Adolf Belka [Mon, 8 Apr 2024 16:57:21 +0000 (18:57 +0200)]
configroot: Add in LOGDROPHOSTILExxx values
- I checked out doing a fresh install of CU184 and found that although the
LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as "on" the values were not
in the /var/ipfire/optionsfw/settings file.
- After some investigfation I realised that when I created the LOGDROPHOSTILE split into
incoming and outgoing I had not added them into the configroot lfs file.
- This patch adds the two entries and this was tested out with a fresh install and
confirmed to update the settings file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Mon, 8 Apr 2024 14:57:49 +0000 (14:57 +0000)]
suricata: Enable midstream scanning
We require this because Suricata might be restarted due to development
or rule refreshment purposes. We should then try to resume any
decoders/app-layers wherever possible.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 5 Apr 2024 19:26:40 +0000 (21:26 +0200)]
suricata: Set midstream-policy to pass-packet
Set this value to the same as the exception-policy to keep in sync and
hopefully have the same behaviour. In case this option is not set an
ugly message about a not correctly set value will be logged to syslog
during startup.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Stefan Schantl [Fri, 5 Apr 2024 19:26:37 +0000 (21:26 +0200)]
suricata: Update suricata.yaml
Updata the configuration file for suricata 7.
This includes:
* Default values for newly introduced features and parsers
* Enable recently added protocol parsers for HTTP2, QUIC, Telnet and Torrent
* Update of URL for documentation
* Fixes of various typos and other clarifications
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Michael Tremer [Wed, 3 Apr 2024 20:42:13 +0000 (21:42 +0100)]
suricata: Disable fail-open on NFQUEUE
This change causes that if suricata crashes, the NFQUEUE will no longer
fall into a mode where ALL packets are being accepted. This used the be
the case before which opened the entire firewall.
If suricata randomly crashes, we will fall back to the "bypass" mode
where packets will bypass suricata, but nothing else.
Fixes: #13642 Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 30 Mar 2024 08:14:58 +0000 (09:14 +0100)]
xz: Revert back to version 5.4.5 due to backdoor issue
- xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have
been one of the xz devs.
- IPFire looks not to be affected by the problem as we don't patch openssh to be linked
with liblzma
- However due to question marks about what else might be in these 5.6.x versions it is
better to revert back to a version that did not have the build-to-host.m4 file with the
code that modifies the build if it meets certain criteria.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Mar 2024 17:44:56 +0000 (18:44 +0100)]
CU185-update.sh: Add drop hostile in & out logging entries if not already present
- This v2 patch corrects that the previous script was looking for =on. If a user had
modified the preferences to change it to =off then the script would have resulted in
both =on and =off versions being in the settings file.
- This patch ensures that those people who updated to CU184 before the CU184-update.sh
patch fix to add the logging entries was added will get their optionsfw settings file
correctly updated with CU185
- This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do not already
exist in the optionsfw settings file.
- This change also does the check for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT as two
separate checks and then runs the firewall update command
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 25 Mar 2024 13:41:38 +0000 (14:41 +0100)]
shadow: Update login.defs to remove reference to cracklib
- From shadow-15.0.0 all references to cracklib were removed from shadow. Apparently
some functions were no longer accessible and the shadow team decided to remove cracklib
references completely. This was not mentioned in the changelkog for 15.0.0
- This resulkts in gettinbg the message configuration error - unknown item
'CRACKKLIB_DICTPATH' ( notify administrator ) when logging in to the console.
- The login to the console occurs successfully so the message is only a warning that
cracklib is no longer used.
- IPfire does not use cracklkib anyway so this patch removes the section referring to
cracklib from the login.defs configuration file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 20 Mar 2024 14:43:27 +0000 (15:43 +0100)]
CU185-update.sh: Add drop hostile in & out logging entries if not already present
- This patch ensures that those people who updated to CU184 before the CU184-update.sh
patch fix to add the logging entries was added will get their optionsfw settings file
correctly updated with CU185
- This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do noit already
exist in the optionsfw settings file.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 18 Mar 2024 18:43:14 +0000 (19:43 +0100)]
wsdd: Update install and uninstall pak files
- As wsdd is now started by samba when it is started then the wsdd install and uninstall
paks no longer need to create the symlinks for starting and stopping wsdd and no longer
need the start_service and stop_service commands in the paks.
Fixes: bug#13445 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 18 Mar 2024 18:43:13 +0000 (19:43 +0100)]
wsdd: Update of lfs file - fixes bug#13445
- Removal of services line as wsdd will now be started by the samba option in the addon
services wui page
- Removal of installing separate wsdd initscript as it is nowe integrated into the samba
initscript.
Fixes: bug#13445 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 18 Mar 2024 18:43:12 +0000 (19:43 +0100)]
wsdd: remove wsdd initscript as now covered by samba - fixes bug#13445
Fixes: bug#13445 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 18 Mar 2024 18:43:11 +0000 (19:43 +0100)]
samba: Integrate wsdd initscript into samba initscript - bug#13445
- This integrates the wsdd initscript functions into the samba initscript. When samba is
started or stopped or the status requested then wsdd is part of that process.
- Tested in my vm testbed and confirmed to work for start, stop and status. Confirmed
pid's shown with status command are in the appropriate pid files.
Fixes: bug#13445 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Fri, 15 Mar 2024 12:38:06 +0000 (13:38 +0100)]
ppp: Update to include bug fixes that should be in 2.5.1 but not yet released
- Update from version 2.5.0 to commit e1266c7
- Update of rootfile
- When ppp-2.5.0 was released it had a bug bin it that the lock and run directories
had non standard defaults but also that if the directory did not exist ppp just
ignored it and continued to start but would then have error messages in the logs about
not being able to cretae the lock file
- This issue was raised in the ppp github issues and a set of patches merged into ppp.
