Matthias Fischer [Thu, 21 May 2026 13:26:46 +0000 (15:26 +0200)]
rrdtool: Update to 1.10.2
Excerpt from "CHANGES":
"RRDtool 1.10.2 - 2026-05-19
===========================
Bugfixes
--------
* The Linux .deb packages were missing the Lua language binding @oetiker
* The Python binding is now installed with pip into a consistent, distribution-independent location @oetiker
Features
--------
* RPM releases now ship matching debuginfo and debugsource packages @oetiker
RRDtool 1.10.1 - 2026-05-19
===========================
Bugfixes
--------
* Modernize obsolete autoconf macros so configure regenerates cleanly with current autotools @oetiker
Features
--------
* Add more DEB and RPM package variants: Ubuntu 26.04, Debian 13, AlmaLinux 8/10, Fedora @oetiker
RRDtool 1.10.0 - 2026-05-19
===========================
Bugfixes
--------
* Mark the Ruby bindings as Ractor safe @LevitatingBusinessMan
* Fix Compatiblity with TCL-9 @yselkowitz
* Correctly link Ruby Bindings @LevitatingBusinessMan
* Fix MacOS Build error (no SOCK_CLOEXEC on mac) @ensc fixes oetiker#1261
* Fix build on 32bits platforms (like armhf) when time_t is 64bits, fixes #1264
* Fix compilation on illumos @hadfl
* Python2.3 is deprecated and therefore, the Python bindings should use Python3 as default @pticon
* Fix issue where RRDtool detects a LINE or AREA with a constant numeric value as being exportable
* Fix broken argc overflow check in rrdcached tune handler that rejected all tune commands @somethingwithproof
* Harden rrdcached pid file parsing and daemon options with strtol validation @somethingwithproof
* Add NULL, bounds, and zero-division safety guards in xport, graph, and graph_helper @somethingwithproof
* Escape control characters in JSON xport output per RFC 7159 @somethingwithproof fixes #1311
* Add pkg-config fallback for Perl and Ruby bindings when building standalone @somethingwithproof
* Export ABS_TOP_BUILDDIR to environment for Ruby extconf.rb during in-tree builds @somethingwithproof
* Fix parse_tick: shift the legend by 2 spaces for the "coloured-box" @neo954 #1314
Features
--------
* Add Georgian translation @NorwayFun
* Add -S short option for --step in rrdtool xport @somethingwithproof fixes #1310
* Automated release workflow: a single workflow_dispatch on master computes
the next SemVer, bumps version strings in-place, builds source tarball +
Windows MSVC zips + RPM (AlmaLinux) + DEB (Ubuntu/Debian) — the binary
packages install under /opt/rrdtool so they coexist with distro-maintained
rrdtool packages without touching the system. See .github/workflows/release.yml. @oetiker"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 21 May 2026 13:39:06 +0000 (15:39 +0200)]
rsync: Update to 3.4.3
For details see:
https://download.samba.org/pub/rsync/NEWS#3.4.3
"SECURITY FIXES:
Six CVEs are fixed in this release. All six are assigned by VulnCheck as
CNA. Affected versions are 3.4.2 and earlier in every case. Three of the
six (CVE-2026-29518, CVE-2026-43617, CVE-2026-43619) require non-default
daemon configuration to reach: the first and third need use chroot = no for
a module, the second needs daemon chroot = ... set in rsyncd.conf. Two
(CVE-2026-43618, CVE-2026-43620) are reachable from a normal pull or a
normal authenticated daemon connection. The sixth (CVE-2026-45232) is
reachable only when RSYNC_PROXY is set and the proxy (or a MITM) returns a
pathological response. Many thanks to the external researchers who reported
these issues.
CVE-2026-29518 (CVSS v4.0 7.3, HIGH): TOCTOU symlink race condition
allowing local privilege escalation in daemon mode without chroot. An
rsync daemon configured with "use chroot = no" was exposed to a
time-of-check / time-of-use race on parent path components: a local
attacker with write access to a module could replace a parent directory
component with a symlink between the receiver's check and its open(),
redirecting reads (basis-file disclosure) and writes (file overwrite)
outside the module. Default "use chroot = yes" is not exposed.
secure_relative_open() (added in 3.4.0 for CVE-2024-12086) was
previously unused in the daemon-no-chroot case; the fix enables it
there and reroutes the sender's read-path opens through it. Reported by
Nullx3D (Batuhan Sancak), Damien Neil and Michael Stapelberg.
