Michael Tremer [Mon, 24 Oct 2022 14:57:56 +0000 (15:57 +0100)]
clwarn.cgi: Remove XSS
Fixes: #12966 Reported-by: Arthur Naullet <arthur.naullet@epita.fr> Reported-by: Rafael Lima <isec-researcher@protonmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 21 May 2023 12:45:44 +0000 (14:45 +0200)]
ovpnmain.cgi: Fixes Bug#13117 - adds legacy option to openssl commands for cert & key extraction
- Any insecure connections made with openssl-3.x can have the cert and key extracted but
if the insecure connection was made from prior to CU175 Testing then it used
openssl-1.1.1 which causes an error under openssl-3.x due to the old version being able
to accept older ciphers no longer accepted by openssl-3.x
- Adding the -legacy option to the openssl commands enables openssl-3.x to successfully
open them and extract the cert and key
- Successfully tested on a vm system. Confirmed that the downloaded version under
openssl-3.x worked exactly the same as the version downloaded under openssl-1.1.1
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 21 May 2023 12:45:43 +0000 (14:45 +0200)]
openssl: Fix for Bug#13117 - adds legacy option in for openssl extraction of cert & key
- OpenSSL-3.x gives an error when trying to open insecure .p12 files to extract the cert
and key for the insecure package download option.
- To make this work the -legacy option is needed in the openssl command, which requires
the legacy.so library to be available.
- Successfully tested on a vm system.
- Patch set built on Master (CU175 Testing)
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Jon Murphy [Tue, 11 Apr 2023 19:30:58 +0000 (14:30 -0500)]
rsnapshot: New addon
- What is it?
rsnapshot is a filesystem snapshot utility based on
rsync. rsnapshot makes it easy to make periodic snapshots of the
ipfire device. The code makes extensive use of hard links whenever
possible, to greatly reduce the disk space required. See:
https://rsnapshot.org
- Why is it needed?
Rsnapshot backups run multiple times per day
(e.g., once per day up to 24 times per day). Rsnapshot is much easier
to configure, setup and use than the borg backup add-on. (I found
borg somewhat confusing). Rsnapshot completes each backup very fast.
Unlike borg, rsnapshot does not compress each backup before storage.
During a complete rebuild, borg backup need installation of the borg
add-on to recover archived files. Rsnapshot backups can be copied
directly from the backup drive. Current backups (backup.pl or borg)
could corrupt sqlite3 databases by running a backup during a database
write. This add-on includes a script specifically for sqlite backups.
- IPFire Wiki
In process at: https://wiki.ipfire.org/addons/rsnapshot
Thanks to Gerd for creating a first build and a nice template for me!
Adolf Belka [Wed, 17 May 2023 09:56:52 +0000 (11:56 +0200)]
update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
If a password is present then pass is added to index 41 and if not then no-pass is added
to index 41
- This code should be left in update.sh for future Core Updates in case people don't update
with Core Update 175 but leave it till later. This code works fine on code that already
has pass or no-pass entered into index 41 in ovpnconfig
Fixes: Bug#11048 Suggested-by: Erik Kapfer <ummeegge@ipfire.org> Suggested-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Erik Kapfer <ummeegge@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 17 May 2023 09:56:51 +0000 (11:56 +0200)]
web-user-interface: Addition of new icon for secure connection certificate download
- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png
- The license for this image is the following:-
This library is free software; you can redistribute it and/or modify it under the terms
of the GNU Lesser General Public License as published by the Free Software Foundation;
either version 2.1 of the License, or (at your option) any later version. This library
is distributed in the hope that it will be useful, but without any warranty; without
even the implied warranty of merchantability or fitness for a particular purpose. See
version 2.1 and version 3 of the GNU Lesser General Public License for more details.
- Based on the above license I believe it can be used by IPFire covered by the GNU General
Public License that is used for it.
- The icon image was made by taking the existing openvpn.png file and superimposing the
padlock icon on top of it at a 12x12 pixel format and naming it openvpn_encrypted.png
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 17 May 2023 09:56:48 +0000 (11:56 +0200)]
ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
connection is a host and if the first password entry is a null. Then it adds no-pass
to ovpnconfig.
- The same block of code is also used for when he connection is edited. However at this
stage the password entry is back to null because the password value is only kept until
the connection has been saved. Therefore doing an edit results in the password value
being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if
the connection type is host and the password has characters. If the connection type is
net then no-pass is used as net2net connections dop not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted
certificates.
- Separate patches are provided for the language file change, the provision of a new icon
and the code for the update.sh script for the Core Update to update all existing
connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 175 update.sh script has been tested
on a vm testbed
Fixes: Bug#11048 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Erik Kapfer <ummeegge@ipfire.org> Suggested-by: Adolf Belka <adolf.belka@ipfire.org> Suggested-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 5 Apr 2023 12:28:35 +0000 (14:28 +0200)]
wio: remove unneeded or incorrect commands
- the helper programs in misc-progs get the correct permissions and ownerships
automatically so adjustment not required in this script.
- permissions of menus in menu.d are provided automatically. Historically, these were
root:root but were changed a while back but did not get applied to wio as it was
modified by this script.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 5 Apr 2023 12:28:25 +0000 (14:28 +0200)]
wio: This is a patch series relocating wio into the standard ipfire directories
- This patch is the changes to the wio lfs file related to the relocations
- The modified patch series was built and the generated wio-1.3.2-17.ipfire file was
used to install wio on a testbed vm system. Everything worked. Tested out with various
hosts on the system, tested the graphs, tested adding hosts from a network scan and
from the arp table and everything worked fine. So all the relocations look to have
worked.
- Files were only relocated, the wio code was not modified in any way.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
As the list of symbolic links was not sorted at all I sorted it now by
the order of start or stop.
This seems to be the most useful way as you can now understand the
startup sequence from this file and add/remove scripts at a useful
place.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 10 May 2023 13:04:22 +0000 (15:04 +0200)]
make.sh: Fixes Bug#13076
- Adds borgbackup run time dependency - python3-exceptiongroup
- Adds python3-exceptiongroup build time dependency - python3-flit_scm
- Removes python3-attr that is no longer required in borgbackup dependency chain
Fixes: Bug#13076 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 May 2023 13:04:16 +0000 (15:04 +0200)]
python3-trio: Fixes Bug#13076 - allows fuse mount to work again
- In Core 173 python3-trio was updated to version 0.22.0 when python was upgraded to 3.10.8
Although the build of python3-trio was successful it was missed that there was a new
run-time dependency of python3-exceptiongroup for python3-pyfuse3 to work.
python2-flit_scm is required as a build dependency for python3-exceptiongroup.
- The modified packages were installed in my vm testbed and confirmed that borg mount then
worked again.
- It was also noted that python3-attr was no longer needed neither as a runtime
dependency nor as a build time dependency.
- Dependencies line of python3-trio updated for these two changes.
Fixes: Bug#13076 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
this lower the compression ratio sligtly (the ramdlisk is 100kb
larger) and use only a single thread now. (it's still faster than
before on a dual core.)
fixes: #13091
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Thu, 11 May 2023 12:39:42 +0000 (14:39 +0200)]
mpfr: Update to include the latest four bug patches
- The base version has not changed but patches to fix 4 bugs have been released.
- Update to rootfile not required.
- Bug fix changelog
1 A test of the thousands separator in tsprintf.c is based on the output from
the GNU C Library up to 2.36, which is incorrect. The output has changed in
2.37 (partly fixed), so that tsprintf fails with glibc 2.37. The
tsprintf-thousands patch modifies the test to conform to POSIX and also
avoid the buggy case in 2.36 and below. However, this new test, which was
expected to succeed, triggers a serious bug in 2.37
(bug 30068 / CVE-2023-25139). We did not modify the test again since this
bug affects MPFR's mpfr_sprintf function, with a possible buffer overflow
in particular cases. This bug has been fixed in the 2.37 branch. In short,
this patch is useful (and needed) for a fixed glibc 2.37 and some other
libraries, depending on the current locales.
Corresponding changesets in the 4.2 branch: 4f03d40b5, 78ff7526d, e66bb7121.