- The plan was written in Nov 2023 that this would be released as 2.5.1, however nearly
three months later there is no sight of 2.5.1 being released and people continue to
flag up the lock directory issues and have to apply a workaround to create the directory
in local.rc
- This patch has taken the zip source tarball of master at the commit e1266c7. The zip
tarball was then extracted and then tar'd back up as a tar.gz file with the version set
at e1266c7 rather than master. I could not find any other way to get a source tarball\
created at a certain commit stage.
- The patch ppp-2.5.0-2-everywhere-O_CLOEXEC-harder.patch had to be updated due to some
changes in the source files.
- The patch ppp-2.5.0-7-add-configure-check-to-see-if-we-have-struct-sockaddr_ll.patch
was removed as the changes are now built into the source tarball.
- This will need to be tested thoroughly by people with ppp to confirm that the lock
directory is created if it doesn't exist on the system. I can't test that as I have
no access to a ppp connection system.
- For a view of the changelog between 2.5.0 and e1266c7 the github commits list needs to
be reviewed. https://github.com/ppp-project/ppp/commits/master/?before=e1266c76d1ad39f98f11676e34f180f78c5a510c+35
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Sat, 16 Mar 2024 09:32:54 +0000 (10:32 +0100)]
CU184-update.sh: Add drop hostile in & out logging entries
- My drop hostile patch set updated the WUI entries to include in and out logging options
but the values need to be added to the optionsfw entries for existing systems being
upgraded.
- After the existing CU184 update the LOGDROPHOSTILEIN and LOGDROPHO)STILEOUT entries
are not in the settings file which trewats them as being set to off, even though they
are enabled in the WUI update.
- This patch adds the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries into the settings
file and then runs the firewallctrl command to apply to the firewall.
- Ran a CU184 update on a CU183 vm system and then ran the comands added into the update.sh
script and then did a reboot. Entries include and DROP_HOSTILE entries start to be
logged again.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Jon Murphy [Mon, 11 Mar 2024 23:45:00 +0000 (18:45 -0500)]
time.cgi: add current date-time to this WebGUI page
- added words and date-time format to english (en.pl)
- other languages are needed
- seconds included since time is accurate to < .1s
https://git.ipfire.org/?p=ipfire-2.x.git;a=commit;h=2234e8aacac2e0d0b06dac4513585c15c2b3b440
Code-by: Leo-Andres Hofmann <hofmann@leo-andres.de> Signed-off-by: Jon Murphy <jon.murphy@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 16:52:08 +0000 (17:52 +0100)]
expat: Update to version 2.6.2
- Update from version 2.6.1 to 2.6.2
- Update of rootfile
- Changelog
2.6.2
Security fixes:
#839 #842 CVE-2024-28757 -- Prevent billion laughs attacks with
isolated use of external parsers. Please see the commit
message of commit 1d50b80cf31de87750103656f6eb693746854aa8
for details.
Bug fixes:
#839 #841 Reject direct parameter entity recursion
and avoid the related undefined behavior
Other changes:
#847 Autotools: Fix build for DOCBOOK_TO_MAN containing spaces
#837 Add missing #821 and #824 to 2.6.1 change log
#838 #843 Version info bumped from 10:1:9 (libexpat*.so.1.9.1)
to 10:2:9 (libexpat*.so.1.9.2); see https://verbump.de/
for what these numbers do
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:58 +0000 (14:32 +0100)]
xz: Update to version 5.6.1
- Update from version 5.6.0 to 5.6.1
- Update of rootfile
- Changelog
5.6.1
* liblzma: Fixed two bugs relating to GNU indirect function (IFUNC)
with GCC. The more serious bug caused a program linked with
liblzma to crash on start up if the flag -fprofile-generate was
used to build liblzma. The second bug caused liblzma to falsely
report an invalid write to Valgrind when loading liblzma.
* xz: Changed the messages for thread reduction due to memory
constraints to only appear under the highest verbosity level.
* Build:
- Fixed a build issue when the header file <linux/landlock.h>
was present on the system but the Landlock system calls were
not defined in <sys/syscall.h>.
- The CMake build now warns and disables NLS if both gettext
tools and pre-created .gmo files are missing. Previously,
this caused the CMake build to fail.
* Minor improvements to man pages.
* Minor improvements to tests.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:57 +0000 (14:32 +0100)]
wget: Update to version 1.24.5
- Update from version 1.21.4 to 1.24.5
- Update of rootfile not required
- Changelog
1.24.5
** Fix how subdomain matches are checked for HSTS.
Fixes a minor issue where cookies may be leaked to the wrong domain
** Wget will now also parse the srcset attribute in <source> HTML tags
** Support reading fetchmail style "user" and "passwd" fields from netrc
** In some cases, prevent the confusing "Cannot write to... (success)" error messages
** Support extremely fast download speeds (TB/s).
Previously this would cause Wget to crash when printing the speed
** Improve portability on OpenBSD to run the test suite
** Ensure that CSS URLs are corectly quoted (Bug: 64082)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3450100 to 3450200
- Update of rootfile not required
- Changelog 3450200 (3.45.2)
Fix an error in UPSERT, introduced by enhancement 3a in version 3.35.0
(2021-03-12), that could cause an index to get out-of-sync with its table. Forum
thread 919c6579c8.
Reduce the scope of the NOT NULL strength reduction optimization that was added as
item 8e in version 3.35.0 (2021-03-12). The optimization was being attempted in
some contexts where it did not work, resulting in incorrect query results. Forum
thread 440f2a2f17.
Other trifling corrections and compiler warning fixes that have come up since the
previous patch release.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:56 +0000 (14:32 +0100)]
tcl: Update to version 8.6.14
- Update from version 8.6.13 to 8.6.14
- Update of rootfile
- Changelog
8.6.14
This is a patch release, so it primarily includes bug fixes and corrections
to erratic behavior. Highlighted changes are noted below. The changes file
at the root of the source tree contains a more complete list. The Timelines
of all changes are online.
http://core.tcl-lang.org/tcl/timeline
http://core.tcl-lang.org/tk/timeline
* [TIP 402] revise path normalization for x-platform UNC path support
*** POTENTIAL INCOMPATIBILITY ***
* Harmonize Tk's parse of numbers (screen distance, etc) with Tcl
*** POTENTIAL INCOMPATIBILITY ***
* Iconlist ignores options db for fg text color; affects dialogs
*** POTENTIAL INCOMPATIBILITY ***
* Aqua: XPutImage() swaps red and blue channels
*** POTENTIAL INCOMPATIBILITY ***
* [encoding convertfrom] handling of incomplete code sequences
*** POTENTIAL INCOMPATIBILITY ***
* Harmonize handling of ~ in paths across platforms.
