Timo Eissler [Tue, 7 Jun 2022 15:53:23 +0000 (17:53 +0200)]
openvpn-authenticator: Change event and environment handling
Move reading of environment in it's own function because not all
events have a ENV block following and thus always reading the ENV
will cause RuntimeError("Unexpected environment line ...").
Michael Tremer [Wed, 4 May 2022 13:46:41 +0000 (14:46 +0100)]
openvpn-2fa: Import a prototype of an authenticator
This script runs aside of OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.
If a client has 2FA enabled, it will be challanged for the current token
which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Timo Eissler [Fri, 8 Apr 2022 08:50:20 +0000 (10:50 +0200)]
OpenVPN: Add support for 2FA / One-Time Password
Add two-factor authentication (2FA) to OpenVPN host connections with
one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the
client to download it's configuration again after 2FA has beend enabled
for it.
Additionally the client needs to configure an TOTP application, like
"Google Authenticator" which then provides the second factor.
To faciliate this every connection with enabled 2FA
gets an "show qrcode" button after the "show file" button in the
host connection list to show the 2FA secret and an 2FA configuration QRCode.
When 2FA is enabled, the client needs to provide the second factor plus
the private key password (if set) to successfully authorize.
This only supports time based one-time passwords, TOTP with 30s
window and 6 digits, for now but we may update this in the future.
Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>
Stefan Schantl [Fri, 13 May 2022 17:10:44 +0000 (19:10 +0200)]
update-ids-ruleset: Silent script if no providers settings file exists.
Only try to read-in the providers settings file, in case it exists.
Otherwise the script produces an error message, about the missing file,
each time it gets executed.
Because of the fcron job this would be twice a day in most cases.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 13 May 2022 04:30:57 +0000 (06:30 +0200)]
expat: Fix rootfile.
The libexpat.so.1 file is just a symlink to libexpat.so.1.8.8 which
contains all the functions and symbols required by the binaries, linked
against it. Therefore this file needs to be present on the systems.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Since this addresses security issues, and also with regards to reports
such as https://community.ipfire.org/t/core-update-167-ipsec-issue/7893,
I take the liberty to push this straight into Core Update 168.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Refreshing the Pakfire page may cause a command to be
executed multiple times and induce odd errors.
This patch implements a HTTP 303 redirect after form processing,
which causes the browser to discard the POST form data.
Navigating backward or reloading the page now does not trigger
multiple executions anymore.
Fixes: #12781 Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Acked-by: Peter Müller <peter.muelle@ipfire.org>
Adolf Belka [Thu, 5 May 2022 16:39:53 +0000 (18:39 +0200)]
nut: Update to version 2.8.0
- Update from version 2.7.4 to 2.8.0
- 2.7.4 was released in 2016 and since then not a lot of progress was made with it but
since the start of 2022 new work on nut has ocurred culminating in this release
- Update of rootfile
- Ran find-dependencies on the old libraries due to the sobump to confirm that nothing
else than nut used them, which was the case.
- Changelog
After a long and windy trip since the last official release v2.7.4 half a dozen
years ago, we the community, contributors and maintainers are proud to announce
at last the general availability of NUT v2.8.0!
As always, the new release includes numerous new drivers, sub-drivers, protocols
and bug-fixes, with many companies and individuals chipping in with contributions
of code.Thanks to everyone involved in making this happen, inspiring the changes,
and providing the open-source friendly infrastructure.
This release also culminates a significant effort in improvements of NUT QA and
CI, and as a result -- in codebase quality and portability across a decade or
two of recent platforms, third-party tools and other dependencies. As a side
effect, public API (in headers and libraries) has changed a bit, hence a new
semantic "minor" number is claimed for this major body of work.
During this time, the https://networkupstools.org/ web site has changed to a
rolling-release model to serve current information to match the evolving
codebase. There are now special Sub-sites for historic releases to keep
documentation snapshots relevant for users of packages which are typically based
on official NUT releases.
We recognize that NUT is an important piece of infrastructure which gets built
into all sorts of devices, projects and operating systems -- some of which the
team never heard of until they pop up in a question, and others we haven't heard
of for years -- so we take a seriously omnivorous stance towards covering many
versions and implementations of compiler suites, C/C++ revisions, make programs,
shell and other scripted language interpreters, OSes and CPUs, and other similar
variables tamed with our new NUT CI farm test matrix dynamically driven by
currently registered build agents and their declared capabilities.