2 The mpfr_ui_pow_ui function has infinite loop in case of overflow. This can
affect mpfr_log10, which uses this function (this is how this bug was
found). This bug is fixed by the ui_pow_ui-overflow patch (with testcases).
Corresponding changeset in the 4.2 branch: 0216f40ed.
3 The tfprintf and tprintf tests may fail in locales where decimal_point has
several bytes, such as ps_AF. This is fixed by the multibyte-decimal_point
patch, which makes the tests aware of the length of decimal_point.
Corresponding changeset in the 4.2 branch: 0383bea85.
4 In particular cases that are very hard to round, mpfr_rec_sqrt may yield a
stack overflow due to many small allocations in the stack, based on alloca().
This is due to the fact that the working precision is increased each step
(Ziv loop) by 32 or 64 bits only, until the approximate result can be
rounded (thus we have an arithmetic progression here, while a geometric
progression is used for the other functions), and that at each iteration,
the previous allocations in the stack cannot be freed. Individual
allocations in the stack are limited to 16384 bytes, so that the issue can
occur only when there are many iterations in working precisions that are
not too large, which is possible with an arithmetic progression. This bug
is fixed by the rec_sqrt-zivloop patch, which changes the Ziv loop to use
the standard MPFR_ZIV_* macros; the patch also provides a testcase obtained
by a function that constructs a hard-to-round case involving large enough
precisions (this function is commonly used in the MPFR testsuite, but not
with so large precisions). This bug was originally reported by Fredrik
Johansson.
Corresponding changeset in the 4.2 branch: 934dd8842.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Since lvmetad was removed then the configure option --enable-lvmetad is no longer valid.
A warning is now shown - configure: WARNING: unrecognized options: --enable-lvmetad
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 May 2023 20:41:10 +0000 (22:41 +0200)]
libcap: Adjust the lfs file to place pkg-config files in the correct place
- libcap places the files by default in /lib and not /usr/lib etc. To fix this libcap made
a symlink for the library file from /lib to /usr/lib. However the .pc files were left
in /lib/pkgconfig and not /usr/lib/pkgconfig and were therefore not found by the update
of rng-tools which now required libcap to be found.
- Changed the prefix settings for libcap which placed the libraries and .pc files in the
correct locations while keeping the executables in their existing location.
- This removed the need for symlinking /usr/lib/libcap.so to /lib/libcap.so.2.67 as the
libraries are now placed in /usr/lib
- Installed the ipfire build with these changes into a vm system and confirmed that
everything worked. Input from Michael Tremer that if ping worked then libcap was
functioning correctly.
- The prefixes have to be applied to both make and make install to end up with the files
in the correct places.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 May 2023 20:41:09 +0000 (22:41 +0200)]
rng-tools: Update to version 2.16
- This v2 version corrects an error where a debug echo statement was left in the lfs file
- Update from version 2.14 to 2.16
- Update of rootfile not required
- Version 2.16 required libcap to be available, which it is, but it could not be found by
rng-tools. This is because rng-tools is using pkg-config and the required libcap.pc file
was not stored in the standard directory location for .pc files. Therefore a patch for
libcap is bundled together with this update to fix this.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 10 May 2023 17:17:46 +0000 (19:17 +0200)]
initscripts: removal of lvmetad initscript
- With the last update of lvm2 lvmetad was removed from lvm2. I did not recognise that
lvmetad had been setup as an automatic initscript, so it no longer works as the
binary is no longer provided.
- This patch removes the lvmetad initscript, the reference to lvmetad in the initscript
lfs file and the lvmetad initscript entries in the rootfile for each architecture.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 8 May 2023 17:07:23 +0000 (19:07 +0200)]
alsa: Uncomment the conf file names in the rootfile
- Based on input from Arne Fitzenreiter there are conf files that alsa complains about if
they are not present. This patch uncomments all the default conf files
- The backup include file is also added to the rootfile.
Suggested-by: Arne Fitzenreiter <arne_f@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- start_service added to install.sh and stop_service to uninstall.sh
This ensures that the modules are loaded after install
- The /etc/asound.state file was touched by the install.sh cript but the alsactl store and
restore commands have default location of /var/lib/alsa/ so the touch command created
an asound.state file that was then not used subsequently. It also meant that the first
start of alsa would fail as it would try and restore from /var/lib/alsa/asound.state
but the file did not exist.
- This patch corrects the path for the touch command for asound.state
- The install.sh script also checks if /etc/asound.state, that was never used, exists and
if it does removes it.
- Uninstalling alsa left the sound modules installed until a reboot was carried out.
Uninstallation should unload the alsa kernel modules.
This patch adds the modprobe -r commands to the uninstall.sh file to unload all the snd
modules when alsa is uninstalled.
- make_backup and restore_backup commands added to ther install.sh and uninstall.sh scripts
Fixes: Bug#13087 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 8 May 2023 17:07:21 +0000 (19:07 +0200)]
alsa: Add in a backup include file for alsa specifying the asound.state file
- This will backup the sound card status with the asound.state file when the addon is
uninstalled so that if it is re-installed in the future the status can be rerstored.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Mon, 8 May 2023 17:07:20 +0000 (19:07 +0200)]
alsa: Fix bug#13087 remove services entry
- alsa has an initscript but it is not starting and stopping a traditional daemon service.
The initscript loads some alsa modules and then restores the asound.state file
- This patch updates the PAK_VER number and removes the services entry and explicitly
adds alsa in for the initscript installation.
- Additionally this patch also adds the installation of a backup include file for alsa
which savces the soundcards status file asound.state
Fixes: Bug#13087 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Peter Müller [Tue, 18 Apr 2023 20:52:00 +0000 (20:52 +0000)]
linux: Compile "Intel XHCI USB Role Switch" as a module on x86_64
From the kernel documentation:
> Driver for the internal USB role switch for switching the USB data
> lines between the xHCI host controller and the dwc3 gadget controller
> found on various Intel SoCs. [...]
This may unblock USB-LAN-adaptor usage on certain boards, as reported
once in #12750. Overall affected devices seem to be scanty;
nevertheless, enabling this as a module only is highly unlikely to cause
any harm, so let's give it a try.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Robin Roevens [Tue, 18 Apr 2023 18:45:12 +0000 (20:45 +0200)]
Add Zabbix Agent to logviewer
- Configure Zabbix Agent to log to syslog instead of its own logs.
- Remove old zabbix log-dir and logrotate settings from rootfile, lfs
and install-script.
- Update log.dat to view Zabbix Agent logging from syslog.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Tue, 18 Apr 2023 18:45:11 +0000 (20:45 +0200)]
Bugfix: compatibility with grep 3.8+
Fix "grep: warning: stray \ before /" message on
Zabbix Agent ipfire.net.fw.hits item introduced by
grep 3.8 in
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=40b5df3942149738529c22c9cfcd067cd672b605
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Tue, 18 Apr 2023 18:45:10 +0000 (20:45 +0200)]
zabbix_agentd: Update to 6.0.16 (LTS)
- Update from version 6.0.6 to 6.0.16
- Update of rootfile not required
- Changelog
No substantial changes for Agent Linux version
Changelogs since 6.0.6:
- https://www.zabbix.com/rn/rn6.0.7
- https://www.zabbix.com/rn/rn6.0.8
- https://www.zabbix.com/rn/rn6.0.9
- https://www.zabbix.com/rn/rn6.0.10
- https://www.zabbix.com/rn/rn6.0.11
- https://www.zabbix.com/rn/rn6.0.12
- https://www.zabbix.com/rn/rn6.0.13
- https://www.zabbix.com/rn/rn6.0.14
- https://www.zabbix.com/rn/rn6.0.15
- https://www.zabbix.com/rn/rn6.0.16
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
For details see:
https://github.com/OISF/libhtp/releases/tag/0.5.43
"htp: do not log content-encoding: none
htp: do not error on multiple 100 Continue
readme: remove note on libhtp not being stable
uri: fix compile warning strict-prototypes
bstr: fix compile warning strict-prototypes
fuzz_diff: Free the rust test object.