*** POTENTIAL INCOMPATIBILITY ***
* Fix menu clone binding misbehavior, menu-20.1[2-6].
*** POTENTIAL INCOMPATIBILITY ***
* Improved performance of [exec] and [open |$cmd] on unix-lke
systems, especially with large memory footprints.
* Improve performance of large treeview destruction.
* Improve performance of large image insertions into text.
* Improve widget creation performance due to poor font caching.
* Fix notebook tab appearances when placed on edge other than top.
* Enable treeview display of partial final line.
* Win: restore [exec %var%] that was dropped in 8.6.13.
* Allow [chan create {} $cmd]. Enables simulation of server channels.
* Allow return from [tk scaling] in safe interps.
* Prevent navigation by word exposing clues to masked entry contents.
* Fix crashes or hangs in...
- [chan pop] with pending input
- thread finalization of reflected channels
- [label .l -bitmap floppy]
- [set tcl_precision 15; expr 6.4623485355705287e-27]
- [tk busy forget] and [tk busy hold]
- channel read into "string" Tcl_Obj can BO, and perform poorly
- KVO crash after destroying Aqua's first root toplevel
- Test treeview-6ee162c3f9
- Test tailcall-bug-784befb0ba
- Tests menu-40.[12]
* Repair memory leaks and errors
- Eliminate undefined realloc() calls
- Silence many warnings from -fsanitize=function
- Flawed interfacing with XIM
- Tcl_UtfToExternal writing to one-byte buffer
- Tcl_UtfToUniChar() handling of 0xC1.
- Tk_ConfigureValue could call wrong free() routine.
- tests getuncichar-1.* in utf.test
- ...and many more
* No more support for 32-bit Cygwin
* ::tcl_platform(osVersion) updated to report Windows 11
* Accommodate macOS deprecation of sprintf()
* Silence macOS 14 warnings about secure restorable state.
* Code changes to support ASan use-after-return detection
* Revise Tcl_MakeFileChannel() to better partner with pledge()
* Prevent false [clock format] error reports on FreeBSD
* Region clip & copy make better use of OS facilities.
* Update handling of Apple FourCC creator codes.
* Text selection omits first character, text-38.1
* Windows: improved support of non-BMP pathnames
* Fixed some Y2038 limitations
* Fix photo color drawing on X11 32-bit visuals.
* Fix <<MenuSelect>> regression on menus with -tearoff
* Correct rounding of [nsFont pointSize].
* zlib comment/filename error handling (zlib-8.19, zlib-8.2[012])
* Prevent theme change attempts after Tk finalize.
* Make dialogs robust against parent destruction.
* Make [tk_chooseColor] robust against failed grab.
* Fix menu parsing of @x,y indices. menu-22.[6-9]
* Fix inconsistent results from [font measure].
* Fixed [clock scan|add] handling of abbreviated options
* Avoid endless loops replacing [unknown] or [history].
* Fix polluted error messages from [send -option].
* PNG photo image decoder missed a 0xFF entry.
* Fix failing winTime-2.1 on Windows
* test string-2.20.1 failed on big endian platforms
* Updated bundled packages, libraries, standards, data
- Itcl 4.2.4
- sqlite3 3.44.2
- Thread 2.8.9
- TDBC* 1.1.7
- tcltest 2.5.7
- libtommath 1.2.1
- zlib 1.3.1
- Unicode 15.1
- tzdata 2024a
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:54 +0000 (14:32 +0100)]
shadow: Update to version 4.15.0
- Update from 4.14.5 to 4.15.0
- Update of rootfile not required
- Changelog
4.15.0
libshadow:
Fix build error (parameter name omitted).
Build system:
Link correctly with libdl.
Install pam configs for chpasswd(8) and newusers(8) when using
./configure --with-libpam --disable-account-tools-setuid.
Merge libshadow and libmisc into a single libshadow. This fixes
problems in the linker, which were reported at least in Gentoo.
Fix build with musl libc.
Support out of tree builds
useradd(8):
Set proper SELinux labels for def_usrtemplate
4.14.6
login(1):
Fix off-by-one bugs.
passwd(1):
Don't silently truncate passwords of length >= 200 characters.
Instead, accept a length of PASS_MAX, and reject longer ones.
libshadow:
Fix calculation in strtoday(), which caused a wrong half-day
offset in some cases.
Fix parsing of dates in get_date().
Use utmpx instead of utmp. This fixes a regression introduced in 4.14.0.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:53 +0000 (14:32 +0100)]
sdl2: Update to version 2.30.1
- Update from version 2.28.5 to 2.30.1
- Update of rootfile
- Changelog
2.30.1
Fixed a regression causing SDL_WaitEvent() to return spurious failures
Fixed X11 cursors on the latest release of GNOME
Wayland windows automatically have OpenGL enabled again
Fixed memory corruption when converting signed 16-bit audio to float
Fixed audio artifacts when converting signed 8-bit audio to float
Fixed the clip rectangle not being updated when the viewport changes in the SDL renderer
Convert mouse wheel coordinates to the rendering view in the SDL renderer
Fixed a crash handling controllers on macOS
Fixed a crash setting a window fullscreen with Emscripten
Fixed the keyboard automatically popping up when resuming an application on Android
2.30.0
In addition to lots of bug fixes, here are the major changes in this release:
General:
Added support for 2 bits-per-pixel indexed surface formats
Added the function SDL_GameControllerGetSteamHandle() to get the Steam API handle for a controller, if available
Added the event SDL_CONTROLLERSTEAMHANDLEUPDATED which is sent when the Steam API handle for a controller changes. This could also change the name, VID, and PID of the controller.
