Adolf Belka [Thu, 28 Sep 2023 10:37:01 +0000 (12:37 +0200)]
libslirp: Add the slirp library as this is required for the net user backend in qemu
- Looking through some of the changelog and some mail list communications it looks like
qemu decided they did noty want to maintain their own bundled version of libslirp when
the majority of OS's had their own version now in place. Ubuntu 18.04 did not have
libslirp but qemu stopped supporting that version from qemu-7.1
- So it looks like all OS's have a standard libslirp available now and qemu have taken
the decision to no longer have their own version but to use the system version. That
was always possible to do if use of the system version was explicitly defined but
the default was to use the bundled version.
- No evidence that libslirp is deprecated.
- The last version of libslirp was released a year ago but it looks like every month or
so there are a couple of commits merged. The last was a month ago.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 28 Sep 2023 10:36:59 +0000 (12:36 +0200)]
qemu: Update to version 8.1.1 and add libslirp for net user backend
- Update from version 8.0.3 to 8.1.1
- In CU179 the update of qemu caused at least one user to have a problem starting his
qemu system as the qemu bundled slirp library used for the net user backend was removed
in version 7.2. Unfortunately no user tested qemu in the CU179 Testing phase, or if they
did they are not using the net user backend.
- This patch adds the --enable-slirp option to configure and installs libslirp in a
separate patch.
- I can't test if this now works as I don't use qemu anywhere.
- Changelog is too large to include here.
8.1
https://wiki.qemu.org/ChangeLog/8.1
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 26 Sep 2023 14:07:01 +0000 (16:07 +0200)]
urlfilter.cgi: Fixes bug#10649 - calls urlfilterctrl with remove option if update disabled
- When the url filter update enable checkbox is unchecked then this patch calls
urlfilterctrl with the remove option added in the otrher patch of this series.
- Tested on my vm testbed that this change does remove the urlfilter symlink from the
fcron directories when the update is disabled.
Fixes: Bug#10649 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 26 Sep 2023 14:07:00 +0000 (16:07 +0200)]
urlfilterctrl: Fix bug#10649 - add option to remove urlfilter from fcron directories
- Currently if the urlfilter update is enabled then autoupdate.pl is renamed urlfilter and
added into either the daily, weekly or monthly fcron directoiries. If the update is
disabled then the urlfilter update script stays in the directory and is not removed.
- This patch adds in the option of remove to the urlfilterctrl program. The first part
of the urlfilterctrl.c code removes any existing symlinks so all that needs to be done
for the remove option is to not add any symlinks to the fcron directories.
- Confirmed in a vm testbed that the current approach leaves the symlink in place. Installed
the changes from this and the previous patch and confirmed that when the url update is
disabled the symlink is removed.
Fixes: Bug#10649 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Sep 2023 16:41:56 +0000 (18:41 +0200)]
update.sh: Adds code to update an existing ovpnconfig with pass or no-pass
- The code checks first if ovpnconfig exists and is not empty.
- Then it makes all net2net connections no-pass since they do not use encryption
- Then it cycles through all .p12 files and checks with openssl if a password exists or not.
If a password is present then pass is added to index 41 and if not then no-pass is added
to index 41
- I had to add a blank line to the top of the ovpnconfig file otherwise the awk code
treated the first line as a blank line and missed it out of the update. This was the
problem that was discovered during the previous Testing Release evaluation.
Tested out this time with several existing entries both encrypted and insecure and with
additional entries of both added in afterwards and all connection entries were
maintained - road warrior and net2net.
- This code should be left in update.sh for future Core Updates in case people don't update
with Core Update 175 but leave it till later. This code works fine on code that already
has pass or no-pass entered into index 41 in ovpnconfig
Fixes: Bug#11048 Suggested-by: Erik Kapfer <ummeegge@ipfire.org> Suggested-by: Adolf Belka <adolf.belka@ipfire.org> Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Sep 2023 16:41:55 +0000 (18:41 +0200)]
web-user-interface: Addition of new icon for secure connection certificate download
- This uses a padlock icon from https://commons.wikimedia.org/wiki/File:Encrypted.png
- The license for this image is the following:-
This library is free software; you can redistribute it and/or modify it under the terms
of the GNU Lesser General Public License as published by the Free Software Foundation;
either version 2.1 of the License, or (at your option) any later version. This library
is distributed in the hope that it will be useful, but without any warranty; without
even the implied warranty of merchantability or fitness for a particular purpose. See
version 2.1 and version 3 of the GNU Lesser General Public License for more details.
- Based on the above license I believe it can be used by IPFire covered by the GNU General
Public License that is used for it.
- The icon image was made by taking the existing openvpn.png file and superimposing the
padlock icon on top of it as a 12x12 pixel format and naming it openvpn_encrypted.png
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Sep 2023 16:41:51 +0000 (18:41 +0200)]
ovpnmain.cgi: Fix for bug#11048 - insecure download icon shown for connections with a password
- At long last I have re-visited the patch submission for bug #11048 and fixed the issues
that caused the problems last time I evaluated it in Testing.
- The insecure package download icon is shown if entry 41 in /var/ipfire/ovpn/ovpnconfig
is set to no-pass. The code block on ovpnmain.cgi that deals with this checks if the
connection is a host and if the first password entry is a null. Then it adds no-pass
to ovpnconfig.
- The same block of code is also used for when he connection is edited. However at this
stage the password entry is back to null because the password value is only kept until
the connection has been saved. Therefore doing an edit results in the password value
being taken as null even for connections with a password.
- This fix enters no-pass if the connection type is host and the password is null, pass if
the connection type is host and the password has characters. If the connection type is
net then no-pass is used as net2net connections dop not have encrypted certificates.
- The code has been changed to show a different icon for unencrypted and encrypted
certificates.
- Separate patches are provided for the language file change, the provision of a new icon
and the code for the update.sh script for the Core Update to update all existing
connections, if any exist, to have either pass or no-pass in index 41.
- This patch set was a joint collaboration between Erik Kapfer and Adolf Belka
- Patch set, including the code for the Core Update 180 update.sh script has been tested
on a vm testbed
Fixes: Bug#11048 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Suggested-by: Adolf Belka <adolf.belka@ipfire.org> Suggested-by: Erik Kapfer <ummeegge@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.44/doc/arm/html/notes.html#notes-for-bind-9-16-44
Changes since 9.16.40:
9.16.44:
"Previously, sending a specially crafted message
over the control channel could cause the packet-parsing
code to run out of available stack memory, causing named
to terminate unexpectedly. This has been fixed. (CVE-2023-3341)"
9.16.43:
"Processing already-queued queries received over TCP could cause
an assertion failure, when the server was reconfigured at the
same time or the cache was being flushed. This has been fixed."
