Adolf Belka [Tue, 2 Aug 2022 09:20:48 +0000 (11:20 +0200)]
borgbackup: Fix Bug#12611 by adding fuse mount capability with pyfuse3
- The addition of pyfuse3 requires a total of 11 python3 module dependencies and the
addition of python3-Cython during the build
- The other dependencies etc are submitted in the rest of this patch series.
Fixes: Bug#12611 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Peter Müller [Mon, 1 Aug 2022 17:18:07 +0000 (17:18 +0000)]
linux: Randomize layout of sensitive kernel structures
To quote from the kernel documentation:
> If you say Y here, the layouts of structures that are entirely
> function pointers (and have not been manually annotated with
> __no_randomize_layout), or structures that have been explicitly
> marked with __randomize_layout, will be randomized at compile-time.
> This can introduce the requirement of an additional information
> exposure vulnerability for exploits targeting these structure
> types.
>
> Enabling this feature will introduce some performance impact,
> slightly increase memory usage, and prevent the use of forensic
> tools like Volatility against the system (unless the kernel
> source tree isn't cleaned after kernel installation).
>
> The seed used for compilation is located at
> scripts/gcc-plgins/randomize_layout_seed.h. It remains after
> a make clean to allow for external modules to be compiled with
> the existing seed and will be removed by a make mrproper or
> make distclean.
>
> Note that the implementation requires gcc 4.7 or newer.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Wed, 3 Aug 2022 10:27:23 +0000 (10:27 +0000)]
GnuTLS: Update to 3.7.7
Please refer to https://lists.gnupg.org/pipermail/gnutls-help/2022-July/004746.html
the release notes of this version, and https://www.gnutls.org/security-new.html#GNUTLS-SA-2022-07-07
for the accompanying security advisory.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Tue, 2 Aug 2022 14:17:21 +0000 (14:17 +0000)]
mpd: Update to 0.23.8
Full changelog since version 0.23.6:
ver 0.23.8 (2022/07/09)
* storage
- curl: fix crash if web server does not understand WebDAV
* input
- cdio_paranoia: fix crash if no drive was found
- cdio_paranoia: faster cancellation
- cdio_paranoia: don't scan for replay gain tags
- pipewire: fix playback of very short tracks
- pipewire: drop all buffers before manual song change
- pipewire: fix stuttering after manual song change
- snapcast: fix busy loop while paused
- snapcast: fix stuttering after resuming playback
* mixer
- better error messages
- alsa: fix setting volume before playback starts
- pipewire: fix crash bug
- pipewire: fix volume change events with PipeWire 0.3.53
- pipewire: don't force initial volume=100%
* support libfmt 9
ver 0.23.7 (2022/05/09)
* database
- upnp: support pupnp 1.14
* decoder
- ffmpeg: fix HLS seeking
- opus: fix missing song length on high-latency files
* output
- shout: require at least libshout 2.4.0
* mixer
- pipewire: fix volume restore
- software: update volume of disabled outputs
* support libiconv
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 1 Aug 2022 15:55:06 +0000 (15:55 +0000)]
git: Update to 2.37.1
Please refer to
- https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.37.0.txt
- https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.37.1.txt
for the changes since 2.36.1.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 1 Aug 2022 15:57:08 +0000 (15:57 +0000)]
NRPE: Update to 4.1.0
Full changelog:
4.1.0 - 2022-07-18
ENHANCEMENTS
Add support for OpenSSL 3 (and EL9/Debian 11/Ubuntu 22)
Allow tcpd/libwrap to be excluded from build when present on the system
Allow loading of full certificate chains
Change -u (connection issues return UNKNOWN) to include all SSL-layer failures.
Disable renegotiation and enforce server cipher order when using SSL
Verify that private keys match certificates when using SSL
FIXES
Fixed incorrect default for nasty_metachars in nrpe.cfg
Fixed incorrect help text for --use-adh
Fixed potential out-of-bound read when used with IPv6
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Mon, 1 Aug 2022 16:02:11 +0000 (18:02 +0200)]
parted: Update LFS to reflect that parted is no longer an addon
- In 2018 parted was moved from being an addon to being a core program
- The rootfile was moved from rootfiles/packages/ to rootfiles/common/
- The LFS was not updated to remove the PAK_VER etc elements.