Added the environment variable SDL_LOGGING to control default log output
macOS:
Added the hint SDL_HINT_JOYSTICK_IOKIT to control whether the IOKit controller driver should be used
Added the hint SDL_HINT_JOYSTICK_MFI to control whether the GCController controller driver should be used
Added the hint SDL_HINT_RENDER_METAL_PREFER_LOW_POWER_DEVICE to choose whether high or low power GPU should be used for rendering, in the case where there are multiple GPUs available
Xbox:
Added the function SDL_GDKGetDefaultUser()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:52 +0000 (14:32 +0100)]
poppler: Update to version 24.03.0
- Update from version 24.01.0 to 24.03.0
- Update of rootfile
- find-dependencies run due to sobump. No issues found
- Changelog
24.03.0:
core:
* Fix opening some malformed files. Issue #1447
* Skip drawing image when it has singular matrix. Issue #1114
* Fix crash on malformed files
* Small internal code cleanup
utils:
* pdfdetach: Fix potential directory traversal
* pdfimages: Enable to print filenames to stdout.
* pdfsig: Add visible name/date when signing an existing form signature field
24.02.0:
core:
* Fix reading some JBIG2 streams. Issue #1319
* Fix saving some annotation interior color when it's empty
* Make searching for fonts when adding annotations a bit faster
* Make sure images are compressed when adding them
* Small internal code cleanup
utils:
* pdfimages: return exit code 2 when error opening output files
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:51 +0000 (14:32 +0100)]
opus: Update to version 1.5.1
- Update from version 1.4 to 1.5.1
- Update of rootfile
- Changelog
1.5.1
Opus 1.5.1 fixes the meson build that was broken in 1.5.
1.5
Opus 1.5 is the first release to make extended use of ML in the encoder and
decoder. You can read all the details in the release demo page. In summary, major
changes since 1.4 include:
Significant improvement to packet loss robustness using Deep Redundancy (DRED)
Improved packet loss concealment through Deep PLC
Low-bitrate speech quality enhancement down to 6 kb/s wideband
Improved x86 (AVX2) and Arm (Neon) optimizations
Support for 4th and 5th order ambisonics
In addition to the improvements above, this release includes many minor bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:50 +0000 (14:32 +0100)]
meson: Update to version 1.4.0
- Update from version 1.3.1 to 1.4.0
- Update of rootfile
- Changelog is available on meson website https://mesonbuild.com/Release-notes-for-1-4-0.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Thu, 14 Mar 2024 13:32:49 +0000 (14:32 +0100)]
iproute2: Update to version 6.8.0
- Update from version 6.7.0 to 6.8.0
- Update of rootfile
- Changelog is only available from the git commits.
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Wed, 13 Mar 2024 22:12:12 +0000 (23:12 +0100)]
dns.cgi: Add use Encode + encode back to UTF-8
- use Encode was missed out in the previous patch for dns.cgi This would mean that the
decode from UTF-8 would fail. I had tested the previous change but forgot to copy across
the use Encode line when I created the patch.
- This patch adds an encode back to UTF-8 after running the cleanhtml command. This way
the text is decoded from UTF-8 so that the cleanhtml command works correctly on
umlauted characters and then is encoded back to UTF-8 so that all text in the cgi page
is UTF-8.
Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 12 Mar 2024 10:07:10 +0000 (11:07 +0100)]
openjpeg: Update to version 2.5.2
- Update from version 2.5.0 to 2.5.2
- Update of rootfile
- Changelog
2.5.2 (Feb 2024)
No API/ABI break compared to v2.5.1
* Make sure openjpeg.h includes opj_config.h [\#1514](https://github.com/uclouvain/openjpeg/issues/1514)
2.5.1 (Feb 2024)
No API/ABI break compared to v2.5.0
* CMake: drop support for cmake < 3.5
* Several bugfixes, including [\#1509](https://github.com/uclouvain/openjpeg/pull/1509) for CVE-2021-3575
* Significant speed-up rate allocation by rate/distoratio ratio [\#1440](https://github.com/uclouvain/openjpeg/pull/1440)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 12 Mar 2024 10:07:08 +0000 (11:07 +0100)]
libplist: Update to version 2.4.0
- Update from version 2.3.0 to 2.4.0
- Update of rootfile
- Changelog
2.4.0
- Changes:
* Add a PLIST_OPT_NONE value to plist_write_options_t
* autoconf: Allow disabling build of test suite
* Update doxygen config and document undocumented macros
* Add an explicit PLIST_FORMAT_NONE value
* Add a libplist_version() function to the interface
* docs: Use README.md to generate mainpage with doxygen
- Bugfixes:
* Several compiler-related fixes and code improvements
* Plug memory leak in plist_write_to_stream()
* Prevent adding NULL items to array/dictionary nodes
* Fix parallel running of test suite
* Fix cython bindings
* Fix OOB read in plist_from_memory()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 12 Mar 2024 10:07:07 +0000 (11:07 +0100)]
knot: Update to version 3.3.5
- Update from version 3.2.4 to 3.3.5
- Update of rootfile
- Changelog
3.3.5 (2024-03-06)
Features:
- knotd: new module mod-authsignal for automatic authenticated DNSSEC
bootstrapping records synthesis (Thanks to Peter Thomassen)
- kzonecheck: new optional ZONEMD verification (see option '-z')
Improvements:
- knotd: new DNSSEC key rollover log informs about next planned key action
- knotd, kzonecheck: added limit on non-matching keys with a duplicate keytag
- knot-exporter: added counter-type variant for each metric (Thanks to Marcel Koch)
- libs: upgraded embedded libngtcp2 to 1.3.0
- doc: various fixes and updates
Bugfixes:
- knotd, kzonecheck: failed to validate RRSIG if there are more keys with the same keytag
- knotd, kzonecheck: failed to validate zone with more CSK keys
- libknot: insufficient check for malformed TCP header options over XDP
3.3.4 (2024-01-24)
Features:
- knotd: new configuration item for clearing configuration sections (see 'clear')
- knotc: configuration import can preserve database contents (see '+nopurge' flag)
- kxdpgun: new parameter for setting UDP payload size in EDNS (see '--edns-size') #915
Improvements:
- knotd: extended configuration check for 'zonefile-load' and 'journal-content'
- knotd: lowered check limit for additional NSEC3 iterations to 0
- knotd: lowered severity level of an informational backup log
