Commit Graph

1962 Commits

Author SHA1 Message Date
Arne Fitzenreiter
4d448aa458 vdr: update to version 2.6.9
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-10-16 21:35:00 +02:00
Arne Fitzenreiter
bc1444c489 nmap: rootfile update
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-10-16 21:32:40 +02:00
Arne Fitzenreiter
135b61b564 freeradius: update rootfile and increment PAK_VER
new package is needed because a lib was not shipped with v21

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2024-10-16 21:30:32 +02:00
Adolf Belka
b71fe1a1e7 tshark: Update to version 4.4.1
- Update from version 4.2.7 to 4.4.1
- The 4.4.x series is the new Stable Release replacing the 4.2.x series which becomes
   the Old Stable Release.
- There is an sobump so find-dependencies was run for the three libraries with changes
   but all linked programs are within tshark.
- Changelog is too large to include here. Links provided
    4.4.1
	https://www.wireshark.org/docs/relnotes/wireshark-4.4.1.html
    4.4.0
	https://www.wireshark.org/docs/relnotes/wireshark-4.4.0.html

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-12 09:38:25 +00:00
Adolf Belka
1af2530c07 lcdproc: removal as discussed in Conf call 7th Oct
- removal of lfs, rootfile and config files
- backup includes file is also removed, although it was an empty file, so not backing
   anything up.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-09 18:25:56 +00:00
Adolf Belka
5fd4ca19a8 mpfire: removal as discussed in Conf call 7th Oct
- removal of lfs, rootfile, backup, paks, misc-progs, mpfire perl, language file
   content, mpfire.cgi, mpfire menu references and files, mpfire specific image,
   web-user-interface references and references in manualpages.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-09 18:25:53 +00:00
Michael Tremer
e28cb28628 Merge branch 'master' into next 2024-10-07 10:23:22 +00:00
Michael Tremer
7eec7e2c8b ncat: Make this package part of the core system
The nc command is required for the Unbound/DHCP leases bridge.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-10-07 10:19:14 +00:00
Adolf Belka
f7d6648e76 samba: Update to version 4.21.0
- Update from 4.20.4 to 4.21.0
- Update of rootfile for x86_64, aarch64 & riscv64
- Changelog
    4.21.0
	Hardening of "valid users", "invalid users", "read list" and "write list"
	 In previous versions of Samba, if a user or group name in either of the
	  mentioned options could not be resolved to a valid SID, the user (or group)
	  would be skipped without any notification. This could result in unexpected and
	  insecure behaviour. Starting with this version of Samba, if any user or group
	  name in any of the options cannot be resolved due to a communication error with
	  a domain controller, Samba will log an error and the tree connect will fail.
	 Non existing users (or groups) are ignored.
	LDAP TLS/SASL channel binding support
	 The ldap server supports SASL binds with
	  kerberos or NTLMSSP over TLS connections
	  now (either ldaps or starttls).
	 Setups where 'ldap server require strong auth = allow_sasl_over_tls'
	  was required before, can now most likely move to the
	  default of 'ldap server require strong auth = yes'.
	 If SASL binds without correct tls channel bindings are required
	  'ldap server require strong auth = allow_sasl_without_tls_channel_bindings'
	  should be used now, as 'allow_sasl_over_tls' will generate a
	  warning in every start of 'samba', as well as '[samba-tool ]testparm'.
	 This is similar to LdapEnforceChannelBinding under
	  HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
	  on Windows.
	 All client tools using ldaps also include the correct
	  channel bindings now.
	NEW FEATURES/CHANGES
	LDB no longer a standalone tarball
	 LDB, Samba's LDAP-like local database and the power behind the Samba
	  AD DC, is no longer available to build as a distinct tarball, but is
	  instead provided as an optional public library.
	 If you need ldb as a public library, say to build sssd, then use
	   ./configure --private-libraries='!ldb'
	 This re-integration allows LDB tests to use the Samba's full selftest
	  system, including our knownfail infrastructure, and decreases the work
	  required during security releases as a coordinated release of the ldb
	  tarball is not also required.
	 This approach has been demonstrated already in Debian, which is already
	  building Samba and LDB in this way.
	 As part of this work, the pyldb-util public library, not known to be
	  used by any other software, is made private to Samba.
	LDB Module API Python bindings removed
	 The LDB Modules API, which we do not promise a stable ABI or API for,
	  was wrapped in python in early LDB development.  However that wrapping
	  never took into account later changes, and so has not worked for a
	  number of years.  Samba 4.21 and LDB 2.10 removes this unused and
	  broken feature.
	Changes in LDB handling of Unicode
	 Developers using LDB up to version 2.9 could call ldb_set_utf8_fns()
	  to determine how LDB handled casefolding. This is used internally by
	  string comparison functions. In LDB 2.10 this function is deprecated,
	  and ldb_set_utf8_functions() is preferred. The new function allows a
	  direct comparison function to be set as well as a casefold function.
	 This improves performance and allows for more robust handling of
	  degenerate cases. The function should be called just after ldb_init(),
	  with the following arguments:
	     ldb_set_utf8_functions(ldb, /* the struct ldb_ctx LDB object */
	                            context_variable /* possibly NULL */
	                            casefold_function,
	                            case_insensitive_comparison_function);
	 The default behaviour of LDB remains to perform ASCII casefolding
	  only, as if in the "C" locale. Recent versions have become
	  increasingly consistent in this.
	Some Samba public libraries made private by default
	 The following Samba C libraries are currently made public due to their
	  use by OpenChange or for historical reasons that are no longer clear.
	    dcerpc-samr, samba-policy, tevent-util, dcerpc, samba-hostconfig,
	    samba-credentials, dcerpc_server, samdb
	 The libraries used by the OpenChange client are now private, but can be
	  made public (like ldb above) with:
	   ./configure --private-libraries='!dcerpc,!samba-hostconfig,!samba-credentials,!ldb'
	 The C libraries without any known user or used only for the OpenChange
	  server (a dead project) may be made private entirely in a future Samba
	  version.
	 If you use a Samba library in this list, please be in touch with the
	  samba-technical mailing list.
	Using ldaps from 'winbindd' and 'net ads'
	 Beginning with Samba 3.0.22 the 'ldap ssl = start tls' option also
	  impacted LDAP connections to active directory domain controllers.
	 Using the STARTTLS operation on LDAP port 389 connections. Starting
	  with Samba 3.5.0 'ldap ssl ads = yes' was required in addition in
	  order to let 'ldap ssl = start tls' have any effect on those
	  connections.
	 'ldap ssl ads' was deprecated with Samba 4.8.0 and removed together
	  with the whole functionality in Samba 4.14.0, because it didn't support
	  tls channel bindings required for the sasl authentication.
	 The functionality is now re-added using the correct channel bindings
	  based on the gnutls based tls implementation we already have, instead
	  of using the tls layer provided by openldap. This makes it available
	  and consistent with all LDAP client libraries we use and implement on
	  our own.
	 The 'client ldap sasl wrapping' option gained the two new possible values:
	  'starttls' (using STARTTLS on tcp port 389)
	  and
	  'ldaps' (using TLS directly on tcp port 636).
	 If you had 'ldap ssl = start tls' and 'ldap ssl ads = yes'
	  before, you can now use 'client ldap sasl wrapping = starttls'
	  in order to get STARTTLS on tcp port 389.
	 As we no longer use the openldap tls layer it is required to configure the
	  correct certificate trusts with at least one of the following options:
	  'tls trust system cas', 'tls ca directories' or 'tls cafile'.
	 While 'tls verify peer' and 'tls crlfile' are also relevant,
	  see 'man smb.conf' for further details.
	New DNS hostname config option
	 To get `net ads dns register` working correctly running manually or during a
	  domain join a special entry in /etc/hosts was required. This was not really
	  documented and thus the DNS registration mostly didn't work. With the new option
	  the default is [netbios name].[realm] which should be correct in the majority of
	  use cases.
	 We will also use the value to create service principal names during a Kerberos
	  authentication and DNS functions.
	 This is not supported in samba-tool yet.
	Samba AD will rotate expired passwords on smartcard-required accounts
	 Traditionally in AD, accounts set to be "smart card require for logon"
	  will have a password for NTLM fallback and local profile encryption
	  (Windows DPAPI). This password previously would not expire.
	 Matching Windows behaviour, when the DC in a FL 2016 domain and the
	  msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain
	  root is set to TRUE, Samba will now expire these passwords and rotate
	  them shortly before they expire.
	 Note that the password expiry time must be set to twice the TGT lifetime for
	  smooth operation, e.g. daily expiry given a default 10 hour TGT
	  lifetime, as the password is only rotated in the second half of its
	  life.  Again, this matches the Windows behaviour.
	 Provided the default 2016 schema is used, new Samba domains
	  provisioned with Samba 4.21 will have this enabled once the domain
	  functional level is set to 2016.
	 NOTE: Domains upgraded from older Samba versions will not have this
	  set, even after the functional level preparation, matching the
	  behaviour of upgraded Windows AD domains.
	Per-user and group "veto files" and "hide files"
	 "veto files" and "hide files" can optionally be restricted to certain users and
	  groups. To apply a veto or hide directive to a filename for a specific user or
	  group, a parametric option like this can be used:
	   hide files : USERNAME = /somefile.txt/
	   veto files : GROUPNAME = /otherfile.txt/
	  For details consult the updated smb.conf manpage.
	Automatic keytab update after machine password change
	 When machine account password is updated, either by winbind doing regular
	  updates or manually (e.g. net ads changetrustpw), now winbind will also support
	  update of keytab entries in case you use newly added option
	  'sync machine password to keytab'.
	  The new parameter allows you to describe what keytabs and how should be updated.
	  From smb.conf(5) manpage - each keytab can have exactly one of these four forms:
	                 account_name
	                 sync_spns
	                 spn_prefixes=value1[,value2[...]]
	                 spns=value1[,value2[...]]
	 The functionality provided by the removed commands "net ads keytab
	  add/delete/add_update_ads" can be achieved via the 'sync machine password to
	  keytab' as in these examples:
	  "net ads keytab add  wurst/brot@REALM"
	    - this command is not adding <principal> to AD, so the best fit can be specifier
	      "spns"
	    - add to smb.conf:
	      sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
	    - run:
	      "net ads keytab create"
	  "net ads keytab delete wurst/brot@REALM"
	    - remove the principal (or the whole keytab line if there was just one)
	    - run:
	      "net ads keytab create"
	  "net ads keytab add_update_ads wurst/brot@REALM"
	    - this command was adding the principal to AD, so for this case use a keytab
	      with specifier sync_spns
	    - add to smb.conf:
	      sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
	    - run:
	      "net ads setspn add  wurst/brot@REALM"  # this adds the principal to AD
	      "net ads keytab create"  # this syncs it from AD to local keytab
	 A new parameter 'sync machine password script' allows to specify external script
	  that will be triggered after the automatic keytab update. If keytabs should be
	  generated in clustered environments it is recommended to update them on all
	  nodes.  Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and
	  46.update-keytabs.script in section 'sync machine password script' for details.
	 For detailed information check the smb.conf(5) and net(8) manpages.
	New cephfs VFS module
	 Introduce new vfs-to-cephfs bridge which uses libcephfs low-level APIs (instead
	  of path-based operations in the existing module). It allows users to pass
	  explicit user-credentials per call (including supplementary groups), as well as
	  faster operations using inode and file-handle caching on the Samba side.
	  Configuration is identical to existing module, but using 'ceph_new' instead of
	  'ceph' for the relevant smb.conf entries. This new module is expected to
	  deprecate and replace the old one in next major release.
	Group Managed Service Accounts
	 Samba 4.21 adds support for gMSAs (Group Managed Service Accounts),
	  completing support for Functional Level 2012.
	 The purpose of a gMSA is to allow a single host, or a cluster of
	  hosts, to share access to an automatically rotating password, avoiding
	  the weak static service passwords that are often the entrypoint of
	  attackers to AD domains. Each server has a strong and regularly
	  rotated password, which is used to access the gMSA account of (e.g.)
	  the database server.
	 Samba provides management and client tools, allowing services on Unix
	  hosts to access the current and next gMSA passwords, as well as obtain
	  a credentials cache.
	 Samba 4.20 announced the client-side tools for this feature. To avoid
	  duplication and provide consistency, the existing commands for
	  password viewing have been extended, so these commands operate both on
	  a gMSA (with credentials, over LDAP, specify -H) and locally for
	  accounts that have a compatible password (e.g. plaintext via GPG,
	  compatible hash)
	    samba-tool user getpassword
	    samba-tool user get-kerberos-ticket
	    samba-tool domain exportkeytab
	 An example command, which gets the NT hash for use with NTLM, is
	   samba-tool user getpassword -H ldap://server --machine-pass  \
	       TestUser1 --attributes=unicodePwd
	 Kerberos is a better choice (gMSA accounts should not use LDAP simple
	  binds, for reasons of both security and compatibility). Use
	   samba-tool user get-kerberos-ticket -H ldap://server --machine-pass \
	       TestUser1 --output-krb5-ccache=/srv/service/krb5_ccache
	 gMSAs disclose a current and previous password. To access the previous
	  NT hash, use:
	   samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
	      --attrs=unicodePwd;previous=1
	 To access the previous password as UTF8, use:
	   samba-tool user getpassword -H ldap://server --machine-pass TestUser1 \
	       --attributes=pwdLastSet,virtualClearTextUTF8;previous=1
	 However, Windows tools for dealing with gMSAs tend to use Active
	  Directory Web Services (ADWS) from Powershell for setting up the
	  accounts, and this separate protocol is not supported by Samba 4.21.
	 Samba-tool commands for handling gMSA (KDS) root keys
	   Group managed service accounts rotate passwords based on root keys,
	    which can be managed using samba-tool, with commands such as
	      samba-tool domain kds root_key create
	      samba-tool domain kds root_key list
	 Samba will create a new root key for new domains at provision time,
	  but users of gMSA accounts on upgraded domains will need to first
	  create a root key.
	RFC 8070 PKINIT "Freshness extension" supported in the Heimdal KDC
	 The Heimdal KDC will recognise when a client provides proof that they
	  hold the hardware token used for smart-card authentication 'now' and
	  has not used a saved future-dated reply. Samba 4.21 now matches
	  Windows and will assign an extra SID to the user in this case,
	  allowing sensitive resources to be additionally protected.
	 Only Windows clients are known to support the client side of this
	  feature at this time.
	New samba-tool Authentication Policy management command structure
	 As foreshadowed in the Samba 4.20 release notes, the "samba-tool
	  domain auth policy" commands have been reworked to be more intuitive
	  based on user feedback and reflection.
	Support for key features of AD Domain/Forest Functional Level 2012R2
	 Combined with other changes in recent versions (such as claims support
	  in 4.20), Samba can now claim Functional Level 2012R2 support.
	Build system
	 In previous versions of Samba, packagers of Samba would set their
	  package-specific version strings using a patch to the
	  SAMBA_VERSION_VENDOR_SUFFIX line in the ./VERSION file. Now that is
	  achieved by using --vendor-suffix (at configure time), allowing this
	  to be more easily scripted. Vendors are encouraged to include their
	  name and full package version to assist with upstream debugging.
	More deterministic builds
	 Samba builds are now more reproducible, providing better assurance
	  that the Samba binaries you run are the same as what is expected from
	  the source code. If locale settings are not changed, the same objects
	  will be produced from each compilation run. If Samba is built in a
	  different path, the object code will remain the same, but DWARF
	  debugging sections will change (while remaining functionally
	  equivalent).
	Improved command-line redaction
	 There are several options that can be used with Samba tools for
	  specifying secrets. Although this is best avoided, when these options
	  are used, Samba will redact the secrets in /proc, so that they won't
	  be seen in ps or top. This is now carried out more thoroughly,
	  redacting more options. There is a race inherent in this, and the
	  passwords will be visible for a short time. The secrets are also not
	  removed from .bash_history and similar files.
	REMOVED FEATURES
	Following commands are removed:
		net ads keytab add <principal>
		net ads keytab delete <principal>
		net ads keytab add_update_ads
	Changes
	smb.conf changes
	  Parameter Name                          Description     Default
	  --------------                          -----------     -------
	  client ldap sasl wrapping               new values
	  client use spnego principal             removed
	  ldap server require strong auth         new values
	  tls trust system cas                    new
	  tls ca directories                      new
	  dns hostname                            client dns name [netbios name].[realm]
	  valid users                             Hardening
	  invalid users                           Hardening
	  read list                               Hardening
	  write list                              Hardening
	  veto files                              Added per-user and per-group vetos
	  hide files                              Added per-user and per-group hides
	  sync machine password to keytab         keytabs
	  sync machine password script            script
	CHANGES SINCE 4.21.0rc4
	   * BUG 15699: Incorrect FSCTL_QUERY_ALLOCATED_RANGES response when truncated.
	   * BUG 15702: Bad variable definition for ParseTuple causing test failure for
	     Smb3UnixTests.test_create_context_reparse.
	   * BUG 15686: Add new vfs_ceph module (based on low level API).
	CHANGES SINCE 4.21.0rc3
	   * BUG 15698: samba-tool can not load the default configuration file.
	   * BUG 15700: Crash when readlinkat fails.
	CHANGES SINCE 4.21.0rc2
	   * BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
	   * BUG 15696: Compound SMB2 requests don't return
	     NT_STATUS_NETWORK_SESSION_EXPIRED for all requests, confuses
	     MacOSX clients.
	   * BUG 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc.
	CHANGES SINCE 4.21.0rc1
	   * BUG 15673: --version-* options are still not ergonomic, and they reject
	     tilde characters.
	   * BUG 15686: Add new vfs_ceph module (based on low level API)
	   * BUG 15673: --version-* options are still not ergonomic, and they reject
	     tilde characters.
	   * BUG 15690: ldb_version.h is missing from ldb public library
	   * BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
	   * BUG 15686: Add new vfs_ceph module (based on low level API)
	   * BUG 15673: --version-* options are still not ergonomic, and they reject
	     tilde characters.
	   * BUG 15687: undefined reference to winbind_lookup_name_ex
	   * BUG 15688: per user veto and hide file syntax is to complex
	   * BUG 15689: Can not add/delete special keys to keytab for nfs, cifs, http etc
	   * BUG 15688: per user veto and hide file syntax is to complex

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-22 14:41:38 +00:00
Michael Tremer
8241cf686f Merge branch 'master' into next 2024-09-18 10:07:13 +00:00
Michael Tremer
3cd62a7c4c Merge branch 'core188' 2024-09-18 10:06:54 +00:00
Michael Tremer
0694e7e45f ncat: Fix rootfile and bump release
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-18 10:06:24 +00:00
Adolf Belka
debdb60e31 nfs: Update to version 2.7.1
- Update from version 2.6.4 to 2.7.1
- Update of rootfile
- Changelog is a list of all the commits and it is made available in the file
   2.7.1-Changelog in the sourceforge site
    https://sourceforge.net/projects/nfs/files/nfs-utils/2.7.1/

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-16 17:09:06 +00:00
Adolf Belka
32c667786c perl-JSON: removal of module as it is now in the perl core modules
- Used in the samba addon.
- With the old separate module removed samba still successfully built, installed and was
   able to be run from the WUI.

Fixes: bug13640
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-16 17:06:03 +00:00
Adolf Belka
c83ddb7c49 perl-MIME-Base64: removal of module as it is now in the perl core modules
- Used by the git addon.
- With the old separate module removed git still successfully built, installed and was
   able to be run, cloning the ipfire git repo, changing to next, modifying a file and
   then running a commit with the change.

Fixes: bug13640
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-16 17:06:03 +00:00
Robin Roevens
a66263b4f5 zabbix_agentd: Add IPFire services.get item
- Adds Zabbix Agent userparameter `ipfire.services.get` for the agent to get details about configured IPFire services (builtin and addon-services)
- Includes `ipfire_services.pl` script in sudoers for Zabbix Agent as it needs root permission to call addonctrl for addon service states.
- Adapts lfs install script to install new script
- Adds new script to rootfiles

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-11 09:45:03 +00:00
Adolf Belka
4c672e3b96 clamav: Update to version 1.3.2
- Update from version 1.3.1 to 1.3.2
- Update of rootfile
- 2 CVE Fixes
- Changelog
    1.3.2
	- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
	  Changed the logging module to disable following symlinks on Linux and Unix
	  systems so as to prevent an attacker with existing access to the 'clamd' or
	  'freshclam' services from using a symlink to corrupt system files.
	  This issue affects all currently supported versions. It will be fixed in:
	  - 1.4.1
	  - 1.3.2
	  - 1.0.7
	  - 0.103.12
	  Thank you to Detlef for identifying this issue.
	- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
	  Fixed a possible out-of-bounds read bug in the PDF file parser that could
	  cause a denial-of-service (DoS) condition.
	  This issue affects all currently supported versions. It will be fixed in:
	  - 1.4.1
	  - 1.3.2
	  - 1.0.7
	  - 0.103.12
	  Thank you to OSS-Fuzz for identifying this issue.
	- Removed unused Python modules from freshclam tests including deprecated
	  'cgi' module that is expected to cause test failures in Python 3.13.
	- Fix unit test caused by expiring signing certificate.
	  - Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1305)
	- Fixed a build issue on Windows with newer versions of Rust.
	  Also upgraded GitHub Actions imports to fix CI failures.
	  Fixes courtesy of liushuyu.
	  - Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)
	- Fixed an unaligned pointer dereference issue on select architectures.
	  Fix courtesy of Sebastian Andrzej Siewior.
	  - Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)
	- Fixes to Jenkins CI pipeline.
	  For details, see [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1330)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-05 08:57:27 +00:00
Adolf Belka
0dbab78066 qemu: Update to version 9.0.0
- Update from version 8.1.2 to 9.0.0
- Update of rootfile
- Version 9.0.1 and 9.0.2 no longer have the bundled dtc package to provide the libfdt
   library and require a system version but identify the 1.7.1 version of dtc as being
   older than 1.5.1. So currently qemu has only been updated to 9.0.0 until the reason
   for this is identified and can be fixed. It has been raised as an issue on the qemu
   gitlab site.
- Changelog is only available at x.0 level
    9.0  https://wiki.qemu.org/ChangeLog/9.0
    8.2  https://wiki.qemu.org/ChangeLog/8.2

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-03 18:44:11 +00:00
Adolf Belka
5c83f22939 taglib: Update to version 2.0.2
- Update from version 2.0.1 to 2.0.2
- Update of rootfile
- Changelog
    2.0.2
	* Fix parsing of ID3v2.2 frames.
	* Tolerate MP4 files with unknown atom types as generated by Android tools.
	* Support setting properties with arbitrary names in MP4 tags.
	* Windows: Fix "-p" option in tagwriter example.
	* Support building with older utfcpp versions.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-03 12:53:41 +00:00
Adolf Belka
4c24b80d92 shairport-sync: Update to version 4.3.4
- Update from version 4.3.2 to 4.3.4
- Update of rootfile
- Changelog is only defined for 4.3, 4.2 etc so the below changelog is for all of 4.3
   Cannot determine which things were already fixed in 4.3.2 and earlier and which are
   from 4.3.3 onwards.
    4.3
**Security Updates**
	* A crashing bug in NQPTP has been fixed.
	* The communications protocol used between NQPTP and Shairport Sync has been
	  revised and made more resilient to attempted misuse.
	* In Linux systems, NQPTP no longer runs as `root` -- instead it runs as the
	  restricted user `nqptp`, with access to ports 319 and 320 set by the installer
	  via the `setcap` utility.
**Enhancements**
	* A new volume control profile called `dasl-tapered` has been added in which
	  halving the volume control setting halves the output level.
	  For example, moving the volume slider from full to half reduces the output
	  level by 10dB, which roughly corresponds with a perceived halving of the audio
	  volume level.
	  Moving the volume slider from half to a quarter reduces the output level by
	  a further 10dB.
	  The tapering rate is slightly modified at the lower end of the range if the
	  device's attenuation range is restricted (less than about 55dB).
	  To activate the `dasl-tapered` profile, set the `volume_control_profile` to
	  `"dasl_tapered"` in the configuration file and restart Shairport Sync.
	  Many thanks to David Leibovic, aka [dasl-](https://github.com/dasl-), for this.
	* On graceful shutdown, an `active_end` signal should now be generated if the
	  system was in the active state. Addresses issue
	  [#1647](https://github.com/mikebrady/shairport-sync/issues/1647). Thanks to
	  [Tucker Kern](https://github.com/mill1000) for raising the issue.
**Bug Fixes**
	* Fixed a bug that causes the Docker image to crash occasionally when OwnTone
	  interrupted an existing iOS session. Thanks to
	  [aaronk6](https://github.com/aaronk6) for the report.
	* Fixed a cross-compilation error caused by not looking for the correct version
	  of the `ar` tool. The fix was to substitute the correct version during the
	  `autoreconf` phase. Thanks to
	  [sternenseemann](https://github.com/sternenseemann) for raising the
	  [issue](https://github.com/mikebrady/shairport-sync/issues/1705) and the
	  [PR](https://github.com/mikebrady/shairport-sync/pull/1706) containing the fix.
	* Updated the mDNS strings for the Classic AirPlay feature of AP2, so that it
	  does not appear to provide MFi authentication. Addresses
	  [this discussion](https://github.com/mikebrady/shairport-sync/discussions/1691).
	* Always uses a revision number of 1 when looking for status updates on the DACP
	  remote control port. This follows a suggestion in
	  [Issue #1658](https://github.com/mikebrady/shairport-sync/issues/1658). Thanks
	  to [ejurgensen](https://github.com/ejurgensen), as ever, for the report and
	  the suggested fix.
	* Fixed a `statistics` bug (the minimum buffer size was incorrectly logged) and
	  also tidy up the statistics logging interval logic for resetting min and max
	  counters.
	* Added an important missing format string argument to a call in the Jack Audio
	  backend. Many thanks to [michieldwitte] for their
	  [PR](https://github.com/mikebrady/shairport-sync/pull/1693).
**Maintenance**
	* Stopped using a deprecated FFmpeg data structure reference.
	* Stopped using deprecated OpenSSL calls. Thanks to [yubiuser] for their
	  [PR](https://github.com/mikebrady/shairport-sync/pull/1684) -- which did some
	  of the updating -- and for their guidance.
	* Run workflow-based tests on PRs automatically. Thanks to [yubiuser]
	  for their [PR](https://github.com/mikebrady/shairport-sync/pull/1687).