github: add CIFuzz workflow"
Security #5947: byte_math: Division by zero possible. (6.0.x backport)
Bug #5970: detect: reload can stall if flow housekeeping takes too long (6.0.x backport)
Bug #5967: flowworker: Assertion in CheckWorkQueue (6.0.x backport)
Bug #5953: http: multipart data is not filled up to request.body-limit (6.0.x backport)
Bug #5951: detect: multi-tenancy crash (6.0.x backport)
Bug #5950: http2: quadratic complexity when reducing dynamic headers table size (6.0.x backport)
Bug #5949: smtp: quadratic complexity for tx iterator with linked list (6.0.x backport)
Bug #5948: fast_pattern assignment of specific content in combination with urilen results in FN (6.0.x backport)
Bug #5946: flow/manager: fix unhandled division by 0 (prealloc: 0) (6.0.x backport)
Bug #5942: exception/policy: flow action doesn't fall back to packet action when there's no flow (6.0.x backports)
Bug #5933: smb: tx logs sometimes have duplicate `tree_id` output (6.0.x backport)
Bug #5932: rfb/eve: depth in pixel format logged twice (6.0.x backport)
Bug #5906: dns: unused events field can overflow as an integer
Bug #5903: UBSAN: undefined shift in DetectByteMathDoMatch (6.0.x backport)
Bug #5899: smb: no consistency check between NBSS length and length field for some SMB operations (6.0.x backport)
Bug #5898: smb: possible evasion with trailing nbss data (6.0.x backport)
Bug #5896: base64_decode not populating up to an invalid character (6.0.x backport)
Bug #5895: stream: connections time out too early (6.0.x backport)
Bug #5889: stream: SYN/ACK timestamp checking blocks valid traffic (6.0.x backport)
Bug #5888: false-positive drop event_types possible on passed packets (6.0.x backport)
Bug #5887: stream: overlap with different data false positive (6.0.x backport)
Bug #5886: mime: debug assertion on fuzz input (6.0.x backport)
Bug #5879: netmap: Module registration displays whether info about new API usage
Bug #5863: netmap: packet stalls (6.0.x backport)
Bug #5854: SMTP does not handle LF post line limit properly (6.0.x backport)
Bug #5852: tcp/stream: session reuse on tcp flows w/o sessions (6.0.x backport)
Feature #5853: yaml: set suricata version in generated config (6.0.x backport)
Task #5985: libhtp 0.5.43 (6.0.x backport)"
For details see:
https://downloads.isc.org/isc/bind9/9.16.40/doc/arm/html/notes.html#notes-for-bind-9-16-40
"Notes for BIND 9.16.40
Bug Fixes
Logfiles using timestamp-style suffixes were not always correctly
removed when the number of files exceeded the limit set by versions.
This has been fixed for configurations which do not explicitly specify
a directory path as part of the file argument in the channel
specification. [GL #3959] [GL #3991]
Performance of DNSSEC validation in zones with many DNSKEY records has
been improved. [GL #3981]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://blog.clamav.net/2023/05/clamav-110-released.html
"Major changes
Added the ability to extract images embedded in HTML CSS <style> blocks.
Updated to Sigtool so that the --vba option will extract VBA code from
Microsoft Office documents the same way that libclamav extracts VBA.
This resolves several issues where Sigtool could not extract VBA.
Sigtool will also now display the normalized VBA code instead of the
pre-normalized VBA code.
Added a new ClamScan and ClamD option: --fail-if-cvd-older-than=days.
Additionally, we introduce FailIfCvdOlderThan as a clamd.conf synonym
for --fail-if-cvd-older-than. When passed, it causes ClamD to exit on
startup with a non-zero return code if the virus database is older than
the specified number of days.
Added a new function cl_cvdgetage() to the libclamav API. This function
will retrieve the age in seconds of the youngest file in a database
directory, or the age of a single CVD (or CLD) file.
Added a new function cl_engine_set_clcb_vba() to the libclamav API. Use
this function to set a cb_vba callback function. The cb_vba callback
function will be run whenever VBA is extracted from office documents.
The provided data will be a normalized copy of the extracted VBA. This
callback was added to support Sigtool so that it can use the same VBA
extraction logic that ClamAV uses to scan documents.
Other improvements
Removed the vendored TomsFastMath library in favor of using OpenSSL to
perform "big number"/multiprecision math operations. Work courtesy of
Sebastian Andrzej Siewior.
Build system: Added CMake option DO_NOT_SET_RPATH to avoid setting
RPATH on Unix systems. Feature courtesy of Sebastian Andrzej Siewior.
Build system: Enabled version-scripts with CMake to limit symbol
exports for libclamav, libfreshclam, libclamunrar_iface, and
libclamunrar shared libraries on Unix systems, excluding macOS.
Improvement courtesy of Orion Poplawski and Sebastian Andrzej Siewior.
Build system: Enabled users to pass in custom Rust compiler flags using
the RUSTFLAGS CMake variable. Feature courtesy of Orion Poplawski.
Removed a hard-coded alert for CVE-2004-0597. The CVE is old enough
that it is no longer a threat and the detection had occasional
false-positives.
Set Git attributes to prevent Git from altering line endings for Rust
vendored libraries. Third-party Rust libraries are bundled in the
ClamAV release tarball. We do not commit them to our own Git
repository, but community package maintainers may now store the tarball
contents in Git. The Rust build system verifies the library manifest,
and this change ensures that the hashes are correct. Improvement
courtesy of Nicolas R.
Fixed compile time warnings. Improvement courtesy of Razvan Cojocaru.
Added a minor optimization when matching domain name regex signatures
for PDB, WDB and CDB type signatures.
Build system: Enabled the ability to select a specific Python version.
When building, you may use the CMake option -D
PYTHON_FIND_VER=<version> to choose a specific Python version. Feature
courtesy of Matt Jolly.
Added improvements to the ClamOnAcc process log output so that it is
easier to diagnose bugs.
Windows: Enabled the MSI installer to upgrade between feature versions
more easily when ClamAV is installed to a location different from the
default (i.e., not C:\Program Files\ClamAV). This means that the MSI
installer can find a previous ClamAV 1.0.x installation to upgrade to
ClamAV 1.1.0.
Sigtool: Added the ability to change the location of the temp directory
using the --tempdir option and added the ability to retain the temp
files created by Sigtool using the --leave-temps option.
Other minor improvements.
Bug fixes
Fixed the broken ExcludePUA / --exclude-pua feature. Fix courtesy of
Ged Haywood and Shawn Iverson.
Fixed an issue with integer endianness when parsing Windows executables
on big-endian systems. Fix courtesy of Sebastian Andrzej Siewior.
Fixed a possible stack overflow read when parsing WDB signatures. This
issue is not a vulnerability.
Fixed a possible index out of bounds when loading CRB signatures. This
issue is not a vulnerability.
Fixed a possible use after free when reading logical signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read when reading PDB signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read in javascript normalizer module.
This issue is not a vulnerability.
Fixed two bugs that would cause Freshclam to fail update when applying
a CDIFF database patch if that patch adds a file to the database
archive or removes a file from the database archive. This bug also
caused Sigtool to fail to create such a patch.
Fixed an assortment of complaints identified by Coverity static analysis.
Fixed one of the Freshclam tests that was failing on some Fedora
systems due to a bug printing debug-level log messages to stdout. Fix
courtesy of Arjen de Korte.
Correctly remove temporary files generated by the VBA and XLM
extraction modules so that the files are not leaked in patched versions
of ClamAV where temporary files are written directly to the
temp-directory instead of writing to a unique subdirectory."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:57 +0000 (19:53 +0200)]
ffmpeg: Update to version 6.0
- Update from version 5.1.2 to 6.0
- Update of rootfile
- sobump occurs so find-dependencies checked and the addons mpd, shairport-sync &
minidlna will be bumped to the next PAK_VER as a patch set with this change.