- knotd: better log message when flushing the journal
- knotd: zone restore checks if requested contents are in the provided backup
- knotc: '+quic' is default for zone backup, '+noquic' is default for zone restore
- kdig: better processing of timeouts and reduced sent datagrams over QUIC
- kdig: no retries are attempted over QUIC
- keymgr: improved compatibility with bind9-generated keys
- libs: some improvements in XDP buffer allocation
- libs: upgraded embedded libngtcp2 to 1.2.0
- doc: various fixes and updates
Bugfixes:
- knotd: failed to build on macOS #909
- knotd: 'nsec3-salt-lifetime: -1' doesn't work if 'ixfr-from-axfr' is enabled
- knotd: unnecessarily updated RRSIGs if 'ixfr-from-axfr' and signing are enabled
- knotc: zone check complains about missing zone file #913
- kdig: failed to try another target address over QUIC
- libknot: infinite loop in knot_rrset_to_wire_extra() #916
3.3.3 (2023-12-13)
Features:
- knotd: new 'pattern' mode of ACL update owner matching (see 'acl.update-owner-match')
- knotc: new '+keysonly' filter for zone backup/restore
Improvements:
- knotd: zone purging waits for finished zone expiration for better reliability
- knotd: remote configuration considers more 'via' with the same address family
- knotd: refresh doesn't fall back from IXFR to AXFR upon a network error
- knotd: increased default for 'policy.rrsig-refresh' by (0.1 * 'rrsig-lifetime')
- knotd: new control flag 'u' for unix time output format from zone status
- knotd: extended check for inconsistent acl settings
- knotd/libknot: simplified TCP/QUIC sweep logging
- mod-dnsproxy: all configured remote addresses are used for fallback operation
- mod-dnsproxy: module responds locally if forwarding fails instead of SERVFAIL
- libs: upgraded embedded libngtcp2 to 1.1.0
- doc: various fixes and extensions
Bugfixes:
- knotd: zone backup fails due to improper backup context deinitialization #891
- knotd: failed to sign the zone if maximum zone's TTL is too high
- knotd: malformed TCP header if used with QUIC in the generic XDP mode
- knotd: server can crash when processing new TCP connections over XDP
- knotd: incorrect initialization of TCP limits
- knotd: orphaned PEM file not deleted when key generation fails
- knotd/libknot: connection timeouts over QUIC due to incomplete retransfer handling #894
- kdig: crashed when querying DNS over TLS if TLS handshake times out #896
- kzonecheck: failed to check DS with SHA-1 or GOST if not supported by local policy
- libdnssec: failed to compile with GnuTLS if PKCS #11 support is disabled
3.3.2 (2023-10-20)
Features:
- knotd: support for IXFR from AXFR computation (see 'zone.ixfr-from-axfr')
- knotd: support benevolent IXFR (see 'zone.ixfr-benevolent')
- knot-exporter: new configuration option '--no-zone-serial' #880
Improvements:
- libs: upgraded embedded libngtcp2 to 1.0.0
- knotd: added logging of new SOA serial when signing is finished
- knotd: unified some XDP-related logging
- keymgr: improved error message if a key file is not accessible
- keymgr: added offline RRSIGs validation at the end of their validity intervals
- kdig: upgraded EDNS presentation format to draft version -02
- kdig: simplified QUIC connection without extra PING frames
- kzonecheck: removed requirement that DS is at delegation point
- doc: various fixes and improvements
Bugfixes:
- knotd: logged incorrect new SOA serial if 'zonefile-load: difference' is set #875
- knotd: more signing threads with a PKCS #11 keystore has no effect #876
- knotd: DNAME record returned with query domain name instead of actual name #873
- knotd: failed to import configuration file if mod-geoip is in use #881
- knotd: failed to sign RRSet that fits to 64k only if compressed
- knotd: broken zone update context upon failed operation over control interface
- keymgr: offline RRSIGs not refreshed if 'rrsig-refresh' is not set
- knsupdate: incorrect processing of @ in the delete operation #879
- knot-exporter: failed to parse knotd PIDs on FreeBSD
Packaging:
- docker: added support for (inter-container) D-Bus signaling
3.3.1 (2023-09-11)
Improvements:
- knotd: multiple catalog groups per member are tolerated, but only one is used
- modules: added const qualifier to various function parameters #877 (Thanks to Robert Edmonds)
- libs: upgraded embedded libngtcp2 to 0.19.1
Bugfixes:
- knotd: TCP over XDP fails to respond
- knotd: server can crash when adjusting a wildcard glue
- knotd: failed to forward DDNS if 'zone.master' points to 'remotes'
- knotd: broken YAML statistics if more modules are configured #874
- knotd: DDNS forwarding isn't RFC 8945 compliant
3.3.0 (2023-08-28)
Features:
- knotd: full DNS over QUIC (DoQ, RFC 9250) implementation, also without XDP
- knotd: bidirectional XFR over QUIC (XoQ) support with opportunistic, strict,
and mutual authentication profiles
- knotd: automatic reverse PTR records pre-generation (see 'zone.reverse-generate')
- knotd: new per zone statistic counters 'zone.size' and 'zone.max-ttl'
- knotd: new primary server pinning (see 'zone.master-pin-tolerance')
- knotd: new SOA serial modulo policy (see 'zone.serial-modulo')
- knotd: new multi-signer operation mode (see 'policy.dnskey-sync' and 'DNSSEC multi-signer')
- kdig: support for EDNS presentation format, also in JSON mode (see '+optpresent')
- kxdpgun: new TCP/QUIC debug mode 'R' for connection reuse
- kxdpgun: new XDP mode parameter '--mode' (Thanks to Jan Včelák)
- kxdpgun: new parameter '--qlog' for qlog destination specification
- kzonecheck: new '--print' parameter for dumping the zone on stdout
Improvements:
- knotd: secondary can be configured not to forward DDNS (see 'zone.ddns-master')
- knotd: extended support for UNIX socket configuration (remote, acl)
- knotd: stats no longer dump empty or zero counters
- knotd: new 'keys-updated' D-Bus event
- knotd: added transport protocol information to outgoing event and nameserver logs
- knotd: server cleans up stale LMDB readers when opening a RW transaction
- knotd,kzonecheck: semantic check allows DS only at delegation point
- knotc: new zone backup filters '+quic' and '+noquic' for QUIC key backup
- mod-dnstap: DNS over QUIC traffic is marked as QUIC
- kxdpgun: QUIC connections are closed by default
- libs: upgraded embedded libngtcp2 to 0.18.0
- kdig: QUIC, TLS, or HTTPS protocol is printed in the final statistics
