Adolf Belka [Sun, 5 Oct 2025 12:53:19 +0000 (14:53 +0200)]
nasm: Update to version 3.00
- Update from version 2.16.03 to 3.00
- Update of rootfile not required
- Changelog
3.00
Improve the documentation for building from source (appendix D).
Add support for the APX and AVX10 instruction sets, and various
miscellaneous new instructions.
Add new preprocessor functions: %b2hs(), %chr(), %depend(), %find(),
%findi(), %hs2b(), %null(), %ord(), %pathsearch(), and %realpath().
See section 5.4.
New preprocessor directive %note to insert a note in the list file,
without issuing an external diagnostic. Unlike a comment, it is
optionally macro-expanded, see section 5.11.
New preprocessor directive %iffile (and corresponding function %isfile())
to test for the existence of a file. See section 5.6.12.
New preprocessor directive %ifdirective to test for the existence of a
preprocessor directive, assembly directive, or pseudo-instruction; see
section 5.6.10.
Fix a number of invalid memory references (usually causing crashes) on
various invalid inputs.
Fix multiple bugs in the handling of $-escaped symbols.
The use of $ as a prefix for hexadecimal numbers has been deprecated, and
will now issue a warning. A new directive [DOLLARHEX] can be used to
disable this syntax entirely, see section 8.12.
Fix the generation of segment selector references (mainly used in the obj
output format.)
Fix crash in the obj backend when code was emitted into the default
segment, without any labels having been defined.
Clean up the command-line help text (-h) and break it down into individual
topics, as the previous output was just too verbose to be practical
as a quick reference.
The implicit DEFAULT ABS in 64-bit mode is deprecated and may be changed
to REL in the future. See section 8.2. A warning is now emitted for
this condition.
It is now possible to set the REL/ABS default for memory accesses using
FS: or GS:, see section 8.2.
The __?DEFAULT?__ standard macro now reflects the settings of the DEFAULT
directive. See section 6.4.
The NASM preprocessor now assumes that an unknown directive starting
with %if or %elif is a misspelled or not yet implemented conditional
directive, and tries to match it with a corresponding %endif. See
section 5.6.14.
The masm macro package now defines a macro for x87 register syntax. See
section 7.5.
A new macro package, vtern, to simplify generation of the control
immediates for the VPTERNLOGD and VPTERNLOGQ instructions. See
section 7.6.
A new command line option -LF allows overriding [LIST -] directives.
In the obj output format, allow a segment in the FLAT pseudo-group to also
belong to another (real) group. Used on OS/2.
Add a new build_version directive to the Mach-O backend. See section 9.8.6.
Fix a spec violation in the generation of DWARF debugging information on ELF.
Response files can now be nested.
Many documentation improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:45:08 +0000 (14:45 +0200)]
libxml2: Update to version 2.15.0
- Update from version 2.14.6 to 2.15.0
- Update of rootfile
- Changelog
2.15.0
Major changes
The API documentation is now generated with Doxygen. Building the
documentation requires the new --with-docs configuration option as well
as Doxygen, xsltproc and the DocBook 4 XSLT stylesheets.
The Python bindings are disabled by default now. Building the bindings
also requires Doxygen.
Support for Schematron is now disabled by default.
The parser option XML_PARSE_UNZIP is now required to read compressed data.
HTML serialization and handling of character encodings are more in line
with the HTML5 spec now.
More accessors for xmlParserCtxt were added.
Deprecations
More internal functions and struct members were deprecated.
Removals
The built-in HTTP client and support for LZMA compression were removed.
The custom Windows build system in `win32` was removed in favor of CMake.
Planned removals
The Python bindings and support for Schematron validation are planned to
be removed in the 2.16 release.
The following features are considered for removal:
- Modules API (xmlmodule.h)
- Support for zlib compressed file I/O
RELAX NG support is still in a bad state and a long-term removal
candidate.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:39:32 +0000 (14:39 +0200)]
iproute2: Update to version 6.17.0
- Update from version 6.16.0 to 6.17.0
- Update of rootfile
- Changelog is not provided. Details of changes can be found from the git commit changes
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sun, 5 Oct 2025 12:35:56 +0000 (14:35 +0200)]
harfbuzz: Update to version 12.1.0
- Update from version 11.4.5 to 12.1.0
- Update of rootfile
- Changelog
12.1.0
- Build fixes with GCC 15 on some 32 bit platforms.
- Fix misaligned pointer use.
- New API, `hb_ot_layout_lookup_collect_glyph_alternates()`, to collect glyph
substitutions from single and alternate substitution lookups in one call,
instead of getting substitutions one by one using
`hb_ot_layout_lookup_get_glyph_alternates()`.
- New API
+hb_ot_layout_lookup_collect_glyph_alternates()
12.0.0
- The major feature of this release is that the Variable Composites /
Components (`VARC` table) addition to the ISO OpenFontFormat has graduated
from experimental, and is now enabled by default. It can be disabled at
compile time by defining the `HB_NO_VAR_COMPOSITES` macro.
`VARC` table is a new way to store glyph outlines, that allows for better
shape reuse, and can reduce font file size for Chinese, Japanese, Korean, and
some other scripts drastically. Some font design tools provide a similar
feature to designers, known as "smart components". This technology brings the
same idea to the compiled font file. For the format specification, see:
https://github.com/harfbuzz/boring-expansion-spec/blob/main/VARC.md
Test fonts can be found at:
https://github.com/notofonts/noto-cjk-varco/releases/tag/v0.003
The Fontra font editor already supports this technology.
Note that this new format involves just the HarfBuzz draw API and does not
affect shaping.
- Correctly handle `markFilteringSet` lookup field during subsetting.
- Deduplicate features during subsetting.
- Disable “more” buffer messages that give more verbose output when using
buffer messages callbacks, as it has a performance overhead. Users/tools that
need the more verbose messages should define `HB_BUFFER_MESSAGE_MORE` to 1
when building HarfBuzz.
- Shaping and instancing optimizations.
- Fix subsetting issues when building with GCC 12.
11.5.1
- Optimized partial-instancing of fonts with a large number of axes. Now over
two times faster.
- Fix C++ STL atomics implementation.
11.5.0
- Update to Unicode 17.0.0.
- Subsetter optimizations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 4 Oct 2025 17:31:06 +0000 (19:31 +0200)]
fetchmail: Update to version 6.5.5
- Update from version 6.5.4 to 6.5.5
- Update of rootfile not required
- Changelog
6.5.5
LICENSING CHANGE OF WOLFSSL:
* Note that wolfSSL 5.8.2 switched license from GPLv2 to GPLv3, so if
a distribution links fetchmail against wolfSSL, this implies the use
of the "or-any-later-version" clause of the GPLv2-or-later licensed material
in fetchmail, and the combined work can also only ship as GPLv3.
This may or may not apply to later versions of wolfSSL - be sure to check!
BUGFIXES:
==-- note that these comprise C23 compatibility fixes (GCC 15) --==
* Support the operation when the running user is different from the one
mentioned in the $USER variable. Fix courtesy of Corey Halpin.
* The kerberos*_auth() functions for v4 and v5 have prototypes now,
so they can be compiled by the most modern C compilers.
* AC_TYPE_* type-checking macros seem unnecessary, strip them, also from
config.h.meson which would not fill them from build.meson. We expect
the operating system to provide us pid_t, size_t, uint32_t.
* Our res_search() autoconf check was broken on compilers adhering to newer
standards (C23), for instance GCC 15, disabling several DNS-based features
in autotools-based builds, but not meson-based builds.
Strip the bogus "extern int res_search();" declaration without prototype,
we would need to have the prototype from the system either way.
IMPORTANT CHANGE:
* Fetchmail is now more careful to actually clear password and like buffers
in memory, so that it is less likely that other processes could access them
should they happen to access similar memory regions after fetchmail's exit.
Fetchmail now uses memset_explicit(), explicit_bzero(), or its own
explicit_bzero() implementation to clear memory buffers that contain
passwords or like secrets, or their base64 equivalents, and also buffers
that it uses to visualize such strings, instead of just using memset().
The motivating reason is that a plain memset() that does not have
/observable/ effects, i. e. when we do not read from the buffer or
transfer it, can be removed by the compiler's optimizer in the so-called
dead store elimination, voiding our attempt to clear the buffer contents
before releasing it to the heap.
The named alternative functions are not being optimized away.
WORKAROUND:
* IMAP: Recognize SASL_IR advertisement of Cyrus IMAP 3.10.0...3.12.? as
synonymous to SASL-IR per RFC4959. Upstream bug reported at
https://github.com/cyrusimap/cyrus-imapd/issues/5481 - and it was
quickly fixed in all their supported branches by patch releases.
CHANGES:
* Several documentation tweaks.
* As long as SOURCE_DATE_EPOCH is set, the source tarball build may
be reproducible now. Tested on Fedora 42.
* The Japanese translation [ja] has been updated by Takeshi Hamasaki.
* The Makefile should be compatible across a wider set of make implementations,
beyond GNU make.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
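The dead-store-elimination problem described in the fetchmail changelog above, as an added example that is not part of the commit or of fetchmail's own code: a small secure-clear helper that uses `memset_explicit()` or `explicit_bzero()` when a (hypothetical, assumed) configure step reports them via `HAVE_MEMSET_EXPLICIT` / `HAVE_EXPLICIT_BZERO`, and otherwise calls `memset()` through a volatile function pointer, which the optimizer cannot prove to be `memset` and therefore cannot elide. The unsafe and hardened release patterns sit side by side; the sample password is a constructed string.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not fetchmail's code. HAVE_MEMSET_EXPLICIT and
 * HAVE_EXPLICIT_BZERO are assumed to come from a hypothetical configure
 * step; neither is defined here, so the fallback below is what runs. */
#if defined(HAVE_MEMSET_EXPLICIT)
static void secure_clear(void *p, size_t n) { memset_explicit(p, n); }   /* C23 */
#elif defined(HAVE_EXPLICIT_BZERO)
static void secure_clear(void *p, size_t n) { explicit_bzero(p, n); }    /* glibc/BSD */
#else
/* Calling memset through a volatile function pointer: at the call site the
 * compiler may not assume the pointer still designates memset, so it cannot
 * classify the store as dead and remove it. */
static void *(*volatile secure_memset_fn)(void *, int, size_t) = memset;
static void secure_clear(void *p, size_t n) { secure_memset_fn(p, 0, n); }
#endif

/* The pattern the changelog warns about: a memset() whose result is never
 * read (the buffer is freed right after) has no observable effect, so the
 * optimizer is free to delete it and the secret stays in freed heap memory. */
static void release_secret_unsafely(char *buf, size_t cap)
{
    memset(buf, 0, cap);   /* candidate for dead store elimination */
    free(buf);
}

/* Hardened pattern: clear with a primitive the optimizer may not remove,
 * then release. Apply the same to base64 copies and display buffers. */
static void release_secret(char *buf, size_t cap)
{
    secure_clear(buf, cap);
    free(buf);
}

/* Counts bytes that are still non-zero; used to verify a clear succeeded. */
static size_t count_nonzero(const unsigned char *p, size_t n)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++)
        k += (p[i] != 0);
    return k;
}

/* Copies a constructed sample secret into a heap buffer, scrubs it with
 * secure_clear() and reports how many bytes survived (expected: 0). */
static size_t scrub_and_count(const char *sample)
{
    size_t cap = strlen(sample) + 1;
    unsigned char *buf = malloc(cap);
    if (buf == NULL)
        return (size_t)-1;
    memcpy(buf, sample, cap);
    secure_clear(buf, cap);
    size_t left = count_nonzero(buf, cap);
    free(buf);
    return left;
}

int main(void)
{
    const char *sample = "hunter2-constructed";   /* constructed, not a real credential */
    size_t cap = strlen(sample) + 1;

    char *a = malloc(cap), *b = malloc(cap);
    if (a == NULL || b == NULL)
        return 1;
    memcpy(a, sample, cap);
    memcpy(b, sample, cap);
    release_secret_unsafely(a, cap);   /* may leave the secret behind */
    release_secret(b, cap);            /* clear is not optimized away */

    return scrub_and_count(sample) == 0 ? 0 : 1;
}
```

Whether the plain `memset()` in `release_secret_unsafely()` actually disappears depends on the compiler and optimization level, which is exactly why the hardened path never relies on it; the volatile-pointer fallback is the same technique several libraries use when no platform primitive is available.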
Adolf Belka [Sat, 4 Oct 2025 14:12:04 +0000 (16:12 +0200)]
openvpn: Update to version 2.6.15
- Update from version 2.6.14 to 2.6.15
- Update of rootfile not required
- Changelog
2.6.15
dco: add standard mi prefix handling to multi_process_incoming_dco()
Check message id/acked ids too when doing sessionid cookie checks
GHA: Pin version of CMake for MinGW build
GHA: Dependency and Actions update April 2025 (2.6)
GHA: Update dependencies July 2025 (2.6)
Fix compiler warning in reliable.c with --disable-debug
dco linux: avoid redefining ovpn enums (2.6)
Update text of GPL to latest version from FSF
unit_tests/plugins/auth-pam: fix stdint.h related build error on fedora 42
Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
replace assert() calls with ASSERT()
remove newline characters at the end of msg() calls
fix building of openvpnsrvmsg.dll from eventmsg.mc in mingw builds
Fix t_net.sh / networking_testdriver after 'broadcast' change
preparing release 2.6.15
Fix tmp-dir documentation
dco: support float notifications on FreeBSD
dco-win: Ensure correct OVERLAPPED scope
win: replace wmic invocation with powershell
openvpnserv: Fix writing messages to the event log
Validate DNS domain name before powershell invocation
Makefile: fix 'make dist'
GHA: collect more artifacts for mingw builds
dco: backport OS-independent part of peer float support
Bugfix: Set broadcast address on interface.
Fix MBEDTLS_DEPRECATED_REMOVED build errors
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 4 Oct 2025 14:08:13 +0000 (16:08 +0200)]
openvmtools: Update to version 13.0.5
- Update from version 12.5.0 to 13.0.5
- Update of rootfile not required
- 2 CVE fixes.
- Changelog
13.0.5
Resolved Issues
This release resolves CVE-2025-41244.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0015.
A patch to address CVE-2025-41244 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-41244.patch.
Guest OS Customization updated to use "systemctl reboot".
Currently the "telinit 6" command is used to reboot a Linux VM following
Guest OS Customization. As the classic Linux init system, SysVinit, is
deprecated in favor of a newer init system, systemd, the telinit
command may not be available on the base Linux OS.
This change adds support to Guest OS Customization for the systemd init
system. If the modern init system, systemd, is available, then a
"systemctl reboot" command will be used to trigger reboot. Otherwise,
the "telinit 6" command will be used assuming the traditional init
system, SysVinit, is still available.
13.0.0
Resolved Issues
The following github.com/vmware/open-vm-tools pull requests and issues have
been addressed.
FTBFS: --std=c23 conflicting types between function definition and
declaration MXUserTryAcquireForceFail()
Fixes Issue #750
Pull request #751
Provide tools.conf settings to deactivate one-time and periodic time
synchronization
The new tools.conf settings disable-all and disable-periodic allow the
guest OS administrator to deactivate one-time and periodic time
synchronization without rebooting the VM or restarting the guest OS.
Fixes Issue #302
Fix xmlsec detection when cross-compiling with pkg-config
Pull request #732
After October 25, 2024, with open-vm-tools earlier than 13.0.0, the
salt-minion component is not installed or fails to install in a guest
operating system through the VMware Component Manager
When you configure the salt-minion component in the present state, its
last status is set to 102 (not installed) or 103 (installation failed),
never reaching the installed state 100.
The VM advanced setting with the key
"guestinfo./vmware.components.salt_minion.desiredstate" has a value
present.
The VM advanced setting with the key
"guestinfo.vmware.components.salt_minion.laststatus" has a value 102
or 103.
The salt-minion component installs a log file with traces indicating
failure to access the online salt repository on
https://repo.saltproject.io. The "vmware-svtminion.sh-install-*.log"
file for the failed install shows a trace similar to:
<date+time> INFO: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download attempting download of file 'repo.json'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '0' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '1' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '2' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '3' attempt, retcode '6'
<date+time> WARNING: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' on '4' attempt, retcode '6'
<date+time> ERROR: /usr/lib64/open-vm-tools/componentMgr/saltMinion/svtminion.sh:_curl_download failed to download file 'repo.json' from 'https://repo.saltproject.io/salt/py3/onedir/repo.json' after '5' attempts
This issue is resolved in this release.
The new versions of the salt-minion integration scripts supporting the
new Salt Project repository locations are available at:
https://packages.broadcom.com/artifactory/saltproject-generic/onedir/
12.5.4
Product Support Notice
Beginning with the next major release, we will be reducing the number
of supported localization languages. The three supported languages
will be:
Japanese
Spanish
French
The following languages will no longer be supported:
Italian
German
Brazilian Portuguese
Traditional Chinese
Korean
Simplified Chinese
Impact:
Users who have been using the deprecated languages will no longer
receive updates or support in these languages.
All user interfaces, message catalogs, help documentation, and
customer support will be available only in English or in the
three supported languages mentioned above.
Resolved Issues
This release resolves CVE-2025-41244.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0015.
A patch to address CVE-2025-41244 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-41244.patch.
12.5.2
Resolved Issues
This release resolves CVE-2025-22247.
For more information on this vulnerability and its impact on Broadcom
products, see VMSA-2025-0007.
A patch to address CVE-2025-22247 on earlier open-vm-tools releases is
provided to the Linux community at CVE-2025-22247.patch.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 3 Oct 2025 14:04:35 +0000 (16:04 +0200)]
openssl: Update to version 3.5.4
- Update from version 3.5.1 to 3.5.4
- Update of rootfile
- Changelog
3.5.4
* Fix Out-of-bounds read & write in RFC 3211 KEK Unwrap
Issue summary: An application trying to decrypt CMS messages encrypted using
password based encryption can trigger an out-of-bounds read and write.
Impact summary: This out-of-bounds read may trigger a crash which leads to
Denial of Service for an application. The out-of-bounds write can cause
a memory corruption which can have various consequences including
a Denial of Service or Execution of attacker-supplied code.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9230])
* Fix Timing side-channel in SM2 algorithm on 64 bit ARM
Issue summary: A timing side-channel which could potentially allow remote
recovery of the private key exists in the SM2 algorithm implementation on
64 bit ARM platforms.
Impact summary: A timing side-channel in SM2 signature computations on
64 bit ARM platforms could allow recovering the private key by an attacker.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9231])
* Fix Out-of-bounds read in HTTP client no_proxy handling
Issue summary: An application using the OpenSSL HTTP client API functions
may trigger an out-of-bounds read if the "no_proxy" environment variable is
set and the host portion of the authority component of the HTTP URL is an
IPv6 address.
Impact summary: An out-of-bounds read can trigger a crash which leads to
Denial of Service for an application.
The issue was reported by Stanislav Fort (Aisle Research).
([CVE-2025-9232])
* The FIPS provider no longer performs a PCT on key import for ECX keys
(that was introduced in 3.5.2), following the latest update
on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
* Fixed the length of the ASN.1 sequence for the SM3 digests of RSA-encrypted
signatures.
* Reverted the synthesised `OPENSSL_VERSION_NUMBER` change for the release
builds, as it broke some existing applications that relied on the previous
3.x semantics, as documented in `OpenSSL_version(3)`.
3.5.3
* Avoided a potential race condition introduced in 3.5.1, where
`OSSL_STORE_CTX` kept open during lookup while potentially being used
by multiple threads simultaneously, that could lead to potential crashes
when multiple concurrent TLS connections are served.
* The FIPS provider no longer performs a PCT on key import for RSA, DH,
and EC keys (that was introduced in 3.5.2), following the latest update
on that requirement in FIPS 140-3 IG 10.3.A additional comment 1.
* Secure memory allocation calls are no longer used for HMAC keys.
* `openssl req` no longer generates certificates with an empty extension list
when SKID/AKID are set to `none` during generation.
* The man page date is now derived from the release date provided
in `VERSION.dat` and not the current date for the released builds.
* Hardened the provider implementation of the RSA public key "encrypt"
operation to add a missing check that the caller-indicated output buffer
size is at least as large as the byte count of the RSA modulus. The issue
was reported by Arash Ale Ebrahim from SYSPWN.
This operation is typically invoked via `EVP_PKEY_encrypt(3)`. Callers that
in fact provide a sufficiently large buffer, but fail to correctly indicate
its size may now encounter unexpected errors. In applications that attempt
RSA public encryption into a buffer that is too small, an out-of-bounds
write is now avoided and an error is reported instead.
* Added FIPS 140-3 PCT on DH key generation.
* Fixed the synthesised `OPENSSL_VERSION_NUMBER`.
3.5.2
* The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 2 Oct 2025 11:10:15 +0000 (13:10 +0200)]
firewall.cgi: Fixes XSS potential
- Related to CVE-2025-50975
- Fixes PROT
- ruleremark was already escaped when firewall.cgi was initially merged back in Core
Update 77.
- SRC_PORT, TGT_PORT, dnaport, src_addr & tgt_addr are already validated in the code as
ports or port ranges.
- std_net_tgt is a string defined in the code and not a variable
- The variable key ignores any input that is not a digit and subsequently uses the next
free rulenumber digit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)]
proxy.cgi: Further fix for bug 13893
- Previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter however was not mentioned in the
description for that bug.
- bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD but it mentions them as being from dns.cgi
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
'dmz' => 'AÇIK BÖLGE',
'dmz pinhole configuration' => 'Açık bölge yapılandırma',
'dmz pinhole rule added' => 'Açık bölge kuralı eklendi; Açık bölge
yeniden başlatılıyor',
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
since the last update made changes for the webinterface of OpenVPN, it's
time to remove unused translations and update the remaining ones for
downloading the client configuration.
Starting here with the German translation.
Best regards
Peer Dietzmann
'dmz pinhole configuration' => 'Einstellungen des DMZ-Schlupfloches',
'dmz pinhole rule added' => 'Regel für DMZ-Schlupfloch hinzugefügt;
Starte DMZ-Schlupfloch neu',
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 21:06:00 +0000 (21:06 +0000)]
OpenSSH: Amend upstream default cipher changes
This patch implements the following change made to OpenSSH server
upstream in version 10.0:
* sshd(8): this release disables finite field (a.k.a modp)
Diffie-Hellman key exchange in sshd by default. Specifically,
this removes the "diffie-hellman-group*" and
"diffie-hellman-group-exchange-*" methods from the default
KEXAlgorithms list. The client is unchanged and continues to
support these methods by default. Finite field Diffie Hellman
is slow and computationally expensive for the same security
level as Elliptic Curve DH or PQ key agreement while offering
no redeeming advantages. ECDH has been specified for the SSH
protocol for 15 years and some form of ECDH has been the default
key exchange in OpenSSH for the last 14 years.
In addition, for both OpenSSH server and client, the following upstream
change made in version 9.9 is implemented:
* ssh(1): the hybrid post-quantum algorithm mlkem768x25519-sha256
is now used by default for key agreement. This algorithm is
considered to be safe against attack by quantum computers,
is guaranteed to be no less strong than the popular
curve25519-sha256 algorithm, has been standardised by NIST
and is considerably faster than the previous default.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 21:05:00 +0000 (21:05 +0000)]
OpenSSH: Prefer AES-GCM ciphers over AES-CTR
This reflects the following change made upstream in OpenSSH 9.9:
* ssh(1): prefer AES-GCM to AES-CTR mode when selecting a cipher
for the connection. The default cipher preference list is now
Chacha20/Poly1305, AES-GCM (128/256) followed by AES-CTR
(128/192/256).
However, we keep preferring AES-GCM over Chacha/Poly, as hardware
acceleration often grants the former a better performance, while there
is no security advance of Chacha/Poly usage over 256 bit AES-GCM.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 19:51:00 +0000 (19:51 +0000)]
initscripts: Always wait for xtables lock when running iptables commands
If not explicitly instructed to do so, iptables by default aborts with
an error message such as
> Can't lock /run/xtables.lock: Resource temporarily unavailable
> Another app is currently holding the xtables lock. Perhaps you want to use the -w option?
if the Xtables lock is still set, i.e., another iptables operation is
currently in progress. This causes iptables commands not to be executed
at all if there are delays during the boot procedure, e.g. due to a slow
PPPoE dial-up procedure or similar.
To ensure deterministic behavior, this patch modifies initscripts to
always execute iptables to wait for the Xtables lock to be removed, to
make sure iptables rules are installed properly (the "firewall"
initscript is doing so already).
Fixes: #13896 - OpenVPN RW port not opened in firewall after reboot
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Peter Müller [Sun, 28 Sep 2025 22:29:00 +0000 (22:29 +0000)]
Tor: Update to 0.4.8.18
Changes in version 0.4.8.18 - 2025-09-16
This is a minor release with a major onion service directory cache (HSDir)
bug fix. A series of minor bugfixes as well. As always, we strongly recommend
to upgrade as soon as possible.
o Major bugfixes (onion service directory cache):
- Preserve the download counter of an onion service descriptor
across descriptor uploads, so that recently updated descriptors
don't get pruned if there is memory pressure soon after update.
Additionally, create a separate torrc option MaxHSDirCacheBytes
that defaults to the former 20% of MaxMemInQueues threshold, but
can be controlled by relay operators under DoS. Also enforce this
threshold during HSDir uploads. Fixes bug 41006; bugfix
on 0.4.8.14.
o Minor feature (padding, logging):
- Reduce the amount of messages being logged related to channel
padding timeout when log level is "notice".
o Minor features (fallbackdir):
- Regenerate fallback directories generated on September 16, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/09/16.
o Minor bugfix (conflux):
- Remove the pending nonce if we realize that the nonce of the
unlinked circuit is not tracked anymore. Should avoid the non
fatal assert triggered with a control port circuit event. Fixes
bug 41037; bugfix on 0.4.8.15.
o Minor bugfixes (circuit handling):
- Prevent circuit_mark_for_close() from being called twice on the
same circuit. Second fix attempt. Fixes bug 41106; bugfix
on 0.4.8.17.
o Minor bugfixes (threads):
- Make thread control POSIX compliant. Fixes bug 41109; bugfix
on 0.4.8.17-dev.
Changes in version 0.4.8.17 - 2025-06-30
This is a minor release providing a series of minor features especially in the realm
of TLS. It also brings a new set of recommended and required sub protocols.
And finally, a few minor bugfixes, nothing major. As always, we strongly
recommend you upgrade as soon as possible.
o Minor features (security, TLS):
- When we are running with OpenSSL 3.5.0 or later, support using the
ML-KEM768 for post-quantum key agreement. Closes ticket 41041.
o Minor feature (client, TLS):
- Set the TLS 1.3 cipher list instead of falling back on the
default value.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 30, 2025.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2025/06/30.
o Minor features (hsdesc POW):
- Tolerate multiple PoW schemes in onion service descriptors, for
future extensibility. Implements torspec ticket 272.
o Minor features (performance TLS):
- When running with OpenSSL 3.0.0 or later, support using
X25519 for TLS key agreement. (This should slightly improve
performance for TLS session establishment.)
o Minor features (portability):
- Fix warnings when compiling with GCC 15. Closes ticket 41079.
o Minor features (recommended protocols):
- Directory authorities now vote to recommend that clients support
certain protocols beyond those that are required. These include
improved support for connecting to relays on IPv6, NtorV3, and
congestion control. Part of ticket 40836.
o Minor features (required protocols):
- Directory authorities now vote to require clients to support the
authenticated SENDME feature, which was introduced in
0.4.1.1-alpha. Part of ticket 40836.
- Directory authorities now vote to require relays to support
certain protocols, all of which have been implemented since
0.4.7.4-alpha or earlier. These include improved support for
connecting to relays on IPv6, NtorV3, running as a rate-limited
introduction point, authenticated SENDMEs, and congestion control.
Part of ticket 40836.
o Minor bugfix (conflux):
- Avoid a non fatal assert when describing a conflux circuit on the
control port after being prepped to be freed. Fixes bug 41037;
bugfix on 0.4.8.15.
o Minor bugfixes (circuit handling):
- Prevent circuit_mark_for_close() from being called twice on the
same circuit. Fixes bug 40951; bugfix on 0.4.8.16-dev.
o Minor bugfixes (compiler warnings):
- Make sure the two bitfields in the half-closed edge struct are
unsigned, as we're using them for boolean values and assign 1 to
them. Fixes bug 40911; bugfix on 0.4.7.2-alpha.
o Minor bugfixes (threads, memory):
- Improvements in cleanup of resources used by threads. Fixes bug
40991; bugfix on 0.4.8.13-dev.
- Rework start and exit of worker threads.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 17:22:53 +0000 (19:22 +0200)]
expat: Update to version 2.7.3
- Update from version 2.7.2 to 2.7.3
- Update of rootfile
- Changelog
2.7.3
Security fixes:
Fix alignment of internal allocations for some non-amd64
architectures (e.g. sparc32); fixes up on the fix to
CVE-2025-59375 from #1034 (of Expat 2.7.2 and related
backports)
Fix a class of false positives where input should have been
rejected with error XML_ERROR_ASYNC_ENTITY; regression from
CVE-2024-8176 fix pull request #973 (of Expat 2.7.0 and
related backports). Please check the added unit tests for
example documents.
Other changes:
Prove and regression-proof absence of integer overflow
from function expat_realloc
Remove "harmless" cast that truncated a size_t to unsigned
Autotools: Remove "ln -s" discovery
docs: Be consistent with use of floating point around
XML_SetAllocTrackerMaximumAmplification
docs: Make it explicit that XML_GetCurrentColumnNumber starts at 0
docs: Better integrate the effect of the activation thresholds
docs: Fix an in-comment typo in expat.h
docs: Fix a typo in README.md
docs: Improve change log of release 2.7.2
xmlwf: Resolve use of functions XML_GetErrorLineNumber
and XML_GetErrorColumnNumber
Windows: Normalize .bat files to CRLF line endings
Version info bumped from 12:0:11 (libexpat*.so.1.11.0)
to 12:1:11 (libexpat*.so.1.11.1); see https://verbump.de/
for what these numbers do
Infrastructure:
CI: Cleanup UndefinedBehaviorSanitizer fatality
CI|Linux: Stop aborting at first job failure
CI|FreeBSD: Upgrade to FreeBSD 15.0
CI|FreeBSD: Do not install CMake meta-package
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 25 Sep 2025 11:12:52 +0000 (13:12 +0200)]
proxy.cgi: Further fix for bug 13893
- The previous patch for proxy.cgi was related to the mitigation provided by the bug reporter
for the parameter VISIBLE_HOSTNAME. This parameter, however, was not mentioned in the
description for that bug.
- The bug 13893 description mentions TLS_HOSTNAME, UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD, but it mentions them as being from dns.cgi,
which is incorrect except for TLS_HOSTNAME.
- The other parameters are from proxy.cgi, but no mitigation was shown for those in the
bug report.
- This patch adds fixes for the parameters UPSTREAM_USER, UPSTREAM_PASSWORD,
ADMIN_MAIL_ADDRESS, and ADMIN_PASSWORD.
Fixes: bug 13893 - proxy.cgi Multiple Parameters Stored Cross-Site Scripting
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>