Sections in the NEWS and UPGRADING files about changes since last release are
several pages long, so would not all be repeated here. A few important
highlights for distribution packagers and custom builders follow, however:
NUT now supports more i2c and modbus devices, as well as libusb-1.0 support
as an alternative to earlier libusb-0.1 (so new dependency-based categories
of packages for drivers may be due);
NUT Python modules and scripts (e.g. NUT-Monitor variants) should work with
python-2.7 and with python-3.x, so covering historic distro releases as
well as new ones (and so your distro can deliver one or both, probably in
several packages with different dependencies in the latter case);
NUT provides revised reference systemd and SMF service unit definitions,
including support of drivers wrapped into individual service instances with
varying dependencies based on different media required (networked stack, USB
stack, etc.), and many daemons include -F option for running "in foreground"
to avoid extra forking after one already done by a service framework - you
may want to use those in your packaged deliverables;
NUT newly provides the "nut-driver-enumerator" script and service, which
allows it to follow edition of ups.conf and dynamically define+(re)start and
stop+undefine service instances for drivers - there are several ways it can
be integrated for different use-cases;
There are several new configuration keywords and CLI options - so while new
NUT builds should work with old configs and scripts, the opposite is not
necessarily true (old binaries may reject configurations taking advantage
of new features);
There are several new protocol keywords - but old and new NUT daemons (data
server and clients) should be able to communicate both ways;
It is assumed that API/ABI changes may require third-party NUT clients
(library consumers of libnutclient, libupsclient, libnutscan... -- their
version info was bumped accordingly) to get rebuilt, in order to work with
the new NUT release in a stable fashion;
The dummy-ups driver used in automated testing now processes *.dev filename
patterns once and does not loop, like it still does for *.seq and other
files (by default);
USB code is now more strict about logical minimum/maximum ranges for data
reported from devices, and some devices were already found to make mistakes
- so there is also a mechanism for turning a blind eye to known issues and
fix-up such report descriptors to produce intended sane values;
New documentation page docs/config-prereqs.txt highlights packaged
dependencies installable on a large range of platforms to build as much of
NUT as possible (incidentally, ones NUT CI farm uses to test every iteration);
Finally, we hope that NUT codebase might be able to cater for everyone "out
of the box" (it also simplifies local builds from GitHub sources on any
systems, for troubleshooting and checking pre-release enhancements): if you
as a packager have to apply patches for your distribution, give it a thought
-- whether they address a common issue best solved upstream once and behave
similarly for everyone (and conversely, if your platform can do with
existing solutions already tracked in the NUT version du-jour). PRs welcome!
Or at least Wiki entries to list all the distro efforts for cross-pollination
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 4 May 2022 19:51:00 +0000 (21:51 +0200)]
freetype: Update to version 2.12.1
- Update from version 2.11.1 to 2.12.1
- Update of rootfile
- Changelog
CHANGES BETWEEN 2.12.0 and 2.12.1
I. IMPORTANT BUG FIXES
- Loading CFF fonts sometimes made FreeType crash (bug introduced in
version 2.12.0)
- Loading a fully hinted TrueType glyph a second time (without
caching) sometimes yielded different rendering results if TrueType
hinting was active (bug introduced in version 2.12.0).
- The generation of the pkg-config file `freetype2.pc` was broken if
the build was done with cmake (bug introduced in version 2.12.0).
II. MISCELLANEOUS
- New option `--with-librsvg` for the `configure` script for better
FreeType demo support.
- The meson build no longer enforces both static and dynamic
versions of the library by default.
- The internal zlib library was updated to version 1.2.12. Note,
however, that FreeType is *not* affected by CVE-2018-25032 since
it only does decompression.
CHANGES BETWEEN 2.11.1 and 2.12.0
I. IMPORTANT CHANGES
- FreeType now handles OT-SVG fonts, to be controlled with
`FT_CONFIG_OPTION_SVG` configuration macro. By default, it can
only load the 'SVG ' table of an OpenType font. However, by using
the `svg-hooks` property of the new 'ot-svg' module it is possible
to register an external SVG rendering engine. The FreeType demo
programs have been set up to use 'librsvg' as the rendering
library.
This work was Moazin Khatti's GSoC 2019 project.
II. MISCELLANEOUS
- The handling of fonts with an 'sbix' table has been improved.
- Corrected bitmap offsets.
- A new tag `FT_PARAM_TAG_IGNORE_SBIX` for `FT_Open_Face` makes
FreeType ignore an 'sbix' table in a font, allowing applications
to access the font's outline glyphs.
- `FT_FACE_FLAG_SBIX` and `FT_FACE_FLAG_SBIX_OVERLAY` together
with their corresponding preprocessor macros `FT_HAS_SBIX` and
`FT_HAS_SBIX_OVERLAY` enable applications to treat 'sbix' tables
as described in the OpenType specification.
- The internal 'zlib' code has been updated to be in sync with the
current 'zlib' version (1.2.11).
- The previously internal load flag `FT_LOAD_SBITS_ONLY` is now
public.
- Some minor improvements of the building systems, in particular
handling of the 'zlib' library (internal vs. external).