- doc: new sections 'DNS over QUIC' and 'DNSSEC multi-signer'
- doc: various improvements
Bugfixes:
- knotd: server can crash if a shared module is loaded and dynamic configuration used
- knotd: inaccurate transfer size is logged if EDNS EXPIRE, PADDING, or TSIG is present
- knotd: subsequent addition and removal to catalog zone isn't handled properly
- knotc: configuration import fails if an explicit shared module is configured
- utils: database transactions not properly closed when terminated prematurely
- kdig: double-free on some malformed responses over QUIC #869
- kdig: some TLS parameters override QUIC parameters
- libs: NULL record with empty RDATA isn't allowed
- tests: dthreads destructor test sometimes fails
Compatibility:
- knotd: responses to forwarded DDNS requests are signed with local TSIG key
- knotd: NOTIFY-initiated refresh tries all configured addresses of the remote
- knotd: configuration option 'xdp.quic-log' was replaced with 'log.quic'
- libs: removed embedded libbpf, an external one is necessary for XDP
- libs: DNS over QUIC implementation only supports 'doq' ALPN
- ctl: removed 'Version: ' prefix from 'status version' output
- modules: reduced parameters of 'knotd_qdata_local_addr()'
Packaging:
- knot-exporter: Prometheus exporter imported from GitHub
- knot-exporter: packages for Debian, Ubuntu, and PyPI
- debian,ubuntu: new self-hosted repository (see https://pkg.labs.nic.cz/doc/)
- docker: upgraded to Debian bookworm-slim
3.2.9 (2023-07-27)
Improvements:
- keymgr: 'import-pkcs11' not allowed if no PKCS #11 keystore backend is configured
- keymgr: more verbose key import errors
- doc: extended migration notes
- doc: various improvements
Bugfixes:
- knotd: server may crash when storing changeset of a big zone migrating to/from NSEC3
- knotd: zone refresh loop when all masters are outdated and timers cleared
- knotd: failed to active D-Bus notifications if not started as systemd service
- kjournalprint: database transaction not properly closed when terminated prematurely
3.2.8 (2023-06-26)
Improvements:
- kdig: malformed messages are parsed and printed using a best-effort approach
- python: new dname from wire initialization
Bugfixes:
- knotd: missing outgoing NOTIFY upon refresh if one of more primaries is up-to-date
- knotd: journal loop detection can prevent zone from loading
- knotd: cryptic error message when journal is full #842
- knotd: failed to query catalog zone over UDP
- configure: libngtcp2 check wrongly requires version 0.13.0 instead of 0.13.1
3.2.7 (2023-06-06)
Features:
- knotd: new configuration option for preserving incoming IXFR changeset history
(see 'zone.ixfr-by-one')
Improvements:
- knotd: journal ensures the stored changeset's SOA serials are strictly increasing
- knotd: more effective handling of zero KNOT_ZONE_LOAD_TIMEOUT_SEC environment value
- knotd, kdig: incoming transfer fails if a message has the TC bit set
- knotd, kjournalprint: store or print the timestamp of changeset creation
- kxdpgun: load only necessary number of queries (Thanks to Petr Špaček)
- kxdpgun: print ratio of sent vs. requested queries (Thanks to Petr Špaček)
- kxdpgun: print percentages as floats (Thanks to Petr Špaček)
- kjournalprint: ability to print a changeset loop
- kjournalprint: added changset serials information to '-z -d' output
- packaging: RHEL9 requires libxdp like fedora since RHEL 9.2 #844
- doc: various improvements
Bugfixes:
- knotd: journal loading can get stuck in a multi-changeset loop
- knotd: missing RCU lock when reading zone through the control interface
- knotd: server start D-Bus signaling doesn't work well if the zone file is
missing, catalog zones are used, or in the async-start mode
- knotd: test suite fails on 32bit architectures on musl 1.2 and newer #843
- knotd: failed to process zero-length messages over QUIC
- libs: compilation with embedded ngtcp2 fails if there is another ngtcp2 in the path
3.2.6 (2023-04-04)
Improvements:
- libs: upgraded embedded libngtcp2 to 0.13.1
- libs: added support for building on Cygwin and MSYS (Thanks to Christopher Ng)
- mod-dnstap: improved precision of stored time values
- kdig: added option for EDNS EXPIRE (see '+expire') #836
- kdig: extended description of SOA timers in the multiline mode
- kdig: reduced latency of TLS communication
- libknot: added EDE codes 28 and 29
- doc: various improvements
Bugfixes:
- knotd: generated catalog zone not updated upon server reload #834
- knotd: failed to check shared module configuration
- knotd: missing RCU registration of the statistics thread (Thanks to Qin Longfei)
- knotd: server logs failed to send QUIC packets in the XDP mode
- libs: inconsistent transformation of IPv4-Compatible IPv6 Addresses
- utils: failed to load configuration if dnstap module is enabled #831
- libknot: missing include string.h
3.2.5 (2023-02-02)
Features:
- knotd: new configuration option for enforcing IXFR fallback (see 'zone.provide-ixfr')
Improvements:
- knotd: changed UNIX socket file mode to 0222 for answering and 0220 for control
- mod-probe: new support for communication over a UNIX socket
- kdig: new support for communication over a UNIX socket
- libs: upgraded embedded libngtcp2 to 0.13.0
- doc: various improvements
Bugfixes:
- knotd: failed to get catalog member configuration if catalog template is in a template
- knotd: failed to respond over a UNIX socket with EDNS
- knotd: unexpected zone update upon restart or zone reload if ZONEMD generation is enabled
- knotd: redundant zone flush of unchanged zone if zone file load is 'difference-no-serial'
- knotd/kxdpgun: failed to receive messages over XDP with drivers tap or ena
- knotc: zone check doesn't report missing zone file #829
- kxdpgun: program crashes when remote closes QUIC connection instead of resumption
- mod-geoip: configuration check leaks memory in the geodb mode
- utils: unwanted color reset sequences in non-color output
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 12 Mar 2024 10:07:06 +0000 (11:07 +0100)]
ghostscript: Update to version 10.03.0
- Update from version 10.02.1 to 10.03.0
- Update of rootfile
- Changelog
10.03.0
Highlights in this release include:
A vulnerability was identified in the way Ghostscript/GhostPDL called
tesseract for the OCR devices, which could allow arbitrary code execution.