9.16.42:
"The overmem cleaning process has been improved, to prevent the
cache from significantly exceeding the configured max-cache-size
limit. (CVE-2023-2828)
A query that prioritizes stale data over lookup triggers a fetch
to refresh the stale data in cache. If the fetch is aborted for
exceeding the recursion quota, it was possible for named to enter
an infinite callback loop and crash due to stack overflow. This
has been fixed. (CVE-2023-2911)
Previously, it was possible for a delegation from cache to be
returned to the client after the stale-answer-client-timeout
duration. This has been fixed."
9.16.41:
"When removing delegations from an opt-out range, empty-non-terminal
NSEC3 records generated by those delegations were not cleaned up.
This has been fixed."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Security #6289: Crash in SMTP parser during parsing of email (6.0.x backport)
Security #6196: process exit in hyperscan error handling (6.0.x backport)
Security #6156: dcerpc: max-tx config parameter, also for UDP (6.0.x backport)
Bug #6285: community-id: Fix IPv6 address sorting not respecting byte order (6.0.x backport)
Bug #6248: Multi-tenancy: crash under test mode when tenant signature load fails (6.0.x backport)
Bug #6245: tcp: RST with data used in reassembly (6.0.x backport)
Bug #6236: if protocol dcerpc first packet type is Alter_context, it will not parse dcerpc (6.0.x backport)
Bug #6228: ips/af-packet: crash when copy-iface is the same as the interface (6.0.x backport)
Bug #6227: windows: lua script path truncated (6.0.x backport)
Bug #6226: Decode-events of IPv6 GRE are not triggered (6.0.x backport)
Bug #6224: base64: complete support for RFC2045 (6.0.x backport)
Bug #6220: Backport tenant_id conversion to uint32_t
Bug #6213: file.magic: rule reload can lead to crashes (6.0.x backport)
Bug #6193: smtp: Attachment not being md5 matched (6.0.x backport)
Bug #6192: smtp: use every byte to compute email.body_md5 (6.0.x backport)
Bug #6182: log-pcap: fix segfault on lz4 compressed pcaps (6.0.x backport)
Bug #6181: eve/alert: deprecated fields can have unexpected side affects (6.0.x backport)
Bug #6174: FTP bounce detection doesn't work for big-endian platforms (6.0.x backport)
Bug #6166: http2: fileinfo events log http2 object instead of http object as alerts and http2 do (6.0.x backport)
Bug #6139: smb: wrong offset when parse SMB_COM_WRITE_ANDX record (6.0.x backport)
Bug #6082: pcap: device reopen broken (6.0.x backport)
Bug #6068: pcap: memory leaks (6.0.x backport)
Bug #6045: detect: multi-tenancy leaks memory if more than 1 tenant registered (6.0.x backport)
Bug #6035: stream.midstream: if enabled breaks exception policy (6.0.x backport)
Bug #5915: rfb: parser returns error on unimplemented record types (6.0.x backport)
Bug #5794: eve: if alert and drop rules match for a packet, "alert.action" is ambigious (6.0.x backport)
Bug #5439: Invalid certificate when Issuer is not present.
Optimization #6229: Performance impact of Cisco Fabricpath (6.0.x backport)
Optimization #6203: detect: modernize filename fileext filemagic (6.0.x backport)
Optimization #6153: suricatasc: Gracefully handle unsupported commands (6.0.x backport)
Feature #6282: dns/eve: add 'HTTPS' type logging (6.0.x backport)
Feature #5935: ips: add 'master switch' to enable dropping on traffic (handling) exceptions (6.0.x backport)
Documentation #6234: userguide: add installation from Ubuntu PPA section (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
extrahd: use udev rule to mount extrahd partitions
the previous patches for
https://bugzilla.ipfire.org/show_bug.cgi?id=12863
introduce a new bug that slow devices are not mounted
at boot. So now udev calls the extrahd script with
the uuid.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Peter Müller [Thu, 14 Sep 2023 17:45:12 +0000 (17:45 +0000)]
Tor: Do not attempt to establish connections via IPv6
To quote from the changelog of Tor 0.4.8.4:
o Minor feature (client, IPv6):
- Make client able to pick IPv6 relays by default now meaning
ClientUseIPv6 option now defaults to 1. Closes ticket 40785.
In order to avoid any malfunctions on IPFire installations,
set this option to "0" explicitly.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Thu, 14 Sep 2023 17:45:11 +0000 (17:45 +0000)]
Tor: Update to 0.4.8.5
Changes in version 0.4.8.5 - 2023-08-30
Quick second release after the first stable few days ago fixing minor
annoying bugfixes creating log BUG stacktrace. We also fix BSD compilation
failures and PoW unit test.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 30, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/30.
o Minor bugfix (NetBSD, compilation):
- Fix compilation issue on NetBSD by avoiding an unnecessary
dependency on "huge" page mappings in Equi-X. Fixes bug 40843;
bugfix on 0.4.8.1-alpha.
o Minor bugfix (NetBSD, testing):
- Fix test failures in "crypto/hashx" and "slow/crypto/equix" on
x86_64 and aarch64 NetBSD hosts, by adding support for
PROT_MPROTECT() flags. Fixes bug 40844; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (conflux):
- Demote a relay-side warn about too many legs to ProtocolWarn, as
there are conditions that it can briefly happen during set
construction. Also add additional set logging details for all
error cases. Fixes bug 40841; bugfix on 0.4.8.1-alpha.