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-03 12:53:31 +00:00
Adolf Belka
2261d072e5 libvirt: Update to version 10.7.0
- Update from version 10.0.0 to 10.7.0
- Update of rootfile
- 1 CVE fix in 10.7.0 and 1 in 10.1.0
- Changelog
    10.7.0
	* **Security**
	  * CVE-2024-8235: Crash of ``virtinterfaced`` via ``virConnectListInterfaces()``
	    A refactor of the code fetching the list of interfaces for multiple APIs
	    introduced corner case on platforms where allocating 0 bytes of memory
	    results in a NULL pointer.
	    This corner case would lead to a NULL-pointer dereference and subsequent
	    crash of ``virtinterfaced`` if ``virConnectListInterfaces()`` is called
	    requesting 0 networks to be filled.
	    The bug was introduced in libvirt-10.4.0
	* **New features**
	  * qemu: Introduce the ability to disable the built-in PS/2 controller
	    It is now possible to control the state of the ``ps2`` feature in the
	    domain XML for descendants of the generic PC machine type (``i440fx``,
	    ``q35``, ``xenfv`` and ``isapc``).
	* **Improvements**
	  * ch: support restore with network devices
	    Cloud-Hypervisor starting from V40.0 supports restoring file descriptor
	    backed network devices. So, create new net fds and pass them via
	    SCM_RIGHTS to CH during restore operation.
	  * ch: support basic networking modes
	    Cloud-Hypervisor driver now supports Ethernet, Network (NAT) and Bridge
	    networking modes.
    10.6.0
	* **Removed features**
	  * qemu: Require QEMU-5.2.0 or newer
	    The minimal required version of QEMU was bumped to 5.2.0.
	* **New features**
	  * qemu: Add support for the 'pauth' Arm CPU feature
	  * Introduce pstore device
	    The aim of pstore device is to provide a bit of NVRAM storage for guest
	    kernel to record oops/panic logs just before it crashes. Typical usage
	    includes usage in combination with a watchdog so that the logs can be
	    inspected after the watchdog rebooted the machine.
	* **Improvements**
	  * qemu: Set 'passt' net backend if 'default' is unsupported
	    If QEMU is compiled without SLIRP support, and if domain XML allows it,
	    starting from this release libvirt will use passt as the default backend
	    instead. Also, supported backends are now reported in the domain
	    capabilities XML.
	  * qemu: add a monitor to /proc/$pid when killing times out
	    In cases when a QEMU process takes longer to be killed, libvirt might have
	    skipped cleaning up after it. But now a /proc/$pid watch is installed so
	    this does not happen ever again.
	* **Bug fixes**
	  * virt-aa-helper: Allow RO access to /usr/share/edk2-ovmf
	    When binary version of edk2 is distributed, the files reside under
	    /usr/share/edk2-ovmf. Allow virt-aa-helper to generate paths under that
	    directory.
	  * virt-host-validate: Allow longer list of CPU flags
	    During its run, virt-host-validate parses /proc/cpuinfo to learn about CPU
	    flags. But due to a bug it parsed only the first 1024 bytes worth of CPU
	    flags leading to unexpected results. The file is now parsed properly.
	  * capabilities: Be more forgiving when decoding OEM strings
	    On some systems, OEM strings are scattered in multiple sections. This
	    confused libvirt when generating capabilities XML. Not anymore.
    10.5.0
	* **New features**
	  * Introduce SEV-SNP support
	    SEV-SNP is introduced as another type of ``<launchSecurity/>``. Its support
	    is reported in both domain capabilities and ``virt-host-validate``.
	* **Improvements**
	  * tools: virt-pki-validate has been rewritten in C
	    The ``virt-pki-validate`` shell script has been rewritten as a C program,
	    providing an output format that matches ``virt-host-validate``, removing
	    the dependency on ``certtool`` and providing more comprehensive checks
	    of the certificate properties.
	  * qemu: implement iommu coldplug/unplug
	    The ``<iommu/>`` device can be now cold plugged and/or cold unplugged.
	  * Pass shutoff reason to release hook
	    Sometimes in release hook it is useful to know if the VM shutdown was
	    graceful or not. This is especially useful to do cleanup based on the VM
	    shutdown failure reason in release hook. Starting with this release the
	    last argument 'extra' is used to pass VM shutoff reason in the call to
	    release hook.
	  * nodedev: improve DASD detection
	    In newer DASD driver versions the ID_TYPE tag is supported. This tag is
	    missing after a system reboot but when the ccw device is set offline and
	    online the tag is included. To fix this version independently we need to
	    check if a device detected as type disk is actually a DASD to maintain the
	    node object consistency and not end up with multiple node objects for
	    DASDs.
	* **Bug fixes**
	  * remote_daemon_dispatch: Unref sasl session when closing client connection
	    A memory leak was identified when a client started SASL but then suddenly
	    closed connection. This is now fixed.
	  * qemu: Fix migration with disabled vmx-* CPU features
	    Migrating a domain with some vmx-* CPU features marked as disabled could
	    have failed as the destination would incorrectly expect those features to
	    be enabled after starting QEMU.
	  * qemu: Fix ``libvirtd``/``virtqemud`` crash when VM shuts down during migration
	    The libvirt daemon could crash when a VM was shut down while being migrated
	    to another host.
    10.4.0
	* **New features**
	  * qemu: Support for ras feature for virt machine type
	    It is now possible to set on/off ``ras`` feature in the domain XML for virt
	    (Arm) machine type as ``<ras state='on'/>``.
	  * SSH proxy for VM
	    Libvirt now installs a binary helper that allows connecting to QEMU domains
	    via SSH using the following scheme: ``ssh user@qemu/virtualMachine``.
	  * qemu: Support for ``virtio`` sound model
	    Sound devices can now be configured to use the virtio model with
	    ``<sound model='virtio'/>``. This model is available from QEMU 8.2.0
	    onwards.
	  * network: use nftables to setup virtual network firewall rules
	    The network driver can now use nftables rules for the virtual
	    network firewalls, rather than iptables. With the standard build
	    options, nftables is preferred over iptables (with fallback to
	    iptables if nftables isn't installed), but this can be modified at
	    build time, or at runtime via the firewall_backend setting in
	    network.conf. (NB: the nwfilter driver still uses
	    ebtables/iptables).
	* **Improvements**
	  * qemu: add zstd to supported compression formats
	    Extend the list of supported formats of QEMU save image by adding zstd
	    compression.
	  * qemu: Implement support for hotplugging evdev input devices
	    As of this release, hotplug and hotunplug of evdev ``<input/>`` devices is
	    supported.
	* **Bug fixes**
	  * virsh/virt-admin: Fix ``--help`` option for all commands
	    A bug introduced in `v10.3.0 (2024-05-02)`_ caused that the attempt to print
	    help for any command by using the ``--help`` option in ``virsh`` and
	    ``virt-admin`` would print::
	      $ virsh list --help
	      error: command 'list' doesn't support option --help
	    instead of the help output. A workaround for the affected version is to use
	    the help command::
	      $ virsh help list
	  * qemu: Fix ``virsh save`` and migration when storage in question is root_squashed NFS
	    Attempting to save a VM to a root_squash NFS mount or migrating with disks
	    hosted on such mount could, in some scenarios, result in error stating::
	      'Unknown error 255'
	    The bug was introduced in `v10.1.0 (2024-03-01)`_.
	  * qemu: Don't set affinity for isolcpus unless explicitly requested
	    When starting a domain, by default libvirt sets affinity of QEMU process to
	    all online CPUs. This also included isolated CPUs (``isolcpus=``) which is
	    wrong. As of this release, isolated CPUs are left untouched, unless
	    explicitly configured in domain XML.
	  * qemu_hotplug: Properly assign USB address to hotplugged usb-net device
	    Previously, the network device hotplug logic would try to ensure only CCW
	    or PCI addresses. With recent support for the usb-net model, USB addresses
	    for usb-net network devices are assigned automatically.
	  * qemu: Fix hotplug of ``virtiofs`` filesystem device with ``<boot order=`` set
	    The bug was introduced in `v10.3.0 (2024-05-02)`_ when attempting to reject
	    unsupported configurations. During hotplug the addresses are
	    assigned after validation and thus erroneously reject valid configs.
    10.3.0
	* **New features**
	  * qemu: Proper support for USB network device
	    USB address is now automatically assigned to USB network devices thus they
	    can be used without manual configuration.
	  * conf: Introduce memReserve attribute to <controller/>
	    Some PCI devices have large non-prefetchable memory. This can be a problem
	    in case when such device needs to be hotplugged as the firmware can't
	    foresee such situation. The user thus can override the value calculated at
	    start to accommodate for such devices.
	* **Improvements**
	  * Improve validation of USB devices
	    Certain USB device types ('sound', 'fs', 'chr', 'ccid' and 'net') were not
	    properly handled in the check whether the VM config supports USB and thus
	    would result in poor error messages.
	  * virsh: Fix behaviour of ``--name`` and ``--parent`` used together when listing checkpoint and snapshots
	    The ``checkpoint-list`` and ``snapshot-list`` commands would ignore the
	    ``--name`` option to print only the name when used with ``--parent``.
	  * Extend libvirt-guests to shutdown only persistent VMs
	    Users can now choose to shutdown only persistent VMs when the host is being
	    shut down.
	* **Bug fixes**
	  * qemu: Fix migration with custom XML
	    Libvirt 10.2.0 would sometimes complain about incompatible CPU definition
	    when trying to migrate or save a domain and passing a custom XML even
	    though such XML was properly generated as migratable. Hitting this bug
	    depends on the guest CPU definition and the host on which a particular
	    domain was running.
	  * qemu: Fix TLS hostname verification failure in certain non-shared storage migration scenarios
	    In certain scenarios (parallel migration, newly also post-copy migration)
	    libvirt would wrongly pass an empty hostname to QEMU to be used for TLS
	    certificate hostname validation, which would result into failure of the
	    non-shared storage migration step::
	     error: internal error: unable to execute QEMU command 'blockdev-add': Certificate does not match the hostname
	  * Create OVS ports as transient
	    Libvirt now creates OVS ports as transient which prevents them from
	    reappearing or going stale on sudden reboots.
	  * Clear OVS QoS settings when domain shuts down
	    Libvirt now clears QoS settings on domain shutdown, so they no longer pile
	    up in OVS database.
    10.2.0
	* **New features**
	  * ch: Basic save and restore support for ch driver
	    The ch driver now supports basic save and restore operations. This is
	    functional on domains without any network, host device config defined.
	    The ``path`` parameter for save and restore should be a directory.
	  * qemu: Support for driver type ``mtp`` in ``<filesystem/>`` devices
	    The ``mtp`` driver type exposes the ``usb-mtp`` device in QEMU. The
	    guest can access files on this driver through the Media Transfer
	    Protocol (MTP).
	  * qemu: Added support for the loongarch64 architecture
	    It is now possible for libvirt to run loongarch64 guests, including on
	    other architectures via TCG. For the best results, it is recommended to
	    use the upcoming QEMU 9.0.0 release together with the development version
	    of edk2.
	  * qemu: Introduce virDomainGraphicsReload API
	    Reloading the graphics display is now supported for QEMU guests using
	    VNC. This is useful to make QEMU reload the TLS certificates without
	    restarting the guest. Available via the ``virDomainGraphicsReload`` API
	    and the ``domdisplay-reload`` virsh command.
	* **Bug fixes**
	  * qemu: Fix migration from libvirt older than 9.10.0 when vmx is enabled
	    A domain with vmx feature enabled (which may be even done automatically
	    with ``mode='host-model'``) started by libvirt 9.9.0 or older cannot be
	    migrated to libvirt 9.10.0, 10.0.0, and 10.1.0 as the target host would
	    complain about a lot of extra ``vmx-*`` features. Migration of similar
	    domains started by the affected releases to libvirt 9.9.0 and older
	    does not work either. Since libvirt 10.2.0 migration works again with
	    libvirt 9.9.0 and older in both directions. Migration from the affected
	    releases to 10.2.0 works as well, but the other direction remains broken
	    unless the fix is backported.
	  * node_device: Don't report spurious errors from PCI VPD parsing
	    In last release the PCI Vital Product Data parser was enhanced to report
	    errors but that effort failed as some kernels have the file but don't allow
	    reading it causing logs to be spammed with::
	      libvirtd[21055]: operation failed: failed to read the PCI VPD data
	    Since the data is used only in the node device XML and errors are ignored if
	    the parsing failed, this release removes all the error reporting.
	  * qemu: set correct SELinux label for unprivileged virtiofsd
	    It is now possible to use virtiofsd-based ``<filesystem>`` shares even
	    if the guest is confined using SELinux.
	  * qemu: fix a crash on unprivileged virtiofsd hotplug
	    Hotplugging virtiofsd-based filesystems works now.
	  * virt-admin: Fix segfault when libvirtd dies
	    ``virt-admin`` no longer crashes when ``libvirtd`` unexpectedly closes
	    the connection.
    10.1.0
	* **Security**
	  * ``CVE-2024-1441``: Fix off-by-one error leading to a crash
	    In **libvirt-1.0.0** there were a couple of interface listing APIs
	    introduced which had an off-by-one error.  That error could lead to a
	    very rare crash if an array was passed to those functions which did
	    not fit all the interfaces.
	    In **libvirt-5.10** a check for non-NULL arrays has been adjusted to
	    allow for NULL arrays with size 0 instead of rejecting all NULL
	    arrays.  However that made the above issue significantly worse since
	    that off-by-one error now did not write beyond an array, but
	    dereferenced said NULL pointer making the crash certain in a
	    specific scenario in which a NULL array of size 0 was passed to the
	    aforementioned functions.
	* **New features**
	  * nodedev: Support updating mdevs
	    The node device driver has been extended to allow updating mediated node
	    devices. Options are available to target the update against the persistent,
	    active or both configurations of a mediated device.
	    **Note:** The support is only available with at least mdevctl v1.3.0 installed.
	  * qemu: Add support for /dev/userfaultfd
	    On hosts with new enough kernel which supports /dev/userfaultfd libvirt will
	    now automatically grant QEMU access to this device. It's no longer needed to
	    set vm.unprivileged_userfaultfd sysctl.
	  * qemu: Support clusters in CPU topology
	    It is now possible to configure the guest CPU topology to use clusters.
	    Additionally, if CPU clusters are present in the host topology, they will
	    be reported as part of the capabilities XML.
	  * network: Make virtual domains resolvable from the host
	    When starting a virtual network with a new ``register='yes'`` attribute
	    in the ``<domain>`` element, libvirt will configure ``systemd-resolved``
	    to resolve names of the connected guests using the name server started
	    for this network.
	  * qemu: Introduce dynamicMemslots attribute for virtio-mem
	    QEMU now allows setting ``.dynamic-memslots`` attribute for virtio-mem-pci
	    devices. When turned on, it allows memory exposed to guest to be split into
	    multiple memory slots and thus smaller memory footprint (see the original
	    commit for detailed explanation).
	* **Improvements**
	  * nodedev: Add ability to update persistent mediated devices by defining them
	    Existing persistent mediated devices can now also be updated by
	    ``virNodeDeviceDefineXML()`` as long as parent and UUID remain unchanged.
	  * ch: Enable ``ethernet`` interface mode support
	    ``<interface type='ethernet'/>`` can now be used for CH domains.
	  * viraccessdriverpolkit: Add missing vtpm case
	    Secrets with ``<usage type='vtpm'>`` were left unable to be checked for in
	    the access driver, i.e. in ACL rules. Missing code was provided.
	  * virt-admin: Notify users to use explicit URI if connection fails
	    ``virt-admin`` doesn't try to guess the URI of the daemon to manage so a
	    failure to connect may be confusing for users if modular daemons are used.
	    Add a hint to use the URI of the daemon to manage.
	* **Bug fixes**
	  * qemu_process: Skip over non-virtio non-TAP NIC models when refreshing rx-filter
	    If ``trustGuestRxFilters`` is enabled for a vNIC that doesn't support it,
	    libvirt may throw an error when such domain is being started, loaded from a
	    saved state, migrated, etc. These errors are now silenced, but make sure to
	    fix such configurations (after previous release it is even possible to
	    change ``trustGuestRxFilters`` value on live domains via
	    ``virDomainUpdateDeviceFlags()`` or ``virsh device-update``).
	  * domain: Fix check for overlapping ``<memory/>`` devices
	    A bug was identified which caused libvirt to report two NVDIMMs as
	    overlapping even though they weren't. This is now fixed.
	  * vmx: Accept empty fileName for cdrom-image
	    Turns out, ``fileName`` attribute (which contains path to CDROM image) can
	    be set to an empty string (``""``) to denote a state in which the CDROM has
	    no medium in it. Libvirt used to reject such configuration file, but not
	    anymore.
	  * qemu_hotplug: Don't lose 'created' flag in qemuDomainChangeNet()
	    When starting a domain, libvirt tracks what resources it created for it and
	    which were pre-existing and uses this information to preserve pre-existing
	    resources when cleaning up after said domain is shut off. But for macvtaps
	    this information was lost after the macvtap device was changed (e.g. via
	    ``virsh update-device``).
	  * Fix virStream hole handling
	    When a client sent multiple holes into a virStream it may have caused
	    daemon hangup as the daemon stopped processing RPC from the client
	    temporarily. This is now fixed.
	  * nodedev: Don't generate broken XML with certain hardware
	    A broken node device XML would be generated in a rare case when a hardware
	    device had certain characters in the VPD fields.
	  * qemu: Fix reservation of manually specified port for disk migration
	    A manually specified port would not be released after disk migration making
	    it impossible to use it again.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-03 12:52:53 +00:00
Adolf Belka
53eeed5a81 tshark: Update to version 4.2.7
- Update from version 4.2.6 to 4.2.7
- Update of rootfile
- Version 4.4.0 is out but is a major change version. I have therefore decided to wait
   for a few update versions before looking at changing to it. Most of the changes appear
   to be more for the gui wireshark than for the cli tshark that IPFire is using.
- The version 4.2.x branch will still have ongoing bug and security fixes anyway.
- CVE fix in this version update.
- Changelog
    4.2.7
	  Bug Fixes
	   The following vulnerability has been fixed:
	     • wnpa-sec-2024-11[2] NTLMSSP dissector crash. Issue 19943[3].
	       CVE-2024-8250[4].
	   The following bugs have been fixed:
	     • Fuzz job issue: fuzz-2024-01-31-7745.pcap. Issue 19627[5].
	     • OSS-Fuzz 70534: wireshark:fuzzshark_ip_proto-udp: Stack-overflow
	       in dissect_cbor_main_type. Issue 19935[6].
	     • SOME/IP Protocol heuristic dissector fails to parse. Issue
	       19670[7].
	     • 6loWPAN: Page Number Field Incorrect Registration. Issue
	       19934[8].
	     • PacketBB incorrectly reports "Malformed Packet" Issue 19972[9].
	  Updated Protocol Support
	   6LoWPAN, BGP, CAN-ETH, CBOR, IEEE 802.11, LBMSRS, NTLMSSP, PacketBB,
	   PN-MRP, SOME/IP, USBLL, X.75, and Zabbix

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-09-03 12:52:38 +00:00
Adolf Belka
678951a19c python3-msgpack: Update to version 1.0.8
- Update from version 1.0.7 to 1.0.8
- Update of rootfile
- borgbackup now works with version 1.0.8 of msgpack
- Changelog
    1.0.8
	    exclude C/Cython files from wheel by @methane in #577
	    Build pure Python wheel for minor architectures.
	    update Cython to 3.0.8 by @methane in #581
	        This fixes memory leak when iterating over Unpacker on Python 3.12.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-30 15:44:28 +00:00
Adolf Belka
a04f94ff7a libxxhash: New install, required by borgbackup version 1.4.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-30 15:44:23 +00:00
Adolf Belka
3ba7cd1a5d borgbackup: Update to version 1.4.0
- Update from version 1.2.7 to 1.4.0
- Update of rootfile
- This version now requires libxxhash and can now work with python3-msgpack at version
   1.0.8 so additional patch submissions combined with this one for implementation of
   libxxhash and for update of python3-msgpack.
- Tested out changes on my vm testbed system and was able to access old repo info and
   fusemount the repo successfully and write a new backup. So everything I normally
   test is functioning.
- Changelog
    1.4.0
        Compatibility notes:
            By default, borg 1.4 will behave quite similar to borg 1.2 (it was forked off
             from 1.2-maint branch at 1.2.7).
               - the slashdot hack: be careful not to accidentally give paths containing
                 /./ to "borg create" if you do not want to trigger this feature (which
                 strips the left part of the path from archived items).
               - BORG_EXIT_CODES=modern is a feature that borg script, wrapper and GUI
                 authors may want to use to get more specific error and warning return
                 codes from borg.
                 In that case, of course they will need to make sure to correctly deal
                 with these new codes, see the internals/frontends docs.
       Other changes:
               - vagrant: revive the buster64 box, RHEL8 has same glibc
               - tests: fix pytest_report_header, #8232
               - docs:
                 - mount: add examples using :: positional argument, #8255
                 - Installation: update Arch Linux repo name
                 - update standalone binary section
   1.4.0rc1
       Fixes:
               - setup.py: fix import error reporting for cythonize import, #8208
               - setup.py: detect noexec build fs issue, #8208
       Other changes:
               - changed insufficiently reserved length for log message, #8152
               - use Python 3.11.9, Cython 3.0.10 and PyInstaller 6.7.0 for binary builds
               - docs:
                 - use python 3.9 in cygwin install docs, fixes #8196
                 - recreate: remove experimental status
               - github CI: fix PKG_CONFIG_PATH for openssl 3.0
               - vagrant:
                 - add a ubuntu noble (24.04) VM
                 - drop buster VM, fixes #8171
   1.4.0b2
       Fixes:
               - check: fix return code for index entry value discrepancies
               - benchmark: inherit options --rsh --remote-path, #8099
               - sdist: dynamically compute readme (long_description)
               - create: deal with EBUSY, #8123
               - No need to use OpenSSL 3.0 on OpenBSD, use LibreSSL.
               - fix Ctrl-C / SIGINT behaviour for pyinstaller-made binaries, #8155
       New features:
               - create: add the slashdot hack, update docs, #4685
               - upgrade --check-tam: check manifest TAM auth, exit with rc=1 if there
                 are issues.
               - upgrade --check-archives-tam: check archives TAM auth, exit with rc=1
                 if there are issues.
       Other changes:
               - improve acl_get / acl_set error handling, improved/added tests, #8125
               - remove bundled lz4/zstd/xxhash code (require the respective
                 libs/headers),
                 simplify setup.py, remove support for all BORG_USE_BUNDLED_*=YES, #8094
               - require Cython 3.0.3 at least (fixes py312 memory leak), #8133
               - allow msgpack 1.0.8, #8133
               - init: better borg key export instructions
               - init: remove compatibility warning for borg <=1.0.8
                 The warning refers to a compatibility issue not relevant any
                 more since borg 1.0.9 (released 2016-12).
               - locate libacl via pkgconfig
               - scripts/make.py: move clean, build_man, build_usage to there,
                 so we do not need to invoke setup.py directly, update docs
               - docs:
                 - how to run the testsuite using the dist package
                 - add non-root deployment strategy (systemd / capabilities)
                 - simplify TAM-related upgrade docs using the new commands
               - vagrant:
                 - use python 3.11.8
                 - use pyinstaller 6.5.0
                 - add xxhash for macOS, add libxxhash-dev for debianoid systems
                 - use openindiana/hipster box
   1.4.0b1
       Fixes:
               - fix CommandError args, #8029
       New features:
               - implement "borg version" (shows client and server version), #7829
       Other changes:
               - better error msg for corrupted key data, #8016
               - repository: give clean error msg for invalid nonce file, #7967
               - check_can_create_repository: deal with PermissionErrors, #7016
               - add ConnectionBrokenWithHint for BrokenPipeErrors and similar, #7016
               - with-lock: catch exception, print error msg, #8022
               - use cython 3.0.8
               - modernize msgpack wrapper
               - docs:
                 - add brew bundle instructions (macOS)
                 - improve docs for borg with-lock, #8022
   1.4.0a1
       New features:
               - BORG_EXIT_CODES=modern: optional more specific return codes (for
                 errors and warnings).
                 The default value of this new environment variable is "legacy", which
                 should result in a behaviour similar to borg 1.2 and older (only using
                 rc 0, 1 and 2).
                 "modern" exit codes are much more specific (see the
                 internals/frontends docs).
       Fixes:
               - PATH: do not accept empty strings, #4221.
                 This affects the cli interface of misc. commands (create, extract,
                 diff, mount, ...) and they now will reject "" (empty string) given as
                 a path.
       Other changes:
               - Python: require Python >= 3.9, drop support for 3.8, #6383
               - Cython: require Cython >= 3.0, drop support for Cython 0.29.x,
                 use 3str language level (default in cython3), #7978
               - use pyinstaller 6.3.0 and python 3.11 for binary build, #7987
               - msgpack: require >= 1.0.3, <= 1.0.7
               - replace flake8 by ruff style/issue checker
               - tests: remove python-dateutil dependency
               - tests: move conftest.py to src/borg/testsuite, #6386
               - move misc. config/metadata to pyproject.toml
               - vagrant:
                 - use a freebsd 14 box, #6871
                 - use generic/openbsd7 box
                 - use openssl 3 on macOS, FreeBSD, OpenBSD
                 - remove ubuntu 20.04 "focal" box
                 - remove debian 9 "stretch" box (remove stretch-based binary builds)
               - require recent setuptools and setuptools_scm
               - crypto: get rid of deprecated HMAC_* functions to avoid warnings.
                 Instead, use hmac.digest from Python stdlib.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-30 15:44:08 +00:00
Michael Tremer
90b19f6aab Revert "clamav: Update to 1.4.0"
This reverts commit 3586563f17.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-30 15:09:46 +00:00
Matthias Fischer
3586563f17 clamav: Update to 1.4.0
For details see:
https://blog.clamav.net/2024/08/clamav-140-feature-release-and-clamav.html