- This patch adjusts the LFS file to be in line with being a core program
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-2
"Features
Merge #718: Introduce infra-cache-max-rtt option to config max retransmit timeout.
Bug Fixes
Fix the novel ghost domain issues CVE-2022-30698 and CVE-2022-30699.
Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing
for one loop pass'.
Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT
on outbound tcp sockets.
Fix verbose EDE error printout.
Fix dname count in sldns parse type descriptor for SVCB and HTTPS.
For windows crosscompile, fix setting the IPV6_MTU socket option
equivalent (IPV6_USER_MTU); allows cross compiling with latest cross-compiler versions.
Merge PR 714: Avoid treat normal hosts as unresponsive servers. And fixup the lock code.
iana portlist update.
Update documentation for 'outbound-msg-retry:'.
Tests for ghost domain fixes."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 11 Jul 2022 15:07:22 +0000 (15:07 +0000)]
linux: Give CONFIG_RANDOMIZE_BASE on aarch64 another try
Quoted from https://capsule8.com/blog/kernel-configuration-glossary/:
> Significance: Critical
>
> In support of Kernel Address Space Layout Randomization (KASLR) this randomizes
> the physical address at which the kernel image is decompressed and the virtual
> address where the kernel image is mapped as a security feature that deters
> exploit attempts relying on knowledge of the location of kernel code internals.
We tried to enable this back in 2020, and failed. Since then, things
may have been improved, so let's give this low-hanging fruit another
try.
Fixes: #12363 Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Thu, 28 Jul 2022 13:09:51 +0000 (13:09 +0000)]
CUPS: Update to 2.4.2
Please refer to https://github.com/OpenPrinting/cups/releases/tag/v2.4.2
for the release notes of this version. Most notably for IPFire, it comes
with OpenSSL support again.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Robin Roevens [Thu, 28 Jul 2022 11:21:36 +0000 (13:21 +0200)]
pakfire: Replace getmetadata duplicate code
- Use getmetadata function in services.cgi to determine installed
addon services to display. Removing code duplication and intel that
should only be known by pakfire itself.
- Removed hardcoded exclusions:
- squid should show up correctly using the new metadata info
- mdadm is part of core and will never show up here
- alsa, unknown if this problem still exists, but if it is, this
should be handled somewhere else.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Thu, 28 Jul 2022 11:21:35 +0000 (13:21 +0200)]
pakfire: Add getmetadata function
- Added new getmetadata function for easy access to all available
metadata of a pak without knowledge about or need to parse
pakfire internal db files.
- Added new 'pakfire info' functionality for displaying all available
metadata of (a) pak(s) to the user, using the new getmetadata.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Thu, 28 Jul 2022 11:21:33 +0000 (13:21 +0200)]
pakfire: Refactor status seperating UI and logic
- Removed UI code from status function now returning hash with status
properties.
- Removed function coreupdate_available as it is now not used anymore
- Added UI code to pakfire status routine
- Added meaningfull exitcode to status:
- 2: Core update available
- 3: Pak update available
- 4: Reboot required
- Error codes can be added together: 2+3 = 5 means both core update
and pak update is available
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Thu, 28 Jul 2022 11:21:32 +0000 (13:21 +0200)]
pakfire: Add list upgrade functionality
- Added possibility to list available upgrades from commandline
using 'pakfire list upgrade'.
- Added exitcode to 'pakfire list'
- Moved 'Pakfire has finished' log message inside END block to
always log when pakfire exited.
- Fix: allow [options] between 'list' and [installed/notinstalled/
upgrade] parameters (Partly fixes Bug #12868)
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Thu, 28 Jul 2022 11:21:31 +0000 (13:21 +0200)]
pakfire: Optimize upgradecore function
upgradecore function should just upgrade the core:
Moved check if upgrade is necessary to pakfire upgrade code, removing
code from upgradecore function duplicating codedbinfo workings.
Also adding more vebosity to pakfire upgrade.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Robin Roevens [Thu, 28 Jul 2022 11:21:27 +0000 (13:21 +0200)]
pakfire: Refactor dblist seperating UI and logic
- Removed UI code from dblist function and refactor it making it return
a hash representing the pak db for easier handling of this data.
- Moved core update check in dblist to new seperate dbcoreinfo function
making it return a hash with current and possibly available core
version info.