- Prevent non-fatal assert stacktrace caused by using conflux sets
during their teardown process. Fixes bug 40842; bugfix
on 0.4.8.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:15 +0000 (19:30 +0200)]
sdl2: Update to version 2.28.3
- Update from version 2.28.1 to 2.28.3
- Update of rootfile
- Changelog
2.28.3
This is a stable bugfix release, with the following changes:
Added a gamepad mapping for the G-Shark GS-GP702
Fixed touchpad events for the Razer Wolverine V2 Pro in PS5 mode
Fixed getting key events from TV remotes on Android
Updated to Android minSdkVersion 19 and targetSdkVersion 34 to meet Google
Play Store requirements
2.28.2
This is a stable bugfix release, with the following changes:
Fixed occasionally failing to open the clipboard on Windows
Fixed crash at shutdown when using the D3D11 renderer
Fixed setting the viewport when using the D3D12 renderer
Fixed crash using SDL event functions before initializing SDL on Windows
Fixed Xbox controller trigger motion events on Windows
Fixed Xbox controller rumble in the background on Windows
Added the hint SDL_HINT_JOYSTICK_WGI to control whether to use
Windows.Gaming.Input for controllers
Fixed 8BitDo gamepad mapping when in XInput mode on Linux
Fixed controller lockup initializing some unofficial PS4 replica controllers
Fixed video initialization on headless Linux systems using VNC
Fixed large mouse jump when changing relative mouse mode on macOS
Fixed hardware keyboard text input on iPadOS
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:14 +0000 (19:30 +0200)]
samba: Update to version 4.19.0
- Update from version 2.18.5 to 2.19.0
- Update of rootfile for x86_64
- Changelog is too large to include here
4.19.0
See the WHATSNEW.txt file in the soiurce tarball
4.18.6
* BUG 15420: reply_sesssetup_and_X() can dereference uninitialized tmp
pointer.
* BUG 15430: Missing return in reply_exit_done().
* BUG 15289: post-exec password redaction for samba-tool is more reliable for
fully random passwords as it no longer uses regular expressions
containing the password value itself.
* BUG 9959: Windows client join fails if a second container CN=System exists
somewhere.
* BUG 15342: Spotlight sometimes returns no results on latest macOS.
* BUG 15417: Renaming results in NT_STATUS_SHARING_VIOLATION if previously
attempted to remove the destination.
* BUG 15427: Spotlight results return wrong date in result list.
* BUG 15414: "net offlinejoin provision" does not work as non-root user.
* BUG 15400: rpcserver no longer accepts double backslash in dfs pathname.
* BUG 15433: cm_prepare_connection() calls close(fd) for the second time.
* BUG 15346: 2-3min delays at reconnect with smb2_validate_sequence_number:
bad message_id 2.
* BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
* BUG 15446: DCERPC_PKT_CO_CANCEL and DCERPC_PKT_ORPHANED can't be parsed.
* BUG 15390: Python tarfile extraction needs change to avoid a warning
(CVE-2007-4559 mitigation).
* BUG 15435: Regression DFS not working with widelinks = true.
* BUG 9959: Windows client join fails if a second container CN=System exists
somewhere.
* BUG 15441: samba-tool ntacl get segfault if aio_pthread appended.
* BUG 15449: mdssvc: Do an early talloc_free() in _mdssvc_open().
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:13 +0000 (19:30 +0200)]
procps: Update to version v4.0.4
- Update from version v4.0.3 to v4.0.4
- Update of rootfile
- Removal of patch to fix build failures with gettext-0.22 as this has been incorporated
into the source tarball.
- Changelog
procps-ng-4.0.4
* library (API & ABI unchanged)
increment revision: 0:2:0
tolerates all potential 'cpuinfo' formats issue #272
restore the proper main thread tics valuations issue #280
Remove myself from proc count merge #193
Refactor the escape code Debian #1035649
* free: -L one line output issue #156
* pgrep: Use only --signal option for signal Debian #1031765
* pgrep: suppress >15 warning if using regex Debian #1037450
* pidof: Add -t option to show threads merge #190
* pmap: Reset totals between processes issue #298
* ps: fixed missing or corrupted fields with -m option Debian #1036631, issue #279
* ps: Fix buffer overflow in -C option CVE-2023-4016 Debian #1042887, issue #297
* ps: Add --signames to show signal names in masks merge #98
* sysctl: -N show names merge #198, RH #2222056
* tests: dont compare floats with == issue #271
* tests: skips tests if maps missing merge #197, Gentoo #583036
* top: bad command line arguments yield EXIT_FAILURE issue #273
* top: avoids keystroke induced '%Cpu' distortions
* top: includes VM (guest) tics in 'system' overhead issue #274
* top: includes VM (guest) tics with '!' toggle merge #179
* top: lessen summary cpu distortions on first display merge #180
* top: better backspace handling wtth line edits issue #278
* vmstat: Print guest time in non-wide mode
* w: Fix musl UT_HOSTSIZE issue
* watch: Add color support at compile time issue #296
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:12 +0000 (19:30 +0200)]
ncdu: Update to version 1.18.1
- Update from 1.17 to 1.18.1
- Update of rootfile not required
- Changelog
1.18.1 - 2023-02-12
- Fix build on non-Linux platforms
1.18 - 2022-12-06
- Fix 'dark-bg' color scheme to actually have a dark background
- Backport configuration file support from 2.x
- Backport many new CLI options from 2.x
- Negation of existing flags: --no-si, --no-confirm-quit, --no-follow-symlinks, --include-caches, --include-kernfs
- --[no-]extended in addition to -e
- --one-file-system and --cross-file-system in addition to -x
- --slow-ui-updates, --fast-ui-updates in addition to -q
- Column visibility options: --(show|hide)-(hidden|itemcount|mtime|graph|percent)
- Sorting: --sort, --[no-]group-directories-first
- Feature selection: --(enable|disable)-(shell|delete|refresh)
- Deletion confirmation: --[no-]confirm-delete
- Hidden file visibility: --show-hidden, --hide-hidden
- Size display: --apparent-size, --disk-usage
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:10 +0000 (19:30 +0200)]
libnl-3: Update to version 3.8.0
- Update from 3.5.0 to 3.8.0
- Update of rootfile
- Changelog is no longer provided. Changes are available by reviewing the github commits
https://github.com/thom311/libnl/commits/main
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20221030-3.1 to 20230828-3.1
- Update of rootfile
- Changelog
2023-08-28 Jess Thrysoee
* src/chartype.c: Add missing stdint.h
Reported by Rui Chen
2023-08-27 Jess Thrysoee
* all: sync with upstream source
See also NetBSD changelog:
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libedit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:08 +0000 (19:30 +0200)]
gzip: Update to version 1.13
- Update from version 1.12 to 1.13
- Update of rootfile not required
- Changelog
Noteworthy changes in release 1.13 (2023-08-19) [stable]
Changes in behavior
zless now diagnoses gzip failures, if using less 623 or later.