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-27 09:48:52 +00:00
Matthias Fischer
7ffcccb509 mc: Update to 4.8.32
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-26 08:12:30 +00:00
Adolf Belka
ba6d6014ff ffmpeg: Update to version 7.0.2
- Update from version 6.0 to 7.0.2
- Removal of mathpops patch as content now included in source tarball.
- Update of rootfile
- sobump means that mpd, shairport-sync and minidlna need to be shipped
- minidlna also requires an update due to a variable name change from ffmpeg-7.0 onwards
- Changelog
    7.0.2
	 avcodec/snow: Fix off by 1 error in run_buffer
	 avcodec/utils: apply the same alignment to YUV410 as we do to YUV420 for snow
	 avformat/iamf_parse: Check for 0 samples
	 swscale: [loongarch] Fix checkasm-sw_yuv2rgb failure.
	 avcodec/aacps_tablegen_template: don't redefine CONFIG_HARDCODED_TABLES
	 avutil/hwcontext_vaapi: use the correct type for VASurfaceAttribExternalBuffers.buffers
	 avcodec/pcm-bluray/dvd: Use correct pointer types on BE
	 avcodec/pngenc: fix sBIT writing for indexed-color PNGs
	 avcodec/pngdec: use 8-bit sBIT cap for indexed PNGs per spec
	 avformat/mov: check that child boxes of trak are only present inside it
	 avformat/mov: check that sample and chunk count is 1 for HEIF
	 avcodec/videotoolboxenc: Fix bitrate doesn't work as expected
	 avdevice/dshow: Don't skip audio devices if no video device is present
	 avcodec/hdrenc: Allocate more space
	 avcodec/cfhdenc: Height of 16 is not supported
	 avcodec/cfhdenc: Allocate more space
	 avcodec/osq: fix integer overflow when applying factor
	 avcodec/osq: avoid using too large numbers for shifts and integers in update_residue_parameter()
	 avcodec/vaapi_encode: Check hwctx
	 avcodec/proresdec: Consider negative bits left
	 avcodec/alsdec: Clear shift_value
	 avcodec/hevc/hevcdec: Do not allow slices to depend on failed slices
	 avformat/mov: add an EOF check in IPRP
	 avfilter/vf_xfade: Check ff_inlink_consume_frame() for failure
	 avutil/slicethread: Check pthread_*_init() for failure
	 avutil/frame: Check log2_crop_align
	 avutil/buffer: Check ff_mutex_init() for failure
	 avformat/xmv: Check this_packet_size
	 avformat/webpenc: Check filesize in trailer
	 avformat/ty: rec_size seems to only need 32bit
	 avformat/tty: Check avio_size()
	 avformat/siff: Basic pkt_size check
	 avformat/sauce: Check avio_size() for failure
	 avformat/sapdec: Check ffurl_get_file_handle() for error
	 avformat/nsvdec: Check asize for PCM
	 avformat/mp3dec: Check header_filesize
	 avformat/mp3dec; Check for avio_size() failure
	 avformat/mov: Use 64bit for str_size
	 avformat/mm: Check length
	 avformat/hnm: Check *chunk_size
	 avformat/hlsenc: Check ret
	 avformat/bintext: Check avio_size() return
	 avformat/asfdec_o: Check size of index object
	 avfilter/vf_scale: Check ff_scale_adjust_dimensions() for failure
	 avfilter/scale_eval: Use 64bit, check values in ff_scale_adjust_dimensions()
	 avfilter/vf_lut3d: Check av_scanf()
	 avfilter/vf_elbg: Use unsigned for shifting into the top bit
	 avfilter/vf_premultiply: Use AV_PIX_MAX_PLANES
	 avfilter/vf_deshake_opencl: Ensure that the first iteration initializes the best variables
	 avformat/iamf_parse: Check for negative sample sizes
	 swscale/output: Fix integer overflows in yuv2rgba64_X_c_template
	 avformat/mxfdec: Reorder elements of expression in bisect loop
	 avutil/timecode: Use a 64bit framenum internally
	 avcodec/pnmdec: Use 64bit for input size check
	 avformat/mov: Check extradata in mov_read_iacb()
	 avcodec/mpeg12enc: Use av_rescale() in vbv_buffer_size computation
	 avcodec/utvideoenc: Use unsigned shift to build flags
	 avcodec/j2kenc: Merge dwt_norm into lambda
	 avcodec/vc2enc: Fix overflows with storing large values
	 avcodec/mpegvideo_enc: Do not duplicate pictures on shifting
	 avdevice/dshow_capture: Fix error handling in ff_dshow_##prefix##_Create()
	 avcodec/tiff: Check value on positive signed targets
	 avfilter/vf_convolution_opencl: Assert that the filter name is one of the filters
	 avfilter/vf_bm3d: Dont round MSE2SSE to an integer
	 avdevice/dshow: Remove NULL check on pin
	 avdevice/dshow: check ff_dshow_pin_ConnectionMediaType() for failure
	 avdevice/dshow: Check device_filter_unique_name before use
	 avdevice/dshow: Cleanup also on av_log case
	 avdevice/dshow_filter: Use wcscpy_s()
	 avcodec/flac_parser: Assert that we do not overrun the link_penalty array
	 avcodec/osq: avoid signed overflow in downsample path
	 avcodec/pixlet: Simplify pfx computation
	 avcodec/motion_est: Fix score squaring overflow
	 avcodec/mlpenc: Use 64 for ml, mr
	 avcodec/loco: Check loco_get_rice() for failure
	 avcodec/loco: check get_ur_golomb_jpegls() for failure
	 avcodec/leaddec: Check init_get_bits8() for failure
	 avcodec/imm4: check cbphi for error
	 avcodec/iff: Use signed count
	 avcodec/golomb: Assert that k is in the supported range for get_ur/sr_golomb()
	 avcodec/golomb: Document return for get_ur_golomb_jpegls() and get_sr_golomb_flac()
	 avcodec/dxv: Fix type in get_opcodes()
	 avcodec/cri: Check length
	 avcodec/xsubdec: Check parse_timecode()
	 avutil/imgutils: av_image_check_size2() ensure width and height fit in 32bit
	 avfilter/vf_tiltandshift: Free dst on error
	 doc/examples/mux: remove nop
	 avcodec/proresenc_kostya: use unsigned alpha for rotation
	 avformat/rtpenc_rfc4175: Use 64bit in computation if copy_offset
	 avformat/rtmpproto: Use AV_DICT_MATCH_CASE instead of literal number
	 avformat/rtmppkt: Simplify and deobfuscate amf_tag_skip() slightly
	 avformat/rmdec: use 64bit for audio_framesize checks
	 avutil/wchar_filename: Correct sizeof
	 avutil/hwcontext_d3d11va: correct sizeof IDirect3DSurface9
	 avutil/hwcontext_d3d11va: Free AVD3D11FrameDescriptor on error
	 avutil/hwcontext_d3d11va: correct sizeof AVD3D11FrameDescriptor
	 avcodec/vvc/refs: Use unsigned mask
	 doc/examples/vaapi_encode: Try to check fwrite() for failure
	 avformat/usmdec: Initialize value
	 avformat/tls_schannel: Initialize ret
	 avformat/subfile: Assert that whence is a known case
	 avformat/subfile: Merge if into switch()
	 avformat/rtsp: Check that lower transport is handled in one of the if()
	 avformat/rtsp: initialize reply1
	 avformat/rtsp: use < 0 for error check
	 avformat/rtpenc_vc2hq: Check sizes
	 avfilter/af_aderivative: Free out on error
	 swscale/swscale: Use ptrdiff_t for linesize computations
	 avfilter/af_amerge: Cleanup on av_channel_layout_copy() failure
	 avfilter/af_afir: Assert format
	 avfilter/af_afftdn: Assert format
	 avfilter/af_pan: check nb_output_channels before use
	 cbs_av1: Reject thirty-two zero bits in uvlc code
	 avfilter/af_mcompand: compute half frequency in double
	 avfilter/af_channelsplit: Assert that av_channel_layout_channel_from_index() succeeds
	 avfilter/af_aresample: Cleanup on av_channel_layout_copy() failure
	 tools/coverity: Phase 1 study of anti-halicogenic for coverity av_rescale()
	 avfilter/vf_avgblur: Check plane instead of AVFrame
	 avfilter/drawutils: Fix depthb computation
	 avfilter/avf_showcwt: Check av_parse_video_rate() for failure
	 avformat/rdt: Check pkt_len
	 avformat/mpeg: Check len in mpegps_probe()
	 avformat/mxfenc: resurrects the error print
	 avdevice/dshow: Check ICaptureGraphBuilder2_SetFiltergraph() for failure
	 avcodec/mfenc: check IMFSample_ConvertToContiguousBuffer() for failure
	 avcodec/vc1_loopfilter: Factor duplicate code in vc1_b_h_intfi_loop_filter()
	 avcodec/vvc/ctu: Remove dead ret check
	 avcodec/vvc/dec: Remove constant eos_at_start
	 avformat/img2dec: assert no pipe on ts_from_file
	 avcodec/cbs_jpeg: Try to move the read entity to one side in a test
	 fftools/ffplay: Check vulkan_params
	 fftools/ffmpeg_enc: Initialize Decoder
	 fftools/ffmpeg_enc: Initialize fd
	 fftools/ffmpeg_enc: simplify opaque_ref check
	 avformat/mov: Check edit list for overflow
	 fftools/ffmpeg: Check read() for failure
	 avcodec/vvc/dec: Check ff_init_cabac_decoder() for failure
	 swscale/output: Avoid undefined overflow in yuv2rgb_write_full()
	 swscale/output: alpha can become negative after scaling, use multiply
	 avcodec/targaenc: Allocate space for the palette
	 avcodec/r210enc: Use av_rescale for bitrate
	 avcodec/jfdctint_template: Fewer integer anomalies
	 avcodec/snowenc: MV limits due to mv_penalty table size
	 tools/target_dec_fuzzer: Adjust threshold for MV30
	 tools/target_dec_fuzzer: Adjust threshold for jpeg2000
	 avformat/mxfdec: Check container_ul->desc before use
	 avcodec/libvpxenc: Cleanup on error
	 doc/developer: Provide information about git send-email and gmail
	 avfilter/vf_rotate: Check ff_draw_init2() return value
	 avformat/mov: Use int64_t in intermediate for corrected_dts
	 avformat/mov: Use 64bit in intermediate for current_dts
	 avformat/matroskadec: Assert that num_levels is non negative
	 avformat/libzmq: Check av_strstart()
	 avformat/img2dec: Little JFIF / Exif cleanup
	 avformat/img2dec: Move DQT after unrelated if()
	 avformat/imfdec: Simplify get_next_track_with_minimum_timestamp()
	 avdevice/xcbgrab: Check sscanf() return
	 fftools/cmdutils: Add protective () to FLAGS
	 avformat/sdp: Check before appending ","
	 avcodec/libx264: Check init_get_bits8() return code
	 avcodec/ilbcdec: Remove dead code
	 avcodec/vp8: Check cond init
	 avcodec/vp8: Check mutex init
	 avcodec/proresenc_anatoliy: Assert that AV_PROFILE_UNKNOWN is replaced
	 avcodec/pcm-dvdenc: 64bit pkt-size
	 avcodec/notchlc: Check init_get_bits8() for failure
	 avcodec/tests/dct: Use 64bit in intermediate for error computation
	 avcodec/scpr3: Check add_dec() for failure
	 avcodec/rv34: assert that size is not 0 in rv34_gen_vlc_ext()
	 avcodec/wavpackenc: Use unsigned for potential 31bit shift
	 avcodec/vvc/mvs: Initialize mvf
	 avcodec/tests/jpeg2000dwt: Use 64bit in comparison
	 avcodec/tests/jpeg2000dwt: Use 64bit in err2 computation
	 avformat/fwse: Remove always false expression
	 avcodec/sga: Make it clear that the return is intentionally not checked
	 avformat/asfdec_f: Use 64bit for preroll computation
	 avformat/argo_asf: Use 64bit in offset intermediate
	 avformat/ape: Use 64bit for final frame size
	 avformat/ac4dec: Check remaining space in ac4_probe()
	 avdevice/pulse_audio_enc: Use av_rescale() to avoid integer overflow
	 avcodec/vlc: Cleanup on multi table alloc failure in ff_vlc_init_multi_from_lengths()
	 avcodec/tiff: Assert init_get_bits8() success in unpack_gray()
	 avcodec/tiff: Assert init_get_bits8() success in horizontal_fill()
	 tools/decode_simple: Check avcodec_send_packet() for errors on flushing
	 swscale/yuv2rgb: Use 64bit for brightness computation
	 swscale/x86/swscale: use a clearer name for INPUT_PLANER_RGB_A_FUNC_CASE
	 avutil/tests/opt: Check av_set_options_string() for failure
	 avutil/tests/dict: Check av_dict_set() before get for failure
	 avdevice/dshow: fix badly indented line
	 avformat/demux: resurrect dead stores
	 avcodec/tests/bitstream_template: Assert bits_init8() return
	 tools/enc_recon_frame_test: Assert that av_image_get_linesize() succeeds
	 avformat/iamf_writer: disallow Opus extradata with mapping family other than 0
	 avformat/iamf_parse: sanitize audio_roll_distance values
	 avformat/iamf: byteswap values in OpusHeader
	 avformat/iamf: rename Codec Config seek_preroll to audio_roll_distance
	 avformat/iamf_writer: fix coded audio_roll_distance values
	 avformat/iamf_writer: fix PCM endian-ness flag
	 avformat/movenc: fix channel count and samplerate fields for IAMF tracks
	 avformat/iamf_parse: keep substream count consistent
	 avformat/iamf_parse: add missing padding to AAC extradata
	 avformat/iamf_parse: 0 layers are not allowed
	 avformat/iamf_parse: consider nb_substreams when accessing substreams array
	 avformat/iamf_parse: Remove dead case
	 avcodec/png: more informative error message for invalid sBIT size
	 avcodec/pngdec: avoid erroring with sBIT on indexed-color images
	 avfilter/vf_tiltandshift: fix buffer offset for yuv422p input
	 avutil/timestamp: avoid possible FPE when 0 is passed to av_ts_make_time_string2()
	 avformat/mov: add more checks for infe atom size
	 avformat/mov: check for EOF inside the infe list parsing loop
	 avformat/mov: check extent_offset calculation for overflow
	 avformat/mov: check that iloc offset values fit on an int64_t
	 avcodec/pngenc: fix mDCv typo
	 avcodec/pngdec: fix mDCv typo
	 avcodec/nvenc: fix segfault in intra-only mode
	 avdevice/avfoundation: add external video devices
	 aarch64: Add OpenBSD runtime detection of dotprod and i8mm using sysctl
	 fftools/ffplay_renderer: use correct NULL value for Vulkan type
	 qsv: Initialize impl_value
	 avutil/hwcontext_qsv: fix GCC 14.1 warnings
	 avcodec/mediacodecenc: workaround the alignment requirement for H.265
	 avcodec/mediacodecenc: workaround the alignment requirement only for H.264
	 lavc/lpc: fix off-by-one in R-V V compute_autocorr
	 lavc/vp9: reset segmentation fields when segmentation isn't enabled
	 configure: enable ffnvcodec, nvenc, nvdec for FreeBSD
	 lavc/sbrdsp: fix potential overflow in noise table
    7.0.1
	 lavc/flacdsp: do not assume maximum R-V VL
	 avformat/flacdec: Reorder allocations to avoid leak on error
	 avcodec/adts_parser: Don't presume buffer to be padded
	 avformat/movenc: Check av_malloc()
	 avcodec/vp8: Return error on error
	 avformat/mov: store sample_sizes as unsigned ints
	 avformat/vvc: fix parsing sps_subpic_id
	 avformat/vvc: initialize some ptl flags
	 avcodec/mscc & mwsc: Check loop counts before use
	 avcodec/mpegvideo_enc: Fix potential overflow in RD
	 avcodec/mpeg4videodec: assert impossible wrap points
	 avcodec/mpeg12dec: Use 64bit in bit computation
	 avcodec/vqcdec: Check init_get_bits8() for failure
	 avcodec/vvc/dec: Check init_get_bits8() for failure
	 avcodec/vble: Check av_image_get_buffer_size() for failure
	 avcodec/vp3: Replace check by assert
	 avcodec/vp8: Forward return of ff_vpx_init_range_decoder()
	 avcodec/jpeg2000dec: remove ST=3 case
	 avcodec/qsvdec: Check av_image_get_buffer_size() for failure
	 avcodec/exr: Fix preview overflow
	 avcodec/decode: decode_simple_internal() only implements audio and video
	 avcodec/fmvc: remove dead assignment
	 avcodec/h2645_sei: Remove dead checks
	 avcodec/h264_slice: Remove dead sps check
	 avcodec/lpc: copy levenson coeffs only when they have been computed
	 avutil/tests/base64: Check with too short output array
	 libavutil/base64: Try not to write over the array end
	 avcodec/cbs_av1: Avoid shift overflow
	 fftools/ffplay: Check return of swr_alloc_set_opts2()
	 tools/opt_common: Check for malloc failure
	 doc/examples/demux_decode: Simplify loop
	 avformat/concatdec: Check file
	 avcodec/mpegvideo_enc: Fix 1 line and one column images
	 avcodec/amrwbdec: assert mode to be valid in decode_fixed_vector()
	 avcodec/wavarc: fix integer overflow in decode_5elp() block type 2
	 swscale/output: Fix integer overflow in yuv2rgba64_full_1_c_template()
	 swscale/output: Fix integer overflow in yuv2rgba64_1_c_template
	 avcodec/av1dec: Change bit_depth to int
	 avcodec/av1dec: bit_depth cannot be another values than 8,10,12
	 avcodec/avs3_parser: assert the return value of init_get_bits()
	 avcodec/avs2_parser: Assert init_get_bits8() success with const size 15
	 avfilter/avfiltergraph: return value of ff_request_frame() is unused
	 avformat/mxfdec: Check body_offset
	 avformat/kvag: Check sample_rate
	 avcodec/atrac9dec: Check init_get_bits8() for failure
	 avcodec/ac3_parser: Check init_get_bits8() for failure
	 avcodec/pngdec: Check last AVFrame before deref
	 avcodec/hevcdec: Check ref frame
	 doc/examples/qsv_transcode: Initialize pointer before free
	 doc/examples/qsv_transcode: Simplify str_to_dict() loop
	 doc/examples/vaapi_transcode: Simplify loop
	 doc/examples/qsv_transcode: Simplify loop
	 avcodec/cbs_h2645: Check NAL space
	 avfilter/vf_thumbnail_cuda: Set ret before checking it
	 avfilter/signature_lookup: Dont copy uninitialized stuff around
	 avfilter/signature_lookup: Fix 2 differences to the reference SW
	 avcodec/x86/vp3dsp_init: Set correct function pointer, fix crash
	 avformat/mp3dec: change bogus error message if read_header encounters EOF
	 avformat/mp3dec: simplify inner frame size check in mp3_read_header
	 avformat/mp3dec: only call ffio_ensure_seekback once
	 avcodec/cbs_h266: read vps_ptl_max_tid before using it
	 avcodec/cbs_h266: fix sh_collocated_from_l0_flag and sh_collocated_ref_idx infer
	 avformat/vvc: fix parsing some early VPS bitstream values
	 avformat/vvc: fix writing general_constraint_info bytes
	 avutil/ppc/cpu: Also use the machdep.altivec sysctl on NetBSD
	 lavd/v4l2: Use proper field type for second parameter of ioctl() with BSD's
	 vulkan_av1: Fix force_integer_mv value
	 vaapi_av1: Fix force_integer_mv value
	 av1dec: Add force_integer_mv derived field for decoder use
	 avutil/iamf: fix offsets for mix_gain options
	 avformat/iamfdec: check nb_streams in header read
	 avformat/mov: free the infe allocated item data on failure
	 avformat/iamf_writer: reject duplicated stream ids in a stream group
	 avformat/mov: don't read key_size bytes twice in the keys atom
	 avformat/mov: take into account the first eight bytes in the keys atom
	 avformat/mov: fix the check for the heif item parsing loop
	 avutil/iamf: fix mix_gain_class name
	 av1dec: Fix RefFrameSignBias calculation
	 avcodec/codec_par: always clear extradata_size in avcodec_parameters_to_context()
	 avcodec/mediacodecenc: Fix return empty packet when bsf is used
	 avcodec/hevcdec: Fix precedence, bogus film grain warning
	 avcodec/hevcdec: fix segfault on invalid film grain metadata
	 lavc/vvc: Skip enhancement layer NAL units
	 avformat/mov: ignore old infe box versions
	 vulkan_av1: add workaround for NVIDIA drivers tested on broken CTS
	 lavc/vulkan_av1: Use av1dec reference order hint information
	 lavc/av1: Record reference ordering information for each frame
	 doc/encoders: add missing libxvid option
	 doc/encoders: remove non-existent flag
	 fate/ffmpeg: Avoid dependency on samples
	 avcodec/wavpack: Remove always-false check
	 avcodec/wavpack: Fix leak and segfault on reallocation error
	 avcodec/lossless_videoencdsp: Don't presume alignment in diff_bytes
	 avcodec/ppc/h264dsp: Fix left shifts of negative numbers
    7.0
	- DXV DXT1 encoder
	- LEAD MCMP decoder
	- EVC decoding using external library libxevd
	- EVC encoding using external library libxeve
	- QOA decoder and demuxer
	- aap filter
	- demuxing, decoding, filtering, encoding, and muxing in the
	  ffmpeg CLI now all run in parallel
	- enable gdigrab device to grab a window using the hwnd=HANDLER syntax
	- IAMF raw demuxer and muxer
	- D3D12VA hardware accelerated H264, HEVC, VP9, AV1, MPEG-2 and VC1 decoding
	- tiltandshift filter
	- qrencode filter and qrencodesrc source
	- quirc filter
	- lavu/eval: introduce randomi() function in expressions
	- VVC decoder (experimental)
	- fsync filter
	- Raw Captions with Time (RCWT) closed caption muxer
	- ffmpeg CLI -bsf option may now be used for input as well as output
	- ffmpeg CLI options may now be used as -/opt <path>, which is equivalent
	  to -opt <contents of file <path>>
	- showinfo bitstream filter
	- a C11-compliant compiler is now required; note that this requirement
	  will be bumped to C17 in the near future, so consider updating your
	  build environment if it lacks C17 support
	- Change the default bitrate control method from VBR to CQP for QSV encoders.
	- removed deprecated ffmpeg CLI options -psnr and -map_channel
	- DVD-Video demuxer, powered by libdvdnav and libdvdread
	- ffprobe -show_stream_groups option
	- ffprobe (with -export_side_data film_grain) now prints film grain metadata
	- AEA muxer
	- ffmpeg CLI loopback decoders
	- Support PacketTypeMetadata of PacketType in enhanced flv format
	- ffplay with hwaccel decoding support (depends on vulkan renderer via libplacebo)
	- dnn filter libtorch backend
	- Android content URIs protocol
	- AOMedia Film Grain Synthesis 1 (AFGS1)
	- RISC-V optimizations for AAC, FLAC, JPEG-2000, LPC, RV4.0, SVQ, VC1, VP8, and more
	- Loongarch optimizations for HEVC decoding
	- Important AArch64 optimizations for HEVC
	- IAMF support inside MP4/ISOBMFF
	- Support for HEIF/AVIF still images and tiled still images
	- Dolby Vision profile 10 support in AV1
	- Support for Ambient Viewing Environment metadata in MP4/ISOBMFF
	- HDR10 metadata passthrough when encoding with libx264, libx265, and libsvtav1
    6.1
	- libaribcaption decoder
	- Playdate video decoder and demuxer
	- Extend VAAPI support for libva-win32 on Windows
	- afireqsrc audio source filter
	- arls filter
	- ffmpeg CLI new option: -readrate_initial_burst
	- zoneplate video source filter
	- command support in the setpts and asetpts filters
	- Vulkan decode hwaccel, supporting H264, HEVC and AV1
	- color_vulkan filter
	- bwdif_vulkan filter
	- nlmeans_vulkan filter
	- RivaTuner video decoder
	- xfade_vulkan filter
	- vMix video decoder
	- Essential Video Coding parser, muxer and demuxer
	- Essential Video Coding frame merge bsf
	- bwdif_cuda filter
	- Microsoft RLE video encoder
	- Raw AC-4 muxer and demuxer
	- Raw VVC bitstream parser, muxer and demuxer
	- Bitstream filter for editing metadata in VVC streams
	- Bitstream filter for converting VVC from MP4 to Annex B
	- scale_vt filter for videotoolbox
	- transpose_vt filter for videotoolbox
	- support for the P_SKIP hinting to speed up libx264 encoding
	- Support HEVC,VP9,AV1 codec in enhanced flv format
	- apsnr and asisdr audio filters
	- OSQ demuxer and decoder
	- Support HEVC,VP9,AV1 codec fourcclist in enhanced rtmp protocol
	- CRI USM demuxer
	- ffmpeg CLI '-top' option deprecated in favor of the setfield filter
	- VAAPI AV1 encoder
	- ffprobe XML output schema changed to account for multiple
	  variable-fields elements within the same parent element
	- ffprobe -output_format option added as an alias of -of