As as result, we strongly urge anyone including the OCR devices in their
build to update as soon as possible.
As of this release (10.03.0) pdfwrite creates PDF files with XRef streams and
ObjStm streams. This can result in considerably smaller PDF output files.
See Vector Devices for more details.
Ghostscript/pdfwrite now supports passing through PDF "Optional Content".
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental
improvements.
(9.53.0) We have added the capability to build with the Tesseract OCR engine.
In such a build, new devices are available (pdfocr8/pdfocr24/pdfocr32)
which render the output file to an image, OCR that image, and output the
image "wrapped" up as a PDF file, with the OCR generated text information
included as "invisible" text (in PDF terms, text rendering mode 3).
Mainly due to time constraints, we only support including Tesseract from
source included in our release packages, and not linking to
Tesseract/Leptonica shared libraries. Whether we add this capability will be
largely dependent on community demand for the feature.
See Enabling OCR for more details.
Incompatible changes
(10.03.0) Almost all the "internal" PostScript procedures defined during the
interpreter startup are now "executeonly", further reducing the attack
surface of the interpreter.
The nature of these procedures means there should be no impact for legitimate
usage, but it is possible it will impact uses which abuse the previous
accessibility (even for legitimate reasons). Such cases may now require
"DELAYBIND", See DELAYBIND
(10.03.0) The "makeimagedevice" non-standard operator has been removed. It
allowed low level access to the graphics library in a way that was,
essentially impossible to secure.
(10.03.0) The "putdeviceprops", "getdeviceprops", "finddevice", "copydevice",
"findprotodevice" non-standard operators have all been removed. They
provided functionality that is either accessible through standard operators,
or should not be used by user PostScript.
(10.03.0) The process of "tidying" the PostScript namespace should have
removed only non-standard and undocumented operators. Nevertheless, it is
possible that any integrations or utilities that rely on those non-standard
and undocumented operators may stop working or may change behaviour.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 12 Mar 2024 10:07:05 +0000 (11:07 +0100)]
gdb: Update to version 14.2
- Update from version 13.2 to 14.2
- Update of rootfile
- Changelog
14.2
This is a minor corrective release over GDB 14.1, fixing the following issues:
PR symtab/31112 (DLL export forwarding is broken)
PR c++/31128 (gdb crashes when trying to print a global variable stub without
a running inferior)
PR tdep/31254 ([gdb/tdep, arm] FAIL: gdb.threads/staticthreads.exp: up 10)
PR gdb/31256 (Crash with basic 'list .')
PR python/31366 (Frame.static_link() segfaults)
14.1
This version of GDB includes the following changes and enhancements:
Removed features, removed configurations:
GDB no longer support AiX 4.x, 5.x and 6.x. The minimum version supported
is AiX 7.1.
GDB/MI version 1 support has been removed
Initial built-in support for Debugger Adapter Protocol (DAP)
GDB now recognizes the NO_COLOR environment variable
Initial support for integer types larger than 64 bits
Breakpoints can now be inferior-specific
New convenience function "$_shell", to execute a shell command and return its
result.
Python support
New class gdb.Thread
New class gdb.unwinder.FrameId
New class gdb.ValuePrinter
New gdb.Inferior.arguments attribute, holding the command-line arguments
to the inferior, if known
New gdb.Inferior.main_name attribute, holding the name of the inferior's
'main', if known.
New gdb.Breakpoint.inferior attribute
New gdb.Progspace.symbol_file attribute
New gdb.Progspace.executable_filename attribute
New function gdb.execute_mi(COMMAND, [ARG]...)
New function gdb.block_signals()
New method gdb.Frame.static_link
New gdb.Inferior 'clear_env', 'set_env' and 'unset_env' methods
New gdb.Type now has the 'is_array_like' and 'is_string_like' methods
New gdb.Value 'assign' method
New gdb.Value 'to_array' method
New gdb.Progspace 'objfile_for_address' method
New methods added to the gdb.PendingFrame class, with behavior which is
the same as the corresponding methods on gdb.Frame.
gdb.LazyString now implements the __str__ method
New event gdb.ThreadExitedEvent
New event gdb.ExecutableChangedEvent
New event gdb.NewProgspaceEvent
New event gdb.FreeProgspaceEvent
The frame-id passed to gdb.PendingFrame.create_unwind_info now use either
an integer or a gdb.Value object for each of its 'sp', 'pc', and
'special' attributes.