- Support for non-desktop Universal Windows Platform.
- Various other minor bug and documentation fixes.
- The `ftdump` demo program shows more information for Type1 fonts
if option `-n` is given.
- `ftgrid` can now display embedded bitmap strikes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 4 May 2022 19:51:28 +0000 (21:51 +0200)]
sdl2: Update to version 2.0.22
- Update from version 2.0.20 to 2.0.22
- Update of rootfile
- Changelog
2.0.22:
General:
* Added SDL_RenderGetWindow() to get the window associated with a renderer
* Added floating point rectangle functions:
* SDL_PointInFRect()
* SDL_FRectEmpty()
* SDL_FRectEquals()
* SDL_FRectEqualsEpsilon()
* SDL_HasIntersectionF()
* SDL_IntersectFRect()
* SDL_UnionFRect()
* SDL_EncloseFPoints()
* SDL_IntersectFRectAndLine()
* Added SDL_IsTextInputShown() which returns whether the IME window is currently
shown
* Added SDL_ClearComposition() to dismiss the composition window without disabling
IME input
* Added SDL_TEXTEDITING_EXT event for handling long composition text, and a hint
SDL_HINT_IME_SUPPORT_EXTENDED_TEXT to enable it
* Added the hint SDL_HINT_MOUSE_RELATIVE_MODE_CENTER to control whether the mouse
should be constrained to the whole window or the center of the window when
relative mode is enabled
* The mouse is now automatically captured when mouse buttons are pressed, and the
hint SDL_HINT_MOUSE_AUTO_CAPTURE allows you to control this behavior
* Added the hint SDL_HINT_VIDEO_FOREIGN_WINDOW_OPENGL to let SDL know that a
foreign window will be used with OpenGL
* Added the hint SDL_HINT_VIDEO_FOREIGN_WINDOW_VULKAN to let SDL know that a
foreign window will be used with Vulkan
* Added the hint SDL_HINT_QUIT_ON_LAST_WINDOW_CLOSE to specify whether an
SDL_QUIT event will be delivered when the last application window is closed
* Added the hint SDL_HINT_JOYSTICK_ROG_CHAKRAM to control whether ROG Chakram
mice show up as joysticks
Windows:
* Added support for SDL_BLENDOPERATION_MINIMUM and SDL_BLENDOPERATION_MAXIMUM to
the D3D9 renderer
Linux:
* Compiling with Wayland support requires libwayland-client version 1.18.0 or later
* Added the hint SDL_HINT_X11_WINDOW_TYPE to specify the _NET_WM_WINDOW_TYPE of
SDL windows
* Added the hint SDL_HINT_VIDEO_WAYLAND_PREFER_LIBDECOR to allow using libdecor
with compositors that support xdg-decoration
Android:
* Added SDL_AndroidSendMessage() to send a custom command to the SDL java activity
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 4 May 2022 19:51:15 +0000 (21:51 +0200)]
hplip: Update to version 3.22.4
- Update from version 3.22.2 to 3.22.4
- Update of rootfile
- Changelog
HPLIP 3.22.4 - This release has the following changes:
Added support for following new Distro's:
Manjaro 21.2
Added support for the following new Printers:
HP LaserJet Pro 4001ne
HP LaserJet Pro 4001n
HP LaserJet Pro 4001dne
HP LaserJet Pro 4001dn
HP LaserJet Pro 4001dwe
HP LaserJet Pro 4001dw
HP LaserJet Pro 4001d
HP LaserJet Pro 4001de
HP LaserJet Pro 4002ne
HP LaserJet Pro 4002n
HP LaserJet Pro 4002dne
HP LaserJet Pro 4002dn