CVE-2026-43617 (CVSS v3.1 4.8, MEDIUM): Hostname/ACL bypass on an rsync
daemon configured with daemon chroot = /X in rsyncd.conf when the
chroot tree lacks DNS resolution support. The reverse-DNS lookup of the
connecting client was performed after the daemon chroot had been
entered; if /X did not contain the libc resolver fixtures
(/etc/resolv.conf, /etc/nsswitch.conf, /etc/hosts, NSS service modules)
the lookup failed and the connecting hostname was set to "UNKNOWN",
causing hostname-based deny rules to silently fail open. IP-based ACLs
are unaffected. The per-module use chroot setting is unrelated to this
issue. The fix performs the lookup before entering the daemon chroot.
Reported by MegaManSec.
CVE-2026-43618 (CVSS v3.1 8.1, HIGH): Integer overflow in the
compressed-token decoder enabling remote memory disclosure to an
authenticated daemon peer. The receiver accumulated a 32-bit signed
counter without overflow checking; a malicious sender could trigger an
overflow that, with careful manipulation, leaked process memory
contents to the attacker -- environment variables, passwords, heap
and library pointers -- significantly weakening ASLR. The fix bounds
the counter and adds wire-input validation in several adjacent places
(defence-in-depth). Workaround for older releases: refuse options =
compress in rsyncd.conf. Reported by Omar Elsayed.
CVE-2026-43619 (CVSS v3.1 6.3, MEDIUM): Symlink races on path-based
system calls in "use chroot = no" daemon mode (generalisation of
CVE-2026-29518). Earlier fixes for symlink races on the receiver's
open() call missed the same race class on every other path-based system
call: chmod, lchown, utimes, rename, unlink, mkdir, symlink, mknod,
link, rmdir and lstat. The fix routes each affected path-based syscall
through a parent dirfd opened under RESOLVE_BENEATH-equivalent
kernel-enforced confinement (openat2 on Linux 5.6+, O_RESOLVE_BENEATH
on FreeBSD 13+ and macOS 15+, per-component O_NOFOLLOW walk elsewhere).
Default "use chroot = yes" is not exposed. Reported by Andrew Tridgell
as a follow-on audit of CVE-2026-29518.
CVE-2026-43620 (CVSS v3.1 6.5, MEDIUM): Out-of-bounds read in the
receiver's recv_files() enabling remote denial-of-service of any client
pulling from a malicious server (incomplete fix of commit 797e17f). The
earlier parent_ndx<0 guard added to send_files() was not applied to the
visually-identical block in recv_files(). A malicious rsync server can
drive any connecting client into a deterministic SIGSEGV by setting
CF_INC_RECURSE in the compatibility flags and sending a crafted file
list and transfer record. inc_recurse is the protocol-30+ default, so
no special options are required on the victim. Workaround for older
releases: --no-inc-recursive on the client. Reported by Pratham Gupta.
CVE-2026-45232 (CVSS v3.1 3.1, LOW): Off-by-one out-of-bounds stack
write in the rsync client's HTTP CONNECT proxy handler
(establish_proxy_connection() in socket.c). After issuing the CONNECT
request, rsync read the proxy's first response line one byte at a time
into a 1024-byte stack buffer with the bound cp < &buffer[sizeof buffer
- 1]. If the proxy (or a MITM in front of it) returned 1023+ bytes on
that first line without a newline terminator, cp exited the loop
pointing at a buffer slot the loop never wrote, leaving *cp holding
stale stack data from the earlier snprintf() of the outgoing CONNECT
request. The post-loop logic then wrote a single \0 one byte past the
end of the buffer on the stack. Reach is client-side only, and only
when RSYNC_PROXY is set so rsync tunnels an rsync:// connection through
an HTTP CONNECT proxy. The written byte is always \0 and the offset is
fixed by the buffer size, not attacker-chosen, so this is not an
arbitrary-write primitive: practical impact is corruption of one
adjacent stack byte and possible later misbehaviour or crash. The fix
detects the "buffer filled without finding \n" case explicitly by
position and refuses the response with "proxy response line too long".