When SIGPIPE is ignored, gzip now exits with status 2 (warning)
instead of status 1 (error) when writing to a broken pipe. This is
more useful with programs like 'less' that treat gzip exit status 2
as a non-failure.
Bug fixes
'gzip -d' no longer fails to report invalid compressed data
that uses a dictionary distance outside the input window.
[bug present since the beginning]
Port to C23, which does not allow K&R-style function definitions
with parameters, and which does not define __alignas_is_defined.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 7 Sep 2023 17:30:06 +0000 (19:30 +0200)]
boost: Update to version 1_83_0
- Update from 1_81_0 to 1_83_0
- Update of rootfile for x86_64
- Changelog is a bit long to include here so providing links to the pages with changes
1_82_0
https://www.boost.org/users/history/version_1_82_0.html
1_83_0
https://www.boost.org/users/history/version_1_83_0.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 6 Sep 2023 13:41:59 +0000 (15:41 +0200)]
libgudev: Update to version 238
- Update from version 237 to 238
- Update of rootfile not required.
- With patches applied to eudev tarball, libgudev built without any problems. Testing
will need to focus on use of QMI to ensure that it executes with no problems with this
fix.
- Changelog
238:
* Fix newline stripping
* Add g_udev_device_get_current_tags()
* Add a number of tests, and devel docs
* Fix devhelp not being able to find the docs
* Skip locale test with locale isn't available
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 6 Sep 2023 13:41:58 +0000 (15:41 +0200)]
udev: Apply patches to update to version 251 and add dummies for current tags
- eudev-3.2.12 has udev version 243 and this causes the build of libgudev to fail as
it requires a newer version of udev.
- Just changing the version in eudev from 243 to 251 is insufficient as libgudev also
expects to see current tags which have been introduced in a more recent version of
systemd udev.
- Two patches applied from the eudev github issue #249 covering this problem.
- With the two patches applied libgudev built without any problems.
- Update to rootfile not required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 5 Sep 2023 19:48:38 +0000 (21:48 +0200)]
bacula: Update to version 11.0.6
- Update from version 9.6.7 to 11.0.6
- Update of rootfile
- Ran find-dependencies for the sobump. All libraries are only linked into bacula
- All of the versions from 9.6.7 to 11.0.6 and up to 13.0.3 have no bug fixes relatred to
the bacula-fd daemon. With bacula-fd running on a separate machine to the bacula-dir and
bacula-sd daemons, older versions of bacula-fd will work with no bug issues with a newer
bacula-dir and bacula-sd.
- If we put a very new version of bacula-fd on IPFire then it will not work with older
versions of bacula-dir and bacula-sd.
- A new feature in the bacula 11 series is that communication between daemons will
automatically use TLS if OpenSSL is installed on the machines running bacula.
Therefore having a bacula 11 based bacula-fd on IPFire will automatically, with no user
configuration required, use TLS for communication to the IPFire bacula-fd from the other
bacula daemons on other machines.
- This has been shown to automatically work between the bacula-fd daemons on my laptop and
desktop machines and the bacula-dir/bacula-sd on my server machine.
Currently communication between mu bacula-dir/bacuila-sd daemons and the IPFire bacula-fd
daemon communication is still unencrypted.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Tue, 29 Aug 2023 08:52:39 +0000 (10:52 +0200)]
network initscripts: Remove code for old zone scheme
A long time ago (2007) there were more config types possible then 1, 2, 3
and 4. As our installer currently only accepts config type out of the set
1, 2, 3 and 4 we do not need to check if our CONFIG_TYPE is in this set.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jonatan Schlag [Tue, 29 Aug 2023 08:52:38 +0000 (10:52 +0200)]
Use bash as shebang in network initscripts
/bin/sh is a symlink to /bin/bash on ipfire systems. Using /bin/sh in
the scripts as shebang hurts in two ways:
1. We use features which do not work with sh as shell. This is not
really a problem but if we rely on features of a real bash we can
state this clearly.
2. The syntay highlighting in vim does not work without a correct
shebang. As I want and need correct syntax highlighting I propose to
change the shebang.
Signed-off-by: Jonatan Schlag <jonatan.schlag@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:36 +0000 (12:17 +0200)]
hwdata: Update pci.ids to version 2023-08-12 and usb.ids to version 2023-08-24
- Update pci.ids from version 2023-01-18 to 2023-08-12
- Update usb.ids from version 2023-01-16 to 2023-08-24
- Update of rootfile not required
- No changelog available.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 4 Sep 2023 16:52:31 +0000 (18:52 +0200)]
apcupsd: Make apcupsd link in services page access its apcupsd WUI menu.
- In the services WUI page any addon that has a WUI menu page defined, such as Samba,
Guardian etc, has the addon name shown in underlined red which is a link to the addon
cgi page. This works for the other addons as the addon cgi name is the same as the
addon name. I have identified that this is not the case for apcupsd, because the cgi
page is called upsstats.cgi
- This patch adjusts the cgi name to allow apcupsd to also be shown in underlined red.
- The lfs file copies the upsstats.cgi file to one named apcupsd.cgi
- The apcupsd menu file has the cgi name changed from upsstats.cgi to apcupsd.cgi
- The rootfile is updated to also include the apcupsd.cgi file with the others.
- Tested in my vm testbed by making the above changes in the code and the apcupsd addon
was then shown in underlined red, which acted as a link to the apcupsd status WUI page.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 31 Aug 2023 11:01:08 +0000 (13:01 +0200)]
xinetd: Update to version 2.3.15.4
- This is v2 version of this patch with the locations for the sysconf and binaries
corrected so that all files are in the same locations as they were with version 2.3.15
Added sysconfdir and bindir to the configure options to achieve this.
- Update from version 2.3.15 (2012) to 2.3.15.4 (2018)
- Update of rootfile.
- The original site for xinetd is no longer accessible.
- Version 2.3.15 was the last version from https://github.com/xinetd-org/xinetd
OpenSUSE have forked the repo and have provided 2.3.15.3 and 2.3.15.4 to collect a range
of patches together from openSUSE, Debian, Fedora, Gentoo etc.
Last bug fix was done on this github repo in Sep 2022 and the last commit in Oct 2022.