HP LaserJet Pro 4002dwe
HP LaserJet Pro 4002dw
HP LaserJet Pro 4002d
HP LaserJet Pro 4002de
HP LaserJet Pro 4003dn
HP LaserJet Pro 4003dw
HP LaserJet Pro 4003n
HP LaserJet Pro 4003d
HP LaserJet Pro 4004d
HP LaserJet Pro 4004dn
HP LaserJet Pro 4004dw
HP LaserJet Pro MFP 4101dwe
HP LaserJet Pro MFP 4101dw
HP LaserJet Pro MFP 4101fdn
HP LaserJet Pro MFP 4101fdne
HP LaserJet Pro MFP 4101fdw
HP LaserJet Pro MFP 4101fdwe
HP LaserJet Pro MFP 4102dwe
HP LaserJet Pro MFP 4102dw
HP LaserJet Pro MFP 4102fdn
HP LaserJet Pro MFP 4102fdw
HP LaserJet Pro MFP 4102fdwe
HP LaserJet Pro MFP 4102fdne
HP LaserJet Pro MFP 4102fnw
HP LaserJet Pro MFP 4102fnwe
HP LaserJet Pro MFP 4103dw
HP LaserJet Pro MFP 4103dn
HP LaserJet Pro MFP 4103fdn
HP LaserJet Pro MFP 4103fdw
HP LaserJet Pro MFP 4104dw
HP LaserJet Pro MFP 4104fdw
HP LaserJet Pro MFP 4104fdn
HP ScanJet Pro 3600 f1
HP ScanJet Pro N4600 fnw1
HP ScanJet Pro 2600 f1
HP ScanJet Enterprise Flow N6600 fnw1
HPLIP 3.22.2 - This release has the following changes:
Added support for following new Distro's:
Elementary OS 6.1
RHEL 8.5
Linux Mint 20.3
Added support for the following new Printers:
HP LaserJet Tank MFP 1602a
HP LaserJet Tank MFP 1602w
HP LaserJet Tank MFP 1604w
HP LaserJet Tank MFP 2602dn
HP LaserJet Tank MFP 2602sdn
HP LaserJet Tank MFP 2602sdw
HP LaserJet Tank MFP 2602dw
HP LaserJet Tank MFP 2604dw
HP LaserJet Tank MFP 2604sdw
HP LaserJet Tank MFP 2603dw
HP LaserJet Tank MFP 2603sdw
HP LaserJet Tank MFP 2605sdw
HP LaserJet Tank MFP 2606dn
HP LaserJet Tank MFP 2606sdn
HP LaserJet Tank MFP 2606sdw
HP LaserJet Tank MFP 2606dw
HP LaserJet Tank MFP 2606dc
HP LaserJet Tank MFP 1005
HP LaserJet Tank MFP 1005w
HP LaserJet Tank MFP 1005nw
HP LaserJet Tank 1502a
HP LaserJet Tank 1502w
HP LaserJet Tank 1504w
HP LaserJet Tank 2502dw
HP LaserJet Tank 2502dn
HP LaserJet Tank 2504dw
HP LaserJet Tank 2503dw
HP LaserJet Tank 2506dw
HP LaserJet Tank 2506d
HP LaserJet Tank 2506dn
HP LaserJet Tank 1020
HP LaserJet Tank 1020w
HP LaserJet Tank 1020nw
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Tue, 12 Apr 2022 10:33:36 +0000 (12:33 +0200)]
haproxy: Update to version 2.5.5
- Update from 2.4.15 to 2.5.5
- Update of rootfile not required
- Changelog
2.5.5
- CI: github actions: add the output of $CC -dM -E-
- CI: github actions: use cache for OpenTracing
- CI: refactor OpenTracing build script
- CI: github actions: use cache for SSL libs
- CI: Consistently use actions/checkout@v2
- BUILD: atomic: make the old HA_ATOMIC_LOAD() support const pointers
- BUILD: tree-wide: mark a few numeric constants as explicitly long long
- BUG/MEDIUM: mux-fcgi: Don't rely on SI src/dst addresses for FCGI health-checks
- BUG/MEDIUM: htx: Fix a possible null derefs in htx_xfer_blks()
- REGTESTS: fix the race conditions in normalize_uri.vtc
- REGTESTS: fix the race conditions in secure_memcmp.vtc
- BUG/MEDIUM: httpclient/lua: infinite appctx loop with POST
- BUG/MINOR: pool: always align pool_heads to 64 bytes
- BUG/MEDIUM: pools: fix ha_free() on area in the process of being freed
- BUILD: fix kFreeBSD build.