- Changelog
version 6.0:
- Radiance HDR image support
- ddagrab (Desktop Duplication) video capture filter
- ffmpeg -shortest_buf_duration option
- ffmpeg now requires threading to be built
- ffmpeg now runs every muxer in a separate thread
- Add new mode to cropdetect filter to detect crop-area based on motion vectors and edges
- VAAPI decoding and encoding for 10/12bit 422, 10/12bit 444 HEVC and VP9
- WBMP (Wireless Application Protocol Bitmap) image format
- a3dscope filter
- bonk decoder and demuxer
- Micronas SC-4 audio decoder
- LAF demuxer
- APAC decoder and demuxer
- Media 100i decoders
- DTS to PTS reorder bsf
- ViewQuest VQC decoder
- backgroundkey filter
- nvenc AV1 encoding support
- MediaCodec decoder via NDKMediaCodec
- MediaCodec encoder
- oneVPL support for QSV
- QSV AV1 encoder
- QSV decoding and encoding for 10/12bit 422, 10/12bit 444 HEVC and VP9
- showcwt multimedia filter
- corr video filter
- adrc audio filter
- afdelaysrc audio filter
- WADY DPCM decoder and demuxer
- CBD2 DPCM decoder
- ssim360 video filter
- ffmpeg CLI new options: -stats_enc_pre[_fmt], -stats_enc_post[_fmt],
-stats_mux_pre[_fmt]
- hstack_vaapi, vstack_vaapi and xstack_vaapi filters
- XMD ADPCM decoder and demuxer
- media100 to mjpegb bsf
- ffmpeg CLI new option: -fix_sub_duration_heartbeat
- WavArc decoder and demuxer
- CrystalHD decoders deprecated
- SDNS demuxer
- RKA decoder and demuxer
- filtergraph syntax in ffmpeg CLI now supports passing file contents
as option values, by prefixing option name with '/'
- hstack_qsv, vstack_qsv and xstack_qsv filters
For more details about the changes you have to review the commits in the git repo
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n6.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:21 +0000 (19:53 +0200)]
zstd: Update to version 1.5.5
- Update from version 1.5.4 to 1.5.5
- Update of rootfile
- Changelog
v1.5.5 (Apr 2023)
fix: fix rare corruption bug affecting the high compression mode, reported by @danlark1 (#3517, @terrelln)
perf: improve mid-level compression speed (#3529, #3533, #3543, @yoniko and #3552, @terrelln)
lib: deprecated bufferless block-level API (#3534) by @terrelln
cli: mmap large dictionaries to save memory, by @daniellerozenblit
cli: improve speed of --patch-from mode (~+50%) (#3545) by @daniellerozenblit
cli: improve i/o speed (~+10%) when processing lots of small files (#3479) by @felixhandte
cli: zstd no longer crashes when requested to write into write-protected directory (#3541) by @felixhandte
cli: fix decompression into block device using -o, reported by @georgmu (#3583)
build: fix zstd CLI compiled with lzma support but not zlib support (#3494) by @Hello71
build: fix cmake does no longer require 3.18 as minimum version (#3510) by @kou
build: fix MSVC+ClangCL linking issue (#3569) by @tru
build: fix zstd-dll, version of zstd CLI that links to the dynamic library (#3496) by @yoniko
build: fix MSVC warnings (#3495) by @embg
doc: updated zstd specification to clarify corner cases, by @Cyan4973
doc: document how to create fat binaries for macos (#3568) by @rickmark
misc: improve seekable format ingestion speed (~+100%) for very small chunk sizes (#3544) by @Cyan4973
misc: tests/fullbench can benchmark multiple files (#3516) by @dloidolt
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:20 +0000 (19:53 +0200)]
opus: Update to version 1.4
- Updsate from version 1.3.1 to 1.4
- Update of rootfile
- Changelog
opus 1.4 major release brings the following improvements and fixes:
Improved tuning of the Opus in-band FEC (LBRR).
See https://gitlab.xiph.org/xiph/opus/-/issues/2360 for details
Added a OPUS_SET_INBAND_FEC(2) option that turns on FEC, but does not force
SILK mode (FEC will be disabled in CELT mode)
Improved tuning and various fixes to DTX
Added Meson support, improved CMake support In addition to the improvements
above, this release includes many minor bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:19 +0000 (19:53 +0200)]
nfs: Update to version 2.6.3
- Update from version 2.6.2 to 2.6.3
- Update of rootfile
- Changelog is available in sourceforge at the following url
https://sourceforge.net/projects/nfs/files/nfs-utils/2.6.3/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:18 +0000 (19:53 +0200)]
lvm2: Update to version 2.03.21
- Update from version 2.02.188 to 2.03.21
- Update of rootfile
- Changelog
version 2.03.21 - 21st April 2023
Fix activation of vdo-pool for with 0 length headers (converted pools).
Avoid printing internal init messages when creation integration devices.
Allow (write)cache over raid+integrity LV.
version 2.03.20 - 21st March 2023
Fix segfault if using -S|--select with log/report_command_log=1 setting.
Configure now fails when requested lvmlockd dependencies are missing.
Add some configure Gentoo enhancements for static builds.
version 2.03.19 - 21st February 2023
Configure supports --with-systemd-run executed from udev rules.
Enhancement for build with MuslC systemd and non-bash system shells (dash).
Do not reset SYSTEMD_READY variable in udev for PVs on MD and loop devices.
Ensure udev is processing origin LV before its thick snapshots LVs.
Fix and improve runtime memory size detection for VDO volumes.
version 2.03.18 - 22nd December 2022
Fix issues reported by coverity scan.
Fix warning for thin pool overprovisioning on lvextend (2.03.17).
Add support for writecache metadata_only and pause_writeback settings.
Fix missing error messages in lvmdbusd.
Version 2.03.17 - 10th November 2022
Add new options (--fs, --fsmode) for FS handling when resizing LVs.
Fix 'lvremove -S|--select LV' to not also remove its historical LV right away.
Fix lv_active field type to binary so --select and --binary applies properly.
Switch to use mallinfo2 and use it only with glibc.
Error out in lvm shell if using a cmd argument not supported in the shell.
Fix lvm shell's lastlog command to report previous pre-command failures.
Extend VDO and VDOPOOL without flushing and locking fs.
Add --valuesonly option to lvmconfig to print only values without keys.
Updates configure with recent autoconf tooling.
Fix lvconvert --test --type vdo-pool execution.
Add json_std output format for more JSON standard compliant version of output.
Fix vdo_slab_size_mb value for converted VDO volume.
Fix many corner cases in device_id, including handling of S/N duplicates.
Fix various issues in lvmdbusd.
Version 2.03.16 - 18th May 2022
Fix segfault when handling selection with historical LVs.
Add support --vdosettings with lvcreate, lvconvert, lvchange.
Filtering multipath devices respects blacklist setting from multipath
configuration.
lvmdevices support for removing by device id using --deviceidtype and
--deldev.
Display writecache block size with lvs -o writecache_block_size.
Improve cachesettings description in man lvmcache.
Fix lossing of delete message on thin-pool extension.
Version 2.03.15 - 07th February 2022
Remove service based autoactivation. global/event_activation = 0 is NOOP.
Improve support for metadata profiles for --type writecache.
Use cache or active DM device when available with new kernels.
Introduce function to utilize UUIDs from DM_DEVICE_LIST.
Increase some hash table size to better support large device sets.
Version 2.03.14 - 20th October 2021
Device scanning is skipping directories on different filesystems.
Print info message with too many or too large archived files.
Reduce metadata readings during scanning phase.
Optimize computation of crc32 check sum with multiple PVs.
Enhance recover path on cache creation failure.
Filter out unsupported MQ/SMQ cache policy setting.
Fix memleak in mpath filter.
Support newer location for VDO statistics.
Add support for VDO async-unsafe write policy.
Improve lvm_import_vdo script.
Support VDO LV with lvcreate -ky.
Fix lvconvert for VDO LV bigger then 2T.
Create VDO LVs automatically without zeroing.
Rename vdoimport to lvm_import_vdo.
Version 2.03.13 - 11th August 2021
Changes in udev support:
- obtain_device_list_from_udev defaults to 0.
- see devices/external_device_info_source,
devices/obtain_device_list_from_udev, and devices/multipath_wwids_file help
in lvm.conf
Fix devices file handling of loop with deleted backing file.
Fix devices file handling of scsi_debug WWIDs.
Fix many static analysis issues.
Support --poolmetadataspare with vgsplit and vgmerge.