- Update existing calls to dblist
- Bring UI parts previously in dblist to pakfire program itself,
pakfire.cgi and index.cgi with a few small enhancements:
- Translations for 'Core-Update', 'Release', 'Update' and 'Version'
- Add currently installed version numbers to installed paks list in
pakfire.cgi
- Add 'Installed: yes/no' to pakfire list output so people not using
colors have this information too. (Partly fixes Bug #12868)
- Add update available details to pakfire list output if package has
updates available.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Peter Müller [Thu, 28 Jul 2022 13:42:48 +0000 (13:42 +0000)]
Core Update 170: Stop Suricata before extracting files
Stopping services before potentially tampering with files they use is a
more sane approach than doing the latter and hope the running service
can cope with it. Suricata, at least, reportedly doesn't.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Thu, 28 Jul 2022 13:41:12 +0000 (13:41 +0000)]
Core Update 170: Ship kernel and regenerate initial ramdisks locally
Per https://lists.ipfire.org/pipermail/development/2022-July/013889.html,
we ship the updated kernel in Core Update 170, but generate the initial
ramdisks locally to save space.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Mon, 11 Jul 2022 14:48:08 +0000 (14:48 +0000)]
linux: Enable Intel DMA Remapping Devices by default on x86_64
If available, the kernel will enable IOMMU (a/k/a DMA remapping) by
default on boot. To tools making use of that, particularly hypervisors,
this provides better security without any downsides.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Thu, 28 Jul 2022 13:24:56 +0000 (13:24 +0000)]
linux: Update to 5.15.57
Please refer to https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.15.57
for the changelog of this version. Since it introduces
architecture-dependent rootfile changes due to CPU side-channel
mitigations, changes to ARM rootfiles have been omitted due to the lack
of hardware.
Supposed hardening changes will be submitted separately.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Peter Müller [Wed, 13 Jul 2022 19:46:38 +0000 (19:46 +0000)]
Core Update 170: Harden mount options of /boot on existing installations
The second version of this patch uses @ instead of / for sed delimiters,
which makes the command less hard to read. Since Core Update 170 already
requires a reboot at this point, the respective directive is omitted.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
I know its not *actually* a link to a "DNS-Proxyserver", but I find it
nice that I can change to the page containing some of the main DNS settings
in just one click. I thought it could be useful.
JM2C
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.31/doc/arm/html/notes.html#notes-for-bind-9-16-31
Excerpt from changelog:
" --- 9.16.31 released ---
5917. [bug] Update ifconfig.sh script as is miscomputed interface
identifiers when destroying interfaces. [GL #3061]
5915. [bug] Detect missing closing brace (}) and computational
overflows in $GENERATE directives. [GL #3429]
5913. [bug] Fix a race between resolver query timeout and
validation in resolver.c:validated(). Remove
resolver.c:maybe_destroy() as it is no loger needed.
[GL #3398]
5909. [bug] The server-side destination port was missing from dnstap
captures of client traffic. [GL #3309]
5905. [bug] When the TCP connection would be closed/reset between
the connect/accept and the read, the uv_read_start()
return value would be unexpected and cause an assertion
failure. [GL #3400]
5903. [bug] When named checks that the OPCODE in a response matches
that of the request, if there is a mismatch named logs
an error. Some of those error messages incorrectly
used RCODE instead of OPCODE to lookup the nemonic.
This has been corrected. [GL !6420]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- 29 strings have been added (otp qrcode, ipblocklist, cve mmio stale
data)
- 8 strings have been improved
- 3 strings have been removed (rdrand and hwrng system, hardware
support)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jon Murphy [Tue, 19 Jul 2022 15:30:34 +0000 (10:30 -0500)]
pcengines-apu-firmware: Update to version 4.17.0.1
- Update from 4.16.0.3 to 4.17.0.1
- Changelog
v4.17.0.1 - Release date: 2022-06-23
Rebased with official coreboot repository commit 5eda52a
updated sortbootorder to v4.6.24
Added - Support for APU7 (APU3 variant with 2.5GbE i225 NICs)
See: https://github.com/pcengines/coreboot/compare/v4.16.0.4...v4.17.0.1
v4.16.0.4 Release date: 2022-05-26
Rebased with official coreboot repository commit 9686ac2261
updated sortbootorder to v4.6.23
updated SeaBIOS to rel-1.16.0.1
See: https://github.com/pcengines/coreboot/compare/v4.16.0.3...v4.16.0.4
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Acked-by: Bernhard Bitsch <bbitsch@ipfire.org> Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The informative pakfire message
"No new upgrades available. You are on release ..."
does not mean that an error has happened. This patch adjusts
the log level prefix to "info" accordingly.
Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport)
[Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]
Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)
Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
Bug #5354: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
Bug #5305: cppcheck: various static analyzer "warning"s
Bug #5302: Failed assert DeStateSearchState
Bug #5301: eve: payload field randomly missing even if the packet field is present
Bug #5289: Remove unneeded stack-on-signal initialization.
Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length
Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Bug #5113: Off-by-one in flow-manager flow_hash row allocation
Bug #5055: Documentation copyright years are invalid
Bug #5021: dataset: error with space in rule language
Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
Optimization #5121: Use configurable or more dynamic @ PACKET_ALERT_MAX@ (5.0.x backport)
Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-16-1
"Features
Fix #704: [FR] Statistics counter for number of outgoing UDP queries
sent; introduces 'num.query.udpout' to the 'unbound-control stats'
command.
Bug Fixes
makedist.sh picks up 32bit libssp-0.dll when 32bit compile.
Fix for edns client subnet to respect not looking in its cache when
instructed to do so (e.g., prefetch).
Merge PR #688: Rpz url notify issue.
Note in the unbound.conf text that NOTIFY is allowed from the 'url:'
addresses for auth and rpz zones.
Remove unused LDNS function check for GOST Engine unloading.
Fix for loading locally stored zones that have lines with blanks or
blanks and comments.
Fix #663: use after free issue with edns options.
Clarify -v flag manpage entry (#705)
Fix test program dohclient close to use portability routine.
Show the output of the exact .rpl run that failed with 'make test'.
Fix for cached 0 TTL records to not trigger prefetching when
serve-expired-client-timeout is set.
Add debug option to the mini_tdir.sh test code.
Fix to not count cached NXDOMAIN for MAX_TARGET_NX.
Allow fallback to the parent side when MAX_TARGET_NX is reached. This
will also allow MAX_TARGET_NX more NXDOMAINs.
iana portlist update.
Fix detection of libz on windows compile with static option.
Fix compile warning for windows compile.
Merge PR #706: NXNS fallback.
From #706: Cached NXDOMAIN does not increase the target nx responses.
From #706: Don't generate parent side queries if we already have the
lame records in cache.
From #706: When a lame address is the best choice, don't try to
generate target queries when the missing targets are all lame.
Merge PR #671 from Petr Menšík: Disable ED25519 and ED448 in FIPS mode
on openssl3.
Merge PR #660 from Petr Menšík: Sha1 runtime insecure.
For #660: formatting, less verbose logging, add EDE information.
Fix for correct openssl error when adding windows CA certificates to
the openssl trust store.
Improve val_sigcrypt.c::algo_needs_missing for one loop pass.
Reintroduce documentation and more EDE support for
val_sigcrypt.c::dnskeyset_verify_rrset_sig.
Fix bug introduced in 'improve val_sigcrypt.c::algo_needs_missing for
one loop pass'.
Merge PR #668 from Cristian Rodríguez: Set IP_BIND_ADDRESS_NO_PORT on
outbound tcp sockets."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3380500 to 3890000
- Update of rootfile not required
- Changelog
Release 3.39.0 On 2022-06-25
Add (long overdue) support for RIGHT and FULL OUTER JOIN.
Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT FROM that are
equivalent to IS and IS NOT, respective, for compatibility with PostgreSQL and SQL
standards.
Add a new return code (value "3") from the sqlite3_vtab_distinct() interface that
indicates a query that has both DISTINCT and ORDER BY clauses.
Added the sqlite3_db_name() interface.
The unix os interface resolves all symbolic links in database filenames to create a
canonical name for the database before the file is opened.
Defer materializing views until the materialization is actually needed, thus avoiding
unnecessary work if the materialization turns out to never be used.
The HAVING clause of a SELECT statement is now allowed on any aggregate query, even
queries that do not have a GROUP BY clause.
Many microoptimizations collectively reduce CPU cycles by about 2.3%.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
projects / people / pmueller / ipfire-2.x.git / log