- MINOR: pools: add a new global option "no-memory-trimming"
- MINOR: stats: Add dark mode support for socket rows
- BUILD: pools: fix backport of no-memory-trimming on non-linux OS
- BUILD: fix recent build breakage of freebsd caused by kFreeBSD build fix
- BUG/MINOR: add missing modes in proxy_mode_str()
- BUG/MINOR: cli: shows correct mode in "show sess"
- BUG/MINOR: httpclient: Set conn-stream/channel EOI flags at the end of request
- BUG/MINOR: hlua: Set conn-stream/channel EOI flags at the end of request
- BUG/MINOR: stats: Set conn-stream/channel EOI flags at the end of request
- BUG/MINOR: cache: Set conn-stream/channel EOI flags at the end of request
- BUG/MINOR: promex: Set conn-stream/channel EOI flags at the end of request
- BUG/MEDIUM: stream: Use the front analyzers for new listener-less streams
- DEBUG: cache: Update underlying buffer when loading HTX message in cache applet
- BUG/MEDIUM: mcli: Properly handle errors and timeouts during reponse processing
- DEBUG: stream: Add the missing descriptions for stream trace events
- DEBUG: stream: Fix stream trace message to print response buffer state
- BUG/MAJOR: mux-pt: Always destroy the backend connection on detach
- BUG/MINOR: session: fix theoretical risk of memleak in session_accept_fd()
- BUG/MEDIUM: httpclient: don't consume data before it was analyzed
- CLEANUP: htx: remove unused co_htx_remove_blk()
- BUG/MINOR: httpclient: consume partly the blocks when necessary
- BUG/MINOR: httpclient: remove the UNUSED block when parsing headers
- BUG/MEDIUM: httpclient: must manipulate head, not first
- REGTESTS: fix the race conditions in be2hex.vtc
2.5.4
- BUG/MEDIUM: htx: Be sure to have a buffer to perform a raw copy of a message
- BUG/MEDIUM: mux-h1: Don't wake h1s if mux is blocked on lack of output buffer
- BUG/MAJOR: mux-h2: Be sure to always report HTX parsing error to the app layer
- DOC: Fix usage/examples of deprecated ACLs
- BUG/MINOR: proxy: preset the error message pointer to NULL in parse_new_proxy()
- REGTESTS: fix the race conditions in 40be_2srv_odd_health_checks
- CI: github: enable pool debugging by default
- BUG/MEDIUM: stream: Abort processing if response buffer allocation fails
2.5.3
- MINOR: sock: move the unused socket cleaning code into its own function
- BUG/MEDIUM: mworker: close unused transferred FDs on load failure
- BUG/MINOR: mworker: fix a FD leak of a sockpair upon a failed reload
- BUG/MINOR: sink: Use the right field in appctx context in release callback
- BUG/MEDIUM: resolvers: Really ignore trailing dot in domain names
- BUG/MEDIUM: fd: always align fdtab[] to 64 bytes
- BUG/MAJOR: compiler: relax alignment constraints on certain structures
- MINOR: httpclient: Don't limit data transfer to 1024 bytes
- BUG/MINOR: httpclient: reinit flags in httpclient_start()
- BUG/MINOR: mailers: negotiate SMTP, not ESMTP
- BUG/MINOR: ssl: Add missing return value check in ssl_ocsp_response_print
- BUG/MINOR: ssl: Fix leak in "show ssl ocsp-response" CLI command
- BUG/MINOR: ssl: Missing return value check in ssl_ocsp_response_print
- CLEANUP: httpclient/cli: fix indentation alignment of the help message
- BUG/MINOR: tools: url2sa reads ipv4 too far
- BUG/MEDIUM: httpclient: limit transfers to the maximum available room
- DEBUG: buffer: check in __b_put_blk() whether the buffer room is respected
2.5.2
- BUG/MEDIUM: connection: properly leave stopping list on error
- BUG/MEDIUM: htx: Adjust length to add DATA block in an empty HTX buffer
- BUG/MINOR: httpclient: don't send an empty body
- BUG/MINOR: httpclient: set default Accept and User-Agent headers
- BUG/MINOR: httpclient/lua: don't pop the lua stack when getting headers
- BUILD/MINOR: fix solaris build with clang.
- BUG/MEDIUM: server: avoid changing healthcheck ctx with set server ssl
- DOC: management: mark "set server ssl" as deprecated
- MEDIUM: cli: yield between each pipelined command
- MINOR: channel: add new function co_getdelim() to support multiple delimiters
- BUG/MINOR: cli: avoid O(bufsize) parsing cost on pipelined commands
- MEDIUM: h2/hpack: emit a Dynamic Table Size Update after settings change
- BUG/MEDIUM: cli: Never wait for more data on client shutdown
- BUG/MEDIUM: mcli: do not try to parse empty buffers
- BUG/MEDIUM: mcli: always realign wrapping buffers before parsing them
- BUG/MINOR: stream: make the call_rate only count the no-progress calls
- DEBUG: cli: add a new "debug dev fd" expert command
- BUILD: debug/cli: condition test of O_ASYNC to its existence
- DEBUG: pools: add new build option DEBUG_POOL_INTEGRITY
- REGTESTS: ssl: Fix ssl_errors regtest with OpenSSL 1.0.2
- BUG/MEDIUM: mworker: don't lose the stats socket on failed reload
- BUG/MINOR: mworker: does not add the -sf in wait mode
- BUG/MINOR: pools: always flush pools about to be destroyed