Reported by Aisle Research via Michal Ruprich (rsync-3.4.1-2.el10 QE).
In addition to the six CVE fixes, this release adds defence-in-depth
hardening on several adjacent paths: bounded wire-supplied counts and
lengths in flist/io/acls/xattrs, a guard against length underflow in
cumulative snprintf() callers, a parent block-index bounds check on the
receiver, a NULL check in read_delay_line(), a lower ceiling on
MAX_WIRE_DEL_STAT to avoid signed-int overflow in the read_del_stats()
accumulator, rejection of hyphen-prefixed remote-shell hostnames
(defence-in-depth against argv-injection in tooling that forwards untrusted
input into the hostspec position; reported by Aisle Research via Michal
Ruprich), and a NULL-check on localtime_r() in timestring() to keep a
malicious server from crashing the client by advertising a file with an
out-of-range modtime.
BUG FIXES:
Fixed a regression introduced by the 3.4.0 secure_relative_open() CVE
fix where legitimate directory symlinks on the receiver side (e.g. when
using -K / --copy-dirlinks) caused "failed verification -- update
discarded" errors on delta transfers. The old code rejected every
symlink in the path with a per-component O_NOFOLLOW walk; the receiver
now uses kernel-enforced "stay below dirfd" path resolution where
available. Fixes #715.
PORTABILITY / BUILD:
secure_relative_open() now uses openat2(RESOLVE_BENEATH |
RESOLVE_NO_MAGICLINKS) on Linux 5.6+, and openat() with
O_RESOLVE_BENEATH on FreeBSD 13+ and macOS 15+ (Sequoia) / iOS 18+. The
kernel rejects ".." escapes, absolute symlinks, and symlinks whose
target lies outside the starting directory, while still following
symlinks that resolve within it -- the same trade-off that fixes the
issue #715 regression without weakening the original CVE protection.
Other platforms (Solaris, OpenBSD, NetBSD, Cygwin) retain the previous
per-component O_NOFOLLOW walk; on those platforms the issue #715
regression remains visible.
testsuite/xattrs: ignore SUNWattr_* in the Solaris xls helper.
DEVELOPER RELATED:
Added testsuite/symlink-dirlink-basis.test (taken from PR #864 by
Samuel Henrique) covering the issue #715 regression and several edge
cases (--backup, --inplace, --partial-dir with protocol < 29, top-level
files). The test skips on platforms without a RESOLVE_BENEATH
equivalent.
Added regression tests for the new security fixes:
chmod-symlink-race.test, chdir-symlink-race.test,
bare-do-open-symlink-race.test, alt-dest-symlink-race.test,
copy-dest-source-symlink.test, sender-flist-symlink-leak.test,
secure-relpath-validation.test, daemon-chroot-acl.test and
daemon-refuse-compress.test. The symlink-race tests skip on Cygwin,
Solaris, OpenBSD and NetBSD (no RESOLVE_BENEATH equivalent on those
platforms).
runtests.py now errors early with a clear message when any of the test
helper programs (tls, trimslash, t_unsafe, t_chmod_secure,
t_secure_relpath, wildtest, getgroups, getfsdev) are missing, instead
of letting many tests fail with confusing "not found" errors.
Added OpenBSD and NetBSD CI jobs that run make check on those
platforms.
Added Ubuntu 22.04 and AlmaLinux 8 CI workflows so future backports to
the two mainstream LTS families build and test on the same CI surface
as trunk.
testsuite/protected-regular.test now runs unprivileged via unshare with
user-namespace UID mapping, falling back to skip if unshare/uidmap is
not available; previously it required real root.
Added symlink-dirlink-basis to the Cygwin CI's expected-skipped list.
Removed the old release system (replaced by the new release script in
3.4.2)."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Matthias Fischer [Thu, 21 May 2026 13:29:50 +0000 (15:29 +0200)]
unbound: Update to 1.25.1
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-25-1
"Bug Fixes
Fix CVE-2026-33278, Possible remote code execution during DNSSEC
validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie,
padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
Griffiths from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang,
Palo Alto Networks, for the report.
Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
Zhang from Palo Alto Networks, for the report.
Fix CVE-2026-42534, Jostle logic bypass degrades resolution
performance. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42923, Degradation of service with unbounded NSEC3 hash
calculations. Thanks to Qifan Zhang, Palo Alto Networks, for the
report.
Fix CVE-2026-42960, Possible cache poisoning attack while following
delegation. Thanks to TaoFei Guo from Peking University, Yang Luo and
JianJun Chen, Tsinghua University, for the report.
Fix CVE-2026-44390, Unbounded name compression in certain cases causes
degradation of service. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks to
Qifan Zhang, Palo Alto Networks, for the report."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Thu, 21 May 2026 08:59:06 +0000 (08:59 +0000)]
unbound: Update to 1.25.1
This release consolidates security fixes for issues reported over
a period of time. There are fixes for CVE-2026-33278,
CVE-2026-42944, CVE-2026-42959, CVE-2026-32792, CVE-2026-40622,
CVE-2026-41292, CVE-2026-42534, CVE-2026-42923, CVE-2026-42960,
CVE-2026-44390 and CVE-2026-44608.
Bug Fixes
Fix CVE-2026-33278, Possible remote code execution during DNSSEC
validation. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid,
cookie, padding EDNS options. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious
content. Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew
Griffiths from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan
Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-41292, Parsing a long list of incoming EDNS options
degrades performance. Thanks to GitHub user 'N0zoM1z0', also Qifan
Zhang from Palo Alto Networks, for the report.
Fix CVE-2026-42534, Jostle logic bypass degrades resolution
performance. Thanks to Qifan Zhang, Palo Alto Networks, for the
report.
Fix CVE-2026-42923, Degradation of service with unbounded NSEC3
hash calculations. Thanks to Qifan Zhang, Palo Alto Networks, for
the report.
Fix CVE-2026-42960, Possible cache poisoning attack while following
delegation. Thanks to TaoFei Guo from Peking University, Yang Luo
and JianJun Chen, Tsinghua University, for the report.
Fix CVE-2026-44390, Unbounded name compression in certain cases
causes degradation of service. Thanks to Qifan Zhang, Palo Alto
Networks, for the report.
Fix CVE-2026-44608, Use after free and crash in RPZ code. Thanks
to Qifan Zhang, Palo Alto Networks, for the report.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 20 May 2026 20:15:49 +0000 (22:15 +0200)]
squid: Add --without-nettle to configure options
- nettle-4.0 has various API/ABI changes that prevent squid from building.
- input from @michael was to use the --without-nettle configure option until the squid
dev team provide an update for the API/ABI changes and squidf in IPFire is migrated
successfully from the 6.x branch to the 7.x branch
- All other packages that use nettle, such as gnutls etc have updated versions capable
of working with nettle-4.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 20 May 2026 20:15:48 +0000 (22:15 +0200)]
nettle: Update to version 4.0
- Update from version 3.10.2 to 4.0
- Update of rootfile
- Changelog
4.0
This is a new major release. It includes one new feature,
support for SLH-DSA. There are several changes to Nettle's
API, as well as deletion of obsolete features. There are also
several improvements to the ABI that leaves the API mostly
unchanged, in particular, smaller context structs for several
algorithms.
The most disruptive API change is that the *_digest functions
no longer takes the desired digest size as argument. Truncated
hashes appeared to be an important use case decades ago when
the previous interface was designed, but that is now rather
obscure.
Feedback on the new interfaces is appreciated, e.g., if the
variable tag length for OCB and CCM should be supported
differently, if additional types would benefit from larger
alignment, or if there are remaining interface bugs or
inconsistencies. Smaller additional API or ABI changes may be
considered for the next release, Nettle-4.1, but after that,
the intention is that both ABI and API should stay backwards
compatible for a longer time.
The shared library names are libnettle.so.9.0 and
libhogweed.so.7.0, with new sonames libnettle.so.9 and
libhogweed.so.7.