- This is as up to date as there is currently available.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:40 +0000 (16:17 +0200)]
whois: Update to version 5.5.18
- Update from version 5.5.17 to 5.5.18
- Update of rootfile not required.
- Changelog
5.5.18
* Updated the .ga TLD server. (Closes: #1037288)
* Added new recovered IPv4 allocations.
* Removed the delegation of 43.0.0.0/8 to JPNIC.
* Removed 12 new gTLDs which are no longer active.
* Improved the man page source, courtesy of Bjarni Ingi Gislason.
(Closes: #1040613)
* Added the .edu.za SLD server.
* Updated the .alt.za SLD server.
* Added the -ru and -su NIC handles servers.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:38 +0000 (16:17 +0200)]
tzdata: Update to version 2023c
- Update from version 2023b to 2023c
- Update of rootfile not required.
- Changelog
Release 2023c - 2023-03-28 12:42:14 -0700
Changes to past and future timestamps
Model Lebanon's DST chaos by reverting data to tzdb 2023a.
(Thanks to Rany Hany for the heads-up.)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:37 +0000 (16:17 +0200)]
tshark: Update to version 4.0.8
- Update from version 3.6.3 to 4.0.8 covering 22 releases.
- Update of rootfile
- Ran find-dependencies due to sobump. Everything is linked to tshark files. No additional
bumping required.
- Changelog is too large to cover with 22 releases. For details see the release notes
page on the website - https://www.wireshark.org/docs/relnotes/
4.0.8 Four vulnerabilities fixed.
4.0.7 Two vulnerabilities fixed.
4.0.6 Nine vulnerabilities fixed.
4.0.5 Three vulnerabilities fixed.
4.0.4 One vulnerability fixed.
4.0.3 Seven vulnerabilities fixed.
Didn't check anymore. Based on above this package definitely needs to be regulalrly
updated as it is obviolusly susceptible to vulnerabilities.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:36 +0000 (16:17 +0200)]
transmission: Update to version 4.0.4
- Update from version 4.0.3 to 4.0.4
- Update of rootfile not required.
- Changelog
Transmission 4.0.4
This is a bugfix-only release. Everyone's feedback on 4.0.x has been very helpful -- thanks for all the suggestions, bug reports, and pull requests!
What's New in 4.0.4
All Platforms
* Fixed bug in sending torrent metadata to peers. ([#5460](https://github.com/transmission/transmission/pull/5460))
* Avoid unnecessary heap memory allocations. ([#5520](https://github.com/transmission/transmission/pull/5520), [#5527](https://github.com/transmission/transmission/pull/5527))
* Fixed filename collision edge case when renaming files. ([#5563](https://github.com/transmission/transmission/pull/5563))
* Fixed locale errors that broke number rounding when displaying statistics, e.g. upload / download ratios. ([#5587](https://github.com/transmission/transmission/pull/5587))
* Always use a fixed-length key query in tracker announces. This isn't required by the [spec](https://www.bittorrent.org/beps/bep_0007.html), but some trackers rely on that fixed length because it's common practice by other BitTorrent clients. ([#5652](https://github.com/transmission/transmission/pull/5652))
* Fixed potential Windows crash when [getstdhandle()](https://learn.microsoft.com/en-us/windows/console/getstdhandle) returns `NULL`. ([#5675](https://github.com/transmission/transmission/pull/5675))
* Fixed `4.0.0` bug where the port numbers in LDP announces are sometimes malformed. ([#5825](https://github.com/transmission/transmission/pull/5825))
* Fixed a bug that prevented editing the query part of a tracker URL. ([#5871](https://github.com/transmission/transmission/pull/5871))
* Fixed a bug where Transmission may not announce LPD on its listening interface. ([#5896](https://github.com/transmission/transmission/pull/5896))
* Made small performance improvements in libtransmission. ([#5715](https://github.com/transmission/transmission/pull/5715))
macOS Client
* Updated code that had been using deprecated API. ([#5633](https://github.com/transmission/transmission/pull/5633))
Qt Client
* Fixed torrent name rendering when showing magnet links in compact view. ([#5491](https://github.com/transmission/transmission/pull/5491))
* Fixed bug that broke the "Move torrent file to trash" setting. ([#5505](https://github.com/transmission/transmission/pull/5505))
* Fixed Qt 6.4 deprecation warning. ([#5552](https://github.com/transmission/transmission/pull/5552))
* Fixed poor resolution of Qt application icon. ([#5570](https://github.com/transmission/transmission/pull/5570))
GTK Client
* Fixed missing 'Remove torrent' tooltip. ([#5777](https://github.com/transmission/transmission/pull/5777))
Web Client
* Don't show `null` as a tier name in the inspector's tier list. ([#5462](https://github.com/transmission/transmission/pull/5462))
* Fixed truncated play / pause icons. ([#5771](https://github.com/transmission/transmission/pull/5771))
* Fixed overflow when rendering peer lists and made speed indicators honor `prefers-color-scheme` media queries. ([#5814](https://github.com/transmission/transmission/pull/5814))
* Made the main menu accessible even on smaller displays. ([#5827](https://github.com/transmission/transmission/pull/5827))
transmission-cli
* Fixed "no such file or directory" warning when adding a magnet link. ([#5426](https://github.com/transmission/transmission/pull/5426))
* Fixed bug that caused the wrong decimal separator to be used in some locales. ([#5444](https://github.com/transmission/transmission/pull/5444))
transmission-remote
* Fixed display bug that failed to show some torrent labels. ([#5572](https://github.com/transmission/transmission/pull/5572))
Everything Else
* Ran all PNG files through lossless compressors to make them smaller. ([#5586](https://github.com/transmission/transmission/pull/5586))
* Fixed potential build issue when compiling on macOS with gcc. ([#5632](https://github.com/transmission/transmission/pull/5632))
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:35 +0000 (16:17 +0200)]
traceroute: Update to version 2.1.2
- Update from version 2.1.0 to 2.1.2
- Update of rootfile not required.
- Updated ipfire traceroute patch.
- Changelog
2.1.2
* Fix unprivileged ICMP tracerouting with Linux kernel >= 6.1
(Eric Dumazet, SF bug #14)
2.1.1
* Interpret ipv4-mapped ipv6 addresses (::ffff:A.B.C.D) as true ipv4.
There are no ipv4-mapped addresses in the real network which we
operate on, so use just ipv4 in such cases, but allow users
to specify it this way for convenience.
