for BGP mpls bgp l3vpn-multi-domain-switching link
A couple more new BGP route-map commands:
set as-path exclude all link
set as-path exclude as-path-access-list link
set extended-comm-list delete link
set as-path replace <any|ASN> [<ASN>] link
set as-path replace as-path-access-list WORD [<ASN>] link
match community-list X any UPDATE
Deprecations
Deprecate pre-standard outbound route filtering capability
Deprecate pre-standard route refresh capability
Drop deprecated capability
A complete log of changes can be found by browsing the commit history of the
FRR 9.1 tag
9.0.2
Fixed CVE-2023-47235
More details: https://frrouting.org/security/cve-2023-47235
Bug Fixes
bgpd
Fix aggregate-address summary-only suppressed export to EVPN
Allow using attribute number 255 for path attr discard/withdraw cmds
Check mandatory attributes more carefully for the UPDATE message
Do not suppress conditional advertisement updates if triggered
Fix Extended community memory leak
Fix the no set as-path prepend command
Fix heap-use-after-free for bgp_best_selection()
Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable()
Fix clear bgp ipv6 unicast ... command
Flush attributes only if we don't have to announce a conditional route
(avoid use-after-free)
Free memory for SRv6 functions and locator chunks
Handle MP_UNREACH_NLRI malformed packets with session reset
Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
Initialise timebuf arrays to zeros for dampening reuse timer
Initialise buffer in bgp_notify_admin_message() before using it
LTTng add EVPN route trace events
Make sure dampening is enabled for the specified AFI/SAFI
Use proper AFI when dumping information for dampening stuff
Treat the AS4-PATH attribute as withdrawn if malformed
Treat PMSI tunnel attribute as withdrawn if malformed
Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
eigrpd
Use the correct memory pool on interface deletion
mgmtd
Change mgmtd_vty_port to 2623
Fix crash on show mgmtd datastore-contents
ospf6d
Fix setting of the forwarding address in as-external LSAs
Set loopback interface cost to 0
ospfd
Fixing infinite loop when listing OSPF interfaces
pathd
Add no msd command
Add no pcep command
pbrd
Fix show pbr map detail json command
Free memory in pbr_map_delete()
pim6d
Fix valgrind issues
pimd
Fix missing pimreg interface
tools
Fix the frr-reload interface description command
Fix the frr-reload route-map description command
Make --quiet actually suppress output
vtysh
Fix entering configuration node in file-lock mode
Fix configure terminal argument descriptions
Fix working in file-lock mode
Fix show route map json output
zebra
Add encap type when building packet for FPM
Display ptmStatus order in interface JSON
Fix connected route deletion when multiple entry exists
Fix FPM multipath encap addition
Fix link update for veth interfaces
Fix zebra crash when replacing nhe during shutdown
Prevent null pointer dereference
9.0.1
Bug Fixes
bgpd
Add peers back to peer hash when peer_xfer_conn fails
Check the length of the rcv software version
Do not explicitly print maxttl value for ebgp-multihop vty output
Do not process nlris if the attribute length is zero
Don't read the first byte of orf header if we are ahead of stream
Evpn code was not properly unlocking rd_dest
Fix show bgp all rpki notfound
Make sure we have enough data to read two bytes when validating aigp
Use treat-as-withdraw for tunnel encapsulation attribute
zebra
Fix evpn nexthop config order
lib
Allow unsetting walltime-warning and cpu-warning
ospfd
Prevent use after free( and crash of ospf ) when no router ospf
pimd
Prevent crash when receiving register message when the rp() is unknown
When receiving a packet be more careful with length in pim_pim_packet
vtysh
Print uniq lines when parsing no service ...