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-23 10:01:06 +00:00
Michael Tremer
b33dcb2c3f epson-inkjet-printer-escpr: Update to 1.8.5
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-16 16:53:38 +00:00
Adolf Belka
0915078267 netsnmpd: Update to version 5.9.3
- Update from version 5.9.1 to 5.9.3
- Version 5.9.4 exists but it is indicated that SNMP over TLS and/or DTLS is not
   functioning properly with various versions of OpenSSL. However I could not find which
   versions mentioned in the News or Changelog. The problem will be fixed in a future
   version. There are no CVE fixes in 5.9.4, only a relatively few bug fixes so I
   decided to wait for the fixed version in case there are users using TLS with SNMP.
- Update of rootfile
- 6 CVE fixes in 5.9.3
- Changelog
    5.9.3
	    security:
	      - These two CVEs can be exploited by a user with read-only credentials:
	          - CVE-2022-24805 A buffer overflow in the handling of the INDEX of
	            NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
	          - CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
	            can cause a NULL pointer dereference.
	      - These CVEs can be exploited by a user with read-write credentials:
	          - CVE-2022-24806 Improper Input Validation when SETing malformed
	            OIDs in master agent and subagent simultaneously
	          - CVE-2022-24807 A malformed OID in a SET request to
	            SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
	            out-of-bounds memory access.
	          - CVE-2022-24808 A malformed OID in a SET request to
	            NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
	          - CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
	            can cause a NULL pointer dereference.
	      - To avoid these flaws, use strong SNMPv3 credentials and do not share them.
	        If you must use SNMPv1 or SNMPv2c, use a complex community string
	        and enhance the protection by restricting access to a given IP address
		range.
	      - Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
	        reporting the following CVEs that have been fixed in this release, and
	        to Arista Networks for providing fixes.
	    misc:
	      - Snmp-create-v3-user: Fix the snmpd.conf path   @datadir@ is
		expanded in ${datarootdir} so datarootdir must be set before
		@datadir@ is used.
	    general: Many bug fixes
    5.9.2
	    skipped due to a last minute library versioning found bug -- use 5.9.3 instead

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-15 10:45:48 +00:00
Adolf Belka
8cdc44bc70 oci-cli: Update to version 3.45.2
- Update from version 3.29.4 to 3.45.2
- Update of rootfile
- Changelog is too large to include here. Details can be found at
   https://github.com/oracle/oci-cli/releases

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-15 10:45:29 +00:00
Adolf Belka
849bcfd188 ghostscript: Update to version 10.03.1
- Update from version 10.03.0 to 10.03.1
- Update of rootfile
- Several CVE fixes in this release
- Changelog
    10.03.1
	    Fixes for CVE-2024-33869, CVE-2023-52722, CVE-2024-33870, CVE-2024-33871 and
	     CVE-2024-29510
	    IMPORTANT: For the 10.04.0 release (fall/autumn 2024) we will be adding
	     protection for device selection from PostScript input. This will mean that,
	     by default, only the device specified on the command line will be permitted.
	     Similar to the file permissions, there will be a "--permit-devices="
	     allowing a comma separation list of allowed devices. This will also take a
	     single wildcard "*" allowing any device.
	    Any application which relies on allowing PostScript to change devices during
	     a job will have to be aware, and take action to deal with this change.
	    The exception is "nulldevice", switching to that requires no special action.
	    A vulnerability was identified in the way Ghostscript/GhostPDL called
	     tesseract for the OCR devices, which could allow arbitrary code execution.
	     As a result, we strongly urge anyone including the OCR devices in their
	     build to update as soon as possible.
	    As of this release (10.03.1) pdfwrite creates PDF files with XRef streams
	     and ObjStm streams. This can result in considerably smaller PDF output
	     files. See Vector Devices for more details.
	    Ghostscript/pdfwrite now supports passing through PDF "Optional Content".
	    Our efforts in code hygiene and maintainability continue.
	    The usual round of bug fixes, compatibility changes, and incremental
	     improvements.
	    (9.53.0) We have added the capability to build with the Tesseract OCR
	     engine. In such a build, new devices are available
	     (pdfocr8/pdfocr24/pdfocr32) which render the output file to an image, OCR
	     that image, and output the image "wrapped" up as a PDF file, with the OCR
	     generated text information included as "invisible" text (in PDF terms, text
	     rendering mode 3).
	    Mainly due to time constraints, we only support including Tesseract from
	     source included in our release packages, and not linking to
	     Tesseract/Leptonica shared libraries. Whether we add this capability will
	     be largely dependent on community demand for the feature.
	    See Enabling OCR for more details.
	Incompatible changes
	    (10.03.1) Almost all the "internal" PostScript procedures defined during the
	     interpreter startup are now "executeonly", further reducing the attack
	     surface of the interpreter.
	     The nature of these procedures means there should be no impact for
	     legitimate usage, but it is possible it will impact uses which abuse the
	     previous accessibility (even for legitimate reasons). Such cases may now
	     require "DELAYBIND", See DELAYBIND
	    (10.03.1) The "makeimagedevice" non-standard operator has been removed. It
	     allowed low level access to the graphics library in a way that was,
	     essentially impossible to secure.
	    (10.03.1) The "putdeviceprops", "getdeviceprops", "finddevice",
	     "copydevice", "findprotodevice" non-standard operators have all been
	     removed. They provided functionality that is either accessible through
	     standard operators, or should not be used by user PostScript.
	    (10.03.1) The process of "tidying" the PostScript namespace should have
	     removed only non-standard and undocumented operators. Nevertheless, it is
	     possible that any integrations or utilities that rely on those non-standard
	     and undocumented operators may stop working or may change behaviour.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-15 10:45:20 +00:00
Adolf Belka
ee4c4c787e fmt: Update to version 11.0.2
- Update from version 11.0.1 to 11.0.2
- Update of rootfile
- Changelog
    11.0.2
	- Fixed compatibility with non-POSIX systems
	  (https://github.com/fmtlib/fmt/issues/4054,
	  https://github.com/fmtlib/fmt/issues/4060).
	- Fixed performance regressions when using `std::back_insert_iterator` with
	  `fmt::format_to` (https://github.com/fmtlib/fmt/issues/4070).
	- Fixed handling of `std::generator` and move-only iterators
	  (https://github.com/fmtlib/fmt/issues/4053,
	  https://github.com/fmtlib/fmt/pull/4057). Thanks @Arghnews.
	- Made `formatter<std::string_view>::parse` work with types convertible to
	  `std::string_view` (https://github.com/fmtlib/fmt/issues/4036,
	  https://github.com/fmtlib/fmt/pull/4055). Thanks @Arghnews.
	- Made `volatile void*` formattable
	  (https://github.com/fmtlib/fmt/issues/4049,
	  https://github.com/fmtlib/fmt/pull/4056). Thanks @Arghnews.
	- Made `Glib::ustring` not be confused with `std::string`
	  (https://github.com/fmtlib/fmt/issues/4052).
	- Made `fmt::context` iterator compatible with STL algorithms that rely on
	  iterator category (https://github.com/fmtlib/fmt/issues/4079).

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-15 10:45:13 +00:00
Adolf Belka
61e6011d4e sdl2: Update to version 2.30.6
- Update from version 2.30.1 to 2.30.6
- Update of rootfile
- Changelog
    2.30.6
	    Improved detection of Nintendo Switch Pro controller report mode
	    Fixed a rare crash when a controller is disconnected
	    Fixed creating a framebuffer with KMSDRM on some systems
    2.30.5
	    Respect SDL_HINT_RENDER_DRIVER when creating an accelerated window surface
	    Clean up any accelerated renderer in SDL_DestroyWindowSurface()
	    Disable low level USB controller support on Android by default (can be
	     enabled by setting "SDL_ENV.SDL_JOYSTICK_HIDAPI" metadata to "1" in
	     AndroidManifest.xml)
	    Fixed USB permissions dialog on Android 14
	    Fixed controller mapping matching when one entry has a CRC specified and
	     another doesn't
	    Enable joystick support on FreeBSD when building using CMake
	    Reduced input latency when using an fcitx IME on Linux
	    Fixed graphical corruption on Raspberry Pi
	    Fixed crash when using an unstable sort function in SDL_qsort (you shouldn't
	     do this, but at least it won't crash)
    2.30.4
	    Android rotation will respect user rotation lock preferences
	    Fixed spurious Left-Ctrl key input when the Right Alt key (AltGr) is pressed
	     on Windows
	    Added support for the Saitek Cyborg V.3 Rumble Pad in PS3 mode
	    Added support for the Razer Kitsune in PS5 mode
	    Added Linux bindings for the Qanba Drone 2 Arcade Joystick
	    Leave Nintendo Online controllers in simple report mode so they work with
	     DirectInput games
	    Enable using libusb for GameCube controllers when available
    2.30.3
	    Fixed Win+V handling (pasting from clipboard history) on Windows
	    Fixed Caps Lock and Backspace key mapping for the Colemak keyboard layout on
	     Windows
	    Fixed mouse warp on XWayland
	    Reduced startup time when scanning for game controllers on Linux
	    Fixed building with C89 compilers
	    Fixed building with the GDK SDK on Windows
    2.30.2
	    Fixed performance regression initializing controllers on Linux
	    Added support for the 6-button SEGA Mega Drive Control Pad for Nintendo Online
	    Added support for the MadCatz Saitek Side Panel Control Deck
	    Added support for the Hori Fighting Stick EX2
	    Added support for the Yawman Arrow flightstick
	    Added a gamepad mapping for the Defender Joystick Cobra R4
	    Fixed the gamepad mapping for the Sanwa Supply JY-P76USV controller
	    Poll for the initial controller state when using DirectInput
	    Allow using SDL_RWFromFile() with named pipes

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-14 09:11:15 +00:00
Adolf Belka
292817ad93 git: Update to version 2.46.0
- Update from version 2.45.2 to 2.46.0
- Update of rootfile
- Changelog
    2.46.0
      UI, Workflows & Features
	 * The "--rfc" option of "git format-patch" learned to take an
	   optional string value to be used in place of "RFC" to tweak the
	   "[PATCH]" on the subject header.
	 * The credential helper protocol, together with the HTTP layer, have
	   been enhanced to support authentication schemes different from
	   username & password pair, like Bearer and NTLM.
	 * Command line completion script (in contrib/) learned to complete
	   "git symbolic-ref" a bit better (you need to enable plumbing
	   commands to be completed with GIT_COMPLETION_SHOW_ALL_COMMANDS).
	 * When the user responds to a prompt given by "git add -p" with an
	   unsupported command, list of available commands were given, which
	   was too much if the user knew what they wanted to type but merely
	   made a typo.  Now the user gets a much shorter error message.
	 * The color parsing code learned to handle 12-bit RGB colors, spelled
	   as "#RGB" (in addition to "#RRGGBB" that is already supported).
	 * The operation mode options (like "--get") the "git config" command
	   uses have been deprecated and replaced with subcommands (like "git
	   config get").
	 * "git tag" learned the "--trailer" option to futz with the trailers
	   in the same way as "git commit" does.
	 * A new global "--no-advice" option can be used to disable all advice
	   messages, which is meant to be used only in scripts.
	 * Updates to symbolic refs can now be made as a part of ref
	   transaction.
	 * The trailer API has been reshuffled a bit.
	 * Terminology to call various ref-like things are getting
	   straightened out.
	 * The command line completion script (in contrib/) has been adjusted
	   to the recent update to "git config" that adopted subcommand based
	   UI.
	 * The knobs to tweak how reftable files are written have been made
	   available as configuration variables.
	 * When "git push" notices that the commit at the tip of the ref on
	   the other side it is about to overwrite does not exist locally, it
	   used to first try fetching it if the local repository is a partial
	   clone. The command has been taught not to do so and immediately
	   fail instead.
	 * The promisor.quiet configuration knob can be set to true to make
	   lazy fetching from promisor remotes silent.
	 * The inter/range-diff output has been moved to the end of the patch
	   when format-patch adds it to a single patch, instead of writing it
	   before the patch text, to be consistent with what is done for a
	   cover letter for a multi-patch series.
	 * A new command has been added to migrate a repository that uses the
	   files backend for its ref storage to use the reftable backend, with
	   limitations.
	 * "git diff --exit-code --ext-diff" learned to take the exit status
	   of the external diff driver into account when deciding the exit
	   status of the overall "git diff" invocation when configured to do
	   so.
	 * "git update-ref --stdin" learned to handle transactional updates of
	   symbolic-refs.
	 * "git format-patch --interdiff" for multi-patch series learned to
	   turn on cover letters automatically (unless told never to enable
	   cover letter with "--no-cover-letter" and such).
	 * The "--heads" option of "ls-remote" and "show-ref" has been
	   deprecated; "--branches" replaces "--heads".
	 * For over a year, setting add.interactive.useBuiltin configuration
	   variable did nothing but give a "this does not do anything"
	   warning.  The warning has been removed.
	 * The http transport can now be told to send request with
	   authentication material without first getting a 401 response.
	 * A handful of entries are added to the GitFAQ document.
	 * "git var GIT_SHELL_PATH" should report the path to the shell used
	   to spawn external commands, but it didn't do so on Windows, which
	   has been corrected.
      Performance, Internal Implementation, Development Support etc.
	 * Advertise "git contacts", a tool for newcomers to find people to
	   ask review for their patches, a bit more in our developer
	   documentation.
	 * In addition to building the objects needed, try to link the objects
	   that are used in fuzzer tests, to make sure at least they build
	   without bitrot, in Linux CI runs.
	 * Code to write out reftable has seen some optimization and
	   simplification.
	 * Tests to ensure interoperability between reftable written by jgit
	   and our code have been added and enabled in CI.
	 * The singleton index_state instance "the_index" has been eliminated
	   by always instantiating "the_repository" and replacing references
	   to "the_index"  with references to its .index member.
	 * Git-GUI has a new maintainer, Johannes Sixt.
	 * The "test-tool" has been taught to run testsuite tests in parallel,
	   bypassing the need to use the "prove" tool.
	 * The "whitespace check" task that was enabled for GitHub Actions CI
	   has been ported to GitLab CI.
	 * The refs API lost functions that implicitly assume to work on the
	   primary ref_store by forcing the callers to pass a ref_store as an
	   argument.
	 * Code clean-up to reduce inter-function communication inside
	   builtin/config.c done via the use of global variables.
	 * The pack bitmap code saw some clean-up to prepare for a follow-up topic.
	 * Preliminary code clean-up for "git send-email".
	 * The default "creation-factor" used by "git format-patch" has been
	   raised to make it more aggressively find matching commits.
	 * Before discovering the repository details, we used to assume SHA-1
	   as the "default" hash function, which has been corrected. Hopefully
	   this will smoke out codepaths that rely on such unwarranted
	   assumptions.
	 * The project decision making policy has been documented.
	 * The strcmp-offset tests have been rewritten using the unit test
	   framework.
	 * "git add -p" learned to complain when an answer with more than one
	   letter is given to a prompt that expects a single letter answer.
	 * The alias-expanded command lines are logged to the trace output.
	 * A new test was added to ensure git commands that are designed to
	   run outside repositories do work.
	 * A few tests in reftable library have been rewritten using the
	   unit test framework.
	 * A pair of test helpers that essentially are unit tests on hash
	   algorithms have been rewritten using the unit-tests framework.
	 * A test helper that essentially is unit tests on the "decorate"
	   logic has been rewritten using the unit-tests framework.
	 * Many memory leaks in the sparse-checkout code paths have been
	   plugged.
	 * "make check-docs" noticed problems and reported to its output but
	   failed to signal its findings with its exit status, which has been
	   corrected.
	 * Building with "-Werror -Wwrite-strings" is now supported.
	 * To help developers, the build procedure now allows builders to use
	   CFLAGS_APPEND to specify additional CFLAGS.
	 * "oidtree" tests were rewritten to use the unit test framework.
	 * The structure of the document that records longer-term project
	   decisions to deprecate/remove/update various behaviour has been
	   outlined.
	 * The pseudo-merge reachability bitmap to help more efficient storage
	   of the reachability bitmap in a repository with too many refs has
	   been added.
	 * When "git merge" sees that the index cannot be refreshed (e.g. due
	   to another process doing the same in the background), it died but
	   after writing MERGE_HEAD etc. files, which was useless for the
	   purpose to recover from the failure.
	 * The output from "git cat-file --batch-check" and "--batch-command
	   (info)" should not be unbuffered, for which some tests have been
	   added.
	 * A CPP macro USE_THE_REPOSITORY_VARIABLE is introduced to help
	   transition the codebase to rely less on the availability of the
	   singleton the_repository instance.
	 * "git version --build-options" reports the version information of
	   OpenSSL and other libraries (if used) in the build.
	 * Memory ownership rules for the in-core representation of
	   remote.*.url configuration values have been straightened out, which
	   resulted in a few leak fixes and code clarification.
	 * When bundleURI interface fetches multiple bundles, Git failed to
	   take full advantage of all bundles and ended up slurping duplicated
	   objects, which has been corrected.
	 * The code to deal with modified paths that are out-of-cone in a
	   sparsely checked out working tree has been optimized.
	 * An existing test of oidmap API has been rewritten with the
	   unit-test framework.
	 * The "ort" merge backend saw one bugfix for a crash that happens
	   when inner merge gets killed, and assorted code clean-ups.
	 * A new warning message is issued when a command has to expand a
	   sparse index to handle working tree cruft that is outside of the
	   sparse checkout.
	 * The test framework learned to take the test body not as a single
	   string but as a here-document.
	 * "git push '' HEAD:there" used to hit a BUG(); it has been corrected
	   to die with "fatal: bad repository ''".
	 * What happens when http.cookieFile gets the special value "" has
	   been clarified in the documentation.
      Bug Fixes
	 * "git rebase --signoff" used to forget that it needs to add a
	   sign-off to the resulting commit when told to continue after a
	   conflict stops its operation.
	 * The procedure to build multi-pack-index got confused by the
	   replace-refs mechanism, which has been corrected by disabling the
	   latter.
	 * The "-k" and "--rfc" options of "format-patch" will now error out
	   when used together, as one tells us not to add anything to the
	   title of the commit, and the other one tells us to add "RFC" in
	   addition to "PATCH".
	 * "git stash -S" did not handle binary files correctly, which has
	   been corrected.
	 * A scheduled "git maintenance" job is expected to work on all
	   repositories it knows about, but it stopped at the first one that
	   errored out.  Now it keeps going.
	 * zsh can pretend to be a normal shell pretty well except for some
	   glitches that we tickle in some of our scripts. Work them around
	   so that "vimdiff" and our test suite work well enough with it.
	 * Command line completion support for zsh (in contrib/) has been
	   updated to stop exposing internal state to end-user shell
	   interaction.
	 * Tests that try to corrupt in-repository files in chunked format did
	   not work well on macOS due to its broken "mv", which has been
	   worked around.
	 * The maximum size of attribute files is enforced more consistently.
	 * Unbreak CI jobs so that we do not attempt to use Python 2 that has
	   been removed from the platform.
	 * Git 2.43 started using the tree of HEAD as the source of attributes
	   in a bare repository, which has severe performance implications.
	   For now, revert the change, without ripping out a more explicit
	   support for the attr.tree configuration variable.
	 * The "--exit-code" option of "git diff" command learned to work with
	   the "--ext-diff" option.
	 * Windows CI running in GitHub Actions started complaining about the
	   order of arguments given to calloc(); the imported regex code uses
	   the wrong order almost consistently, which has been corrected.
	 * Expose "name conflict" error when a ref creation fails due to D/F
	   conflict in the ref namespace, to improve an error message given by
	   "git fetch".
	   (merge 9339fca23e it/refs-name-conflict later to maint).
	 * The SubmittingPatches document now refers folks to manpages
	   translation project.
	 * The documentation for "git diff --name-only" has been clarified
	   that it is about showing the names in the post-image tree.
	 * The credential helper that talks with osx keychain learned to avoid
	   storing back the authentication material it just received from
	   the keychain.
	   (merge e1ab45b2da kn/osxkeychain-skip-idempotent-store later to maint).
	 * The chainlint script (invoked during "make test") did nothing when
	   it failed to detect the number of available CPUs.  It now falls
	   back to 1 CPU to avoid the problem.
	 * Revert overly aggressive "layered defence" that went into 2.45.1
	   and friends, which broke "git-lfs", "git-annex", and other use
	   cases, so that we can rebuild necessary counterparts in the open.
	 * "git init" in an already created directory, when the user
	   configuration has includeif.onbranch, started to fail recently,
	   which has been corrected.
	 * Memory leaks in "git mv" have been plugged.
	 * The safe.directory configuration knob has been updated to
	   optionally allow leading path matches.
	 * Overly large ".gitignore" files are now rejected silently.
	 * Upon expiration event, the credential subsystem forgot to clear
	   in-core authentication material other than password (whose support
	   was added recently), which has been corrected.
	 * Fix for an embarrassing typo that prevented Python2 tests from running
	   anywhere.
	 * Varargs functions that are unannotated as printf-like or execl-like
	   have been annotated as such.
	 * "git am" has a safety feature to prevent it from starting a new
	   session when there already is a session going.  It reliably
	   triggers when a mbox is given on the command line, but it has to
	   rely on the tty-ness of the standard input.  Add an explicit way to
	   opt out of this safety with a command line option.
	   (merge 62c71ace44 jk/am-retry later to maint).
	 * A leak in "git imap-send" that somehow escapes LSan has been
	   plugged.
	 * Setting core.abbrev too early before the repository set-up
	   (typically in "git clone") caused segfault, which has been
	   corrected.
	 * When the user adds to "git rebase -i" instruction to "pick" a merge
	   commit, the error experience is not pleasant.  Such an error is now
	   caught earlier in the process that parses the todo list.
	 * We forgot to normalize the result of getcwd() to NFC on macOS where
	   all other paths are normalized, which has been corrected.  This still
	   does not address the case where core.precomposeUnicode configuration
	   is not defined globally.
	 * Earlier we stopped using the tree of HEAD as the default source of
	   attributes in a bare repository, but failed to document it.  This
	   has been corrected.
	 * "git update-server-info" and "git commit-graph --write" have been
	   updated to use the tempfile API to avoid leaving cruft after
	   failing.
	 * An unused extern declaration for mingw has been removed to prevent
	   it from causing build failure.
	 * A helper function shared between two tests had a copy-paste bug,
	   which has been corrected.
	 * "git fetch-pack -k -k" without passing "--lock-pack" (which we
	   never do ourselves) did not work at all, which has been corrected.
	 * CI job to build minimum fuzzers learned to pass NO_CURL=NoThanks to
	   the build procedure, as its build environment does not offer, or
	   the rest of the build needs, anything cURL.
	   (merge 4e66b5a990 jc/fuzz-sans-curl later to maint).
	 * "git diff --no-ext-diff" when diff.external is configured ignored
	   the "--color-moved" option.
	   (merge 0f4b0d4cf0 rs/diff-color-moved-w-no-ext-diff-fix later to maint).
	 * "git archive --add-virtual-file=<path>:<contents>" never paid
	   attention to the --prefix=<prefix> option but the documentation
	   said it would. The documentation has been corrected.
	   (merge 72c282098d jc/archive-prefix-with-add-virtual-file later to maint).
	 * When GIT_PAGER failed to spawn, depending on the code path taken,
	   we failed immediately (correct) or just spew the payload to the
	   standard output (incorrect).  The code now always fails immediately
	   when GIT_PAGER fails.
	   (merge 78f0a5d187 rj/pager-die-upon-exec-failure later to maint).
	 * date parser updates to be more careful about underflowing epoch
	   based timestamp.
	   (merge 9d69789770 db/date-underflow-fix later to maint).
	 * The Bloom filter used for path limited history traversal was broken
	   on systems whose "char" is unsigned; update the implementation and
	   bump the format version to 2.
	   (merge 9c8a9ec787 tb/path-filter-fix later to maint).
	 * Typofix.
	   (merge 231cf7370e as/pathspec-h-typofix later to maint).
	 * Code clean-up.
	   (merge 4b837f821e rs/simplify-submodule-helper-super-prefix-invocation later
	   to maint).
	 * "git describe --dirty --broken" forgot to refresh the index before
	   seeing if there is any change ("git describe --dirty" correctly did
	   so), which has been corrected.
	   (merge b8ae42e292 as/describe-broken-refresh-index-fix later to maint).
	 * Test suite has been taught not to unnecessarily rely on DNS failing
	   a bogus external name.
	   (merge 407cdbd271 jk/tests-without-dns later to maint).
	 * GitWeb update to use committer date consistently in rss/atom feeds.
	   (merge cf6ead095b am/gitweb-feed-use-committer-date later to maint).
	 * Custom control structures we invented more recently have been
	   taught to the clang-format file.
	   (merge 1457dff9be rs/clang-format-updates later to maint).
	 * Developer build procedure fix.
	   (merge df32729866 tb/dev-build-pedantic-fix later to maint).
	 * "git push" that pushes only deletion gave an unnecessary and
	   harmless error message when push negotiation is configured, which
	   has been corrected.
	   (merge 4d8ee0317f jc/disable-push-nego-for-deletion later to maint).
	 * Address-looking strings found on the trailer are now placed on the
	   Cc: list after running through sanitize_address by "git send-email".
	   (merge c852531f45 cb/send-email-sanitize-trailer-addresses later to maint).
	 * Tests that use GIT_TEST_SANITIZE_LEAK_LOG feature got their exit
	   status inverted, which has been corrected.
	   (merge 8c1d6691bc rj/test-sanitize-leak-log-fix later to maint).
	 * The http.cookieFile and http.saveCookies configuration variables
	   have a few values that need to be avoided, which are now ignored
	   with warning messages.
	   (merge 4f5822076f jc/http-cookiefile later to maint).
	 * Repacking a repository with multi-pack index started making stupid
	   pack selections in Git 2.45, which has been corrected.
	   (merge 8fb6d11fad ds/midx-write-repack-fix later to maint).
	 * Fix documentation mark-up regression in 2.45.
	   (merge 6474da0aa4 ja/doc-markup-updates-fix later to maint).
	 * Work around asciidoctor's css that renders `monospace` material
	   in the SYNOPSIS section of manual pages as block elements.
	   (merge d44ce6ddd5 js/doc-markup-updates-fix later to maint).
	 * Other code cleanup, docfix, build fix, etc.
	   (merge 493fdae046 ew/object-convert-leakfix later to maint).
	   (merge 00f3661a0a ss/doc-eol-attr-fix later to maint).
	   (merge 428c40da61 ri/doc-show-branch-fix later to maint).
	   (merge 58696bfcaa jc/where-is-bash-for-ci later to maint).
	   (merge 616e94ca24 tb/doc-max-tree-depth-fix later to maint).