Fix detection of active components of external origin volume.
Add vdoimport tool to support conversion of VDO volumes.
Support configurable allocation/vdo_pool_header_size.
Fix handling of lvconvert --type vdo-pool --virtualsize.
Simplified handling of archive() and backup() internal calls.
Add 'idm' locking type for IDM lock manager.
Fix load of kvdo target when it is not present in memory (2.03.12).
Version 2.03.12 - 07th May 2021
Allow attaching cache to thin data volume.
Fix memleak when generating list of outdated pvs.
Better hyphenation usage in man pages.
Replace use of deprecated security_context_t with char*.
Configure supports AIO_LIBS and AIO_CFLAGS.
Improve build process for static builds.
New --setautoactivation option to modify LV or VG auto activation.
New metadata based autoactivation property for LVs and VGs.
Improve signal handling with lvmpolld.
Signal handler can interrupt command also for SIGTERM.
Lvreduce --yes support.
Add configure option --with/out-symvers for non-glibc builds.
Report error when the filesystem is missing on fsadm resized volume.
Handle better blockdev with --getsize64 support for fsadm.
Do not include editline/history.h when using editline library.
Support error and zero segtype for thin-pool data for testing.
Support mixed extension for striped, error and zero segtypes.
Support resize also for stacked virtual volumes.
Skip dm-zero devices just like with dm-error target.
Reduce ioctl() calls when checking target status.
Merge polling does not fail, when LV is found to be already merged.
Poll volumes with at least 100ms delays.
Do not flush dm cache when cached LV is going to be removed.
New lvmlockctl_kill_command configuration option.
Support interruption while waiting on device close before deactivation.
Flush thin-pool messages before removing more thin volumes.
Improve hash function with less collisions and make it faster.
Reduce ioctl count when deactivating volumes.
Reduce number of metadata parsing.
Enhance performance of lvremove and vgremove commands.
Support interruption when taking archive and backup.
Accelerate large lvremoves.
Speedup search for cached device nodes.
Speedup command initialization.
Add devices file feature, off by default for now.
Support extension of writecached volumes.
Fix problem with unbound variable usage within fsadm.
Fix IMSM MD RAID detection on 4k devices.
Check for presence of VDO target before starting any conversion.
Support metatadata profiles with volume VDO pool conversions.
Support -Zn for conversion of already formated VDO pools.
Avoid removing LVs on error path of lvconvert during creation volumes.
Fix crashing lvdisplay when thin volume was waiting for merge.
Support option --errorwhenfull when converting volume to thin-pool.
Improve thin-performance profile support conversion to thin-pool.
Add workaround to avoid read of internal 'converted' devices.
Prohibit merging snapshot into the read-only thick snapshot origin.
Restore support for flipping rw/r permissions for thin snapshot origin.
Support resize of cached volumes.
Disable autoactivation with global/event_activation=0.
Check if lvcreate passes read_only_volume_list with tags and skips zeroing.
Allocation prints better error when metadata cannot fit on a single PV.
Pvmove can better resolve full thin-pool tree move.
Limit pool metadata spare to 16GiB.
Improves conversion and allocation of pool metadata.
Support thin pool metadata 15.88GiB, adds 64MiB, thin_pool_crop_metadata=0.
Enhance lvdisplay to report raid available/partial.
Support online rename of VDO pools.
Improve removal of pmspare when last pool is removed.
Fix problem with wiping of converted LVs.
Fix memleak in scanning (2.03.11).
Fix corner case allocation for thin-pools.
Version 2.03.11 - 08th January 2021
Fix pvck handling MDA at offset different from 4096.
Partial or degraded activation of writecache is not allowed.
Enhance error handling for fsadm and handle correct fsck result.
Dmeventd lvm plugin ignores higher reserved_stack lvm.conf values.
Support using BLKZEROOUT for clearing devices.
Support interruption when wipping LVs.
Support interruption for bcache waiting.
Fix bcache when device has too many failing writes.
Fix bcache waiting for IO completion with failing disks.
Configure use own python path name order to prefer using python3.
Add configure --enable-editline support as an alternative to readline.
Enhance reporting and error handling when creating thin volumes.
Enable vgsplit for VDO volumes.
Lvextend of vdo pool volumes ensure at least 1 new VDO slab is added.
Use revert_lv() on reload error path after vg_revert().
Configure --with-integrity enabled.
Restore lost signal blocking while VG lock is held.
Improve estimation of needed extents when creating thin-pool.
Use extra 1% when resizing thin-pool metadata LV with --use-policy.
Enhance --use-policy percentage rounding.
Configure --with-vdo and --with-writecache as internal segments.
Improving VDO man page examples.
Allow pvmove of writecache origin.
Report integrity fields.
Integrity volumes defaults to journal mode.
Switch code base to use flexible array syntax.
Fix 64bit math when calculation cachevol size.
Preserve uint32_t for seqno handling.
Switch from mmap to plain read when loading regular files.
Update lvmvdo man page and better explain DISCARD usage.
Version 2.03.10 - 09th August 2020
Add writecache and integrity support to lvmdbusd.
Generate unique cachevol name when default required from lvcreate.
Converting RAID1 volume to one with same number of legs now succeeds with a
warning.
Fix conversion to raid from striped lagging type.
Fix conversion to 'mirrored' mirror log with larger regionsize.
Zero pool metadata on allocation (disable with allocation/zero_metadata=0).
Failure in zeroing or wiping will fail command (bypass with -Zn, -Wn).
Add lvcreate of new cache or writecache lv with single command.
Fix running out of free buffers for async writing for larger writes.
Add integrity with raid capability.
Fix support for lvconvert --repair used by foreign apps (i.e. Docker).
Version 2.03.09 - 26th March 2020
Fix formatting of vdopool (vdo_slab_size_mb was smaller by 2 bits).
Fix showing of a dm kernel error when uncaching a volume with cachevol.
Version 2.03.08 - 11th February 2020
Prevent problematic snapshots of writecache volumes.
Add error handling for failing allocation in _reserve_area().
Fix memleak in syncing of internal cache.
Fix pvck dump_current_text memleak.
Fix lvmlockd result code on error path for _query_lock_lv().
Update pvck man page and help output.
Reject invalid writecache high/low_watermark setting.
Report writecache status.
Accept more output lines from vdo_format.
Prohibit reshaping of stacked raid LVs.
Avoid running cache input arg validation when creating vdo pool.
Prevent raid reshaping of stacked volumes.
Added VDO lvmdbusd methods for enable/disable compression & dedupe.
Added VDO lvmdbusd method for converting LV to VDO pool.
Version 2.03.07 - 30th November 2019
Subcommand in vgck for repairing headers and metadata.
Ensure minimum required region size on striped RaidLV creation.
Fix resize of thin-pool with data and metadata of different segtype.
Improve mirror type leg splitting.
Improve error path handling in daemons on shutdown.
Fix activation order when removing merged snapshot.
Experimental VDO support for lvmdbusd.
Version 2.03.06 - 23rd October 2019
Add _cpool suffix to cache-pool LV name when used by caching LV.
No longer store extra UUID for cmeta and cdata cachevol layer.
Enhance activation of cache devices with cachevols.
Add _cvol in list of protected suffixes and start use it with DM UUID.
Rename LV converted to cachevol to use _cvol suffix.
Use normal LVs for wiping of cachevols.
Reload cleanered cache DM only with cleaner policy.
Fix cmd return when zeroing of cachevol fails.
Extend lvs to show all VDO properties.
Preserve VDO write policy with vdopool.
Increase default vdo bio threads to 4.
Continue report when cache_status fails.
Add support for DM_DEVICE_GET_TARGET_VERSION into device_mapper.
Fix cmirrord usage of header files from device_mapper subdir.
Allow standalone activation of VDO pool just like for thin-pools.
Activate thin-pool layered volume as 'read-only' device.
Ignore crypto devices with UUID signature CRYPT-SUBDEV.
Enhance validation for thin and cache pool conversion and swapping.
Improve internal removal of cached devices.
Synchronize with udev when dropping snapshot.
Add missing device synchronization point before removing pvmove node.
Correctly set read_ahead for LVs when pvmove is finished.