The Disassembler API from the gdb.disassembler module has been extended
to include styling support
gdb.parse_and_eval now has a new "global_context" parameter, allowing the
request to only examine global symbols.
The name argument passed to gdb.unwinder.Unwinder.__init__ must now be of
type 'str' otherwise a TypeError will be raised.
The gdb.unwinder.Unwinder.enabled attribute can now only accept values of
type 'bool'. Changing this attribute will now invalidate GDB's
frame-cache.
It is now no longer possible to sub-class the
gdb.disassembler.DisassemblerResult type.
Remote protocol
Support for enabling or disabling individual remote target features
GDB/MI support
New 'no-history' stop reason
Support for inferior-specific breakpoints
The bkpt tuple, which appears in breakpoint-created notifications, and in
the result of the -break-insert command can now include an optional
'inferior' field for both the main breakpoint, and each location, when
the breakpoint is inferior-specific.
Trying to create a thread-specific breakpoint using a non-existent thread
ID now results in an error
New "simple-values-ref-types" -list-feature value indicating how the
--simple-values option in various commands take reference types into
account.
Enhanced AArch64 support
Initial support for Scalable Matrix Extension (SME) and for Scalable
Matrix Extension 2 (SME2)
The 'org.gnu.gdb.aarch64.pauth' Pointer Authentication feature is now
deprecated in favor of the 'org.gnu.gdb.aarch64.pauth_v2' feature string
Enhanced Ada support
Support for the Ada 2022 target name symbol ('@')
Support for the The Ada 2022 'Enum_Rep and 'Enum_Val attributes
Miscellaneous
The 'list' command now accepts '.' as an argument, telling GDB to print
the location around the point of execution within the current frame
New '%V' output format for printf and dprintf commands.
The printf command now limits the size of strings fetched from the
inferior to the value of the 'max-value-size' setting.
Support for extending at configure time the default value of the
'debug-file-directory' GDB parameter via the new
--additional-debug-dirs=PATHs configure option.
New command "info main"
New command "set tui mouse-events [on|off]" (on by default)
New command "set always-read-ctf on|off" (off by default)
Various new debug and maitenance commands
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 12 Mar 2024 10:07:04 +0000 (11:07 +0100)]
elfutils: Update to version 0.191
- Update from version 0.190 to 0.191
- Update of rootfile
- Changelog
0.191
libdw: dwarf_addrdie now supports binaries lacking a .debug_aranges
section.
Improved support for DWARF package files. Add new function
dwarf_cu_dwp_section_info.
debuginfod: Caching eviction logic improvements to improve retention
of small/frequent/slow files such as Fedora's vdso.debug.
srcfiles: Can now fetch the source files of a DWARF/ELF file and
place them into a zip.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Tue, 12 Mar 2024 08:55:14 +0000 (09:55 +0100)]
openssh: Update to version 9.7p1
- Update from version 9.6p1 to 9.7p1
- Update of rootfile not required
- Changelog
9.7p1
Future deprecation notice
OpenSSH plans to remove support for the DSA signature algorithm in
early 2025 and compile-time disable it later this year.
DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.
OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs[3], mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.
This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA in
OpenSSH to be justified and hope that removing it from OpenSSH can
accelerate its wider deprecation in supporting cryptography
libraries.
This release makes DSA support in OpenSSH compile-time optional,
defaulting to on. We intend the next release to change the default
to disable DSA at compile time. The first OpenSSH release of 2025
will remove DSA support entirely.
This release contains mostly bugfixes.
New features
* ssh(1), sshd(8): add a "global" ChannelTimeout type that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in
addition to the existing per-channel timeouts added recently.
This supports situations like having both session and x11
forwarding channels open where one may be idle for an extended
period but the other is actively used. The global timeout could
close both channels when both have been idle for too long.
* All: make DSA key support compile-time optional, defaulting to on.
Bugfixes
* sshd(8): don't append an unnecessary space to the end of subsystem
arguments (bz3667)
* ssh(1): fix the multiplexing "channel proxy" mode, broken when
keystroke timing obfuscation was added. (GHPR#463)
* ssh(1), sshd(8): fix spurious configuration parsing errors when
options that accept array arguments are overridden (bz3657).
* ssh-agent(1): fix potential spin in signal handler (bz3670)
* Many fixes to manual pages and other documentation, including
GHPR#462, GHPR#454, GHPR#442 and GHPR#441.
* Greatly improve interop testing against PuTTY.
Portability
* Improve the error message when the autoconf OpenSSL header check
fails (bz#3668)
* Improve detection of broken toolchain -fzero-call-used-regs support
(bz3645).
* Fix regress/misc/fuzz-harness fuzzers and make them compile without
warnings when using clang16
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 11 Mar 2024 12:19:09 +0000 (13:19 +0100)]
dns.cgi: Fixes bug#12395 - German umlauts not correctly displayed in remarks
- If Freifunk München e.V. is entered as a remark it gets converted to
Freifunk München e.V.
- This is because cleanhtml is used on the UTF-8 remark text before saving it to the file
and the HTML::Entities::encode_entities command that is run on that remark text does
not work with UTF-8 text.
- If the UTF-8 text in the remark is decoded before running through the cleanhtml command
then the characters with diacritical marks are correctly shown.
- Have tested out the fix on a remark with a range of different characters with
diacritical marks and all of the ones tested were displayed correctly with the fix while
in the original form they were mangled.
Fixes: Bug#12395 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Adolf Belka [Mon, 11 Mar 2024 12:19:08 +0000 (13:19 +0100)]
dns.cgi: Revert "dns.cgi: Fixes bug#12395 - German umlauts not correctly displayed in remarks"
- This reverts commit 7c6ff5ff12331a53f416080a44c8d6145e78bfac
- That commit removed the cleanhtml command which is not advised, based on feedback from
Michael Tremer from other patch submissions as it creates a potential security problem.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
projects / ipfire-2.x.git / log