8.5.4
Fixed CVE-2023-47235
More details: https://frrouting.org/security/cve-2023-47235
Bug Fixes
bgpd
Check mandatory attributes more carefully for the UPDATE message
Do not suppress conditional advertisement updates if triggered
Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable()
Handle MP_UNREACH_NLRI malformed packets with session reset
Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
Initialise timebuf arrays to zeros for dampening reuse timer
Initialise buffer in bgp_notify_admin_message() before using it
Make sure dampening is enabled for the specified AFI/SAFI
Use proper AFI when dumping information for dampening stuff
Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
eigrpd
Use the correct memory pool on interface deletion
vtysh
Fix show route map JSON output
ospfd
Fix infinite loop when listing OSPF interfaces
pbrd
Fix show pbr map detail json output
zebra
Add encap type when building packet for FPM
Display ptmStatus order in interface JSON
Fix connected route deletion when multiple entry exists
Fix FPM multipath encap addition
Fix link update for veth interfaces
Fix zebra crash when replacing nhe during shutdown
Prevent null pointer dereference
8.5.3
Bug Fixes
bgpd
Add peers back to peer hash when peer_xfer_conn fails
Do not explicitly print maxttl value for ebgp-multihop vty output
Do not process nlris if the attribute length is zero
Do not try to redistribute routes if we are shutting down
Don't read the first byte of orf header if we are ahead of stream
Evpn code was not properly unlocking rd_dest
Fix show bgp all rpki notfound
Fix session reset issue caused by malformed core attributes
Free bgp vpn policy
Free previously dup'ed aspath attribute for aggregate routes
Free temporary memory after using argv_concat()
Intern attributes before putting into rib-out
Make sure we have enough data to read two bytes when validating aigp
Prevent use after free
Rfapi memleak fixes, clean ce tables at exit
Unlock dest if we return earlier for aggregate install
Use treat-as-withdraw for tunnel encapsulation attribute
zebra
Fix evpn nexthop config order
Abstract dplane_ctx_route_init to init route without copying
Fix crash when dplane_fpm_nl fails to process received routes
Further handle route replace semantics
Fix command ipv6 nht xxx
lib
Allow unsetting walltime-warning and cpu-warning
Skip route-map optimization if !af_inet(6)
Use max_bitlen instead of magic number
ospf6d
Fix crash because neighbor structure was freed
Stop crash in ospf6_write
ospfd
Check for nulls in vty code
Prevent use after free( and crash of ospf ) when no router ospf
pbrd
Fix crash with match command
pimd
Prevent crash when receiving register message when the rp() is unknown
When receiving a packet be more careful with length in pim_pim_packet
ripd, ripngd
Revert "Cleanup memory allocations on shutdown"
tools
Add what frr thinks as the fib routes for support_bundle
vtysh
Print uniq lines when parsing no service ...
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3440100 to 3450000
- Update of rootfile not required
- Does IPFire have apopliocation defined SQL functions that invoke sqlite3_result_subtype()
as per the first part of the below Changelog.
- Changelog
3.45.0
Added the SQLITE_RESULT_SUBTYPE property for application-defined SQL functions.
All application defined SQL functions that invokes sqlite3_result_subtype() must
be registered with this new property. Failure to do so might cause the call to
sqlite3_result_subtype() to behave as a no-op. Compile with
-DSQLITE_STRICT_SUBTYPE=1 to cause an SQL error to be raised if a function that
is not SQLITE_RESULT_SUBTYPE tries invokes sqlite3_result_subtype(). The use of
-DSQLITE_STRICT_SUBTYPE=1 is a recommended compile-time option for every
application that makes use of subtypes.
Enhancements to the JSON SQL functions:
All JSON functions are rewritten to use a new internal parse tree format
called JSONB. The new parse-tree format is serializable and hence can be
stored in the database to avoid unnecessary re-parsing whenever the JSON
value is used.
New versions of JSON-generating functions generate binary JSONB instead of
JSON text.
The json_valid() function adds an optional second argument that specifies
what it means for the first argument to be "well-formed".
Add the FTS5 tokendata option to the FTS5 virtual table.
The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by default. Disable
it at compile-time using -DSQLITE_DIRECT_OVERFLOW_READ=0.
Query planner improvements:
Do not allow the transitive constraint optimization to trick the query
planner into using a range constraint when a better equality constraint
is available. (Forum post 2568d1f6e6.)
The query planner now does a better job of disregarding indexes that ANALYZE
identifies as low-quality. (Forum post 6f0958b03b.)
Increase the default value for SQLITE_MAX_PAGE_COUNT from 1073741824 to 4294967294.
Enhancements to the CLI:
Improvements to the display of UTF-8 content on Windows
Automatically detect playback of ".dump" scripts and make appropriate changes
to settings such as ".dbconfig defensive off" and ".dbconfig dqs_dll on".
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:46 +0000 (12:26 +0100)]
shadow: Updated to version 4.14.3
- Updated from version 4.14.2 to 4.14.3
- Update of rootfile not required
- Patch renamed to new version number
- Changelog
4.14.3
libshadow:
Avoid null pointer dereference.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:45 +0000 (12:26 +0100)]
pam: Update to version 1.6.0
- Update from version 1.5.3 to 1.6.0
- Update of rootfile
- A build bug was found with 1.6.0 if --enable-read-both-confs was set in the configure.
A commit fixing this has been released and converted into a patch for IPFire. This
will end up in the next pam release version and the IPFire patch can then be removed.
- Changelog
1.6.0
* Added support of configuration files with arbitrarily long lines.
* build: fixed build outside of the source tree.
* libpam: added use of getrandom(2) as a source of randomness if available.
* libpam: fixed calculation of fail delay with very long delays.
* libpam: fixed potential infinite recursion with includes.
* libpam: implemented string to number conversions validation when parsing
controls in configuration.
* pam_access: added quiet_log option.
* pam_access: fixed truncation of very long group names.
* pam_canonicalize_user: new module to canonicalize user name.
* pam_echo: fixed file handling to prevent overflows and short reads.
* pam_env: added support of '\' character in environment variable values.
* pam_exec: allowed expose_authtok for password PAM_TYPE.
* pam_exec: fixed stack overflow with binary output of programs.