Remove unsupported OPTIONS+="event_timeout" udev rule from 11-dm-lvm.rules.
Prevent creating VGs with PVs with different logical block sizes.
Fix metadata writes from corrupting with large physical block size.
Version 2.03.05 - 15th June 2019
Fix command definition for pvchange -a.
Add vgck --updatemetadata command that will repair metadata problems.
Improve VG reading to work if one good copy of metadata is found.
Report/display/scan commands that read VGs will no longer write/repair.
Move metadata repairs from VG reading to VG writing.
Add config setting md_component_checks to control MD component checks.
Add end of device MD component checks when dev has no udev info.
Version 2.03.04 - 10th June 2019
Remove unused_duplicate_devs from cmd causing segfault in dmeventd.
Version 2.03.03 - 07th June 2019
Report no_discard_passdown for cache LVs with lvs -o+kernel_discards.
Add pvck --dump option to extract metadata.
Fix signal delivery checking race in libdaemon (lvmetad).
Add missing Before=shutdown.target to LVM2 services to fix shutdown ordering.
Skip autoactivation for a PV when PV size does not match device size.
Remove first-pvscan-initialization which should no longer be needed.
Add remote refresh through lvmlockd/dlm for shared LVs after lvextend.
Ignore foreign and shared PVs for pvscan online files.
Add config setting to control fields in debug file and verbose output.
Add command[pid] and timestamp to debug file and verbose output.
Fix missing growth of _pmsmare volume when extending _tmeta volume.
Automatically grow thin metadata, when thin data gets too big.
Add synchronization with udev before removing cached devices.
Add support for caching VDO LVs and VDOPOOL LVs.
Add support for vgsplit with cached devices.
Query mpath device only once per command for its state.
Use device INFO instead of STATUS when checking for mpath device uuid.
Change default io_memory_size from 4 to 8 MiB.
Add config setting io_memory_size to set bcache size.
Fix pvscan autoactivation for concurrent pvscans.
Change scan_lvs default to 0 so LVs are not scanned for PVs.
Thin-pool selects power-of-2 chunk size by default.
Cache selects power-of-2 chunk size by default.
Support reszing for VDOPoolLV and VDOLV.
Improve -lXXX%VG modifier which improves cache segment estimation.
Ensure migration_threshold for cache is at least 8 chunks.
Restore missing man info lvcreate --zero for thin-pools.
Drop misleadning comment for metadata minimum_io_size for VDO segment.
Add device hints to reduce scanning.
Introduce LVM_SUPPRESS_SYSLOG to suppress syslog usage by generator.
Fix generator quering lvmconfig unpresent config option.
Fix memleak on bcache error path code.
Fix missing unlock on lvm2 dmeventd plugin error path initialization.
Improve Makefile dependency tracking.
Move VDO support towards V2 target (6.2) support.
Version 2.03.02 - 18th December 2018
Fix missing proper initialization of pv_list struct when adding pv.
Fix (de)activation of RaidLVs with visible SubLVs.
Prohibit mirrored 'mirror' log via lvcreate and lvconvert.
Use sync io if async io_setup fails, or use_aio=0 is set in config.
Fix more issues reported by coverity scan.
Version 2.03.01 - 31st October 2018
Version 2.03.00 - 10th October 2018
Add hot fix to avoiding locking collision when monitoring thin-pools.
Allow raid4 -> linear conversion request.
Fix lvconvert striped/raid0/raid0_meta -> raid6 regression.
Add 'lvm2-activation-generator:' prefix for kmsg messages logged by generator.
Add After=rbdmap.service to {lvm2-activation-net,blk-availability}.service.
Reduce max concurrent aios to avoid EMFILE with many devices.
Fix lvconvert conversion attempts to linear.
Fix lvconvert raid0/raid0_meta -> striped regression.
Fix lvconvert --splitmirror for mirror type (2.02.178).
Do not pair cache policy and cache metadata format.
lvconvert: reject conversions on raid1 LVs with split tracked SubLVs
lvconvert: reject conversions on raid1 split tracked SubLVs
Add basic creation support for VDO target.
Never send any discard ioctl with test mode.
Fix thin-pool alloc which needs same PV for data and metadata.
Extend list of non-memlocked areas with newly linked libs.
Enhance vgcfgrestore to check for active LVs in restored VG.
Configure supports --disable-silent-rules for verbose builds.
Fix unmonitoring of merging snapshots.
Cache can uses metadata format 2 with cleaner policy.
Fix check if resized PV can also fit metadata area.
Avoid showing internal error in lvs output or pvmoved LVs.
Remove clvmd
Remove lvmlib (api)
Remove lvmetad
Use versionsort to fix archive file expiry beyond 100000 files.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:17 +0000 (19:53 +0200)]
libxml2: Update to version 2.11.1
- Update from version 2.10.3 to 2.11.1
- Update of rootfile
- Changelog
There were two CVE's in version 2.10.4
v2.11.1: Apr 30 2023
Fixes build and ABI issues.
- cmake: Fix va_copy detection (Luca Niccoli)
- libxml.m4: Fix quoting
- Link with --undefined-version
- libxml2.syms: Revert removal of version information
v2.11.0: Apr 28 2023
### Major changes
Protection against entity expansion attacks, also known as "billion laughs"
has been greatly improved. Malicious files should be detected reliably now
and false positives should be reduced. It is possible though that large
documents which make heavy use of entities are rejected now.
This release finally fixes symbol visibility on UNIX systems. Internal
symbols will now be hidden. While these symbols were never declared in public
headers, it was still possible to declare them manually. Now this won't work.
All symbol information has been removed from the ELF version script to fix
link errors with --no-undefined-version. The version nodes are kept so it
should still be possible to run binaries linked against older versions.
About 90 memory errors in code paths handling malloc failures have been fixed.
While these issues shouldn't impact security, this improves robustness under
memory pressure.
The XInclude engine has been reworked to properly support nested includes.
Several cases of quadratic behavior in the XML push parser have been fixed.
Refactoring has begun on some buffering and encoding code with the goal of
simplifying this part of the code base and improving error reporting.
Other highlights:
- Consolidated private header files.
- Major rework of the autoconf build.
- Deprecated several outdated and internal functions.
Special thanks to Google's Open Source Security Subsidies program for
sponsoring much of the work on this release!