* Return back more robast poll(2) loop handling.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:34 +0000 (16:17 +0200)]
tor: Update to version 0.4.8.4
- Update from version 0.4.7.14 to 0.4.8.4
- Update of rootfile not required.
- Changelog
Changes in version 0.4.8.4 - 2023-08-23
Finally, this is the very first stable release of the 0.4.8.x series making,
among other features, Proof-of-Work (prop#327) and Conflux (prop#329)
available to the entire network. Several new features and a lot of bugfixes
detailed below.
o Major feature (denial of service):
- Extend DoS protection to partially opened channels and known relays.
Because re-entry is not allowed anymore, we can apply DoS protections
onto known IP namely relays. Fixes bug 40821; bugfix on 0.3.5.1-alpha.
o Major features (onion service, proof-of-work):
- Implement proposal 327 (Proof-Of-Work). This is aimed at thwarting
introduction flooding DoS attacks by introducing a dynamic Proof-Of-Work
protocol that occurs over introduction circuits. This introduces several
torrc options prefixed with "HiddenServicePoW" in order to control this
feature. By default, this is disabled. Closes ticket 40634.
o Major features (conflux):
- Implement Proposal 329 (conflux traffic splitting). Conflux splits
traffic across two circuits to Exits that support the protocol. These
circuits are pre-built only, which means that if the pre- built conflux
pool runs out, regular circuits will then be used. When using conflux
circuit pairs, clients choose the lower-latency circuit to send data to
the Exit. When the Exit sends data to the client, it maximizes
throughput, by fully utilizing both circuits in a multiplexed fashion.
Alternatively, clients can request that the Exit optimize for latency
when transmitting to them, by setting the torrc option 'ConfluxClientUX
latency'. Onion services are not currently supported, but will be in
arti. Many other future optimizations will also be possible using this
protocol. Closes ticket 40593.
o Major features (dirauth):
- Directory authorities and relays now interact properly with directory
authorities if they change addresses. In the past, they would continue to
upload votes, signatures, descriptors, etc to the hard-coded address in
the configuration. Now, if the directory authority is listed in the
consensus at a different address, they will direct queries to this new
address. Implements ticket 40705.
o Major bugfixes (conflux):
- Fix a relay-side crash caused by side effects of the fix for bug
40827. Reverts part of that fix that caused the crash and adds additional
log messages to help find the root cause. Fixes bug 40834; bugfix on
0.4.8.3-rc.
o Major bugfixes (conflux):
- Fix a relay-side assert crash caused by attempts to use a conflux circuit
between circuit close and free, such that no legs were on the conflux
set. Fixed by nulling out the stream's circuit back- pointer when the
last leg is removed. Additional checks and log messages have been added
to detect other cases. Fixes bug 40827; bugfix on 0.4.8.1-alpha.
o Major bugfixes (proof of work, onion service, hashx):
- Fix a very rare buffer overflow in hashx, specific to the dynamic
compiler on aarch64 platforms. Fixes bug 40833; bugfix on 0.4.8.2-alpha.
o Major bugfixes (vanguards):
- Rotate to a new L2 vanguard whenever an existing one loses the Stable or
Fast flag. Previously, we would leave these relays in the L2 vanguard
list but never use them, and if all of our vanguards end up like this we
wouldn't have any middle nodes left to choose from so we would fail to
make onion-related circuits. Fixes bug 40805; bugfix on 0.4.7.1-alpha.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/08/23.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on August 23, 2023.
o Minor features (testing):
- All Rust code is now linted (cargo clippy) as part of GitLab CI, and
existing warnings have been fixed. - Any unit tests written in Rust now
run as part of GitLab CI.
o Minor feature (CI):
- Update CI to use Debian Bullseye for runners.
o Minor feature (client, IPv6):
- Make client able to pick IPv6 relays by default now meaning
ClientUseIPv6 option now defaults to 1. Closes ticket 40785.
o Minor feature (compilation):
- Fix returning something other than "Unknown N/A" as libc version
if we build tor on an O.S. like DragonFlyBSD, FreeBSD, OpenBSD
or NetBSD.
o Minor feature (cpuworker):
- Always use the number of threads for our CPU worker pool to the
number of core available but cap it to a minimum of 2 in case of a
single core. Fixes bug 40713; bugfix on 0.3.5.1-alpha.
o Minor feature (lzma):
- Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
o Minor feature (MetricsPort, relay):
- Expose time until online keys expires on the MetricsPort. Closes
ticket 40546.
o Minor feature (MetricsPort, relay, onion service):
- Add metrics for the relay side onion service interactions counting
seen cells. Closes ticket 40797. Patch by "friendly73".
o Minor features (directory authorities):
- Directory authorities now include their AuthDirMaxServersPerAddr
config option in the consensus parameter section of their vote.
Now external tools can better predict how they will behave.
Implements ticket 40753.
o Minor features (directory authority):
- Add a new consensus method in which the "published" times on
router entries in a microdesc consensus are all set to a
meaningless fixed date. Doing this will make the download size for
compressed microdesc consensus diffs much smaller. Part of ticket
40130; implements proposal 275.
o Minor features (network documents):
- Clients and relays no longer track the "published on" time
declared for relays in any consensus documents. When reporting
this time on the control port, they instead report a fixed date in
the future. Part of ticket 40130.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 01, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/06/01.
o Minor features (hs, metrics):
- Add tor_hs_rend_circ_build_time and tor_hs_intro_circ_build_time
histograms to measure hidden service rend/intro circuit build time
durations. Part of ticket 40757.
o Minor features (metrics):
- Add a `reason` label to the HS error metrics. Closes ticket 40758.
- Add service side metrics for REND and introduction request
failures. Closes ticket 40755.
- Add support for histograms. Part of ticket 40757.
o Minor features (pluggable transports):
- Automatically restart managed Pluggable Transport processes when
their process terminate. Resolves ticket 33669.
o Minor features (portability, compilation):
- Use OpenSSL 1.1 APIs for LibreSSL, fixing LibreSSL 3.5
compatibility. Fixes issue 40630; patch by Alex Xu (Hello71).
o Minor features (relay):
- Do not warn about configuration options that may expose a non-
anonymous onion service. Closes ticket 40691.
o Minor features (relays):
- Trigger OOS when bind fails with EADDRINUSE. This improves
fairness when a large number of exit connections are requested,
and properly signals exhaustion to the network. Fixes issue 40597;
patch by Alex Xu (Hello71).
o Minor features (tests):
- Avoid needless key reinitialization with OpenSSL during unit
tests, saving significant time. Patch from Alex Xu.
o Minor bugfix (hs):
- Fix compiler warnings in equix and hashx when building with clang.