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-14 09:08:54 +00:00
Adolf Belka
ca9abd894e nmap: Update to version 7.95
- Update from version 7.94 to 7.95
- Update of rootfile
- Changelog
    7.95
	o [Windows] Upgraded Npcap (our Windows raw packet capturing and
	  transmission driver) from version 1.75 to the latest version 1.79. It
	  includes many performance improvements, bug fixes and feature
	  enhancements described at https://npcap.com/changelog.
	o Integrated over 4000 IPv4 OS fingerprints submitted since June 2020. Added
	  336 fingerprints, bringing the new total to 6036.  Additions include iOS 15 &
	  16, macOS Ventura & Monterey, Linux 6.1, OpenBSD 7.1, and lwIP 2.2
	o Integrated over 2500 service/version detection fingerprints submitted since
	  June 2020. The signature count went up 1.4% to 12089, including 9 new
	  softmatches.  We now detect 1246 protocols, including new additions of grpc,
	  mysqlx, essnet, remotemouse, and tuya.
	o [NSE] Four new scripts from the DINA community
	  (https://github.com/DINA-community)
	  for querying industrial control systems:
	  + hartip-info reads device information from devices using the Highway
	    Addressable Remote Transducer protocol
	  + iec61850-mms queries devices using Manufacturing Message Specification
	    requests. [Dennis Rösch, Max Helbig]
	  + multicast-profinet-discovery Sends a multicast PROFINET DCP Identify All
	    message and prints the responses. [Stefan Eiwanger, DINA-community]
	  + profinet-cm-lookup queries the DCERPC endpoint mapper exposed via the
	    PNIO-CM service.
	o Upgraded included libraries: Lua 5.4.6, libpcre2 10.43, zlib 1.3.1,
	  libssh2 1.11.0, liblinear 2.47
	o [GH#2639] Upgraded OpenSSL binaries (for the Windows builds and for
	  RPMs) to version 3.0.13. CVEs resolved in this update include only 2
	  moderate-severity issues which we do not believe affect Nmap:
	  CVE-2023-5363 and CVE-2023-2650
	o [Zenmap][Ndiff][GH#2649] Zenmap and Ndiff now use setuptools, not distutils
	  for packaging.
	o [Ncat][GH#2685] Fixed Ncat UDP server mode to not quit after EOF on stdin.
	  Reported as Debian bug:
	  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039613
	o [GH#2672] Fixed an issue where TCP Connect scan (-sT) on Windows would fail to
	  open any sockets, leading to scans that never finish. [Daniel Miller]
	o [NSE] ssh-auth-methods will now print the pre-authentication banner text when
	  available. Requires libssh2 1.11.0 or later. [Daniel Miller]
	o [Zenmap][GH#2739] Fix a crash in Zenmap when changing a host comment.
	o [NSE][GH#2766] Fix TLS 1.2 signature algorithms for EdDSA.
	  [Daniel Roethlisberger]
	o [Zenmap][GH#2706] RPM spec files now correctly require the python3 package,
	  not python>=3
	o Improvements to OS detection fingerprint matching, including a syntax change
	  for nmap-os-db that allows ranges within the TCP Options string. This leads
	  to more concise and maintainable fingerprints. [Daniel Miller]
	o Improved the OS detection engine by using a new source port for each retry.
	  Scans from systems such as Windows that do not send RST for unsolicited
	  SYN|ACK responses were previously unable to get a response in subsequent
	  tries. [Daniel Miller]
	o Several profile-guided optimizations of the port scan engine. [Daniel Miller]
	o [GH#2731] Fix an out-of-bounds read which led to out-of-memory errors when
	  duplicate addresses were used with --exclude
	o [GH#2609] Fixed a memory leak in Nsock: compiled pcap filters were not freed.
	o [GH#2658] Fixed a crash when using service name wildcards with -p, as in -p
	  "http*"
	o [NSE] Fixed DNS TXT record parsing which caused asn-query to fail in Nmap
	  7.80 and later. [David Fifield, Mike Pattrick]
	o [NSE][GH#2727][GH#2728] Fixed packet size testing in KNX scripts [f0rw4rd]

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-13 09:15:20 +00:00
Adolf Belka
cbaff8bcb4 ncat: Update to version 7.95
- Update from version 7.94 to 7.95
- Update of rootfile
- Changelog
    7.95
	o [Windows] Upgraded Npcap (our Windows raw packet capturing and
	  transmission driver) from version 1.75 to the latest version 1.79. It
	  includes many performance improvements, bug fixes and feature
	  enhancements described at https://npcap.com/changelog.
	o Integrated over 4000 IPv4 OS fingerprints submitted since June 2020. Added
	  336 fingerprints, bringing the new total to 6036.  Additions include iOS 15 &
	  16, macOS Ventura & Monterey, Linux 6.1, OpenBSD 7.1, and lwIP 2.2
	o Integrated over 2500 service/version detection fingerprints submitted since
	  June 2020. The signature count went up 1.4% to 12089, including 9 new
	  softmatches.  We now detect 1246 protocols, including new additions of grpc,
	  mysqlx, essnet, remotemouse, and tuya.
	o [NSE] Four new scripts from the DINA community
	  (https://github.com/DINA-community)
	  for querying industrial control systems:
	  + hartip-info reads device information from devices using the Highway
	    Addressable Remote Transducer protocol
	  + iec61850-mms queries devices using Manufacturing Message Specification
	    requests. [Dennis Rösch, Max Helbig]
	  + multicast-profinet-discovery Sends a multicast PROFINET DCP Identify All
	    message and prints the responses. [Stefan Eiwanger, DINA-community]
	  + profinet-cm-lookup queries the DCERPC endpoint mapper exposed via the
	    PNIO-CM service.
	o Upgraded included libraries: Lua 5.4.6, libpcre2 10.43, zlib 1.3.1,
	  libssh2 1.11.0, liblinear 2.47
	o [GH#2639] Upgraded OpenSSL binaries (for the Windows builds and for
	  RPMs) to version 3.0.13. CVEs resolved in this update include only 2
	  moderate-severity issues which we do not believe affect Nmap:
	  CVE-2023-5363 and CVE-2023-2650
	o [Zenmap][Ndiff][GH#2649] Zenmap and Ndiff now use setuptools, not distutils
	  for packaging.
	o [Ncat][GH#2685] Fixed Ncat UDP server mode to not quit after EOF on stdin.
	  Reported as Debian bug:
	  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039613
	o [GH#2672] Fixed an issue where TCP Connect scan (-sT) on Windows would fail to
	  open any sockets, leading to scans that never finish. [Daniel Miller]
	o [NSE] ssh-auth-methods will now print the pre-authentication banner text when
	  available. Requires libssh2 1.11.0 or later. [Daniel Miller]
	o [Zenmap][GH#2739] Fix a crash in Zenmap when changing a host comment.
	o [NSE][GH#2766] Fix TLS 1.2 signature algorithms for EdDSA.
	  [Daniel Roethlisberger]
	o [Zenmap][GH#2706] RPM spec files now correctly require the python3 package,
	  not python>=3
	o Improvements to OS detection fingerprint matching, including a syntax change
	  for nmap-os-db that allows ranges within the TCP Options string. This leads
	  to more concise and maintainable fingerprints. [Daniel Miller]
	o Improved the OS detection engine by using a new source port for each retry.
	  Scans from systems such as Windows that do not send RST for unsolicited
	  SYN|ACK responses were previously unable to get a response in subsequent
	  tries. [Daniel Miller]
	o Several profile-guided optimizations of the port scan engine. [Daniel Miller]
	o [GH#2731] Fix an out-of-bounds read which led to out-of-memory errors when
	  duplicate addresses were used with --exclude
	o [GH#2609] Fixed a memory leak in Nsock: compiled pcap filters were not freed.
	o [GH#2658] Fixed a crash when using service name wildcards with -p, as in -p
	  "http*"
	o [NSE] Fixed DNS TXT record parsing which caused asn-query to fail in Nmap
	  7.80 and later. [David Fifield, Mike Pattrick]
	o [NSE][GH#2727][GH#2728] Fixed packet size testing in KNX scripts [f0rw4rd]

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-13 09:15:14 +00:00
Adolf Belka
c8490adecf hplip: Update to version 3.24.4
- Update from version 3.23.12 to 3.24.4
- Update of rootfile
- Changelog
    3.24.4
	Added support for the following new Printers:
		HP OfficeJet 8120 All-in-One series
		HP OfficeJet Pro 8120 All-in-One series
		HP OfficeJet 8130 All-in-One series
		HP OfficeJet Pro 8130 All-in-One series
		HP OfficeJet Pro 9720 Series
		HP OfficeJet Pro 9730 Series
	Added support for following new Distro:
		Ubuntu 23.10
		Debian 12
		Fedora 39

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-13 09:14:55 +00:00
Adolf Belka
fdbd6bd32f frr: Update to version 10.1
- Update from version 9.1 to 10.1
- Update of rootfile
- CVE Fixes in 9.1.1
- Changelog
    10.1
	Breaking changes
		Enable BGP dynamic capability by default for datacenter profile
		Advertise BGP "Dynamic" capability by default if using a datacenter
		 profile. The dynamic capability gives more flexibility in terms of
		 changing some parameters (e.g. Graceful-Restart,
		 Long-lived Graceful-Restart timers, Addpath, Role, etc.) without
		 resetting the session.
		Split BGP rpki cache command into separate per SSH/TCP
		The old command is broken at some level. When configuring a TCP session
		 with the source, the command thinks it's an SSH session with a username.
		Add deprecation cycle for OSPF router-info X [A.B.C.D] command
	Features
		BGP dampening per-neighbor support
		It is now possible to configure BGP dampening parameters on a
		 per-neighbor basis. In previous releases, BGP dampening could only be
		 configured globally or per-SAFI.
		BMP send-experimental stats
			We added an option to send experimental BMP (RFC 7854) stats
			 [65531-65534].
			RFC 7854 defines BMP statistics types:
			    Values 65531 through 65534 are Experimental, and value 65535
			     is Reserved.
		Implement extended link-bandwidth for BGP
		By default bandwidth in extended communities is encoded in IEEE
		 floating-point format, and is limited to a maximum of 25 Gbps. Since
		 not every vendor implements this correctly (due to IEEE floating-point),
		 another draft is implemented to encode the bandwidth into IPv6
		 address-specific extended community.
		Paths Limit for Multiple Paths in BGP
		Implemented this draft as an extension for the Addpath capability, that
		 tells the sender to send only an arbitrary number of paths per prefix
		 instead of sending all of the known paths.
		New command for OSPFv2 ip ospf neighbor-filter NAME [A.B.C.D]
		Configure an IP prefix list to filter packets received from OSPF
		 neighbors on the OSPF interface.
		Implement non-broadcast support for point-to-multipoint networks
		This extends non-broadcast support to point-to-multipoint networks.
		The AllOSPFRouters (224.0.0.5) is still joined for non-broadcast
		 networks since it is joined for NBMA networks.
	Other significant changes
		bgpd
		    Fix route leaking from the default l3vrf
		    Fix match peer when switching between IPv4/IPv6/interface
		    Fix dynamic peer graceful restart race condition
		    Fix colored routes not installed after a switchover
		    Fix crash when deleting the SRv6 locator
		    Fix no set as-path prepend ASNUM...
		    Fix negative commands for Graceful-Restart operations (avoid
		     entering incorrect state)
		    Fix ipv4-mapped ipv6 on non 6pe
		    Fix show run of network route-distinguisher
		    Fix display when using missing-as-worst
		    Fix show bgp neighbors output
		    Fix error handling for MP/GR capabilities as a dynamic capability
		    Fix error handling when receiving BGP Prefix-SID attribute
		    Fix route-target display with a dotted format
		    Fix no bgp as-path access-list
		    Fix no form for neighbor X capability software-version
		    Check against extended community unit size for link bandwidth
		    Make sure we have enough data to handle extended link bandwidth
		    Check if FQDN capability length is in valid ranges
		    Allow using different ASNs per VRF instances
		    Send End-of-RIB not only if Graceful-Restart capability is received
		    Implement backpressure to avoid CPU hog
		    Ignore validating the attribute flags if path-attribute is configured
		    Prevent deletion of BGP peer groups associated with bgp listen range
		    Inherit some peer flags from the peer-group
		    Allow specification of AS 0 for RPKI commands
		    Allow using maximum-prefix for EVPN
		    Increase install/uninstall speed of EVPN VNIs
		    Update default-originate route-map actual map structure
		    Include unsuppress-map as a valid outgoing eBGP policy
		    Allow dynamically disable graceful-restart/long-lived graceful-restart
		    Unset advertised capabilities if the capability is disabled
		    Aggregated summary-only remove suppressed from EVPN
		isisd
		    Fix crash when deactivating ISIS adjacency on the interface
		    Fix show isis database [detail] json
		    Fix show isis algorithm
		    Fix crash when configuring the circuit type for the interface
		    Fix IP/IPv6 reachability TLVs
		    When the metric-type is configured as "wide", the IS-IS generates
		     incorrect metric values for IPv4 directly connected routes
		    Add link state support for SRv6 adjacencies
		    The hold time of hello packets on a P2P link does not match the
		     sending interval
		mgmtd
		    Implement YANG RPC/action support
		ospfd
		    Fix crash in OSPF TE parsing
		    Fix the bug where ip_ospf_dead-interval_minimal_hello-multiplier did
		     not reset the hello timer
		    Fix no write-multiplier command
		    Fix no maximum-paths command
		    Solved crash in RI parsing with OSPF TE
		    Assure OSPF AS External routes are installed after the link flap
		    Send LS Updates in response to LS Request as unicast
		ospf6d
		    Handle topo change in Graceful-Restart Helper mode for max-age LSAs
		    Prevent heap-buffer-overflow with an unknown type
		    Redistribute metric for AS-external route
		    Fix next-hop computation for inter-area multi-ABR ECMP
		    Fix interface type vs. connected routes updates
		pathd
		    Retry synchronous label-manager ZAPI connection
		pimd
		    Fix null register before aging out reg-stop
		    Fix dr-priority range
		    Fix crash unconfiguring rp keepalive timer
		lib
		    Fix keychain NB crash
		    Do not convert EVPN prefixes into IPv4/IPv6 if not needed
		ripd
		    Fix clear ip rip command
		ripngd
		    Fix clear ipv6 ripng command
		tools
		    Handle seq num for BGP as-path in frr-reload.py
		vtysh
		    Fix 'show ip[v6] prefix-list ... json' formatting by moving it to vtysh
		    Fix show route-map command when calling via do
		    Show ip ospf network ... even if it's not the same as the interface
		     type
		zebra
		    Fix mpls label bind command
		    Fix excessive exit commands
		    Fix static SRv6 segment-list SID order
		    Fix JSON output for show route summary json
		    Fix malformed json output for multiple vrfs in command show ip route
		     vrf all json
		    Fix crash if MAC-VLAN link in another netns
		    Fix crash on MAC-VLAN link down/up
		    Deny the routes if ip protocol CLI refers to an undefined route-map
		    Bridge flap handle VLAN membership update
		    Add show fpm status [json] command
    9.1.1
	Fixed CVEs
	    CVE-2024-31950
	    CVE-2024-31951
	    CVE-2024-31949
	Bug Fixes
		bgpd
		    "default-originate" shouldn't withdraw non-default routes
		    Aggr summary-only suppressed export to evpn
		    Allow using optional table id for negative `no set table x` command
		    Arrange peer notification to after zebra announce
		    Check bgp evpn instance presence in soo
		    Convert the bgp_advertise_attr->adv to a fifo
		    Do not show tcp mss if the socket is broken
		    Ensure bgp does not stop monitoring nexthops
		    Ensure community data is freed in some cases.
		    Ensure that the correct aspath is free'd
		    Fix `match peer` when switching between ipv4/ipv6/interface
		    Fix `no set as-path prepend asnum...`
		    Fix bgp_best_selection heap-use-after-free
		    Fix crash when deleting the srv6 locator
		    Fix display when using `missing-as-worst`
		    Fix dynamic peer graceful restart race condition
		    Fix ecommunity_fill_pbr_action heap-buffer-overflow
		    Fix error handling when receiving bgp prefix sid attribute
		    Fix errors handling for mp/gr capabilities as dynamic capability
		    Fix format overflow for graceful-restart debug logs
		    Fix logging message when receiving a software version capability
		    Fix no bgp as-path access-list issue
		    Fix route-map match probability deconfiguration callback
		    Fix srv6 memory leak detection
		    Fix the order of null check and zapi decode
		    Fix vrf leaking with 'no bgp network import-check'
		    Free memory for srv6 functions and locator chunks
		    Ignore validating the attribute flags if path-attribute is configured
		    Include unsuppress-map as a valid outgoing policy
		    Lttng tp add evpn route events
		    Make `suppress-fib-pending` clear peering
		    Note when receiving but not understanding a route notification
		    Prevent from one more cve triggering this place
		    Set correct ttl for the dynamic neighbor peers
		    Update default-originate route-map actual map structure
		    Revert "Fix pointer arithmetic in bgp snmp module"
		doc
		    Add param range for graceful-restart helper supported-grace-time
		    Remove duplicated show route-map
		isisd
		    Fix _isis_spftree_del heap-use-after-free
		    Fix displaying lsp id
		    Fix heap-after-free with prefix sid
		    Fix ip/ipv6 reachability tlvs
		lib
		    Check for not being a blackhole route
		    Fix show route map json output
		    Do not convert evpn prefixes into ipv4/ipv6 if not needed
		    Replace deprecated ares_gethostbyname
		    Replace deprecated ares_process()
		nhrpd
		    Fix race condition
		    Fix core dump on shutdown
		ospf6d
		    Ospfv3 route change comparison fixed for asbr-only change
		    Prevent heap-buffer-overflow with unknown type
		ospfd
		    Add support for "no router-info [<area|as>] command"
		    Can not delete "segment-routing node-msd" when sr is off
		    Correct lsa parser which fulfill the ted
		    Correct opaque lsa extended parser
		    Correct sid check size
		    Fix ospf dead-interval minimal hello-multiplier param range
		    Fix the bug where ip_ospf_dead-interval_minimal_hello-multiplier did
		     not reset hello timer
		    Protect call to get_edge() in ospf_te.c
		    Solved crash in ospf te parsing
		    Solved crash in ri parsing with ospf te
		    Revert "Fix some dicey pointer arith in snmp module"
		pbrd
		    Fix map seq installed flag in json
		    Fix pbr handling for last rule deletion
		pimd
		    Fix crash unconfiguring rp keepalive timer
		    Fix crash when configuring ssmpingd
		    Fix dr-priority range
		    Fix null register before aging out reg-stop
		    Fix order of operations for evaluating join
		    Re-evaluated s,g oils upon rp changes and for empty sg upstream oils
		    Fix crash when mixing ssm/any-source joins
		staticd
		    Fix changing to source auto in bfd monitor
		tests
		    Check for 0.0.0.0/1 in bgp_default_route
		    Check if ibgp session can drop invalid aigp attribute
		    Extend tests for aspath exclude
		    Update ospf te topotests
		tools
		    Apply black formatting for tools/frr-reload.py
		    Fix frr-reload interface desc cmd
		    Fix frr-reload multiple no description cmds
		    Fix frr-reload multiple no description cmds
		    Use error log level when failing to execute commands via frr-reload.py
		topotests
		    Do not check table version
		    Redispatch tests in bfd_topo3
		    Test wrong bfd source in bfd_topo3
		    Vpnv4 route leaking with no import-check
		vtysh
		    Show `ip ospf network ...` even if it's not the same as the
		     interface type
		zebra
		    Add missing whitespace when printing route entry status
		    Deny the routes if ip protocol cli refers to an undefined rmap
		    Don't deref vxlan-vni array
		    Fix crash if macvlan link in another netns
		    Fix crash on macvlan link down/up
		    Fix evpn svd based remote nh neigh del
		    Fix mpls command
		    Fix route deletion during zebra shutdown
		    The dplane_fpm_nl return path leaks memory