* pam_faildelay: implemented parameter ranges validation.
* pam_listfile: changed to treat \r and \n exactly the same in configuration.
* pam_mkhomedir: hardened directory creation against timing attacks.
Please note that using *at functions leads to more open file handles
during creation.
* pam_namespace: fixed potential local DoS (CVE-2024-22365).
* pam_nologin: fixed file handling to prevent short reads.
* pam_pwhistory: helper binary is now built only if SELinux support is enabled.
* pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
* pam_shells: changed to allow shell entries with absolute paths only.
* pam_succeed_if: fixed treating empty strings as numerical value 0.
* pam_unix: added support of disabled password aging.
* pam_unix: synchronized password aging with shadow.
* pam_unix: implemented string to number conversions validation.
* pam_unix: fixed truncation of very long user names.
* pam_unix: corrected rounds retrieval for configured encryption method.
* pam_unix: implemented reliable usernames handling when remembering passwords.
* pam_unix: changed to always run the helper to obtain shadow password entries.
* pam_unix: unix_update helper binary is now built only if SELinux support
is enabled.
* pam_unix: added audit support to unix_update helper.
* pam_userdb: added gdbm support.
* Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:44 +0000 (12:26 +0100)]
lvm2: Update to version 2.03.23
- Update from version 2.03.22 to 2.03.23
- Update of rootfile not required
- Changelog
2.03.23
Set the first lv_attr flag for raid integrity images to i or I.
Add -A option for pvs and pvscan to show PVs outside devices file.
Improve searched_devnames temp file usage to prevent redundant scanning.
Change default search_for_devnames from auto to all.
Add lvmdevices --refresh to search for missing PVIDs on all devices.
Add comparison between old and new entries in lvmdevices --check.
Fix device_id matching order - match non-devname first.
Fix "lvconvert -m 0" when there is other than first in-sync leg.
Use system.devices as default for dmeventd when dmeventd.devices is undefined.
Accept WWIDs containing QEMU HARDDISK for device_id.
Improve handling of non-standard WWID prefixes used for device_id.
Configure automatically enables cmdlib for dmeventd and notify-dbus for dbus.
Fix hint calculation for pools with zero or error segment.
Configure supports --disable-shared to build only static binaries.
Configure supports --without-{blkid|systemd|udev} for easier static build.
Refresh device ids if the system changes.
Fix pvmove when specifying raid components as moved LVs.
Enhance error detection for lvm_import_vdo.
Support PV lists with thin lvconvert.
Fix support for lvm_import_vdo with SCSI VDO volumes.
Fix locking issue leading to hanging concurrent vgchange --refresh.
Recognize lvm.conf report/headings=2 for full column names in report headings.
Add --headings none|abbrev|full cmd line option to set report headings type.
Fix conversion to thin pool using lvmlockd.
Fix conversion from thick into thin volume using lvmlockd.
Require writable LV for conversion to vdo pool.
Fix return value from lvconvert integrity remove.
Preserve UUID for pool metadata spare.
Preserve UUID for swapped pool metadata.
Rewrite validation of device name entries used as device_id.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 23 Jan 2024 11:26:43 +0000 (12:26 +0100)]
libidn: Update to version 1.42
- Update from version 1.41 to 1.42
- Update of rootfile
- Changelog
1.42
** Bump required gettext version to 0.19.8 for musl-libc.
** Compiler warning improvements.
As before, compiler warnings are enabled by default. You may disable
them using ./configure --disable-gcc-warnings or turn them into fatal
errors using ./configure --enable-gcc-warnings=error to add -Werror
and sensible -Wno-error='s. Based on gnulib's manywarnings, see
<https://www.gnu.org/software/gnulib//manual/html_node/manywarnings.html>.
** Fix type confusion on LLP64/Windows platforms.
While libidn has worked using cygwin libc, it has never worked on
ucrt/msvcrt libc. Report and tiny patch by Francesco Pretto in
<https://lists.gnu.org/archive/html/help-libidn/2022-02/msg00000.html>.
** tests: Added script tests/standalone.sh suitable for integrators.
The main purpose is to test a system-installed libidn, suitable for
distributor checking (a'la Debian's autopkgtest/debci). It may also
be used to test a newly built libidn outside the usual 'make check'
infrastructure. To check that your system libidn is working, invoke
the script with `srcdir` as an environment variable indicating where
it can be find the source code for libidn's tests/ directory (it will
use the directory name where the script is by default):
tests/standalone.sh
To check that a newly built static libidn behaves, invoke:
env STANDALONE_CFLAGS="-Ilib lib/.libs/libidn.a"
tests/standalone.sh
To check that a newly built shared libidn behaves, invoke:
env srcdir=tests STANDALONE_CFLAGS="-Ilib -Wl,-rpath
lib/.libs lib/.libs/libidn.so" tests/standalone.sh
If the libidn under testing is too old and has known bugs, that
should cause tests to fail, which is intentional.
** Updated translations.
** Update gnulib files and build fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