Ongoing work on libxml2 relies on funding. For a list of important open
issues see <https://gitlab.gnome.org/GNOME/libxml2/-/issues/507>
### Security
- Fix use-after-free in xmlParseContentInternal() (David Kilzer)
- xmllint: Fix use-after-free with --maxmem
- parser: Fix OOB read when formatting error message
- entities: Rework entity amplification checks
### Regressions
- parser: Fix regression in xmlParserNodeInfo accounting
### Bug fixes
- Fix memory errors in code handling malloc failures
- encoding: Fix error code in asciiToUTF8
- xpath: number('-') should return NaN
- xmlParseStartTag2() contains typo when checking for default definitions for
an attribute in a namespace (David Kilzer)
- uri: Fix handling of port numbers
- error: Make sure that error messages are valid UTF-8
- xinclude: Fix nested includes
### Improvements
- xmllint: Validate --maxmem integer option
- xmlValidatePopElement() can return invalid value (-1) (David Kilzer)
- parser: Rework EBCDIC code page detection
- parser: Limit name length in xmlParseEncName
- parser: Rework shrinking of input buffers
- html: Rely on CUR_CHAR to grow the input buffer
- parser: Rely on CUR_CHAR/NEXT to grow the input buffer
- valid: Make xmlValidateElement non-recursive
- html: Fix quadratic behavior in htmlParseTryOrFinish
- xmllint: Fix memory leak with --pattern --stream
- parser: Stop calling xmlParserInputShrink
- html: Impose some length limits
- valid: Allow xmlFreeValidCtxt(NULL)
- parser: Stop calling xmlParserInputGrow
- xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt
- xinclude: Abort immediately if max depth was exceeded
- xpath: Only report the first error
- error: Don't move past current position
- error: Limit number of parser errors
- parser: Lower entity nesting limit with XML_PARSE_HUGE
- parser: Don't increase depth twice when parsing internal entities
- parser: Improve detection of entity loops
- parser: Only report a single entity error
- libxml.h: Remove dubious definition of LIBXML_STATIC
- html: Improve parsing of nested lists
- memory: Don't use locks in xmlMemUsed
- encoding: Remove unused variable xmlDefaultCharEncodingHandler
- Rework initialization code
- Add .editorconfig
- parser: Merge misc, prolog and epilog cases in push parser
- parser: Fix 'consumed' accounting when switching encodings
- html: Fix check for end of comment in push parser
- parser: Fix push parser with 1-3 byte initial chunk
- parser: Rewrite push parser boundary checks
- reader: Switch to xmlParserInputBufferCreateMem
- html: Don't escape ASCII chars in href attributes
- io: Don't shrink memory input buffers
- parser: Don't call xmlSHRINK from push parser
- parser: Ignore cdata argument in xmlParseCharData
- parser: Rework push parser parser progress checks
- io: Fix a few integer overflows in I/O statistics
- io: Rework xmlParserInputBufferGrow with encodings
- io: Remove xmlInputReadCallbackNop
- io: Check for memory buffer early in xmlParserInputGrow
- parser: Fix error message in xmlParseCommentComplex
- Bypass proxy in nanoHTTP for hosts in "no_proxy" (Markus Jörg)
- schemas: Fix infinite loop in xmlSchemaCheckElemSubstGroup
- threads: Remove check for pthread_equal
- xinclude: Rework XInclude cache
- xinclude: Remove inefficient refcounting scheme
- xmllint: Improve handling of empty XPath node sets
- parser: Fix potential memory leak in xmlParseAttValueInternal
- error: Don't use initGenericErrorDefaultFunc
- xpath: Lower XPath recursion limit on Windows
- Stop including sys/types.h
- Don't define WIN32 macro
- Make xmlNewSAXParserCtx take a const sax handler
- Consolidate private header files
- Remove internal macros from parserInternals.h
- Move some HTML functions to correct header file
- xmllint: Stop calling xmlSAXDefaultVersion
- Introduce xmlNewSAXParserCtxt and htmlNewSAXParserCtxt
- Don't mess with parser options in htmlParseDocument
- Remove useless call to htmlDefaultSAXHandlerInit
- Remove htmlDefaultSAXHandler from non-SAX1 build
- Don't initialize SAX handler in htmlReadMemory
- Fix htmlReadMemory mixing up XML and HTML functions
- Don't use default SAX handler to report unrelated errors
- Create stream with buffer in xmlNewStringInputStream
- xmlcatalog: Fix memory leaks
### Code quality
- xzlib: Fix implicit sign change in xz_open
- parser: Simplify calculation of available buffer space
- parser: Use size_t when subtracting input buffer pointers
- parser: Check for integer overflow when updating checkIndex
- xpath: Fix harmless integer overflow in xmlXPathTranslateFunction
- schematron: Use logical and
- relaxng: Remove useless if statement
- schemas: Remove useless if statement
- pattern: Merge identical branches
- regexp: Add sanity check in xmlRegCalloc2
- regexp: Simplify xmlRegAtomPush
- encoding: Cast toupper argument to unsigned char
- uri: Add explicit cast in xmlSaveUri
- buf: Fix return value of xmlBufGetInputBase
- parser: Fix integer overflow of input ID
- parser: Remove useless ent->etype test in xmlParseReference
- parser: Remove useless ent->children tests in xmlParseReference
- xmlmemory.c: Remove xmlMemContentShow
- libxml.h: Add comments and indentation
- libxml.h: Don't include stdio.h
- xmlexports.h: Disable docs for internal macro XMLPUBLIC
- parser: Simplify xmlParseConditionalSections
- io: Rearrange code in xmlSwitchInputEncodingInt
- warnings: Fix -Wstrict-prototypes warning
- warnings: Remove set-but-unused variables
- Fix compiler warnings in SAX2.c
- Fix unused variable warning in python/types.c
- Fix compiler warning in examples
- Fix compiler warnings in fuzzing code
- Remove unused code in nanohttp.c
- Remove or annotate char casts
- Don't use sizeof(xmlChar) or sizeof(char)
- Remove explicit integer casts
### Deprecations
- parser: Deprecate more internal functions
- parser: Deprecate some parser input functions
- parser: Deprecate xmlString*DecodeEntities
- threads: Deprecate some internal functions
- buf: Deprecate static/immutable buffers
- Deprecate internal parser functions
- Deprecate old HTML SAX API
- Generate deprecation warnings for old SAX API
- Mark more functions setting globals as deprecated
- Mark more parser functions as deprecated
- Mark most SAX1 functions as deprecated
- Deprecate some global variables
### Portability
- autoconf: Warn about outdated C compilers
- win32: Remove broken libxml2.def.src
- Remove symbols from version script
- catalog.c: Silence a cast warning on VS 2022 (Lukáš Tyrychtr)
- libxml.h: Remove ancient LynxOS setup
- Use python3 not python (Ross Burton)
- xstc/fixup-tests.py: port to Python 3 (Ross Burton)
- xstc/fixup-tests.py: unify whitespace (Ross Burton)
- Remove hacky heuristic from b2dc5675 (Alex Richardson)
- Avoid creating an out-of-bounds pointer by rewriting a check
(Alex Richardson)
- Hide internal functions
- Correctly relocate internal pointers after realloc() (Alex Richardson)
- Visual Studio builds: Allow silencing deprecation warnings (Chun-wei Fan)
- Visual Studio: Define XML_DEPRECATED (Chun-wei Fan)
- xmllint: Include <io.h> on Windows
- warnings: Work around MSVC bug
- sources: Silence C4013 warnings on Visual Studio (Chun-wei Fan)
- python/setup.py.in: Improve Windows import patching (Chun-wei Fan)
- python: Create .pyd on Windows
- Fix Python build on Windows
- Fix Windows compiler warnings in python/types.c
- Fix libxml_PyFileGet
- Remove BeOS support
- Fix libxml_PyFileGet with stdout on macOS
- Migrate from PyEval_ to PyObject_
- Port build_glob.py to Python 3
- Port genChRanges.py to Python 3
- xmlexports.h: Remove LIBXML_FASTCALL optimization
- Remove XMLCALL and XMLCDECL macros from public headers
- Remove XMLDECL macro from .c files
### Build systems
- cmake: Link against `dl` and `dld` only when `LIBXML2_WITH_MODULES` is
enabled (Alexander Kutelev)
- autotools: Fix make distcheck
- Remove RPM build, Makefile.tests, README.tests
- libxml.m4: deprecate AM_PATH_XML2, wrap PKG_CHECK_MODULES instead
(Ross Burton)
- libxml.m4: fix -Wstrict-prototypes (Sam James)
- cmake: Build static library with -DLIBXML_STATIC
- autotools: Don't use version script on Windows
- autotools: Fix winsock detection
- autotools: Only add network libraries if HTTP/FTP enabled
- autotools: Disable parallel Python build
- python: Don't output missing generators during build
- build: Remove check for broken ss_family
- http: Simplify IPv6 checks
- autotools: Fix network checks on Windows
- Fix detection of GNU libiconv
- cmake: Fix Python installation
- cmake: Don't check for Python 2
- configure.ac: Also check for MSYS host