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-13 09:14:30 +00:00
Adolf Belka
733e957885 freeradius: Update to version 3.2.5
- Update from version 3.2.3 to 3.2.5
- Update of rootfile
- Various options removed from ./configure as they are all unrecognised and don't have
   any effect. Most of them look to have been related to freeradius-1.x
- There is no command that gets recognised for disabling or not using static libs
- Changelog
    3.2.5
	Feature Improvements
	    TOTP now supports TOTP-Time-Offset for tokens with times that are out of sync.
	     See mods-available/totp.
	    radclient now supports forcing the Request Authenticator and ID for
	     Access-Request packets.
	    Update dictionary.3gpp.
	    Update advice on shared secrets, including suggesting a secure method for
	     generating useful secrets.
	Bug Fixes
	    Allow proxying by pool / home server name to work with auth+acct servers.
	    Fix OpenSSL API usage which sometimes caused crash in MS-CHAP. Previously it
	     would either always crash immediately, or never crash.
	    Fix packet statistics. Stop double counting some packets, and track packet
	     statistics even if a socket is closed.
	    Reverted patch in TTLS which broke compatibility with some systems.
	    Don't crash in debug mode when multiple intermediate certs are used. Patch
	     from Alexander Chernikov.
    3.2.4
	Feature Improvements
	    Preliminary support for TEAP.
	    Update EAP module pre_proxy checks to make them less restrictive. This
	     prevents the "middle box" effect from affecting future traffic.
	    Many fixes and updates for Docker images.
	    Add dpsk module. See mods-available/dpsk.
	    Print out what caused the TLS operations to be made, such as the EAP method
	     name (peap, ttls, etc), or RADIUS/TLS listen / proxy socket.
	    Add auto_escape to sample SQL module config.
	    Add 'if not exists' to mysql create table queries. ref #5032 (#5137).
	    Update dictionary.aruba; add dictionary.tplink, dictionary.alphion.
	    Allow for 'encrypt=1' attributes to be longer than 128 characters.
	    Added "radsecret" program which generates strong secrets. See the top of the
	     "clients.conf" file for more information.
	    radclient now prints packets as hex when using -xxx.
	    Added "-t timeout" to radsniff. It will stop processing packets after
	     <timeout> seconds.
	    Support "interface = ..." on OSX and other *BSD which have IP_BOUND_IF.
	    The detail module now has a "dates_as_integer" configuration item. See
	     mods-available/detail for more information.
	    Add lookback/lookforward steps and more configuration to totp. See
	     mods-available/totp.
	    Add "time_since" xlat to calculate elapsed time in seconds, milliseconds and
	     microseconds.
	    Support "Post-Auth-Type Challenge" in the inner tunnel. Patch from Alexander
	     Clouter. PR #5320.
	    Add "proxy_dedup_window". See radiusd.conf.
	    Document KRB5_CLIENT_KTNAME in the "env" section of radiusd.conf.
	    Add "dedup_key" for misbehaving supplicants. See mods-available/eap.
	Bug Fixes
	    Fix corner case with empty defaults in rlm_files. Fixes #5035.
	    When we have multiple attributes of the same name, always use the canonical
	     attribute.
	    Make FreeRADIUS-Server-EMA* attributes work again for home server exponential
	     moving average statistics.
	    Don't send the global server stats when asked for client stats. They use the
	     same attributes, so the result is confusing.
	    Fix multiple typos in MongoDB query.conf (#5130).
	    Add define for illumos. Fixes #5135.
	    Add client configuration for TLS PSK.
	    Permit originate CoA after proxying to an internal virtual server.
	    Use virtual server "default" when passed "-i" and "-p" on the command line.
	    Fix locking issues with rlm_python3.
	    The detail file reader will catch bad times in the file, and will not update
	     Acct-Delay-Time with extreme values.
	    Fix issue where Message-Authenticator was calculated incorrectly for
	     CoA / Disconnect ACK and NAK packets.
	    Update Python thread and error handling. Fixes #5208.
	    Fix handling of Session-State when proxying. Fixes #5288.
	    Run relevant post-proxy Fail-* section on CoA / Disconnect timeout.
	    Add "limit" section to AWS health check configuration. Fixes 35300.
	    Use MAX in sqlite queries instead of GREATEST.
	    Fix typo in Mongo queries. Fixes #5301.
	    Fix occasional crash with bad home servers. Fixes #5308.
	    Minor bug fixes to the SQL freetds modules.
	    Fix blocking issue with RADIUS/TLS connection checks.
	    Fix run-time crash on configuration typos of %{substr ...} instead of
	     %{substr:...} Fixes #5321.
	    Fix crash with TLS Status-Server requests. Fixes #5326.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-13 09:14:15 +00:00
Adolf Belka
0382036f71 netatalk: Update to version 3.2.5
- Update from version 3.1.2 to 3.2.5
- Update of rootfile
- Change to meson build
- Bundled libevent was removed in 3.1.13 so configure option no longer needed.
- The latest netatalk places the prefix value onto all other directories. No way to change
   this via the meson options. So sysconfdir and localstatedir would end up being under
   /usr. Patch created to remove the prefix value at the beginning of sysconfdir and
   localstatedir so that the locations stay the same as for the previous versions.
- The default value for pam.d is in /usr/etc/ but option available to change this.
- Large number of CVE fixes in some of the updates - 3.2.1, 3.1.18, 3.1.17, 3.1.16,
   3.1.15, 3.1.13, 3.1.12.
- Changelog
    3.2.5
	* BREAKING: meson: Allow choosing shared or static libraries to build,
	       GitHub #1321
	       In practice, only shared libraries are built by default now.
	       Use the `default_library' option to control what is built.
	* FIX: meson: Control the MySQL CNID backend, and support MariaDB, GitHub #1341
	       Introduces a new boolean `with-cnid-mysql-backend' option.
	* FIX: meson: Implement with-init-dir option, GitHub #1346
	* FIX: autotools/meson: Install FreeBSD init script into correct location,
	       GitHub #1345
	* FIX: meson: Fix syntax error with libiconv path, GitHub #1279
	* FIX: meson: Correct description for with-manual option, GitHub #1282
	* FIX: meson: Correct prefix lookup for tracker-control, GitHub #1284
	* FIX: meson: default OPEN_NOFOLLOW_ERRNO overwrites platform customization,
	       GitHub #1286
	* FIX: meson: Don't make dtags depend on rpath, GitHub #1293
	* FIX: meson: Remove duplicate dependency check for posix threads, GitHub #1297
	* FIX: meson: Better output when cryptographic UAMs aren't built, GitHub #1302
	* FIX: meson: Prioritize tests and run single-threaded to avoid race condition,
	       GitHub #1312
	* FIX: meson: Better way to handle rpath executable targets, GitHub #1315
	* FIX: meson: Refactor libcrypto check and print better status messages,
	       GitHub #1299
	* FIX: meson: Look for libmariadb dependency to appease Fedora, GitHub #1348
	* FIX: meson: Declare have_atfuncs globally to avoid failure later, GitHub #1357
	* FIX: meson: Do a compiler sanity check before header checks, GitHub #1356
	* FIX: Avoid using reserved keyword to build the tests on NetBSD, GitHub #1328
    3.2.4
	* UPD: autotools: Restore ABI versioning of libatalk,
	       and set it to 18.0.0, GitHub #1261
	* UPD: meson: Define long-form soversion as 18.0.0, GitHub #1256
	       Previously, only `18' was defined.
	* NEW: meson: Introduce pkgconfdir override option, GitHub #1241
	       The new option is called `with-pkgconfdir-path'
	       and is analogous to the `with-pkgconfdir' Autotools option.
	       Additionally, the hard-coded "netatalk" path suffix has been removed.
	* NEW: meson: Introduce `debian' init style option
	       that installs both sysv and systemd, GitHub #1239
	* FIX: meson: Add have_atfuncs check,
	       and make dtags dependent on rpath flag, GitHub #1236
	* FIX: meson: Correct overwrite install logic for config files, GitHub #1253
	* FIX: Fix typo in netatalk_conf.c log message
    3.2.3
	* UPD: Record note of permission to upgrade CNID code
	       to a later GPL, GitHub #1194
	* UPD: Remove long-obsoleted cnid2_create script, GitHub #1203
	* UPD: docker: Add option to enable ClearText and Guest UAMs, GitHub #1202
	* FIX: docs: Standardize reference entry naming
	       for netatalk-config man page, GitHub #1208
	* FIX: meson: Generate afppasswd manual html page, GitHub #1210
	* UPD: meson: Remove obsolete 64 bit library check, GitHub #1207
	* FIX: meson: Enable rpath for binaries
	       only when with-rpath is enabled, GitHub #1214
	* FIX: meson: Require kerberos before enabling krb5 UAM,
	       not just GSSAPI, GitHub #1218
	* FIX: meson: Restore linking with 64-bit libdb on Solaris, GitHub #1222
	* FIX: meson: Fixing linking when building with
	       the `with-ssl-override' option, GitHub #1227
    3.2.2
	* UPD: meson: Use external SSL dependency to provide cast header, GitHub #1186
	       This reintroduces OpenSSL/LibreSSL as a dependency for the DHX UAM,
	       while removing all source files with the SSLeay copyright notice.
	* UPD: meson: Add option to override system WolfSSL
	       with embedded WolfSSL: `with-ssl-override', GitHub #1176
	* UPD: Remove obsolete Red Hat Upstart and SuSE SysV init scripts, GitHub #1163
	* FIX: meson: Fix errors in PAM support macro, GitHub #1178
	* FIX: meson: Fix perl shebang substitution in cnid2_create script, GitHub #1183
	* FIX: meson: Fix operation of D-Bus path macros, GitHub #1182
	* FIX: meson: Fix errors in shadow password macro, GitHub #1192
	* FIX: autotools: gcc 8.5 expects explicit library flags
	       for libgcrypt, GitHub #1188
	* NEW: Create a security policy, GitHub #1166
    3.2.1
	* FIX: CVE-2024-38439,CVE-2024-38440,CVE-2024-38441: Harden user login,
	       GitHub #1158
	* BREAKING: meson: Rework option semantics and feature macros, GitHub #1099
	       - Consistent syntax of the build options to make them user-friendly
	       - Standardises the syntax of the feature macros
	       - Fixes the logic of the largefile support macro
	       - Disables gssapi support if the Kerberos V UAM is not required
	       - All options are now defined either as `with-*' or `with-*-path'
	       - Please see the Release Notes for a full list of changed options
	* UPD: meson: Enable building with system WolfSSL library, GitHub #1160
	       - Build system will attempt to detect
	       that all required headers and symbols are supported
	       - Falls back to the bundled WolfSSL library
	* FIX: meson: Fix -Doption paths on systems
	       where rpath is enabled by default, GitHub #1053
	* FIX: meson: Fix library search macro on OmniOS hosts, GitHub #1056
	* FIX: meson: Fix rules for installing scripts, GitHub #1070
	       - Install afpstats only when Perl is detected
	       - Don't install scripts only used by netatalk developers
	* FIX: meson: set setuid bit to allow user afppasswd changing, GitHub #1071
	* FIX: meson: Fix logic of libiconv detection macro, GitHub #1075
	* FIX: meson: Address various issues with the meson build system, GitHub #1082
	       - Enables quota support on all flavours of linux and BSD, plus macOS
	       - Adds the quota provider to the configuration summary
	       - Adds a user option to disable LDAP support
	       - Sets dependencies according to user configuration
	       - Improves the syntax of the ACL macro
	* FIX: meson: Further refinements to meson build system, GitHub #1086
	       - Adds user options to disable cracklib and GSSAPI support
	       - Automates Berkeley DB library detection on macOS
	* FIX: meson: Fix issues with quota support on linux and macOS, GitHub #1092
	       - Enables quota support on macOS hosts
	       - Restores missing configuration option for linux hosts
	       - Removes obsolete quota configuration data for linux and macOS hosts
	* FIX: meson: Set executable flags when installing scripts, GitHub #1117
	* UPD: autotools and meson: Use pkg-config to find libgcrypt, GitHub #1132
	       - This removes dependency on the now-obsolete libgcrypt-config
	* FIX: Use portable linux macro in etc/afpd header, GitHub #1083
	* UPD: Debian Trixie expects systemd scripts in /usr/lib, GitHub #1135
	* UPD: Add copyright for mac_roman.h, GitHub #1137
	* FIX: Cleanup of copyright headers to make them scanner friendly, GitHub #1142
	* FIX: Remove unused atalk/talloc.h header, GitHub #1154
	* FIX: docker: Don't bail out when password is longer than 8 chars, GitHub #1067
	* UPD: docker: Bump to Alpine 3.20 base image, GitHub #1111
	* FIX: docker: Rework AFP user's GROUP and GID settings, GitHub #1116
	       - GID now requires GROUP to be set, and applies to that group
	         rather than that of the user.
	* UPD: docs: Indicate license for software package,
	       and add SSLeay notice, GitHub #1125
	* FIX: docs: Rephrase tarball section of manual, GitHub #1164
    3.2.0
	* NEW: BREAKING: Introduce the Meson build system, GitHub #707
	       GNU Autotools is still supported, but will be removed
	       in a future release. See the newly added INSTALL file.
	* NEW: BREAKING: Bundle WolfSSL for DHX/RandNum UAM encryption, GitHub #358
	       This is enabled by default, controlled by option "-Dwith-embedded-ssl"
	       Requires the Meson build system.
	       External OpenSSL 1.1 and LibreSSL are still supported.
	* NEW: BREAKING: LDAP API bump, OpenLDAP v2.3 or later required, GitHub #762
	       afp.conf option "ldap server" has been replaced with "ldap uri"
	       and has a new syntax. See the manual for details.
	* UPD: BREAKING: Remove legacy cdb and tdb CNID backends, GitHub #508
	* UPD: BREAKING: Remove Andrew File System (AFS) support, GitHub #554
	* UPD: BREAKING: Remove bundled talloc, GitHub #479
	       For Spotlight support, use the talloc library supplied by your OS,
	       or get the source code from the Samba project and build it yourself.
	* UPD: BREAKING: Remove generated SPARQL code, GitHub #337
	       This introduces a compile time dependency on
	       a yacc parser and a lexer to build with Spotlight support.
	* UPD: BREAKING: Rename macOS launchd plist to io.netatalk.*, GitHub #778
	       Note: Only the Meson build system will clean up the old plist.
	* UPD: BREAKING: Renamed Gentoo init script to openrc, GitHub #868
	       OpenRC is cross platform; confirmed working on Alpine Linux.
	* NEW: FreeBSD init script, borrowed from FreeBSD ports, GitHub #876
	       Special thanks to the author, Joe Marcus Clarke.
	* NEW: OpenBSD init script, GitHub #870
	* NEW: Introduce an official Dockerfile and entry script, GitHub #713
	* NEW: Option to log to file with second (not us) accuracy, GitHub #580
	       Enable with afp.conf option: "log microseconds = no"
	* NEW: Option to add delay to FCE event emission, GitHub #849
	       Set a ms delay with afp.conf option: "fce sendwait"
	* NEW: afppasswd: Add -w option to set password from the CLI, GitHub #936
	* NEW: docs: Distribute a manual appendix with the GNU GPL v2, GitHub #745
	* NEW: docs: Distribute the Japanese localization of the manual, GitHub #806
	* NEW: docs: Generate a manual appendix with build instructions, GitHub #791
	       The appendix is generated from the GitHub CI workflow yaml file.
	* UPD: docs: Document libraries, init scripts in manual, GitHub #808
	* UPD: docs: Remove substituted file system paths from manual, GitHub #514
	* FIX: afpd: Prevent theoretical crash in FPSetACL, GitHub #364
	* FIX: libatalk: Fix parsing of macOS-created AppleDouble files, GitHub #270
	* FIX: libatalk: Restore invalid EA metadata cleanup, GitHub #400
	* FIX: quota: Use the NetBSD 6 quota API, GitHub #1028
	* FIX: quota: Workaround for rquota.h symbol name on Fedora 40, GitHub #1040
	* FIX: uams: Allow linking of the PGP UAM, GitHub #548
	* FIX: Shore up error handling and type safety, GitHub #952
	* UPD: Rewrite the afpstats script in Perl, GitHub #893
	       And, improve the formatting of the standard output.
	       Requires the Net::DBus Perl extension.
	       This removes the effective dependency on a Python runtime.
	* UPD: Make Perl and grep optional requirements, GitHub #886
	       When either is missing, do not install the optional Perl scripts.
	* NEW: Build system option "disable-init-hooks", GitHub #796
	       Will skip init script enablement commands that require
	       elevated privileges on the system.
	* FIX: Make cracklib macro properly detect dictionary, GitHub #940
	* FIX: Build with PAM support on FreeBSD 14, GitHub #560
	* FIX: Allow libevent2 linking on OpenIndiana, GitHub #512
	* FIX: Control all Spotlight dependencies at compile time, GitHub #571
	* UPD: Remove redundant AUTHORS file, GitHub #538
    3.1.18
	* FIX: CVE-2022-22995: Harden create_appledesktop_folder(), GitHub #480
	* FIX: Disable dtrace support on aarch64 FreeBSD hosts, GitHub #498
	* FIX: Correct syntax for libwrap check in tcp-wrappers.m4, GitHub #500
	* FIX: Correct syntax for libiconv check in iconv.m4, GitHub #491
	* FIX: quota is not supported on macOS, GitHub #492
    3.1.17
	* FIX: CVE-2023-42464: Validate data type in dalloc_value_for_key(), GitHub #486
	* FIX: Declare a variable before using it in a loop,
	       which was throwing off the default compiler on RHEL7, GitHub #481
	* UPD: Distribute tarballs with xz compression by default, not gzip, GitHub #478
	* UPD: Add AUTHOR sections to all man pages with a reference to CONTRIBUTORS,
	       and standardize headers and footers, GitHub #462
    3.1.16
	* FIX: libatalk: Fix CVE-2022-23121, CVE-2022-23123 regression
	       - Added guard check before access ad_entry(), GitHub#357
	       - Allow zero length entry, for AppleDouble specification, GitHub#368
	       - Remove special handling for COMMENT entries, GitHub#236
	       - The assertion for invalid entries is still enabled,
	         so please report any future "Invalid metadata EA" errors!
	* FIX: build system: Fix autoconf warnings and modernize bootstrap
	       and configure.ac, GitHub#331
	* FIX: build system: Correct syntax in libevent search macro,
	       summary macro and netatalk executable makefile, GitHub#342
	* FIX: build system: Fix native libiconv detection on macOS, GitHub#343
	* FIX: build system: Use non-interactive PAM session when available, GitHub#361
	* FIX: build system: Fix detection of Berkeley DB installed
	       in multiarch location, GitHub#380
	* FIX: build system: Fix support for cross-compilation
	       with mysql_config and dtrace, GitHub#384
	* FIX: build system: Support building quota against libtirpc, GitHub#385
	* FIX: build system: Fix variable substitution in configure summary, GitHub#443
	* UPD: build system: Remove ABI checks and the --enable-developer option, GitHub#262
	* FIX: initscript: Improvements to Debian SysV init script
	       - Source init-functions, GitHub#386
	       - Add a Description and Short-Description, GitHub#428
	* FIX: docs: Clarify localstate dir configurability in manual, GitHub#401
	* UPD: docs: Make BerkeleyDB 5.3.x the recommended version, GitHub#8
	* FIX: docs: Update SourceForge URLs to fix CSS styles and download links
	* FIX: docs: Remove obsoleted bug reporting sections, GitHub#455
	* FIX: Sundry typo fixes in user visible strings and docs, GitHub#381, GitHub#382
	* UPD: Rename asip-status.pl as asip-status
	       to make naming implementation-agnostic, GitHub#379
	* UPD: Remove redundant uid.c|h files in etc/afpd
	* UPD: Don't build and distribute deprecated cnid2_create tool, GitHub#412
	* UPD: Remove deprecated megatron code and man page, GitHub#456
	* UPD: Remove deprecated uniconv code and man page, GitHub#457
	* UPD: Improvements to the GitHub CI workflow
    3.1.15
	* FIX: CVE-2022-43634
	* FIX: CVE-2022-45188
	* NEW: Support for macOS hosts, Intel and Apple silicon, GitHub#281
	* FIX: configure.ac: update deprecated autoconf syntax
	* UPD: configure.ac: Support linking with system shared libraries
	       Introduces the --with-talloc option
	* FIX: macros: largefile-check macro for largefile (clang 16)
	* UPD: macros: Update pthread macro to the latest from gnu.org
	* FIX: initscripts: Modernize Systemd service file.
	* FIX: libatalk/conf: include sys/file.h for LOCK_EX
	* FIX: libatalk: Change log level for realpath() error, SF bug#666
	* FIX: libatalk: Change log level for real_name error, SF bug#596
	* FIX: libatalk: The my_bool type is deprecated as of MySQL 8.0.1, GitHub#129
	* UPD: libatalk: allow afpd to read read-protected afp.conf, SF bug#546
	* UPD: libatalk: Make the "valid users" option work in the Homes section, SF bug#449
	* UPD: libatalk: Check that FPDisconnectOldSession is successful, SF bug#634
	* UPD: libatalk: Bring iniparser library codebase in line with current version 4.1
	* FIX: afpd: Provide MNTTYPE_NFS on OmniOS to make quota work, GitHub#117
	* FIX: afpd: Avoid triggering realpath() lookups with empty path, GitHub#277
	* FIX: spotlight: Spotlight searches can cause afpd to segfault, GitHub#56
	* UPD: spotlight: add support for tracker3, SF patch#147
	* FIX: macusers: Fix output for long usernames
	* FIX: macusers: account for usernames with non-word characters
	* FIX: macusers: Support NetBSD
	* FIX: Fix all function declarations without a prototype
	* FIX: Fix C99 compliance issues
	* FIX: Fix gcc10 compiler warnings
	* UPD: Remove asciidocs sources and release notes script
	* FIX: manpages: afp.conf: Parameters are not quoted, SF bug#617
	* FIX: manpages: afp.conf: Document $u in home name, GitHub#123
	* FIX: manpages: afp.conf: Document the usage of guest user, GitHub#298
	* FIX: Document how the mysql cnid backend is configured, GitHub#69
	* FIX: Fix user-visible typos in log output and man pages.
	* FIX: Fix spelling, syntax, and dead URLs in html manual.
	* NEW: Create README.md
	* NEW: Set up GitHub workflow and static analysis with Sonarcloud
    3.1.14
	* FIX: fix build with libressl >= 2.7.0, GitHub#105
	* NEW: Added Ignore Directories Feature
	* UPD: Generate Unicode source code based on Unicode 14.0, GitHub#114
	* FIX: Protect against removing AFP metadata xattr
	* FIX: avoid setting adouble entries on symlinks
	* FIX: add handling for cases where ad_entry() returns NULL, GitHub#175
	* FIX: Fix setting of LD_LIBRARY_FLAGS ($shlibpath_var).
	* FIX: afpstats: Fedora migrating away from IO::Socket::INET6, GitHub#130
	* FIX: afpd: check return values from setXXid() functions, GitHub#115
	* FIX: afpd: drop groups in become_user_permanently(), GitHub#126
	* FIX: Fix use after free in get_tm_used()
	* FIX: Fix sign extension problem in bsd_attr_list()
	* FIX: Fix garbage read in bsd_attr_list
	* FIX: make afpstats python 3 compatible
	* UPD: docs: manual: Remove wrong TCP-over-TCP info; minor copy editing
	* FIX: configure.ac: fix macro ordering for CentOS 6
	* FIX: configure.ac: fix typo
	* FIX: configure.ac: remove some trailing whitespace
	* FIX: configure.ac: fix deprecated macro invocation
	* FIX: configure.ac: replace obsolete macro
	* FIX: libatalk/dsi/Makefile.am: fix deprecation warning
	* FIX: Store AutoMake helper script in build-aux/
	* FIX: configure.ac: define a dir for macros
	* FIX: configure.ac: AM_CONFIG_HEADER is deprecated
	* FIX: autotools: Fix another deprecation warning
	* FIX: libgcrypt typo in configuration error message
	* UPD: Various CI improvements
	* FIX: libatalk/conf: re-generation of afp_voluuid.conf
	* UPD: libatalk/conf: code cleanup and add locking to get_vol_uuid()
	* UPD: add documentation for the lv_flags_t
	* FIX: No need to check for attropen on Solaris, GitHub#44
    3.1.13
	* FIX: CVE-2021-31439
	* FIX: CVE-2022-23121
	* FIX: CVE-2022-23123
	* FIX: CVE-2022-23122
	* FIX: CVE-2022-23125
	* FIX: CVE-2022-23124
	* FIX: CVE-2022-0194
	* FIX: afpd: make a variable declaration a definition
	* UPD: Remove bundled libevent
    3.1.12
	* FIX: dhx uams: build with LibreSSL, GitHub#91
	* FIX: various spelling errors
	* FIX: CVE-2018-1160
    3.1.11
	* NEW: Global option "zeroconf name", FR#99
	* NEW: show Zeroconf support by "netatalk -V", FR#100
	* UPD: gentoo: Switch openrc init script to openrc-run, GitHub#77
	* FIX: log message: name of function does not match, GitHub#78
	* UPD: volume capacity reporting to match Samba behavior, GitHub#83
	* FIX: debian: sysv init status command exits with proper exit code, GitHub#84
	* FIX: dsi_stream_read: len:0, unexpected EOF, GitHub#82
	* UPD: dhx uams: OpenSSL 1.1 support, GitHub#87
    3.1.10
	* FIX: cannot build when ldap is not defined, bug #630
	* FIX: SIGHUP can cause core dump when mdns is enabled, bug #72
	* FIX: Solaris: stale pid file puts netatalk into maintenance mode, bug #73
	* FIX: dsi_stream_read: len:0, unexpected EOF, bug #633
    3.1.9
	* FIX: afpd: fix "admin group" option
	* NEW: afpd: new options "force user" and "force group"
	* FIX: listening on IPv6 wildcard address may fail if IPv6 is
	       disabled, bug #606
	* NEW: LibreSSL support, FR #98
	* FIX: cannot build when acl is not defined, bug #574
	* UPD: configure option "--with-init-style=" for Gentoo.
	       "gentoo" is renamed to "gentoo-openrc".
	       "gentoo-openrc" is same as "openrc".
	       "gentoo-systemd" is same as "systemd".
	* NEW: configure option "--with-dbus-daemon=PATH" for Spotlight feature
	* UPD: use "tracker daemon" command instead of "tracker-control" command
	       if Gnome Tracker is the recent version.
	* NEW: configure options "--enable-rpath" and "--disable-rpath" which
	       can be used to force setting of RPATH (default on Solaris/NetBSD)
	       or disable it.
	* NEW: configure option "--with-tracker-install-prefix" allows setting
	       an alternate install prefix for tracker when cross-compiling.
	* UPD: asip-status.pl: IPv6 support
	* UPD: asip-status.pl: show GSS-UAM SPNEGO blob
	* FIX: afpd: don't use network IDs without LDAP, bug #621
	* FIX: afpd: reading from file may fail, bug #619
	* NEW: AFP clients should not be able to copy or manipulate special
	       extended attributes set by NFS and SMB servers on Solaris, issue #36
	* FIX: ad: ad cp may crash, bug #622
	* UPD: Update Unicode support to version 9.0.0
    3.1.8
	* FIX: CNID/MySQL: Quote UUID table names.
	       https://sourceforge.net/p/netatalk/bugs/585/
	* FIX: Crash in cnid_metad, bug #593
	* UPD: Update Unicode support to version 8.0.0
	* FIX: larger server side copyfile buffer for improved IO performance,
	       bug #599
	* NEW: afpd: new option "ea = samba". Use Samba vfs_streams_xattr
	       compatible xattrs which means adding a 0 byte at the end of
	       xattrs.
	* FIX: remove #541 workaround patch. There was this problem with only early
	       Fedora 20.
	* FIX: rpmbuild fails on Fedora x86_64, bug #598
	* FIX: Listen on IPv6 wildcard address by default, bug #602
	* FIX: FCE protocol version 1 packets, bug #603
	* UPD: Update list of BerkeleyDB versions searched at configure time
    3.1.7
	* UPD: Spotlight: enhance behaviour for long running queries, client
	       will now show "progress wheel" while waiting for first results.
	* FIX: netatalk: fix a crash on Solaris when registering with mDNS
	* FIX: netatalk: SIGHUP would kill the process instead of being resent
	       to the other Netatalk processes, bug #579
	* FIX: afpd: Solaris locking problem, bug #559
	* FIX: Handling of malformed UTF8 strings, bug #524
	* FIX: afpd: umask handling, bug #576
	* FIX: Spotlight: Limiting searches to subfolders, bug #581
	* FIX: afpd: reloading logging config may result in privilege
	       escalation in afpd processes
	* FIX: afpd: ACL related error messages, now logged with loglevel
	       debug instead of error
	* FIX: cnid_metad: fix tsockfd_create() return value on error
	* FIX: CNID/MySQL: volume table name generation, bug #566.
    3.1.6
	* FIX: Spotlight: fix for long running queries
	* UPD: afpd: distribute SIGHUP from parent afpd to children and force
	       reload shares
	* FIX: netatalk: refresh Zeroconf registration when receiving SIGHUP
	* NEW: configure option "--with-init-style=debian-systemd" for Debian 8 jessie
	       and later.
	       "--with-init-style=debian" is renamed "--with-init-style=debian-sysv".
    3.1.5
	* FIX: Spotlight: several important fixes
    3.1.4
	* FIX: afpd: Hangs in Netatalk which causes it to stop responding to
	       connections, bug #572.
	* NEW: afpd: new option "force xattr with sticky bit = yes|no"
	       (default: no), FR #94
	* UPD: afpd: FCE version 2 with new event types and new config options
	       "fce ignore names" and "fce notify script"
	* UPD: afpd: check for modified included config file, FR #95.
	* UPD: libatalk: logger: remove flood protection and allocate messages
	* UPD: Spotlight: use async Tracker SPARQL API
	* NEW: afpd: new option "case sensitive = yes|no" (default: yes)
	       In spite of being case sensitive as a matter of fact, netatalk
	       3.1.3 and earlier did not notify kCaseSensitive flag to the client.
	       Now, it is notified correctly by default, FR #62.
    3.1.3
	* UPD: Spotlight: more SPARQL query optimisations
	* UPD: Spotlight: new options "sparql results limit", "spotlight
	       attributes" and "spotlight expr"
	* FIX: afpd: Unarchiving certain ZIP archives fails, bug #569
	* UPD: Update Unicode support to version 7.0.0
	* FIX: Memory overflow caused by 'basedir regex', bug #567
	* NEW: afpd: delete empty resource forks, from FR #92
	* FIX: afpd: fix a crash when accessing ._ AppleDouble files created
	       by OS X via SMB, bug #564
	* FIX: afpd and dbd: Converting from AppleDouble v2 to ea may corrupt
	       the resource fork. In some circumstances an offset calculation
	       is wrong resulting in corrupt resource forks after the
	       conversion. Bug #568.
	* FIX: ad: fix for bug #563 broke ad file utilities, bug #570.
	* NEW: afpd: new advanced option controlling permissions and ACLs,
	       from FR #93