Closes ticket 40800.
o Minor bugfix (FreeBSD, compilation):
- Fix compilation issue on FreeBSD by properly importing
sys/param.h. Fixes bug 40825; bugfix on 0.4.8.1-alpha.
o Minor bugfixes (compression):
- Right after compression/decompression work is done, check for
errors. Before this, we would consider compression bomb before
that and then looking for errors leading to false positive on that
log warning. Fixes bug 40739; bugfix on 0.3.5.1-alpha. Patch
by "cypherpunks".
o Minor bugfixes (compilation):
- Fix all -Werror=enum-int-mismatch warnings. No behavior change.
Fixes bug 40824; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (protocol warn):
- Wrap a handful of cases where ProtocolWarning logs could emit IP
addresses. Fixes bug 40828; bugfix on 0.3.5.1-alpha.
o Minor bugfix (congestion control):
- Reduce the accepted range of a circuit's negotiated 'cc_sendme_inc'
to be +/- 1 from the consensus parameter value. Fixes bug 40569;
bugfix on 0.4.7.4-alpha.
- Remove unused congestion control algorithms and BDP calculation
code, now that we have settled on and fully tuned Vegas. Fixes bug
40566; bugfix on 0.4.7.4-alpha.
- Update default congestion control parameters to match consensus.
Fixes bug 40709; bugfix on 0.4.7.4-alpha.
o Minor bugfixes (compilation):
- Fix "initializer is not a constant" compilation error that
manifests itself on gcc versions < 8.1 and MSVC. Fixes bug 40773;
bugfix on 0.4.8.1-alpha
o Minor bugfixes (conflux):
- Count leg launch attempts prior to attempting to launch them. This
avoids inifinite launch attempts due to internal circuit building
failures. Additionally, double-check that we have enough exits in
our consensus overall, before attempting to launch conflux sets.
Fixes bug 40811; bugfix on 0.4.8.1-alpha.
- Fix a case where we were resuming reading on edge connections that
were already marked for close. Fixes bug 40801; bugfix
on 0.4.8.1-alpha.
- Fix stream attachment order when creating conflux circuits, so
that stream attachment happens after finishing the full link
handshake, rather than upon set finalization. Fixes bug 40801;
bugfix on 0.4.8.1-alpha.
- Handle legs being closed or destroyed before computing an RTT
(resulting in warns about too many legs). Fixes bug 40810; bugfix
on 0.4.8.1-alpha.
- Remove a "BUG" warning from conflux_pick_first_leg that can be
triggered by broken or malicious clients. Fixes bug 40801; bugfix
on 0.4.8.1-alpha.
o Minor bugfixes (KIST):
- Prevent KISTSchedRunInterval from having values of 0 or 1, neither
of which work properly. Additionally, make a separate
KISTSchedRunIntervalClient parameter, so that the client and relay
KIST values can be set separately. Set the default of both to 2ms.
Fixes bug 40808; bugfix on 0.3.2.1-alpha.
o Minor bugfix (relay, logging):
- The wrong max queue cell size was used in a protocol warning
logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (logging):
- Avoid ""double-quoting"" strings in several log messages. Fixes
bug 22723; bugfix on 0.1.2.2-alpha.
- Correct a log message when cleaning microdescriptors. Fixes bug
40619; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (metrics):
- Decrement hs_intro_established_count on introduction circuit
close. Fixes bug 40751; bugfix on 0.4.7.12.
o Minor bugfixes (pluggable transports, windows):
- Remove a warning `BUG()` that could occur when attempting to
execute a non-existing pluggable transport on Windows. Fixes bug
40596; bugfix on 0.4.0.1-alpha.
o Minor bugfixes (relay):
- Remove a "BUG" warning for an acceptable race between a circuit
close and considering that circuit active. Fixes bug 40647; bugfix
on 0.3.5.1-alpha.
- Remove a harmless "Bug" log message that can happen in
relay_addr_learn_from_dirauth() on relays during startup. Finishes
fixing bug 40231. Fixes bug 40523; bugfix on 0.4.5.4-rc.
o Minor bugfixes (sandbox):
- Allow membarrier for the sandbox. And allow rt_sigprocmask when
compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
- Fix sandbox support on AArch64 systems. More "*at" variants of
syscalls are now supported. Signed 32 bit syscall parameters are
checked more precisely, which should lead to lower likelihood of
breakages with future compiler and libc releases. Fixes bug 40599;
bugfix on 0.4.4.3-alpha.
o Minor bugfixes (state file):
- Avoid a segfault if the state file doesn't contains TotalBuildTimes
along CircuitBuildAbandonedCount being above 0. Fixes bug 40437;
bugfix on 0.3.5.1-alpha.
o Removed features:
- Remove the RendPostPeriod option. This was primarily used in
Version 2 Onion Services and after its deprecation isn't needed
anymore. Closes ticket 40431. Patch by Neel Chauhan.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:33 +0000 (16:17 +0200)]
tcl: Update to version 8.6.13
- Update from version 8.6.12 to 8.6.13
- Update of rootfile
- Changelog
Last changelog in the source tarball is from 2008.
There is no changelog on the tcl website or the tcl github repository. The only option
is the commits log - https://github.com/tcltk/tcl/commits/main
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 30 Aug 2023 14:17:32 +0000 (16:17 +0200)]
foomatic: Update engine to 4.0.13 and db to 20230828
- Update foomatic-db-engine from version 4.0.9 (2013) to 4.0.13 (2018)
- Update foomatic-db from version 20131023 to 20230828
- Update of rootfile
- Changelog
foomatic-db
See the ChangeLog file in the foomatic-db source tarball. Too long to include here.
foomatic-db-engine
4.0.13.
* README, USAGE, configure.ac: Updated for release 4.0.13.
* Makefile.in: Add support for LDFLAGS variable (bug #1422).
* configure.ac: Allow user-configurable PERLPREFIX via environment
variable (Bug #1294).
4.0.12.
* README, USAGE, configure.ac: Updated for release 4.0.12.