- DEBUG: pools: add extra sanity checks when picking objects from a local cache
- DEBUG: pools: let's add reverse mapping from cache heads to thread and pool
- DEBUG: pools: replace the link pointer with the caller's address on pool_free()
- BUG/MAJOR: sched: prevent rare concurrent wakeup of multi-threaded tasks
- BUG/MINOR: mworker: does not erase the pidfile upon reload
- DEBUG: fd: make sure we never try to insert/delete an impossible FD number
- MINOR: listener: replace the listener's spinlock with an rwlock
- BUG/MEDIUM: listener: read-lock the listener during accept()
- BUG/MINOR: httpclient: Revisit HC request and response buffers allocation
- BUG/MEDIUM: httpclient: Xfer the request when the stream is created
- BUG/MINOR: ssl: Remove empty lines from "show ssl ocsp-response <id>" output
- BUG/MINOR: jwt: Double free in deinit function
- BUG/MINOR: jwt: Missing pkey free during cleanup
- BUG/MINOR: jwt: Memory leak if same key is used in multiple jwt_verify calls
- BUG/MINOR: httpclient/cli: display junk characters in vsn
- BUG/MAJOR: http/htx: prevent unbounded loop in http_manage_server_side_cookies
- BUG/MAJOR: spoe: properly detach all agents when releasing the applet
- REGTESTS: server: close an occasional race on dynamic_server_ssl.vtc
- REGTESTS: peers: leave a bit more time to peers to synchronize
- BUG/MEDIUM: h2/hpack: fix emission of HPACK DTSU after settings change
- BUG/MINOR: mux-h2: update the session's idle delay before creating the stream
2.5.1
- BUG/MINOR: cache: Fix loop on cache entries in "show cache"
- BUG/MINOR: httpclient: allow to replace the host header
- BUG/MINOR: lua: don't expose internal proxies
- BUG/MINOR: lua: remove loop initial declarations
- BUG/MEDIUM: cli: Properly set stream analyzers to process one command at a time
- BUILD: evports: remove a leftover from the dead_fd cleanup
- BUG/MINOR: vars: Fix the set-var and unset-var converters
- BUG/MINOR: server: Don't rely on last default-server to init server SSL context
- BUG/MEDIUM: resolvers: Detach query item on response error
- BUG/MAJOR: segfault using multiple log forward sections.
- BUG/MEDIUM: h1: Properly reset h1m flags when headers parsing is restarted
- BUG/MEDIUM: mworker: FD leak of the eventpoll in wait mode
- BUG/MINOR: mworker: deinit of thread poller was called when not initialized
- MINOR: mux-h1: Improve H1 traces by adding info about http parsers
- BUILD: bug: Fix error when compiling with -DDEBUG_STRICT_NOCRASH
- BUG/MEDIUM: sample: Fix memory leak in sample_conv_jwt_member_query
- MINOR: cli: "show version" displays the current process version
- BUILD: tree-wide: avoid warnings caused by redundant checks of obj_types
- IMPORT: slz: use the correct CRC32 instruction when running in 32-bit mode
- MINOR: http-rules: Add capture action to http-after-response ruleset
- BUG/MINOR: cli/server: Don't crash when a server is added with a custom id
- DOC: spoe: Clarify use of the event directive in spoe-message section
- DOC: config: Specify %Ta is only available in HTTP mode
- DOC: config: retry-on list is space-delimited
- DOC: config: fix error-log-format example
- BUG/MEDIUM: mworker/cli: crash when trying to access an old PID in prompt mode
- MINOR: ssl: Remove empty lines from "show ssl ocsp-response" output
- MINOR: pools: work around possibly slow malloc_trim() during gc
- BUG/MEDIUM: backend: fix possible sockaddr leak on redispatch
- BUG/MEDIUM: peers: properly skip conn_cur from incoming messages
- BUG/MEDIUM: mux-h1: Fix splicing by properly detecting end of message
- BUG/MINOR: mux-h1: Fix splicing for messages with unknown length
- BUILD: ssl: unbreak the build with newer libressl
- DOC: fix misspelled keyword "resolve_retries" in resolvers
- DEBUG: ssl: make sure we never change a servername on established connections
- BUILD: opentracing: display warning in case of using OT_USE_VARS at compile time
- BUG/MEDIUM: ssl: initialize correctly ssl w/ default-server
- REGTESTS: ssl: fix ssl_default_server.vtc
- MINOR: compat: detect support for dl_iterate_phdr()
- MINOR: debug: add ability to dump loaded shared libraries
- MINOR: debug: add support for -dL to dump library names at boot
- MINOR: proxy: add option idle-close-on-response
- MINOR: cpuset: switch to sched_setaffinity for FreeBSD 14 and above.
- BUILD: makefile: add -Wno-atomic-alignment to work around clang abusive warning
- CI: Github Actions: do not show VTest failures if build failed
- BUG/MINOR: ssl: free the fields in srv->ssl_ctx
- BUG/MEDIUM: ssl: free the ckch instance linked to a server
- REGTESTS: ssl: update of a crt with server deletion
- BUILD/MINOR: cpuset FreeBSD 14 build fix.
- CI: github actions: update OpenSSL to 3.0.1
- BUILD/MINOR: tools: solaris build fix on dladdr.