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-09 10:41:05 +00:00
Adolf Belka
1e639a1dfa libassuan: Update to version 3.0.1
- Update from version 2.5.5 to 3.0.1
- Update of rootfile
- Changelog
    3.0.1
	 * Change Unix symbol versioning to help the Debian transitioning
	   process.
    3.0.0
	 * API change: For new code, which uses libassuan with nPTH, please
	   use gpgrt_get_syscall_clamp and assuan_control, instead of the
	   system_hooks API.  Use of ASSUAN_SYSTEM_NPTH is deprecated with new
	   API version 3.  If it's really needed to keep using old
	   implementation of ASSUAN_SYSTEM_NPTH, you need to change your
	   application code, to define
	   ASSUAN_REALLY_REQUIRE_V2_NPTH_SYSTEM_HOOKS before including
	   <assuan.h>.  For an application which uses version 2 API
	   (NEED_LIBASSUAN_API=2 in its configure.ac), use of
	   ASSUAN_SYSTEM_NPTH is still supported.  [T5914]
	 * New function assuan_control.  [T6625]
	 * New function assuan_sock_accept.  [T5925]
	 * New functions assuan_pipe_wait_server_termination and
	   assuan_pipe_kill_server to support abstraction of process.  [T6487]
	 * Windows support for sendfd/recvfd.  [T6236]
	 * Implement timeout in assuan_sock_connect_byname.  [T3302]
	 * No support for WindowsCE, any more.  [T6170]
	 * New socket flags "linger" and "reuseaddr".  [rA87f92fe962]
	 * Interface changes relative to the 2.5.0 release:
		 assuan_sock_accept                  NEW.
		 assuan_pipe_wait_server_termination NEW.
		 assuan_pipe_kill_server             NEW.
		 assuan_sock_set_flag                EXTENDED.
		 assuan_sock_get_flag                EXTENDED.
    2.5.7
	 New configure option --with-libtool-modification. [T6619]
	 Change the naming of the 64 bit Windows DLL from libassuan6-0.dll to
	  libassuan-0.dll to sync this with what we did for libgpg-error.
    2.5.6
	 * Fix logging of confidential data.  [rA0fc31770fa]
	 * Fix memory wiping.  [T5977]
	 * Fix macOS build problem.  [T5440,T5610]
	 * Upgrade autoconf stuff.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-08-09 10:38:43 +00:00
Adolf Belka
6c0e02c80d fmt: Update to version 11.0.1
- Update from version 10.2.1 to 11.0.1
- Update of rootfile
- fmt from version 11.0.0 onwards has made the format function a constant. This was done to
   enforce that formatter::format is const for compatibility with std::format.
- Changelog
    11.0.1
	Fixed version number in the inline namespace (#4047).
	Fixed disabling Unicode support via CMake (#4051).
	Fixed deprecated visit_format_arg (#4043).
	Fixed handling of a sign and improved the std::complex formatter (#4034, #4050).
	Removed a redundant check in the formatter for std::expected (#4040).
    11.0.0
	Added fmt/base.h which provides a subset of the API with minimal include
	 dependencies and enough functionality to replace all uses of the printf family
	 of functions. This brings the compile time of code using {fmt} much closer to
	 the equivalent printf code.
	 This gives almost 4x improvement in build speed compared to version 10. Note
	 that the benchmark is purely formatting code and includes. In real projects the
	 difference from printf will be smaller partly because common standard headers
	 will be included in almost any translation unit (TU) anyway. In particular, in
	 every case except printf above ~1s is spent in total on including <type_traits>
	 in all TUs.
	Optimized includes in other headers such as fmt/format.h which is now roughly
	 equivalent to the old fmt/core.h in terms of build speed.
	Migrated the documentation at https://fmt.dev/ from Sphinx to MkDocs.
	Improved C++20 module support (#3990, #3991, #3993, #3994, #3997, #3998, #4004,
	 #4005, #4006, #4013, #4027, #4029). In particular, native CMake support for
	 modules is now used if available.
	Added an option to replace standard includes with import std enabled via the
	 FMT_IMPORT_STD macro (#3921, #3928).
	Exported fmt::range_format, fmt::range_format_kind and fmt::compiled_string from
	 the fmt module (#3970, #3999).
	Improved integration with stdio in fmt::print, enabling direct writes into a C
	 stream buffer in common cases. This may give significant performance
	 improvements ranging from tens of percent to 2x and eliminates dynamic memory
	 allocations on the buffer level. It is currently enabled for built-in and
	 string types with wider availability coming up in future releases.
	 For example, it gives ~24% improvement on a simple benchmark compiled with
	 Apple clang version 15.0.0 (clang-1500.1.0.2.5) and run on macOS 14.2.1
	Improved safety of fmt::format_to when writing to an array (#3805). For example
	 (godbolt):
		auto volkswagen = char[4];
		auto result = fmt::format_to(volkswagen, "elephant");
	 no longer results in a buffer overflow. Instead the output will be truncated
	 and you can get the end iterator and whether truncation occurred from the
	 result object.
	Enabled Unicode support by default in MSVC, bringing it on par with other
	 compilers and making it unnecessary for users to enable it explicitly. Most of
	 {fmt} is encoding-agnostic but this prevents mojibake in places where encoding
	 matters such as path formatting and terminal output. You can control the
	 Unicode support via the CMake FMT_UNICODE option. Note that some {fmt} packages
	 such as the one in vcpkg have already been compiled with Unicode enabled.
	Added a formatter for std::expected (#3834).
	Added a formatter for std::complex (#1467, #3886, #3892, #3900).
	Added a formatter for std::type_info (#3978).
	Specialized formatter for std::basic_string types with custom traits and
	 allocators (#3938, #3943).
	Added formatters for std::chrono::day, std::chrono::month, std::chrono::year and
	 std::chrono::year_month_day (#3758, #3772, #3906, #3913).
	Fixed handling of precision in %S (#3794, #3814). Thanks @js324.
	Added support for the - specifier (glibc strftime extension) to day of the month
	 (%d) and week of the year (%W, %U, %V) specifiers (#3976).
	Fixed the scope of the - extension in chrono formatting so that it doesn't apply
	 to subsequent specifiers (#3811, #3812).
	Improved handling of time_point::min() (#3282).
	Added support for character range formatting (#3857, #3863).
	Added string and debug_string range formatters (#3973, #4024).
	Enabled ADL for begin and end in fmt::join (#3813, #3824).
	Made contiguous iterator optimizations apply to std::basic_string iterators
	 (#3798).
	Added support for ranges with mutable begin and end (#3752, #3800, #3955).
	Added support for move-only iterators to fmt::join (#3802, #3946).
	Moved range and iterator overloads of fmt::join to fmt/ranges.h, next to other
	 overloads.
	Fixed handling of types with begin returning void such as Eigen matrices (#3839,
	 #3964).
	Added an fmt::formattable concept (#3974).
	Added support for __float128 (#3494).
	Fixed rounding issues when formatting long double with fixed precision (#3539).
	Made fmt::isnan not trigger floating-point exception for NaN values (#3948, #3951).
	Removed dependency on <memory> for std::allocator_traits when possible (#3804).
	Enabled compile-time checks in formatting functions that take text colors and
	 styles.
	Deprecated wide stream overloads of fmt::print that take text styles.
	Made format string compilation work with clang 12 and later despite only partial
	 non-type template parameter support (#4000, #4001).
	Made fmt::iterator_buffer's move constructor noexcept (#3808).
	Started enforcing that formatter::format is const for compatibility with
	 std::format (#3447).
	Added fmt::basic_format_arg::visit and deprecated fmt::visit_format_arg.
	Made fmt::basic_string_view not constructible from nullptr for consistency with
	 std::string_view in C++23 (#3846).
	Fixed fmt::group_digits for negative integers (#3891, #3901).
	Fixed handling of negative ids in fmt::basic_format_args::get (#3945).
	Improved named argument validation (#3817).
	Disabled copy construction/assignment for fmt::format_arg_store and fixed moved
	 construction (#3833).
	Worked around a locale issue in RHEL/devtoolset (#3858, #3859).
	Added RTTI detection for MSVC (#3821, #3963).
	Migrated the documentation from Sphinx to MkDocs.
	Improved documentation and README.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-07-22 15:21:21 +00:00
Adolf Belka
ff6a50b9e4 tshark: Update to version 4.2.6
- Update from version 4.2.5 to 4.2.6
- Update of rootfile
- Changelog
    4.2.6
	Bug Fixes
	   A regression in the TCP Stream Graph "Time Sequence (tcptrace)"
	    receive window line behavior introduced in 4.2.5 and 4.0.15 has been
	    fixed. Issue 19846[3]
	   The following vulnerability has been fixed:
	     • wnpa-sec-2024-10[4] SPRT dissector crash. Issue 19559[5].
	   The following bugs have been fixed:
	     • RADIUS dissector’s dictionary loading broken in many ways. Issue
	       6466[6].
	     • 3.4 → 3.6.5 ASCII display is broken on CentOS 7. Issue 18096[7].
	     • Funnel/Lua: Closing child window disconnects buttons of parent.
	       Issue 18386[8].
	     • Lua detection fails with Alpine Linux: missing: LUA_LIBRARIES.
	       Issue 19841[9].
	     • vnd.3gpp.5gnas payloads of type SMS not decoded inside HTTP2 5GC.
	       Issue 19845[10].
	     • TCP Stream Graphs green sliding window line not displayed
	       correctly. Issue 19846[11].
	     • Wireshark window doesn’t fully fit on screen on small resolutions
	       and can’t be resized properly on Russian language. Issue
	       19861[12].
	     • Wireshark started from command line doesn’t set
	       gui.fileopen_remembered_dir correctly on Windows. Issue
	       19891[13].
	     • Wireshark expects wrong length for DHCP Relay Agent Information
	       Source Port Suboption. Issue 19909[14].
	     • SIP P-Access-Network-Info header not correctly decoded. Issue
	       19917[15].
	Updated Protocol Support
	   DHCP, E.212, MySQL, NAS-5GS, PKT CCC, ProtoBuf, RADIUS, RLC-LTE, RTP,
	   SIP, SPRT, Thrift, and Wi-SUN
	New and Updated Capture File Support
	   log3gpp

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-07-22 15:21:21 +00:00
Adolf Belka
7674c7533e c-ares: Update to version 1.32.1
- Update from version 1.17.1 to 1.32.1
- Update of rootfile
- There have been 22 version updates that are now being applied. 4 of these releases had
   security issues being addressed and there have been 5 CVEs and fixes
- Changelog
    1.32.1
	Bugfixes:
	    Channel lock needs to be recursive to ensure calls into c-ares functions can
	     be made from callbacks otherwise deadlocks will occur. This regression was
	     introduced in 1.32.0
    1.32.0
	Features:
	    Add support for DNS 0x20 to help prevent cache poisoning attacks, enabled by
	     specifying ARES_FLAG_DNS0x20. Disabled by default. PR #800
	    Rework query timeout logic to automatically adjust timeouts based on network
	     conditions. The timeout specified now is only used as a hint until there is
	     enough history to calculate a more valid timeout. PR #794
	Changes:
	    DNS RR TXT strings should not be automatically concatenated as there are use
	     cases outside of RFC 7208. In order to maintain ABI compliance, the ability
	     to retrieve TXT strings concatenated is retained as well as a new API to
	     retrieve the individual strings. This restores behavior from c-ares 1.20.0.
	     PR #801
	    Clean up header inclusion logic to make hacking on code easier. PR #797
	    GCC/Clang: Enable even more strict warnings to catch more coding flaws. 253bdee
	    MSVC: Enable /W4 warning level. PR #792
	Bugfixes:
	    Tests: Fix thread race condition in test cases for EventThread. PR #803
	    Windows: Fix building with UNICODE. PR #802
	    Thread Safety: ares_timeout() was missing lock. 74a64e4
	    Fix building with DJGPP (32bit protected mode DOS). PR #789
    1.31.0
	Changes:
	    Enable Query Cache by default. PR #786
	Bugfixes:
	    Enhance Windows DNS configuration change detection to also detect manual DNS
	     configuration changes. PR #785
	    Various legacy MacOS Build fixes. Issue #782
	    Ndots value of zero in resolv.conf was not being honored. 852a60a
	    Watt-32 build support had been broken for some time. PR #781
	    Distribute ares_dns_rec_type_tostr manpage. PR #778
    1.30.0
	Features:
	    Basic support for SIG RR record (RFC 2931 / RFC 2535) PR #773
	Changes:
	    Validation that DNS strings can only consist of printable ascii characters
	     otherwise will trigger a parse failure. 75de16c and 40fb125
	    Windows: use GetTickCount64() for a monotonic timer that does not wrap. 1dff8f6
	Bugfixes:
	    QueryCache: Fix issue where purging on server changes wasn’t working. a6c8fe6
	    Windows: Fix Y2K38 issue by creating our own ares_timeval_t datatype. PR #772
	    Fix packaging issue affecting MacOS due to a missing header. 55afad6
	    MacOS: Fix UBSAN warnings that are likely meaningless due to alignment issues
	     in new MacOS config reader.
	    Android: arm 32bit build failure due to missing symbol. d1722e6
    1.29.0
	Features:
	    When using ARES_OPT_EVENT_THREAD, automatically reload system configuration
	     when network conditions change. PR #759
	    Apple: reimplement DNS configuration reading to more accurately pull DNS
	     settings. PR #750
	    Add observability into DNS server health via a server state callback, invoked
	     whenever a query finishes. PR #744
	    Add server failover retry behavior, where failed servers are retried with
	     small probability after a minimum delay. PR #731
	Changes:
	    Mark ares_channel_t * as const in more places in the public API. PR #758
	Bugfixes:
	    Due to a logic flaw dns name compression writing was not properly implemented
	     which would result in the name prefix not being written for a partial match.
	     This could cause issues in various record types such as MX records when
	     using the deprecated API. Regression introduced in 1.28.0. Issue #757
	    Revert OpenBSD SOCK_DNS flag, it doesn’t do what the docs say it does and
	     causes c-ares to become non-functional. PR #754
	    ares_getnameinfo(): loosen validation on salen parameter. Issue #752
	    cmake: Android requires C99. PR #748
	    ares_queue_wait_empty() does not honor timeout_ms >= 0. Issue #742
    1.28.1
	This release contains a fix for a single significant regression introduced in
	 c-ares 1.28.0.
	    ares_search() and ares_getaddrinfo() resolution fails if no search domains
	     are specified. Issue #737
    1.28.0
	Features:
	    Emit warnings when deprecated c-ares functions are used. This can be disabled
	     by passing a compiler definition of CARES_NO_DEPRECATED. PR #732
	    Add function ares_search_dnsrec() to search for records using the new DNS
	     record data structures. PR #719
	    Rework internals to pass around ares_dns_record_t instead of binary data,
	     this introduces new public functions of ares_query_dnsrec() and
	     ares_send_dnsrec(). PR #730
	Changes:
	    tests: when performing simulated queries, reduce timeouts to make tests run
	     faster
	    Replace configuration file parsers with memory-safe parser. PR #725
	    Remove acountry completely, the manpage might still get installed otherwise.
	     Issue #718
	Bugfixes:
	    CMake: don’t overwrite global required libraries/definitions/includes which
	     could cause build errors for projects chain building c-ares. Issue #729
	    On some platforms, netinet6/in6.h is not included by netinet/in.h and needs
	     to be included separately. PR #728
	    Fix a potential memory leak in ares_init(). Issue #724
	    Some platforms don’t have the isascii() function. Implement as a macro. PR #721
	    CMake: Fix Chain building if CMAKE runtime paths not set
	    NDots configuration should allow a value of zero. PR #735
    1.27.0
	Security:
	    Moderate. CVE-2024-25629. Reading malformatted /etc/resolv.conf,
	     /etc/nsswitch.conf or the HOSTALIASES file could result in a crash.
	     GHSA-mg26-v6qh-x48q
	Features:
	    New function ares_queue_active_queries() to retrieve number of in-flight
	     queries. PR #712
	    New function ares_queue_wait_empty() to wait for the number of in-flight
	     queries to reach zero. PR #710
	    New ARES_FLAG_NO_DEFLT_SVR for ares_init_options() to return a failure if no
	     DNS servers can be found rather than attempting to use 127.0.0.1. This also
	     introduces a new ares status code of ARES_ENOSERVER. PR #713
	Changes:
	    EDNS Packet size should be 1232 as per DNS Flag Day. PR #705
	Bugfixes:
	    Windows DNS suffix search list memory leak. PR #711
	    Fix warning due to ignoring return code of write(). PR #709
	    CMake: don’t override target output locations if not top-level. Issue #708
	    Fix building c-ares without thread support. PR #700
    1.26.0
	Features:
	    Event Thread support. Integrators are no longer required to monitor the file
	     descriptors registered by c-ares for events and call ares_process() when
	     enabling the event thread feature via ARES_OPT_EVENT_THREAD passed to
	     ares_init_options(). PR #696
	    Added flags to ares_dns_parse() to force RAW packet parsing. PR #693
	Changes:
	    Mark ares_fds() as deprecated. PR #691
	Bugfixes:
	    adig: Differentiate between internal and server errors. e10b16a
	    Autotools allow make to override CFLAGS/CPPFLAGS/CXXFLAGS. PR #695
	    Autotools: fix building for 32bit windows due to stdcall symbol mangling.
	     PR #689
	    RR Name should not be sanity checked against the Question. PR #685
    1.25.0
	Changes:
	    AutoTools: rewrite build system to be lighter weight and fix issues in some
	     semi-modern systems. It is likely this has broken building on some less
	     common and legacy OSs, please report issues. PR #674
	    Rewrite ares_strsplit() as a wrapper for ares__buf_split() for memory safety
	     reasons. 88c444d
	    The ahost utility now uses ares_getaddrinfo() and returns both IPv4 and IPv6
	     addresses by default. PR #669
	    OpenBSD: Add SOCK_DNS flag when creating socket. PR #659
	Bugfixes:
	    Tests: Live reverse lookups for Google’s public DNS servers no longer return
	     results, replace with CloudFlare public DNS servers. 1231aa7
	    MacOS legacy SDKs require sys/socket.h before net/if.h PR #673
	    Connection failures should increment the server failure count first or a
	     retry might be enqueued to the same server. 05181a6
	    On systems that don’t implement the ability to enumerate network interfaces
	     the stubs used the wrong prototype. eebfe0c
	    Fix minor warnings and documentation typos. PR #666
	    Fix support for older GoogleTest versions. d186f11
	    getrandom() may require sys/random.h on some systems. Issue #665
	    Fix building tests with symbol hiding enabled. Issue #664
    1.24.0
	Features:
	    Add support for IPv6 link-local DNS servers. Nameserver formats can now
	     accept the %iface suffix, and a new ares_get_servers_csv() function was
	     added to return servers that can contain the link-local interface name.
	Changes:
	    Unbundle GoogleTest for test cases. Package maintainers will now need to
	     require GoogleTest (GMock) as a build dependency if building tests. New
	     GoogleTest versions require C++14 or later.
	    Replace nameserver parsing code to use new memory-safe functions.
	    Replace the sortlist parser with new memory-safe functions.
	    Various warning fixes and dead code removal.
	Bugfixes:
	    Old Linux versions require POSIX_C_SOURCE or _GNU_SOURCE to compile with
	     thread safety support.
	    A non-responsive DNS server that caused timeouts wouldn’t increment the
	     failure count, this would lead to other servers not being tried. Regression
	     introduced in 1.22.0.
	    Some projects that depend on c-ares expect invalid parameter option values
	     passed into ares_init_options() to simply be ignored. This behavior has been
	     restored.
	    On linux getrandom() can fail if the kernel doesn’t support the syscall, fall
	     back to another random source.
	    ares_cancel() when performing ares_gethostbyname() or ares_getaddrinfo() with
	     AF_UNSPEC, if called after one address class was returned but before the
	     other address class, it would return ARES_SUCCESS rather than ARES_ECANCELLED.
    1.23.0
	Features:
	    Introduce optional (but on by default) thread-safety for the c-ares library.
	     This has no API nor ABI implications.
	    resolv.conf in modern systems uses attempts and timeouts options instead of
	     the old retrans and retry options.
	    Query caching support based on TTL of responses. Can be enabled via
	     ares_init_options() with ARES_OPT_QUERY_CACHE.
	Bugfixes:
	    ares_init_options() for ARES_OPT_UDP_PORT and ARES_OPT_TCP_PORT accept the
	     port in host byte order, but it was reading it as network byte order.
	     Regression introduced in 1.20.0.
	    ares_init_options() for ARES_FLAG_NOSEARCH was not being honored for
	     ares_getaddrinfo() or ares_gethostbyname(). Regression introduced in 1.16.0.
	    Autotools MacOS and iOS version check was failing
	    Environment variables passed to c-ares are meant to be an override for system
	     configuration. Regression introduced in 1.22.0.
	    Spelling fixes as detected by codespell.
	    The timeout returned by ares_timeout() was truncated to milliseconds but
	     validated to microseconds which could cause a user to attempt to process
	     timeouts prior to the timeout actually expiring.
	    CMake was not honoring CXXFLAGS passed in via the environment which could
	     cause compile and link errors with distribution hardening flags during
	     packaging.
	    Fix Windows UWP and Cygwin compilation.
	    ares_set_servers_*() for legacy reasons needs to accept an empty server list
	     and zero out all servers. This results in an inoperable channel and thus is
	     only used in simulation testing, but we don’t want to break users.
	     Regression introduced in 1.21.0.
    1.22.1
	Bugfixes:
	    Fix /etc/hosts processing performance with all entries using same IP address.
	     Large hosts files using the same IP address for all entries could use
	     exponential time.
	    Fix typos in manpages
	    Fix OpenWatcom building
    1.22.0
	Features:
	    ares_reinit() is now implemented to re-read any system configuration and
	     immediately apply to an existing ares channel
	    The adig command line program has been rewritten and its format now more
	     closely matches that of BIND’s dig utility
	    The new DNS message parser and writer functions have now been made public
	    RFC9460 HTTPS and SVCB records are now supported
	    RFC6698 TLSA records are now supported
	    The server list is now internally dynamic and can be changed without
	     impacting existing queries
	    Hosts file processing is now cached until the file is detected to be changed
	     to speed up repetitive lookups of large hosts files
	Changes:
	    Internally all DNS messages are now written using the new DNS writing functions
	    EDNS is now enabled by default
	    Internal cleanups in function prototypes
	Bugfixes:
	    Randomize retry penalties to prevent thundering herd issues when dns servers
	     throttle requests
	    Fix Windows build error for missing if_indextoname()
    1.21.0
	Changes:
	    Provide better man page cross-links.
	    Introduce ares_status_t as an enum rather than using #define list and integer
	     data type for internal functions.
	    Introduce ares_bool_t datatype rather than using an integer with 0/1 so it is
	     clear based on the function prototype what it returns.
	    Increase compiler warning levels by default.
	    Use size_t and other more proper datatypes internally (rather than int).
	    Many developers have used different code styles over the years, standardize
	     on one and use clang-format to enforce the style.
	    CMake can now control symbol visibility
	    Replace multiple DNS hand-made parsers with new memory-safe DNS message parser.
	Bugfixes:
	    Tools: STAYOPEN flag could make tools not terminate.
	    Socket callbacks were passed SOCK_STREAM instead of SOCK_DGRAM on udp.
    1.20.1
	Bugfixes:
	    Resolve use-after-free issue when TCP connection is terminated before a
	     response is returned
	    Reduce number of queries for a load test case to prevent overloading some
	     build systems
	    Fix fuzz test build target
    1.20.0
	Changes:
	    Update from 1989 MIT license text to modern MIT license text
	    Remove acountry from built tools as nerd.dk is gone
	    Add new ARES_OPT_UDP_MAX_QUERIES configuration option to limit the number of
	     queries that can be made from a single ephemeral port
	    Default per-query timeout has been reduced to 2s with a 3x retry count
	    Modernization: start implementing some common data structures that are easy
	     to use and hard to misuse. This will make code refactoring easier and remove
	     some varied implementations in use. This change also makes ares_timeout()
	     more efficient
	    Use SPDX identifiers and a REUSE CI job to verify
	    rand: add support for getrandom()
	Bug fixes:
	    TCP back to back queries were broken
	    Ensure queries for ares_getaddrinfo() are not requeued during destruction
	    ares_getaddrinfo() should not retry other address classes if one address
	     class has already been returned
	    Avoid producing an ill-formed result when qualifying a name with the root domain
	    Fix missing prefix for CMake generated libcares.pc
	    DNS server ports will now be read from system configuration instead of
	     defaulting to port 53
	    Remove some unreachable code
	    Replace usages of sprintf with snprintf
	    Fix Watcom instructions and update Windows URLs
    1.19.1
	Security:
	    CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
	    CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS query IDs
	    CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton()
	    CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross
	     compilation
	Bug fixes:
	    Fix uninitialized memory warning in test
	    Turn off IPV6_V6ONLY on Windows to allow IPv4-mapped IPv6 addresses
	    ares_getaddrinfo() should allow a port of 0
	    Fix memory leak in ares_send() on error
	    Fix comment style in ares_data.h
	    Remove unneeded ifdef for Windows
	    Fix typo in ares_init_options.3
	    Re-add support for Watcom compiler
	    Sync ax_pthread.m4 with upstream
	    Windows: Invalid stack variable used out of scope for HOSTS path
	    Sync ax_cxx_compile_stdcxx_11.m4 with upstream to fix uclibc support
    1.19.0
	Security:
	    Low. Stack overflow in ares_set_sortlist() which is used during c-ares
	     initialization and typically provided by an administrator and not an end user.
	Changes:
	    Windows: Drop support for XP and derivatives which greatly cleans up
	     initialization code.
	    Add ARES_OPT_HOSTS_FILE similar to ARES_OPT_RESOLVCONF for specifying a
	     custom hosts file location.
	    Add vcpkg installation instructions
	Bug fixes:
	    Fix cross-compilation from Windows to Linux due to CPACK logic.
	    Fix memory leak in reading /etc/hosts when using localhost fallback.
	    Fix chain building c-ares when libresolv is already included by another project
	    File lookup should not immediately abort as there may be other tries due to
	     search criteria.
	    Asterisks should be allowed in host validation as CNAMEs may reference
	     wildcard domains
	    AutoTools build system referenced bad STDC_HEADERS macro
	    Even if one address class returns a failure for ares_getaddrinfo() we should
	     still return the results we have
	    CMake Windows: DLLs did not include resource file to include versions
	    CMake: Guard target creation in exported config
	    Fix ares_getaddrinfo() numerical address resolution with AF_UNSPEC
	    Apple: fix libresolv configured query times.
	    Fix tools and help information
	    Various documentation fixes and cleanups
	    Add include guards to ares_data.h
	    c-ares could try to exceed maximum number of iovec entries supported by system
	    CMake package config generation allow for absolute install paths
	    Intel compiler fixes
	    ares_strsplit bugs
	    The RFC6761 6.3 states localhost subdomains must be offline too.
    1.18.1
	Bug fixes:
	    ares_getaddrinfo() would return ai_addrlen of 16 for ipv6 addresses rather
	     than the sizeof(struct sockaddr_in6)
    1.18.0
	Changes:
	    Add support for URI(Uniform Resource Identifier) records via
	     ares_parse_uri_reply()
	    Provide ares_nameser.h as a public interface as needed by NodeJS
	    Update URLs from c-ares.haxx.se to c-ares.org
	    During a domain search, treat ARES_ENODATA as ARES_NXDOMAIN so that the
	     search process will continue to the next domain in the search.
	    Turn ares_gethostbyname() into a wrapper for ares_getaddrinfo() as they
	     followed very similar code paths and ares_gethostbyaddr() has some more
	     desirable features such as priority sorting and parallel queries for
	     AF_UNSPEC.
	    ares_getaddrinfo() now contains a name element in the address info structure
	     as the last element. This is not an API or ABI break due to the structure
	     always being internally allocated and it being the last element.
	    ares_parse_a_reply() and ares_parse_aaaa_reply() were nearly identical,
	     those now use the same helper functions for parsing rather than having
	     their own code.
	    RFC6761 Section 6.3 says “localhost” lookups need to be special cased to
	     return loopback addresses, and not forward queries to recursive dns servers.
	     On Windows this now returns all loopback addresses, on other systems it
	     returns 127.0.0.1 or ::1 always, and will never forward a request for
	     “localhost” to outside DNS servers.
	    Haiku: port
	Bug fixes:
	    add build to .gitignore
	    z/OS minor update, add missing semicolon in ares_init.c
	    Fix building when latest ax_code_coverage.m4 is imported
	    Work around autotools ‘error: too many loops’ and other newer autotools
	     import related bugs.
	    MinGW cross builds need advapi32 link as lower case
	    Cygwin build fix due to containing both socket.h and winsock2.h
	    ares_expand_name should allow underscores (_) as SRV records legitimately
	     use them
	    Allow ‘/’ as a valid character for a returned name for CNAME in-addr.arpa
	     delegation
	    ares_getaddrinfo() was not honoring HOSTALIASES
	    ares_getaddrinfo() had some test cases disabled due to a bug in the test
	     framework itself which has now been resolved
    1.17.2
	Security:
	    NodeJS passes NULL for addr and 0 for addrlen to ares_parse_ptr_reply() on
	     systems where malloc(0) returns NULL. This would cause a crash.
	    When building c-ares with CMake, the RANDOM_FILE would not be set and
	     therefore downgrade to the less secure random number generator
	    If ares_getaddrinfo() was terminated by an ares_destroy(), it would cause a
	     crash
	    Crash in sortaddrinfo() if the list size equals 0 due to an unexpected DNS
	     response
	    Expand number of escaped characters in DNS replies as per RFC1035 5.1 to
	     prevent spoofing follow-up
	    Perform validation on hostnames to prevent possible XSS due to applications
	     not performing validation themselves
	Changes:
	    Use non-blocking /dev/urandom for random data to prevent early startup
	     performance issues
	    z/OS port
	    ares_malloc(0) is now defined behavior (returns NULL) rather than
	     system-specific to catch edge cases
	Bug fixes:
	    Fuzz testing files were not distributed with official archives
	    Building tests should not force building of static libraries except on Windows
	    Windows builds of the tools would fail if built as static due to a missing
	     CARES_STATICLIB definition
	    Relative headers must use double quotes to prevent pulling in a system library
	    Fix OpenBSD building by implementing portability updates for including
	     arpa/nameser.h
	    Fix building out-of-tree for autotools
	    Make install on MacOS/iOS with CMake was missing the bundle destination so
	     libraries weren’t actually installed
	    Fix retrieving DNS server configuration on MacOS and iOS if the configuration
	     did not include search domains
	    ares_parse_a_reply and ares_parse_aaa_reply were erroneously using strdup()
	     instead of ares_strdup()