Interface changes:
* The _digest functions for hash algorithms, MACs and AEADs no
longer take the desired digest size as argument, instead,
they always produce the full-size digest. The typedef
nettle_hash_digest_func has also been changed accordingly.
There are two exceptions: CCM and OCB. These AEAD algorithms
are specified with a variable tag length, which is not a
mere truncation of the output. Their _digest functions
(ccm_digest, ocb_digest, ccm_ae128_digest, ...) also have
their length argument deleted, but they still produce a
variable size digest. The number of octets to write (at most
16) is stored into the context struct by the corresponding
_set_nonce function.
* The functions to process complete messages using CCM AES now
take a const cipher context as the first argument, e.g,
first argument to ccm_aes128_encrypt_message is now a const
struct aes128_ctx *. It used to be a struct ccm_aes128_ctx
*, where everything but the underlying cipher context was
ignored.
* The SHA3 functions now use the same struct sha3_ctx for all
flavors, and the same function sha3_init. Old names, e.g.,
sha3_256_ctx and sha3_256_init, are defined as preprocessor
aliases, for backwards compatibility.
* The dst_length argument to base16_decode_update and
base64_decode_update is now both an input and output
argument. On input it must now hold the size of the
destination buffer, and decoding fails if that is not
sufficient. Previously, dst_length was an output only, and
it was required that the destination buffer was large enough
for any input of the given src_length.
Interface deletions:
* Deleted the old struct aes_ctx, and all functions operating
on it. Use the fixed key size interfaces instead, e.g.,
struct aes256_ctx, introduced in Nettle-3.0.
* Deleted dsa-compat.h, and everything declared therein. Use
the interface in dsa.h, introduced in Nettle-3.0.
* Deleted old header sha.h. Use sha1.h or sha2.h instead, as
appropriate.
* Deleted the general HMAC interface, with functions like
hmac_set_key that work with an arbitrary underlying hash
function. Use the specific hmac functions instead, e.g.,
hmac_sha256_set_key, or the mac abstraction defined in
nettle-meta.h, e.g, the nettle_hmac_sha256 instance.
* Deleted the undocumented struct nettle_armor abstraction.
* Deleted the undocumented function base64_encode_group.
* Deleted md5-compat.h, and everything declared therein. Use
the interface in md5.h instead (or even better, stop using md5).
* Deleted pgp.h, and everything declared therein. This attempt
to support openpgp formats was incomplete, undocumented, and
mostly obsolete.
* Delete all the *_DATA_SIZE compatibility aliases. Use
corresponding *_BLOCK_SIZE constants instead, introduced in
Nettle-3.0.
* Deleted the obsolete functions _rsa_blind and _rsa_unblind.
(Current RSA blinding in Nettle uses internal functions with
a different interface).
* Delete compatibility aliases salsa20_set_iv,
SALSA20_IV_SIZE. These were renamed to salsa20_set_nonce and
SALSA20_NONCE_SIZE in Nettle-3.0.
* Deleted compatibility aliases _nettle_md5_compress,
_nettle_sha1_compress. These internal functions were
promoted to documented and supported functions in
Nettle-3.9, with new names md5_compress and sha1_compress.
* Deleted compatibility alias yarrow_force_reseed. Renamed to
yarrow_slow_reseed in Nettle-2.0.
ABI changes and improvements.
* Introduce 16-byte alignment on certain types. Applied to
union nettle_block16, and subkey arrays of AES and UMAC.
This is intended to improve performance for SIMD load and
store instructions, which on some platforms may be faster
with proper alignment. The larger alignment is enabled only
for platforms where the alignment of the uint64_t type is 8.
* Size of struct gcm_key is reduced from 4096 bytes to 2048.
* Size of the new sha3_ctx is considerable smaller, 216 bytes,
than the previous types that included a buffer for a
complete block. E.g., the largest one, for sha3_128_ctx
(shake128), used to be 376 bytes.
* Size of HMAC contexts have been reduced, by not including
multiple block buffers. E.g, size of struct hmac_sha256_ctx
reduced from 336 bytes to 192. This change has been
discussed for a long time, with first attempt made by Dmitry
Baryshkov years ago, but delayed, since it implies an ABI
break.