- BUG/MINOR: cli: fix _getsocks with musl libc
- BUG/MEDIUM: http-ana: Preserve response's FLT_END analyser on L7 retry
- BUG/MEDIUM: mworker: don't use _getsocks in wait mode
- BUG/MINOR: ssl: Store client SNI in SSL context in case of ClientHello error
- BUG/MAJOR: mux-h1: Don't decrement .curr_len for unsent data
- BUILD: cpuset: fix build issue on macos introduced by previous change
- CI: github actions: clean default step conditions
2.5.0
- BUILD: SSL: add quictls build to scripts/build-ssl.sh
- BUILD: SSL: add QUICTLS to build matrix
- CLEANUP: sock: Wrap `accept4_broken = 1` into additional parenthesis
- BUILD: cli: clear a maybe-unused warning on some older compilers
- BUG/MEDIUM: cli: make sure we can report a warning from a bind keyword
- BUG/MINOR: ssl: make SSL counters atomic
- CLEANUP: assorted typo fixes in the code and comments
- BUG/MINOR: ssl: free correctly the sni in the backend SSL cache
- MINOR: version: mention that it's stable now
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Wed, 4 May 2022 11:14:29 +0000 (13:14 +0200)]
boost: Fix rootfile entries that referred to python3.8 instead of 3.10
- In Jan 2022 I updated python from 3.8 to 3.10 but I missed that boost had rootfile
entries with python38 in it.
- Running a build just now for another package it got flagged up that the rootfile for
boost had been changed and the logfile now had the entries with python310 instead of
python38
- Not clear why it only flagged this up now but this patch is to correct that error
- Running find-dependencies on both the pyton38 and python310 versions of the libraries
flagged nothing as being linked to either, so probably lucky with this being missed
first time around.
- Boost will need to be shipped with a Core Update
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Wed, 4 May 2022 10:59:48 +0000 (12:59 +0200)]
openssl: Update to version 1.1.1o
- Update from version 1.1.1n to 1.1.1o
- Update of rootfile not required
- This patch is to go into CU168 as this update is for fixing a moderate severity CVE
- Changelog
1.1.1o [3 May 2022]
(CVE-2022-1292)
Fixed a bug in the c_rehash script which was not properly sanitising shell
metacharacters to prevent command injection. This script is distributed by
some operating systems in a manner where it is automatically executed. On
such operating systems, an attacker could execute arbitrary commands with the
privileges of the script.
Use of the c_rehash script is considered obsolete and should be replaced
by the OpenSSL rehash command line tool.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Adolf Belka [Fri, 29 Apr 2022 12:05:22 +0000 (14:05 +0200)]
mpc: Update to version 0.34
- Update from version 0.33 to 0.34
- Combined this patch with update to mpd as mpc depends on mpd
- Changelog
0.34 (2021/11/30)
* add commands "albumart", "readpicture"
* don't print status after error
* custom status format
* support grouping "list" results
* meson: auto-build libmpdclient if not available
* require libmpdclient 2.16 or newer
* require MPD 0.21 or newer
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Fri, 29 Apr 2022 12:05:20 +0000 (14:05 +0200)]
mpd: Update to version 0.23.6
- Update from version 0.22.6 to 0.23.6
- Update of rootfile not required
- Since version 0.23 there is a new build time dependency for libfmt so a separate
patch has been created to add fmt to the system but only for build
- Changelog
ver 0.23.6 (2022/03/14)
* protocol
- support filename "cover.webp" for "albumart" command
- support "readcomments" and "readpicture" on CUE tracks
* decoder
- ffmpeg: fix end-of-file check (update stuck at empty files)
- opus: fix "readpicture" on Opus files
* output
- pipewire: fix crash bug if setting volume before playback starts
- wasapi: fix resume after pause
ver 0.23.5 (2021/12/01)
* protocol
- support relative offsets for "searchadd"
- fix "searchaddpl" bug (bogus error "Bad position")
* database
- upnp: fix crash bug
* tags
- fix MixRamp support
* migrate to PCRE2
* GCC 12 build fixes
ver 0.23.4 (2021/11/11)
* protocol
- add optional position parameter to "searchaddpl"
* decoder
- ffmpeg: support libavcodec 59
* output
- alsa: add option "thesycon_dsd_workaround" to work around device bug
* fix crash on debug builds if startup fails
* systemd
- remove "RuntimeDirectory" directive because it caused problems
- ignore the "pid_file" setting if started as systemd service
* Windows
- enable the "openmpt" decoder plugin
ver 0.23.3 (2021/10/31)
* protocol
- add optional position parameter to "add" and "playlistadd"
- allow range in "playlistdelete"
* database
- fix scanning files with question mark in the name
- inotify: fix use-after-free bug
* output