- Improve network library detection
- Detect ws2_32 with AC_SEARCH_LIBS
- Rework network configure checks
- Remove arg cast configure checks
- Fix dlopen check
- Remove HAVE_WIN32_THREADS configuration flag
- Rework dlopen and pthread detection
- Fix test in configure.ac
- cmake: Enable GCC compiler warnings
- Always link with -no-undefined
- Use AM_CFLAGS and AM_LDFLAGS consistently
- Remove -Wredundant-decls
- Call AC_CHECK_* with multiple arguments
- configure.ac: Remove checks for unused programs
- Rework library detection in configure.ac
- Rearrange configure.ac
- Consolidate zlib and lzma detection
- Remove "runtime debugging"
- Consolidate simple API modules in configure.ac
- Fix dependency resolution in configure.ac
- Fix --with-valid --without-regexps build
- Fix --with-schemas --without-xpath build
- Don't build unneeded .c source files
- Move xmlIsXHTML to tree.c
- Cleanup distribution settings in Makefile.am
- Also clean *.pyc files for Python 2
- Don't distribute libxml2.spec
### Tests
- testchar: Add test for memory pull parser with encoding
- fuzz: Also test init function of URI fuzzer
- fuzz: Separate fuzzer for DTD validation
- gitlab-ci: Enable all "integer" sanitizers
- fuzz: Inject random malloc failures
- fuzz: Support variable integer sizes in fuzz data
- fuzz: Fix duplicate detection in fuzzEntityRecorder
- fuzz: Set filename in xmlFuzzEntityLoader
- fuzz: Allow xmlFuzzReadString(NULL)
- fuzz: Fix Makefile dependencies
- fuzz: Add test/recurse to seed corpus
- fuzz: Add separate XInclude fuzzer
- runsuite: Some errors are expected
- testrecurse: Test entity expansion stats
- testapi.c: Initialize catalog early
- gentest.py: Fix memory leak in API tests
- tests: Enable "runsuite" test
- python/tests/reader2: use absolute paths everywhere (Ross Burton)
- python/tests/reader2: always exit(1) if a test fails (Ross Burton)
- testModule: exit if the module can't be opened (Ross Burton)
- CI: disable modules in gcc:static build (Ross Burton)
- CI: fix CI on MinGW builds (Ross Burton)
- python: Fix memory leak checks
- tests: Check that xmlInitParser doesn't allocate memory
- tests: Fix use-after-free in Python tests
- tests: Remove unneeded #includes
- gitlab-ci: Make Test-Msvc exit if ctest fails
- gitlab-ci: Treat compiler warnings as errors on MSVC
- test: Add test for push parser boundaries
- gitlab-ci: Upgrade image to Ubuntu 22.10, reenable MSan
- gitlab-ci: Reenable LeakSanitizer
- gitlab-ci: Fix llvm-symbolizer
- xinclude: Don't create result doc for test with errors
- xinclude: Also test error messages
- gitlab-ci: Allow cast-align warnings from clang
- gitlab-ci: Fix tar invocation
- gitlab-ci: Move MSVC test to separate script
- gitlab-ci: Fix SUFFIX, remove MINGW_PATH
- gitlab-ci: Consolidate CMake test scripts
- gitlab-ci: Only install MinGW autotools if needed
- gitlab-ci: Only install cmake MinGW package if needed
- gitlab-ci: Install 7-Zip using the .msi
- Use $MSYSTEM and 'bash -lc' in MinGW CI
- Add CI job for MinGW/Autotools
- Consolidate CI scripts
- Allow empty MINGW_PACKAGE_PREFIX
- Move Dockerfile to .gitlab-ci directory
- testapi: Disable on Windows for now
- Disable fuzzer tests if glob.h wasn't found
- Move automata test to runtest.c
- Fix testapi when building --without-sax1
# Documentation
- doc: Remove ancient files
- Remove ancient TODOs
- html: Fix htmlInitAutoClose documentation
- doc: Mention new location of XML catalog as breaking change
- doc: Mention potentially breaking changes in NEWS
- doc: Remove xmlDllMain from documentation and version script
- doc: Mention ${sysconfdir} in man pages
- doc: Document xmlcatalog --convert
- doc: Document xmllint --nodict and --pedantic
- doc: Fix indentation in source XML files
- xmllint: Document --quiet option
- Improve cross-references in API docs
- Improve documentation of globals
- Fix documentation parser
- Support comments for global variables in documentation
- Fix update call in apibuild.py
- Don't index anything in DOC_DISABLE sections
- Fix warnings from apibuild.py
- Start with documentation for maintainers
v2.10.4: Apr 11 2023
### Security
- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
### Regressions
- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:15 +0000 (19:53 +0200)]
iproute2: Update to version 6.3.0
- Update from version 6.2.0 to 6.3.0
- Update of rootfile not required
- Changelog can only be reviewed by looking at the commits in the git repo
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Tue, 2 May 2023 17:53:14 +0000 (19:53 +0200)]
harfbuzz: Update to version 7.2.0
- Update from version 7.0.1 to 7.2.0
- Update of rootfile
- Changelog
Overview of changes leading to 7.2.0
- Add Tifinagh to the list of scripts that can natively be either right-to-left
or left-to-right, to improve handling of its glyph positioning.
(Simon Cozens)
- Return also single substitution from hb_ot_layout_lookup_get_glyph_alternates()
(Behdad Esfahbod)
- Fix 4.2.0 regression in applying across syllables in syllabic scripts.
(Behdad Esfahbod)
- Add flag to avoid glyph substitution closure during subsetting, and the
corresponding “--no-layout-closure” option to “hb-subset” command line tool.
(Garret Rieger)
- Support instancing COLRv1 table. (Qunxin Liu)
- Don’t drop used user-defined name table entries during subsetting.
(Qunxin Liu)
- Optimize handling of “gvar” table. (Behdad Esfahbod)
- Various subsetter bug fixes and improvements. (Garret Rieger, Qunxin Liu)
- Various documentation improvements. (Behdad Esfahbod, Josef Friedrich)
- New API:
+HB_SUBSET_FLAGS_NO_LAYOUT_CLOSURE
+HB_UNICODE_COMBINING_CLASS_CCC132
- Deprecated API:
+HB_UNICODE_COMBINING_CLASS_CCC133
Overview of changes leading to 7.1.0
- New experimental hb_shape_justify() API that uses font variations to expand
or shrink the text to a given advance. (Behdad Esfahbod)
- Various build and bug fixes. (Behdad Esfahbod, Garret Rieger, Qunxin Liu)
- New API:
+hb_font_set_variation()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Jon Murphy [Wed, 26 Apr 2023 20:37:13 +0000 (15:37 -0500)]
dbus: Fixes Bug#13094 - Check for existing user before `useradd`
- The dbus install.sh script useradd command causes an error:
"failed adding user 'messagebus', exit code: 9"
- This patch adds a check to only do the useradd if the user does not exist.
- See the bump PAK_VER for dbus that Adolf publised. See this patch:
https://lists.ipfire.org/pipermail/development/2023-April/015816.html
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 26 Apr 2023 12:32:29 +0000 (14:32 +0200)]
dbus: Fixes Bug#13094 - dbus daemon continues running after uninstall
- The uninstall.sh script had stop_service ${NAME} but the package name is dbus while the
initscript is named messagebus. Therefore the stop_service never stops the dbus daemon.
- This patch changes the line to stop_service messagebus
- The install.sh script already has start_service messagebus
- Bump PAK_VER for dbus
Fixes: Bug#13094 Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 26 Apr 2023 12:32:28 +0000 (14:32 +0200)]
cups: Fixes Bug#12924 - Can't access https pages in cups
- Version 2.4.2 had some bugs that caused the self signed certificates to not be read or
created properly. The two involved bug fix patches are applied in this submission.
- Corrected the configure options related to avahi and TLS. Using Openssl for the TLS.
- Built .ipfire package installed into vm testbed and tested. With existing 2.4.2
any https pages come up with an error for the secure connection. With this version
the https admin page opens up and config file was able to be successfully modified
via it.
Fixes: Bug#12924 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Adolf Belka [Wed, 19 Apr 2023 12:31:41 +0000 (14:31 +0200)]
sdl2: Update to version 2.26.5
- Update from version 2.26.4 to 2.26.5
- Update of rootfile
- Changelog
2.26.5
The minimum deployment target on macOS is now 10.11, due to changes in the
latest Xcode update
Fixed incorrect modifier keys handling on macOS
Fixed occasional duplicate controller visible on macOS
Fixed handling of third party PS4 controller input reports
Added support for the trigger buttons on the Victrix Pro FS for PS5
Added mapping for Flydigi Vader 2 with the latest firmware (6.0.4.9)
Added mapping for DualSense Edge Wireless Controller on Linux
Added mapping for Hori Pokken Tournament DX Pro Pad
Improved the speed and quality of audio resampling
Fixed crash on Linux if dbus can't be initialized
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
projects / people / ms / ipfire-2.x.git / log