* foomatic-ppdfile.in: Foomatic doesn't provide some offered PPD
files. Thanks to Marek Kasik for the patch (bug #1238).
* foomatic-ppd-to-xml.in: Let missing XML files be added when to a
PPD with already existing XML files new "*Product:" lines get
added.
4.0.11.
* README, USAGE, configure.ac: Updated for release 4.0.11.
* lib/Foomatic/DB.pm: Do not interpret option default values set to
"0" in PPD files as no default setting defined. Thanks to Deng
Pang from Ricoh (DengPang at rst dot ricoh dot com) for the report.
4.0.10.
* README, USAGE, configure.ac: Updated for release 4.0.10.
* foomatic-addpjloptions.in: Make foomatic-addpjloptions work with
the system's Foomatic database, too.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Sun, 27 Aug 2023 22:33:55 +0000 (00:33 +0200)]
zabbix_agentd: Update to 6.0.21 (LTS)
- Update from version 6.0.19 to 6.0.21
- Update of rootfile not required
Bugs fixed:
- ZBX-23097:
Fixed use of uninitialised value when verifying subject and issuer with
TLS
- ZBX-22871:
Fixed regular expression crash with invalid utf-8 sequences when pcre2
is used
- ZBX-23221:
Fixed memory leaks when using certificate-based encryption
- ZBX-18168:
Added regexp runtime error logging for log*[] items
Full changelogs since 6.0.19:
- https://www.zabbix.com/rn/rn6.0.20
- https://www.zabbix.com/rn/rn6.0.21
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 13:43:11 +0000 (15:43 +0200)]
wget: Update to version 1.21.4
- Update from version 1.21.3 to 1.21.4
- Update of rootfile not required
- Changelog
Noteworthy changes in release 1.21.4 (2023-05-11)
Document --retry-on-host-error in help text
Increase read buffer size to 64k. This should speed up downloads on gigabit and
faster connections
Update deprecated option '--html-extension' to '--adjust-extension' in
documentation
Update gnulib compatibility layer.
Fixes HSTS test failures on i686. (Thanks to Andreas Enge for ponting it out)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 13:43:10 +0000 (15:43 +0200)]
krb5: Update to version 1.21.2
- Update from version 1.20.1 to 1.21.2
- Update of rootfile
- Changelog
Major changes in 1.21.2 (2023-08-14)
This is a bug fix release.
* Fix double-free in KDC TGS processing [CVE-2023-39975].
Changes by ticket ID
9101 Fix double-free in KDC TGS processing
Major changes in 1.21.1 (2023-07-10)
This is a bug fix release.
* Fix potential uninitialized pointer free in kadm5 XDR parsing
[CVE-2023-36054].
Changes by ticket ID
9099 Ensure array count consistency in kadm5 RPC
Major changes in 1.21 (2023-06-05)
User experience:
* Added a credential cache type providing compatibility with the macOS
11 native credential cache.
Developer experience:
* libkadm5 will use the provided krb5_context object to read
configuration values, instead of creating its own.
* Added an interface to retrieve the ticket session key from a GSS
context.
Protocol evolution:
* The KDC will no longer issue tickets with RC4 or triple-DES session
keys unless explicitly configured with the new allow_rc4 or
allow_des3 variables respectively.
* The KDC will assume that all services can handle aes256-sha1 session
keys unless the service principal has a session_enctypes string
attribute.
* Support for PAC full KDC checksums has been added to mitigate an
S4U2Proxy privilege escalation attack.
* The PKINIT client will advertise a more modern set of supported CMS
algorithms.
Code quality:
* Removed unused code in libkrb5, libkrb5support, and the PKINIT
module.
* Modernized the KDC code for processing TGS requests, the code for
encrypting and decrypting key data, the PAC handling code, and the
GSS library packet parsing and composition code.
* Improved the test framework's detection of memory errors in daemon
processes when used with asan.
Changes by ticket ID
9052 Support macOS 11 native credential cache
9053 Make kprop work for dump files larger than 4GB
9054 Replace macros with typedefs in gssrpc types.h
9055 Use SHA-256 instead of SHA-1 for PKINIT CMS digest
9057 Omit LDFLAGS from krb5-config --libs output
9058 Add configure variable for default PKCS#11 module
9059 Use context profile for libkadm5 configuration
9066 Set reasonable supportedCMSTypes in PKINIT
9069 Update error checking for OpenSSL CMS_verify
9071 Add and use ts_interval() helper
9072 Avoid small read overrun in UTF8 normalization
9076 Use memmove() in Unicode functions
9077 Fix aclocal.m4 syntax error for autoconf 2.72
9078 Fix profile crash on memory exhaustion
9079 Fix preauth crash on memory exhaustion
9080 Fix gic_keytab crash on memory exhaustion
9082 Fix policy DB fallback error handling
9083 Fix kpropd crash with unrecognized option
9084 Add PAC full checksums
9085 Fix read overruns in SPNEGO parsing
9086 Fix possible double-free during KDB creation
9087 Fix meridian type in getdate.y
9088 Use control flow guard flag in Windows builds
9089 Add pac_privsvr_enctype string attribute
9090 Convey realm names to certauth modules
9091 Add GSS_C_INQ_ODBC_SESSION_KEY
9092 Fix maintainer-mode build for binutils 2.37
9093 Add PA-REDHAT-PASSKEY padata type
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 27 Aug 2023 10:17:40 +0000 (12:17 +0200)]
zlib: Update to version 1.3
- Update from version 1.2.13 to 1.3
- Update of rootfile
- Changelog
1.3 (18 Aug 2023)
- Remove K&R function definitions and zlib2ansi
- Fix bug in deflateBound() for level 0 and memLevel 9
- Fix bug when gzungetc() is used immediately after gzopen()
- Fix bug when using gzflush() with a very small buffer
- Fix crash when gzsetparams() attempted for transparent write
- Fix test/example.c to work with FORCE_STORED
- Rewrite of zran in examples (see zran.c version history)
- Fix minizip to allow it to open an empty zip file
- Fix reading disk number start on zip64 files in minizip
- Fix logic error in minizip argument processing
- Add minizip testing to Makefile
- Read multiple bytes instead of byte-by-byte in minizip unzip.c
- Add memory sanitizer to configure (--memory)
- Various portability improvements
- Various documentation improvements
- Various spelling and typo corrections
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / people / pmueller / ipfire-2.x.git / log