- alsa: add option "stop_dsd_silence" to work around DSD DAC noise
* macOS: fix libfmt related build failure
* systemd: add "RuntimeDirectory" directive
ver 0.23.2 (2021/10/22)
* protocol
- fix "albumart" timeout bug
* input
- nfs: fix playback bug
* output
- pipewire: send artist and title to PipeWire
- pipewire: DSD support
* neighbor
- mention failed plugin name in error message
* player
- fix cross-fade regression
* fix crash with libfmt versions older than 7
ver 0.23.1 (2021/10/19)
* protocol
- use decimal notation instead of scientific notation
- "load" supports relative positions
* output
- emit "mixer" idle event when replay gain changes volume
- pipewire: emit "mixer" idle events on external volume change
- pipewire: attempt to change the graph sample rate
- snapcast: fix time stamp bug which caused "Failed to get chunk"
* fix libfmt linker problems
* fix broken password authentication
ver 0.23 (2021/10/14)
* protocol
- new command "getvol"
- show the audio format in "playlistinfo"
- support "listfiles" with arbitrary storage plugins
- support relative positions in "addid"
- fix relative positions in "move" and "moveid"
- add "position" parameter to "findadd" and "searchadd"
- add position parameter to "load"
* database
- proxy: require MPD 0.20 or later
- proxy: require libmpdclient 2.11 or later
- proxy: split search into chunks to avoid exceeding the output buffer
- simple: add option to hide CUE target songs
- upnp: support libnpupnp instead of libupnp
* archive
- zzip, iso9660: ignore file names which are invalid UTF-8
* decoder
- openmpt: new plugin
- wavpack: fix WVC file support
* player
- do not cross-fade songs shorter than 20 seconds
* output
- oss: support DSD over PCM
- pipewire: new plugin
- snapcast: new plugin
* tags
- new tags "ComposerSort", "Ensemble", "Movement", "MovementNumber", and "Location"
* split permission "player" from "control"
* add option "host_permissions"
* new build-time dependency: libfmt
ver 0.22.11 (2021/08/24)
* protocol
- fix "albumart" crash
* filter
- ffmpeg: pass "channel_layout" instead of "channels" to buffersrc
- ffmpeg: fix "av_buffersink_get_frame() failed: Resource temporarily unavailable"
- ffmpeg: support double-precision samples (by converting to single precision)
* Android
- build with NDK r23
- playlist_directory defaults to "/sdcard/Android/data/org.musicpd/files/playlists"
ver 0.22.10 (2021/08/06)
* protocol
- support "albumart" for virtual tracks in CUE sheets
* database
- simple: fix crash bug
- simple: fix absolute paths in CUE "as_directory" entries
- simple: prune CUE entries from database for non-existent songs
* input
- curl: fix crash bug after stream with Icy metadata was closed by peer
- tidal: remove defunct unmaintained plugin
* tags
- fix crash caused by bug in TagBuilder and a few potential reference leaks
* output
- httpd: fix missing tag after seeking into a new song
- oss: fix channel order of multi-channel files
* mixer
- alsa: fix yet more rounding errors
ver 0.22.9 (2021/06/23)
* database
- simple: load all .mpdignore files of all parent directories
* tags
- fix "readcomments" and "readpicture" on remote files with ID3 tags
* decoder
- ffmpeg: support the tags "sort_album", "album-sort", "artist-sort"
- ffmpeg: fix build failure with FFmpeg 3.4
* Android
- fix auto-start on boot in Android 8 or later
* Windows
- fix build failure with SQLite
ver 0.22.8 (2021/05/22)
* fix crash bug in "albumart" command (0.22.7 regression)
ver 0.22.7 (2021/05/19)
* protocol
- don't use glibc extension to parse time stamps
- optimize the "albumart" command
* input
- curl: send user/password in the first request, save one roundtrip
* decoder
- ffmpeg: fix build problem with FFmpeg 3.4
- gme: support RSN files
* storage
- curl: don't use glibc extension
* database
- simple: fix database corruption bug
* output
- fix crash when pausing with multiple partitions
- jack: enable on Windows
- httpd: send header "Access-Control-Allow-Origin: *"
- wasapi: add algorithm for finding usable audio format
- wasapi: use default device only if none was configured
- wasapi: add DoP support
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Adolf Belka [Sun, 1 May 2022 13:47:13 +0000 (15:47 +0200)]
gcc: Update mpfr with patches for use in toolchain build
- Added mpfr consolidated patches file to mpfr in gcc. mpfr is built internally for use
in the toolchain.
- Confirmed working by running./make toolchain which ran successfully
confirmed from the _build.toolchain.log file that the patches were successfully
implemented for gcc pass 1, gcc pass L and gcc pass 2
- Full toolchain build successfully completed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org>