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-07-22 15:21:21 +00:00
Michael Tremer
bf8abf549e samba: Fix rootfiles
The CGI script, the misc-progs helper and the menu entry were removed.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-07-10 14:28:48 +00:00
Adolf Belka
b5befbc045 samba: Update to version 4.20.2
- Update from version 4.20.1 to 4.20.2
- Update of rootfile for both x86_64 and aarch64
- After doing a grep into the config directories I realised that the xxxMACHINExxx phrase
   is only added into rootfiles in the main common or package directories and not in the
   x86_64 and aarch64
- In the past I have submitted the samba rootfile with x86_64 replaced by xxxMACHINExxx.
   It seems to have worked, so the replacement probably occurs even in the architecture
   specific directories but it doesn't need to be used there as the directory is clearly
   only for that one architecture.
- Changelog
    4.20.2
	   * BUG 15662: vfs_widelinks with DFS shares breaks case insensitivity.
	   * BUG 13213: Samba build is not reproducible.
	   * BUG 15569: ldb qsort might r/w out of bounds with an intransitive compare
	     function.
	   * BUG 15625: Many qsort() comparison functions are non-transitive, which can
	     lead to out-of-bounds access in some circumstances.
	   * BUG 15638: Need to change gitlab-ci.yml tags in all branches to avoid CI
	     bill.
	   * BUG 15654: We have added new options --vendor-name and --vendor-patch-
	     revision arguments to ./configure to allow distributions and packagers to
	     put their name in the Samba version string so that when debugging Samba the
	     source of the binary is obvious.
	   * BUG 15665: CTDB RADOS mutex helper misses namespace support.
	   * BUG 13019: Dynamic DNS updates with the internal DNS are not working.
	   * BUG 14981: netr_LogonSamLogonEx returns NR_STATUS_ACCESS_DENIED with
	     SysvolReady=0.
	   * BUG 15412: Anonymous smb3 signing/encryption should be allowed (similar to
	     Windows Server 2022).
	   * BUG 15573: Panic in dreplsrv_op_pull_source_apply_changes_trigger.
	   * BUG 15620: s4:nbt_server: does not provide unexpected handling, so winbindd
	     can't use nmb requests instead cldap.
	   * BUG 15642: winbindd, net ads join and other things don't work on an ipv6
	     only host.
	   * BUG 15659: Segmentation fault when deleting files in vfs_recycle.
	   * BUG 15664: Panic in vfs_offload_token_db_fetch_fsp().
	   * BUG 15666: "client use kerberos" and --use-kerberos is ignored for the
	     machine account.
	   * BUG 15435: Regression DFS not working with widelinks = true.
	   * BUG 15633: samba-gpupdate - Invalid NtVer in netlogon_samlogon_response.
	   * BUG 15653: idmap_ad creates an incorrect local krb5.conf in case of trusted
	     domain lookups.
	   * BUG 15660: The images don't build after the git security release and CentOS
	     8 Stream is EOL.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-07-08 15:31:13 +00:00
Adolf Belka
374ba6dafc tshark: Update to version 4.2.5
- Update from version 4.0.8 to 4.2.5
- Update of rootfile
- Version 4.2.5 requires asciidoctor to be built for tshark to build. Despite lots of
   investigation and testing out various commands, tshark will not build if asciidoctor is
   not present, even if the docs are not going to be used. It is only required for the
   build
- To build asciidoctor ruby has to be installed. It is only required for the build of
   asciidoctor
- tshark has previously had its own version of speexdsp built in. It is only used to
   provide some "arbitrary resampling code" during the build and does not end up in the
   running tshark system. Version 4.2.5 has removed the internal speexdsp code but it
   is still a required dependency for building, so speexdsp also needs to be installed but
   only for the build stage.
- The associated patches with this one provide the build installation of ruby, asciidoctor
   and speexdsp. With these installed tshark was able to be built.
- version 4.0.8 and 4.2.5 of tshark were tested out on a vm system with the command
   "tshark -c 100 > tshark" and this wrote 100 packets from the vm red0 interface to a
   text file. Both the old and new versions provided the same sort of result. To a first
   level of testing this shows that the 4.2.5 version is functioning as the previous
   version was.
- This version had an sobump so find-dependencies was run. All files linked to the three
   libraries in tshark are all also in tshark. No other package is linked to.
- Changelog
   There are 13 releases between 4.0.8 and 4.2.5 so the changelist is too large to
    include here. Details can be found in the release notes for each version at
    https://www.wireshark.org/docs/relnotes/
   21 CVE vulnerabilities have been fixed that were identified in 7 of the 13 versions.

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-07-02 09:17:00 +00:00
Adolf Belka
3161e5e857 taglib: Update to version 2.0.1
- Update from version 1.12 to 2.0.1
- Update of rootfile
- sobump so ran find-dependencies. None found except taglib itself.
- build of taglib now requires utfcpp. Patch for build of this is part of this patch set.
- Changelog
    2.0.1 (Apr 9, 2024)
	 * Fix aborting when _GLIBCXX_ASSERTIONS are enabled.
	 * Fall back to utf8cpp header detection in the case that its CMake
	   configuration is removed.
	 * Improve compatibility with the SWIG interface compiler.
	 * Build system fixes for testing without bindings, Emscripten and Illumos.
	 * C bindings: Fix setting UTF-8 encoded property values.
	 * Windows: Fix opening long paths.
    2.0 (Jan 24, 2024)
	 * New major version, binary incompatible, but mostly source-compatible
	   with the latest 1.x release if no deprecated features are used.
	   Simple applications should build without changes, more complex
	   applications (e.g. extending classes of TagLib) will have to be adapted.
	 * Requires a C++17 compiler and uses features of C++17.
	 * Major code cleanup, fixed warnings issued by compilers and static analyzers.
	 * Made methods virtual which should have been virtual but could not be
	   changed to keep binary compatibility, remove related workarounds.
	 * Removed deprecated functions:
	   - APE::Item::Item(const String &, const String &)
	   - APE::Item::toStringList(): Use values()
	   - APE::Item::value(): Use binaryData()
	   - ASF::Properties::setLength()
	   - ByteVector::checksum()
	   - ByteVector::isNull(): Use isEmpty()
	   - ByteVector::null
	   - FLAC::File::setID3v2FrameFactory()
	   - FLAC::File::streamInfoData()
	   - FLAC::File::streamLength()
	   - FLAC::Properties::Properties(File *, ReadStyle)
	   - FLAC::Properties::sampleWidth(): Use bitsPerSample()
	   - File::isReadable(): Use system functions
	   - File::isWritable(): Use system functions
	   - FileName::str()
	   - FileRef::create(): Use constructor
	   - MP4::Tag::itemListMap(): Use itemMap()
	   - MPC::File::remove(): Use strip()
	   - MPC::Properties::Properties(const ByteVector &, long, ReadStyle)
	   - MPEG::File::save(int, ...): Use overload
	   - MPEG::File::setID3v2FrameFactory(): Use constructor
	   - MPEG::ID3v2::Frame::Header::Header(const ByteVector &, bool)
	   - MPEG::ID3v2::Frame::Header::frameAlterPreservation(): Use
	     fileAlterPreservation()
	   - MPEG::ID3v2::Frame::Header::setData(const ByteVector &, bool)
	   - MPEG::ID3v2::Frame::Header::size(unsigned int): Use size()
	   - MPEG::ID3v2::Frame::Header::unsycronisation(): use unsynchronisation()
	   - MPEG::ID3v2::Frame::checkEncoding(const StringList &, String::Type): Use
	     checkTextEncoding(const StringList &, String::Type)
	   - MPEG::ID3v2::Frame::headerSize(): Use Header::size()
	   - MPEG::ID3v2::Frame::headerSize(unsigned int): Use
	     Header::size(unsigned int)
	   - MPEG::ID3v2::FrameFactory::createFrame(const ByteVector &, bool)
	   - MPEG::ID3v2::FrameFactory::createFrame(const ByteVector &, unsigned int):
	     Use createFrame(const ByteVector &, const Header *)
	   - MPEG::ID3v2::RelativeVolumeFrame::channelType()
	   - MPEG::ID3v2::RelativeVolumeFrame::peakVolume(): Use peakVolume(ChannelType)
	   - MPEG::ID3v2::RelativeVolumeFrame::setChannelType()
	   - MPEG::ID3v2::RelativeVolumeFrame::setPeakVolume(const PeakVolume &): Use
	     setPeakVolume(const PeakVolume &, ChannelType)
	   - MPEG::ID3v2::RelativeVolumeFrame::setVolumeAdjustment(float): Use
	     setVolumeAdjustment(float, ChannelType)
	   - MPEG::ID3v2::RelativeVolumeFrame::setVolumeAdjustmentIndex(short): Use
	     setVolumeAdjustmentIndex(short, ChannelType)
	   - MPEG::ID3v2::RelativeVolumeFrame::volumeAdjustment(): Use
	     volumeAdjustment(ChannelType)
	   - MPEG::ID3v2::RelativeVolumeFrame::volumeAdjustmentIndex(): Use
	     volumeAdjustmentIndex(ChannelType)
	   - MPEG::ID3v2::Tag::footer()
	   - MPEG::ID3v2::Tag::render(int): Use render(Version)
	   - MPEG::XingHeader::xingHeaderOffset()
	   - Ogg::Page::getCopyWithNewPageSequenceNumber()
	   - Ogg::XiphComment::removeField(): Use removeFields()
	   - PropertyMap::unsupportedData(): Returns now const reference, use
	     addUnsupportedData() to add keys
	   - RIFF::AIFF::Properties::Properties(const ByteVector &, ReadStyle)
	   - RIFF::AIFF::Properties::Properties(const ByteVector &, int, ReadStyle)
	   - RIFF::AIFF::Properties::sampleWidth(): Use bitsPerSample()
	   - RIFF::WAV::File::save(TagTypes, bool, int): Use
	     save(TagTypes, StripTags, Version)
	   - RIFF::WAV::File::tag(): Returns now a TagUnion, use ID3v2Tag() to get an
	     ID3v2::Tag
	   - String::isNull(): Use isEmpty()
	   - String::null
	   - TrueAudio::File::setID3v2FrameFactory(): Use constructor
	   - WavPack::Properties::Properties(const ByteVector &, long, ReadStyle)
	* Made methods const: Frame::Header::size(), Frame::headerSize(),
	  MP4::Atom::findall(), MP4::Atoms::find(), MP4::Atoms::path().
	* Made classes non-virtual: APE::Footer, APE::Item, ASF::Attribute,
	  ASF::Picture, MP4::CoverArt, MP4::Item, ID3v2::ExtendedHeader, ID3v2::Footer,
	  ID3v2::Header, MPEG::Header, MPEG::XingHeader, Ogg::Page, Ogg::PageHeader.
	* Removed type definitions in TagLib namespace: wchar, uchar, ushort, uint,
	  ulong, ulonglong, wstring: Use the standard types.
	* Removed include file taglib_config.h and its defines TAGLIB_WITH_ASF,
	  TAGLIB_WITH_MP4: They were always 1 since version 1.8.
	* Behavioral changes:
	   - The basic tag methods (e.g. genre()) separate multiple values with " / "
	     instead of " ".
	   - The stream operator for String uses UTF-8 instead of ISO-8859-1 encoding.
	   - MP4 property ORIGINALDATE is mapped to "----:com.apple.iTunes:ORIGINALDATE"
	     instead of "----:com.apple.iTunes:originaldate".
	   - MP4 property ENCODEDBY is mapped to "©enc" instead of "©too", which is now
	     mapped to ENCODING.
	 * Unified interface for complex properties like pictures.
	 * Simplified the unified properties interface by providing its methods on
	   FileRef.
	 * C bindings: Support for properties (taglib_property_...) and complex
	   properties like cover art (taglib_complex_property_...), memory I/O streams.
	 * Support for Direct Stream Digital (DSD) stream files (DSF) and interchange
	   file format (DSDIFF, DFF), ADTS (AAC) files.
	 * The runtime version can be queried.
	 * Additional utility functions ByteVector::fromUShort(),
	   ByteVector::fromULongLong(), ByteVector::toULongLong(),
	   ByteVector::toULongLong(), List::sort().
	 * Fixed List::setAutoDelete() affecting implicitly shared copies.
	 * Build system: Direct support for CMake, find_package(TagLib) exports target
	   TagLib::tag.
	 * Build system: Fixed PackageConfig to support both relative and absolute paths.
	 * Build system: utf8cpp is no longer included, it can be provided via a system
	   package or a Git submodule.
	 * ASF: Support additional properties ARTISTWEBPAGE, ENCODING, ENCODINGTIME,
	   FILEWEBPAGE, INITIALKEY, ORIGINALALBUM, ORIGINALARTIST, ORIGINALFILENAME,
	   ORIGINALLYRICIST.
	 * ID3v2: Fixed extensibility of FrameFactory, use it also for WAV and AIFF
	   files.
	 * MP4: Support additional properties OWNER, RELEASEDATE.
	 * MP4: Introduced ItemFactory allowing clients to support new atom types.
	 * MP4: Detect duration from mvhd atom if not present in mdhd atom.
	 * MP4: Fixed type of hdvd atom to be integer instead of boolean.
	 * MP4: Tolerate trailing garbage in M4A files.
	 * MPC: Fixed content check in presence of an ID3v2 tag.
	 * MPEG: Do not scan full file for ID3v2 tag when ReadStyle Fast is used.
	 * RIFF: Support properties ALBUM, ARRANGER, ARTIST, ARTISTWEBPAGE, BPM,
	   COMMENT, COMPOSER, COPYRIGHT, DATE, DISCSUBTITLE, ENCODEDBY, ENCODING,
	   ENCODINGTIME, GENRE, ISRC, LABEL, LANGUAGE, LYRICIST, MEDIA, PERFORMER,
	   RELEASECOUNTRY, REMIXER, TITLE, TRACKNUMBER.
	 * WAV: Fixed crash with files having the "id3 " chunk as the only valid chunk.
	 * Windows: Fixed support for files larger than 2GB.
    1.13.1 (Jul 1, 2023)
	 * Fixed parsing of TXXX frames without description.
	 * Detect MP4 atoms with invalid length or type.
	 * Do not miss ID3v2 frames when an extended header is present.
	 * Use property "DISCSUBTITLE" for ID3v2 "TSST" frame.
	 * Build system improvements: Use absolute path for macOS dylib install name,
	   support --define-prefix when using pkg-config, fixed minimum required
	   CppUnit version.
	 * Code clean up using clang-tidy.
    1.13 (Oct 27, 2022)
	 * Added interface StreamTypeResolver to support streams which cannot be
	   fopen()'ed, e.g. network files.
	 * Added MP4::File::strip() to remove meta atom from MP4 file.
	 * Added Map::value() to look up without creating entry.
	 * Use property "WORK" instead of "CONTENTGROUP" for ID3v2 "TIT1" frame,
	   use property "WORK" for ASF "WM/ContentGroupDescription",
	   use property "COMPILATION" for ID3v2 "TCMP" frame.
	 * Build system improvements: option WITH_ZLIB, BUILD_TESTING instead of
	   BUILD_TESTS, GNUInstallDirs, FeatureSummary, tests with BUILD_SHARED_LIBS,
	   cross compilation with Buildroot, systems without HAVE_GCC_ATOMIC, Clang.
	 * Fixed heap-buffer-overflows when handling ASF, APE, FLAC, ID3v2, MP4, MPC
	   tags.
	 * Fixed detection of invalid file by extension when correct type can be
	   detected by contents.
	 * Fixed unnecessary creation of map entries in APE and FLAC tags if looked up
	   tag does not exist.
	 * Fixed parsing of MP4 non-full meta atoms.
	 * Fixed potential ID3v1 false positive in the presence of an APE tag.
	 * Fixed ID3v2 version handling for frames embedded in CHAP or CTOC frames.
	 * Fixed parsing of multiple strings with a single BOM in ID3v2.4.0.
	 * Fixed several smaller issues reported by clang-tidy.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-07-02 09:14:10 +00:00