* For OCB block counters, use type uint32_t for blocks of
associated data, and uint64_t for message blocks, instead of
size_t. This makes the implementation limits the same for
32-bit and 64-bit platforms.
Bug fixes:
* Fix off-by-one bug in sexp parser, which could result in a
one byte overread on invalid input. Also fix excessive
recursion and stack usage for some inputs. Both problems
reported via oss-fuzz.
* Fix ed448_shake256_verify to check that the final signature
octet is zero (previous versions completely ignored this
somewhat redundant octet). Reported by Oren Yomtov.
New features:
* Support for SLH-DSA signatures (stateless hash-based digital
signature algorithm). See the Nettle manual for details.
* New public function drbg_ctr_aes256_update, to enable
FIPS-compliant reseeding. Contributed by Daiki Ueno.
Configure and build changes:
* Support for at least C99 is required when building Nettle.
In addition, support for alignof and alignas is required;
these are part of C11, but intention is that this is the
only required C11 feature.
* The unusual configure options --with-lib-path and
--with-include-path has been deleted. Use CFLAGS and LDFLAGS
instead. This implies that Nettle's configure script no
longer attempts to add rpath-related linker flags
automagically; if any are needed, they must be passed in
LDFLAGS.
* The logic to sometimes change the default libdir has been
deleted. Previously, configure tried to be helpful and
change the default, e.g., to ${exec_prefix}/lib32 when you
build 32-bit libraries on a system where ${exec_prefix}/lib
is for 64-bit libraries. If you relied on this behavior, you
now have to use the --libdir configure option.
* Rearranged getopt files, now based on gnulib copies.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 20 May 2026 16:09:41 +0000 (18:09 +0200)]
tshark: Update to version 4.6.6
- Update from version 4.6.5 to 4.6.6
- Update of rootfile
- 1 vulnerability fix
- Changelog
4.6.6
The following vulnerabilities have been fixed:
wnpa-sec-2026-51 ROHC protocol dissector crash. Issue 21243.
The following bugs have been fixed:
Wireshark crashes when run under Visual Studio on Windows. Work item 24787.
Welcome page slide preferences are now available in the preferences window.
vwr: Read of uninitialized memory in pntoh16. Issue 16460.
vwr: Read of uninitialized memory in find_signature. Issue 16461.
Upgrades on Windows do not retain existing optional features unless explicitly
requested, resulting in accidental removal of features. Issue 18925.
Wireshark.exe version 4.6.5 is twice as large as version 4.6.4. Issue 21233.
MACsec dissector global-buffer-overflow. Issue 21235.
Wireshark 4.6.5 does not run on Windows 10 version 1809 (including Server 2019
and some LTSC versions) Issue 21237.
Fuzz job issue: fuzz-2026-05-02-14184750352.pcap. Issue 21240.
packet-bacapp: rename aurth-request to auth-request. Issue 21246.
Fuzz job issue: randpkt-2026-05-10-14293434231.pcap. Issue 21253.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 20 May 2026 15:15:44 +0000 (16:15 +0100)]
sambactrl: Fix local priviledge escalation
From the reporter:
LPE in /usr/local/bin/sambactrl 'join' action
File: src/misc-progs/sambactrl.c, lines 117-126.
All other actions call is_valid_argument_alnum() on argv[2]. The
'join' branch skips it entirely and feeds argv[2]/argv[3] into
snprintf + safe_system (which is /bin/sh -c). Binary is installed
-m 4750 -g nobody (src/misc-progs/Makefile:41), so any nobody-context
process can invoke it and escalate to root.
Reported-by: valent1 <gooads612@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 20 May 2026 15:04:25 +0000 (16:04 +0100)]
samba: Fix shell command execution vulnerability in join operation
From the reporter:
File: html/cgi-bin/samba.cgi, lines 96-98 and 790-798.
joindomain() builds @options = ("/usr/local/bin/sambactrl","join",
$username, $password) and runs qx(@options). In Perl, qx(@array)
joins with $" and passes the result to /bin/sh -c. POST parameters
USERNAME and PASSWORD reach this with no validation on the 'join'
code path. RCE as the web user (nobody).
Reported-by: valent1 <gooads612@gmail.com> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
