This is useful when the user-data needs to reboot an instance.
Previously, some initialization did not happen; it is now done
before the user-data script is executed.
This gives users more flexibility in what they do in those
scripts.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Only try to read in the providers' settings file if it exists.
Otherwise the script produces an error message about the missing file
each time it is executed.
Because of the fcron job, this would be twice a day in most cases.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
and a restore on install / update
The include file that was added in a previous commit made it possible to
create a backup manually, but none was created when the addon was installed,
uninstalled or updated.
Signed-off-by: Daniel Weismueller <daniel.weismueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
- CVE-2022-26505: A DNS rebinding issue in ReadyMedia (formerly MiniDLNA) before 1.3.1
allows a remote web server to exfiltrate media files. CVE created on 6th March 2022.
- The minidlna project has created the patches to fix CVE-2022-26505 and has created a git tag for
version 1.3.1, but has not provided any 1.3.1 source tarballs. A ticket was raised on
14th March 2022 in the SourceForge support system asking to "Please publish a tarball
for 1.3.1", but there has been no reply from the developer so far.
- The NIST National Vulnerability Database refers to a fix implemented in 1.3.1, but
the link to the SourceForge page only shows the patches applied for the fix.
- I used those diff descriptions to create a patch to implement on the existing 1.3.0
version in IPFire, and this patch submission applies that fix.
- Incremented the lfs PAK_VER
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
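A DNS rebinding bug of the kind described in the CVE above is the same in every embedded HTTP server: a page served from an attacker's hostname is allowed by the browser to talk to that hostname, and once the name is re-pointed at the LAN device, the device answers as if the request were local. The standard mitigation is for the server to reject any request whose Host header is not one of the addresses it is actually bound to. The block below is an added example of such a check, written for this page in POSIX shell; it is not code from ReadyMedia/MiniDLNA, from the 1.3.1 patches, or from IPFire, and the listening addresses, the port and the sample Host headers are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reject HTTP requests whose Host header does not name an
# address this server is bound to. Generic DNS-rebinding mitigation; this is
# NOT the ReadyMedia/MiniDLNA 1.3.1 fix itself.

# Constructed: addresses and port a hypothetical media server listens on.
LISTEN_ADDRS="192.168.1.10 10.0.0.5 [fd00::10]"
LISTEN_PORT=8200

# host_allowed HOST_HEADER
# Returns 0 when HOST_HEADER is "<addr>" or "<addr>:<port>" for one of the
# listening addresses and the listening port, 1 otherwise. Hostnames are
# never accepted: a name is exactly what the attacker controls in a
# rebinding attack, so only address literals can be matched safely.
host_allowed() {
    hdr=$1
    host=$hdr
    port=$LISTEN_PORT

    case $hdr in
        '')          return 1 ;;          # empty or missing Host header
        '['*']:'*)   host=${hdr%:*}       # bracketed IPv6 literal with port
                     port=${hdr##*:} ;;
        '['*']')     ;;                   # bracketed IPv6 literal, no port
        *:*:*)       return 1 ;;          # bare IPv6 literal: ambiguous, reject
        *:*)         host=${hdr%:*}       # IPv4 literal or name with port
                     port=${hdr##*:} ;;
    esac

    # A port, when present, must be numeric and equal to the listening port.
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -eq "$LISTEN_PORT" ] || return 1

    for addr in $LISTEN_ADDRS; do
        [ "$host" = "$addr" ] && return 0
    done
    return 1
}

# Constructed sample Host headers. After rebinding, the attacker's request
# still carries the attacker's name, which is why it is rejected.
for h in "192.168.1.10" "192.168.1.10:8200" "[fd00::10]:8200" \
         "rebind.attacker.example" "rebind.attacker.example:8200" \
         "192.168.1.10:9999" "fd00::10"; do
    if host_allowed "$h"; then echo "allow  $h"; else echo "reject $h"; fi
done
```

The check deliberately refuses unbracketed IPv6 literals and anything that is not an address literal; a server that also wants to answer to its own configured hostname should compare against that single fixed name, never against whatever name the client presents.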
- Update from version 2.4.49 to 2.6.1
- Update of rootfile
- Update of consolidated patch to 2.6.1
- Removal of old patches
- Changelog
OpenLDAP 2.6.1 Release (2022/01/20)
Fixed libldap to init client socket port (ITS#9743)
Fixed libldap with referrals (ITS#9781)
Added slapd config keyword for logfile format (ITS#9745)
Fixed slapd to allow objectClass edits with no net change (ITS#9772)
Fixed slapd configtable population (ITS#9576)
Fixed slapd to only set loglevel in server mode (ITS#9715)
Fixed slapd logfile-rotate use of uninitialized variable (ITS#9730)
Fixed slapd passwd scheme handling with slapd.conf (ITS#9750)
Fixed slapd postread support for modrdn (ITS#7080)
Fixed slapd syncrepl recreation of deleted entries (ITS#9282)
Fixed slapd syncrepl replication with ODSEE (ITS#9707)
Fixed slapd syncrepl to properly replicate glue entries (ITS#9647)
Fixed slapd syncrepl to reject REFRESH for precise resync (ITS#9742)
Fixed slapd syncrepl to avoid busy loop during refresh (ITS#9584)
Fixed slapd syncrepl when X-ORDERED is specified (ITS#9761)
Fixed slapd syncrepl to better handle out of order delete ops (ITS#9751)
Fixed slapd syncrepl to correctly close connections when config is deleted (ITS#9776)
Fixed slapd-mdb to update indices correctly on replace ops (ITS#9753)
Fixed slapd-wt to set correct flags (ITS#9760)
Fixed slapo-accesslog to fix assertion due to deprecated code (ITS#9738)
Fixed slapo-accesslog to fix inconsistently normalized minCSN (ITS#9752)
Fixed slapo-accesslog delete handling of multi-valued config attrs (ITS#9493)
Fixed slapo-autogroup to maintain values in insertion order (ITS#9766)
Fixed slapo-constraint to maintain values in insertion order (ITS#9770)
Fixed slapo-dyngroup to maintain values in insertion order (ITS#9762)
Fixed slapo-dynlist compare operation for static groups (ITS#9747)
Fixed slapo-dynlist static group filter with multiple members (ITS#9779)
Fixed slapo-ppolicy when not built modularly (ITS#9733)
Fixed slapo-refint to maintain values in insertion order (ITS#9763)
Fixed slapo-retcode to honor requested insert position (ITS#9759)
Fixed slapo-sock cn=config support (ITS#9758)
Fixed slapo-syncprov memory leak (ITS#8039)
Fixed slapo-syncprov to generate a more accurate accesslog query (ITS#9756)
Fixed slapo-syncprov to allow empty DB to host persistent syncrepl connections (ITS#9691)
Fixed slapo-syncprov to consider all deletes for syncInfo messages (ITS#5972)
Fixed slapo-translucent to warn on invalid config (ITS#9768)
Fixed slapo-unique to warn on invalid config (ITS#9767)
Fixed slapo-valsort to maintain values in insertion order (ITS#9764)
Build Environment
Fix test022 to preserve DELAY search output (ITS#9718)
Fix slapd-watcher to allow startup when servers are down (ITS#9727)
Contrib
Fixed slapo-lastbind to work with 2.6 lastbind-precision configuration (ITS#9725)
Documentation
Fixed slapd.conf(5)/slapd-config(5) documentation on lastbind-precision (ITS#9728)
Fixed slapo-accesslog(5) to clarify logoldattr usage (ITS#9749)
OpenLDAP 2.6.0 Release (2021/10/25)
Initial release for "general use".
OpenLDAP 2.5.7 Release (2021/08/18)
Fixed lloadd client state tracking (ITS#9624)
Fixed slapd bconfig to canonicalize structuralObjectclass (ITS#9611)
Fixed slapd-ldif duplicate controls response (ITS#9497)
Fixed slapd-mdb multival crash when attribute is missing an equality matchingrule (ITS#9621)
Fixed slapd-mdb compatibility with OpenLDAP 2.4 MDB databases (ITS#8958)
Fixed slapd-mdb idlexp maximum size handling (ITS#9637)
Fixed slapd-monitor number of ops executing with asynchronous backends (ITS#9628)
Fixed slapd-sql to add support for ppolicy attributes (ITS#9629)
Fixed slapd-sql to close transactions after bind and search (ITS#9630)
Fixed slapo-accesslog to make reqMod optional (ITS#9569)
Fixed slapo-ppolicy logging when pwdChangedTime attribute is not present (ITS#9625)
Documentation
slapd-mdb(5) note max idlexp size is 30, not 31 (ITS#9637)
slapo-accesslog(5) note that reqMod is optional (ITS#9569)
Add ldapvc(1) man page (ITS#9549)
Add guide section on load balancer (ITS#9443)
Updated guide to document multiprovider as replacement for mirrormode (ITS#9200)
Updated guide to clarify slapd-mdb upgrade requirements (ITS#9200)
Updated guide to document removal of deprecated options from client tools (ITS#9200)
OpenLDAP 2.5.6 Release (2021/07/27)
Fixed libldap buffer overflow (ITS#9578)
Fixed libldap missing mutex unlock on connection alloc failure (ITS#9590)
Fixed lloadd cn=config olcBkLloadClientMaxPending setting (ITS#8747)
Fixed slapd multiple config defaults (ITS#9363)
Fixed slapd ipv6 addresses to work with tcp wrappers (ITS#9603)
Fixed slapo-syncprov delete of nonexistent sessionlog (ITS#9608)
Build
Fixed library symbol versioning on Solaris (ITS#9591)
Fixed compile warning in libldap/tpool.c (ITS#9601)
Fixed compile warning in libldap/tls_o.c (ITS#9602)
Contrib
Fixed ppm module for sysconfdir (ITS#7832)
Documentation
Updated guide to document multival, idlexp, and maxentrysize (ITS#9613, ITS#9614)
OpenLDAP 2.5.5 Release (2021/06/03)
Added libldap LDAP_OPT_TCP_USER_TIMEOUT support (ITS#9502)
Added lloadd tcp-user-timeout support (ITS#9502)
Added slapd-asyncmeta tcp-user-timeout support (ITS#9502)
Added slapd-ldap tcp-user-timeout support (ITS#9502)
Added slapd-meta tcp-user-timeout support (ITS#9502)
Fixed incorrect control OIDs for AuthZ Identity (ITS#9542)
Fixed libldap typo in util-int.c (ITS#9541)
Fixed libldap double free of LDAP_OPT_DEFBASE (ITS#9530)
Fixed libldap better TLS1.3 cipher suite handling (ITS#9521, ITS#9546)
Fixed lloadd multiple issues (ITS#8747)
Fixed slapd slap_op_time to avoid duplicates across restarts (ITS#9537)
Fixed slapd typo in daemon.c (ITS#9541)
Fixed slapd slapi compilation (ITS#9544)
Fixed slapd to handle empty DN in extended filters (ITS#9551)
Fixed slapd syncrepl searches with empty base (ITS#6467)
Fixed slapd syncrepl refresh on startup (ITS#9324, ITS#9534)
Fixed slapd abort due to typo (ITS#9561)
Fixed slapd-asyncmeta quarantine handling (ITS#8721)
Fixed slapd-asyncmeta to have a default operations timeout (ITS#9555)
Fixed slapd-ldap quarantine handling (ITS#8721)
Fixed slapd-mdb deletion of context entry (ITS#9531)
Fixed slapd-mdb off-by-one affecting search scope (ITS#9557)
Fixed slapd-meta quarantine handling (ITS#8721)
Fixed slapo-accesslog to record reqNewDN for modRDN ops (ITS#9552)
Fixed slapo-pcache locking during expiration (ITS#9529)
Build
Fixed slappw-argon2 module installation (ITS#9548)
Contrib
Update ldapc++/ldaptcl to use configure.ac (ITS#9554)
Documentation
ldap_first_attribute(3) - Document ldap_get_attribute_ber (ITS#8820)
ldap_modify(3) - Delete non-existent mod_next parameter (ITS#9559)
OpenLDAP 2.5.4 Release (2021/04/29)
Initial release for "general use".
OpenLDAP 2.4.57 Release (2021/01/18)
Fixed ldapexop to use correct return code (ITS#9417)
Fixed slapd to remove asserts in UUIDNormalize (ITS#9391)
Fixed slapd to remove assert in csnValidate (ITS#9410)
Fixed slapd validity checks for issuerAndThisUpdateCheck (ITS#9411, ITS#9427)
Fixed slapd validity checks for serialNumberAndIssuerCheck (ITS#9404, ITS#9424)
Fixed slapd AVA sort with invalid RDN (ITS#9412)
Fixed slapd ldap_X509dn2bv to check for invalid BER after RDN count (ITS#9423, ITS#9425)
Fixed slapd saslauthz to remove asserts in validation (ITS#9406, ITS#9407)
Fixed slapd saslauthz to use slap_sl_free on normalized DN (ITS#9409)
Fixed slapd saslauthz SEGV in slap_parse_user (ITS#9413)
Fixed slapd modrdn memory leak (ITS#9420)
Fixed slapd double-free in vrfilter (ITS#9408)
Fixed slapd cancel operation to correctly terminate (ITS#9428)
Fixed slapd-ldap fix binds on retry with closed connection (ITS#9400)
Fixed slapo-syncprov to ignore duplicate sessionlog entries (ITS#9394)
OpenLDAP 2.4.56 Release (2020/11/10)
Fixed slapd to remove assert in certificateListValidate (ITS#9383)
Fixed slapd to remove assert in csnNormalize23 (ITS#9384)
Fixed slapd to better parse ldapi listener URIs (ITS#9379)
OpenLDAP 2.4.55 Release (2020/10/26)
Fixed slapd normalization handling with modrdn (ITS#9370)
Fixed slapd-meta to check ldap_install_tls return code (ITS#9366)
Contrib
Fixed nssov misplaced semicolon (ITS#8731, ITS#9368)
OpenLDAP 2.4.54 Release (2020/10/12)
Fixed slapd delta-syncrepl to ignore delete ops on deleted entry (ITS#9342)
Fixed slapd delta-syncrepl to be fully serialized (ITS#9330)
Fixed slapd delta-syncrepl MOD on zero-length context entry (ITS#9352)
Fixed slapd syncrepl to be fully serialized (ITS#8102)
Fixed slapd syncrepl to call check_syncprov on fresh consumer (ITS#9345)
Fixed slapd syncrepl to propagate errors from overlay_entry_get_ov (ITS#9355)
Fixed slapd syncrepl to not create empty ADD ops (ITS#9359)
Fixed slapd syncrepl replace usage on single valued attrs (ITS#9295)
Fixed slapd-monitor fix monitor_back_register_database for empty suffix DB (ITS#9353)
Fixed slapo-accesslog normalizer for reqStart (ITS#9358)
Fixed slapo-accesslog to not generate new contextCSN on purge (ITS#9361)
Fixed slapo-syncprov contextCSN generation with empty suffix (ITS#9015)
Fixed slapo-syncprov sessionlog to use a TAVL tree (ITS#8486)
OpenLDAP 2.4.53 Release (2020/09/07)
Added slapd syncrepl additional SYNC logging (ITS#9043)
Fixed slapd syncrepl segfault on NULL cookie on REFRESH (ITS#9282)
Fixed slapd syncrepl to use fresh connection on REFRESH fallback (ITS#9338)
Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302,ITS#9334)
Build
Require OpenSSL 1.0.2 or later (ITS#9323)
Fixed libldap compilation issue with broken C compilers (ITS#9332)
OpenLDAP 2.4.52 Release (2020/08/28)
Added libldap LDAP_OPT_X_TLS_REQUIRE_SAN option (ITS#9318)
Added libldap OpenSSL support for multiple EECDH curves (ITS#9054)
Added slapd OpenSSL support for multiple EECDH curves (ITS#9054)
Fixed librewrite malloc/free corruption (ITS#9249)
Fixed libldap hang when using UDP and server down (ITS#9328)
Fixed slapd syncrepl rare deadlock due to network issues (ITS#9324)
Fixed slapd syncrepl regression that could trigger an assert (ITS#9329)
Fixed slapd-mdb index error with collapsed range (ITS#9135)
OpenLDAP 2.4.51 Release (2020/08/11)
Added slapo-ppolicy implement Netscape password policy controls (ITS#9279)
Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
Fixed libldap to use getaddrinfo in ldap_pvt_get_fqdn (ITS#9287)
Fixed slapd to enforce singular existence of some overlays (ITS#9309)
Fixed slapd syncrepl to not delete non-replicated attrs (ITS#9227)
Fixed slapd syncrepl to correctly delete entries on resync (ITS#9282)
Fixed slapd syncrepl to use replace on single valued attrs (ITS#9294, ITS#9295)
Fixed slapd-perl dynamic config with threaded slapd (ITS#7573)
Fixed slapo-ppolicy to expose the ppolicy control (ITS#9285)
Fixed slapo-ppolicy race condition for pwdFailureTime (ITS#9302)
Fixed slapo-ppolicy so it can only exist once per DB (ITS#9309)
Fixed slapo-chain to check referral (ITS#9262)
Build Environment
Fix test064 so it no longer uses bashisms (ITS#9263)
Contrib
Fix default prefix value for pw-argon2, pw-pbkdf2 modules (ITS#9248)
slapo-allowed - Fix usage of uninitialized variable (ITS#9308)
Documentation
ldap_parse_result(3) - Document ldap_parse_intermediate (ITS#9271)
OpenLDAP 2.4.50 Release (2020/04/28)
Fixed client benign typos (ITS#8890)
Fixed libldap type cast (ITS#9175)
Fixed libldap retry loop in ldap_int_tls_connect (ITS#8650)
Fixed libldap_r race on Windows mutex initialization (ITS#9181)
Fixed liblunicode memory leak (ITS#9198)
Fixed slapd benign typos (ITS#8890)
Fixed slapd to limit depth of nested filters (ITS#9202)
Fixed slapd-mdb memory leak in dnSuperiorMatch (ITS#9214)
Fixed slapo-pcache database initialization (ITS#9182)
Fixed slapo-ppolicy callback (ITS#9171)
Build
Fix olcDatabaseDummy initialization for windows (ITS#7074)
Fix detection for ws2tcpip.h for windows (ITS#8383)
Fix back-mdb types for windows (ITS#7878)
Contrib
Update ldapc++ config.guess and config.sub to support newer architectures (ITS#7855)
Added pw-argon2 module (ITS#9233, ITS#8575, ITS#9203, ITS#9206)
Documentation
slapd-ldap(5) - Clarify idassert-authzfrom behavior (ITS#9003)
slapd-meta(5) - Remove client-pr option (ITS#8683)
slapindex(8) - Fix truncate option information for back-mdb (ITS#9230)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 4.1.0 to 4.1.0 plus patches 1 to 13
- Version 4.1.0 was released on 10-07-2020. However, patches have been progressively
issued to fix various bugs that have been identified.
- Currently 13 patches have been issued and MPFR provides a cumulative patches file to
use to patch the source file.
- Update of rootfile
- Patch changelog
1 With GCC (the only tested compiler with software _Decimal128), conversions of
double to _Decimal128 yield an increase of 2 to 3 MB for the generated library
code when the decimal encoding is BID (designed for software implementations),
even though the conversions done in MPFR are very simple. Details about this GCC
issue. The decimal128-conv patch avoids these conversions by directly using
_Decimal128 constants. Note that fixing the issue entirely would require to get
rid of all the decimal128 operations; in the meantime, decimal support (i.e.
mpfr_get_decimal128 and mpfr_set_decimal128 functions) could be disabled at
configure time.
Corresponding changeset in the 4.1 branch: 14094.
2 The random_deviate.c file contains non-portable code. This is fixed by the
random_deviate patch.
Corresponding changeset in the 4.1 branch: 14126.
3 In the mpfr_set_z_2exp function, a huge mpz_t value can yield an integer overflow.
This is fixed by the set_z_2exp-overflow patch (with testcases). Note that in
practice, an integer overflow may occur only with a 32-bit ABI. Moreover, with a
usual compilation, an integer overflow should here not yield any particular issue,
assuming that the processor does signed addition and multiplication modulo 2^32 (as
usual). However, UBsan would detect the overflow, and LTO might have unpredictable
effects.
Corresponding changesets in the 4.1 branch: 14147, 14151.
4 Some function prototypes are slightly inconsistent. This is valid C code, but
these inconsistencies are unintended and possibly confusing, and they trigger
diagnostics with the -Warray-parameter option of the future GCC 11 (included in
-Wall). This causes issues when testing MPFR. And since mpfr.h is concerned, this
might also affect user code. This is fixed by the prototypes patch.
Corresponding changeset in the 4.1 branch: 14411.
5 In uncommon cases, the mpfr_digamma function needs to use an intermediate
precision equal to the exponent of the input value, which may be huge. This is
inefficient, and the code can request more memory than available, yielding a crash.
The digamma-hugemem patch improves the implementation by making such a need much
rarer; it also provides testcases showing a crash on 64-bit machines (at least).
Corresponding changeset in the 4.1 branch: 14424.
6 The mpfr_digamma function may have an erratic behavior in some cases (an assertion
failure in debug mode). This is fixed by the digamma-interm-zero patch (with
testcase).
Corresponding changeset in the 4.1 branch: 14425.
7 The Bessel functions (mpfr_j0, mpfr_j1, mpfr_jn, mpfr_y0, mpfr_y1, mpfr_yn) may
have an erratic behavior in some cases (an assertion failure in debug mode). This
is fixed by the jn-interm-zero patch (with testcase).
Corresponding changeset in the 4.1 branch: 14426.
8 The mpfr_digamma function may have an erratic behavior in some cases (an assertion
failure in debug mode) when the reflection formula is used, i.e. when x < 1/2.
This is fixed by the digamma-interm-zero2 patch (with testcase).
Corresponding changeset in the 4.1 branch: 14435.
9 The Bessel functions (mpfr_j0, mpfr_j1, mpfr_jn, mpfr_y0, mpfr_y1, mpfr_yn) may
have an erratic behavior in some cases (an assertion failure in debug mode) when
the asymptotic expansion is needed. This is fixed by the jyn_asympt-interm-zero
patch (with testcase).
Corresponding changeset in the 4.1 branch: 14436.
10 Some functions are also implemented as macros, and such a macro should behave
exactly like the corresponding function (if the code is valid for the function
call). However, the following macros do not behave as if their argument were
implicitly converted to the type from the function prototype: mpfr_nan_p,
mpfr_inf_p, mpfr_zero_p, mpfr_regular_p, mpfr_get_prec, mpfr_get_exp,
mpfr_copysign (third argument), mpfr_signbit and mpfr_set (second argument). For
instance, providing an argument of type void * instead of mpfr_ptr or mpfr_srcptr
will yield a compilation failure. Note that this issue does not exist in C++,
which does not support such implicit conversions. Moreover, the mpfr_set macro
evaluates its second argument twice (reported by David McCooey), which is
incorrect if this evaluation has side effects. This is fixed by the macros patch
(with testcases). Macros for the custom interface, which are explicitly documented
as provided, do not follow these rules; the patch clarifies this point in the MPFR
manual.
Corresponding changesets in the 4.1 branch: 14468, 14469.
11 The test programs tset_si and tset_sj fail if MPFR_USE_NO_MACRO is defined (e.g.,
via -DMPFR_USE_NO_MACRO in CFLAGS). This is fixed by the tset_sij patch.
Corresponding changeset in the 4.1 branch: 14470.
12 The mpfr_get_str_ndigits function may raise the inexact flag. In a very reduced
exponent range (e.g. in which the result would not be representable as a MPFR
number), it has undefined behavior: it may return an incorrect value, crash, or
loop, taking more and more memory. This is fixed by the get_str_ndigits patch,
which also updates the tests to check these issues.
Corresponding changeset in the 4.1 branch: 14490.
13 The code for the formatted output functions (mpfr_printf, etc.) contains an
incorrect assertion, checked only in debug mode, i.e. when MPFR has been
configured with --enable-assert; this assertion failure occurs when the integer 0
(of either a native type or mpfr_prec_t with the length specifier P) is output
with the precision field equal to 0, i.e. when the corresponding string to output
is empty. Otherwise, there should be no side effects since the code is actually
valid in this case; but since the code incorrectly instructs the compiler that
some variable cannot be 0, there might be an issue with some optimizations (very
unlikely, though). This bug is fixed by the vasprintf-prec-zero patch, which also
provides testcases.
Corresponding changesets in the 4.1 branch: 14524, 14525.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Changelog:
"5.0.9 -- 2022-04-21
Security #4889: ftp: SEGV at flow cleanup due to protocol confusion
Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5253: Infinite loop in JsonFTPLogger
Feature #4644: pthreads: set minimum stack size
Bug #4466: dataset file not written when run as user
Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4745: Absent app-layer protocol is always enabled by default
Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4823: conf: quadratic complexity
Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4838: af-packet: cluster_id is not used when trying to set fanout support
Bug #4878: datasets: memory leak in 5.0.x
Bug #4887: dnp3: buffer over read in logging base64 empty objects
Bug #4891: protodetect: SMB vs TLS protocol detection in midstream
Bug #4893: TFTP: memory leak due to missing detect state
Bug #4895: Memory leak with signature using file_data and NFS
Bug #4897: profiling: Invalid performance counter when using sampling
Bug #4901: eve: memory leak related to dns
Bug #4932: smtp: smtp transaction not logged if no email is present
Bug #4955: stream: too aggressive pruning in lossy streams
Bug #4957: SMTP assertion triggered
Bug #4959: suricatasc loop if recv returns no data
Bug #4961: dns: transaction not created when z-bit set
Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet
Bug #5058: dns: probing/parser can return error when it should return incomplete
Bug #5063: Not keyword matches in Kerberos requests
Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5099: htp: server personality radix handling issue
Bug #5101: defrag: policy config can setup radix incorrectly
Bug #5103: Application log cannot be re-opened when running as non-root user
Bug #5105: iprep: cidr support can set up radix incorrectly
Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5109: swf: coverity warning
Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string
Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #5137: smb: excessive memory use during file transfer
Bug #5150: nfs: Integer underflow in NFS
Bug #5157: xbits: noalert is allowed in rule language with other commands
Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #5171: detect/iponly: non-cidr netmask settings can lead incorrect radix tree
Bug #5193: SSL : over allocation for certificates
Bug #5213: content:"22 2 22"; is parsed without error
Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow.
Bug #5251: smb: integer underflows and overflows
Task #5006: libhtp 0.5.40"
Additionally, I moved the 'suricata' patch files into a separate directory.
Apart from some line numbers, nothing else was changed.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
flashrom needs access to /dev/io ports for flashing firmware, a
functionality we cannot cease to support. Therefore, LSM constraints are
disabled for ioport.c, hopefully permitting us to keep it enabled.
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- These lines were introduced with another patch related to removing IPFire start/stop
capability from wio
- The lines were introduced in commented out form and so are doing nothing.
- It looks like they were added as part of a debugging or investigation work on wio
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- The lines to scan the red interface were introduced at the time of a patch to remove
the IPFire start/stop function from wio. These lines are not related to that change
but were included in the patch with no commit message. The same lines were also added
into wio.cgi in the same patch set but in that case the lines were all commented out.
- These lines look like they were most likely added to the code for investigation or
debugging purposes. Looking at the lines in wio.pl the results obtained are not
used elsewhere in wio for obtaining info on the status of the red interface. Deleting
the lines did not affect anything related to the scanning, setup or monitoring of
systems by wio.
- The lines were wasting space but generally not creating a huge impact on performance.
On my production system it scans my red and comes up with a list of 1022 IPs because
of the subnet my ISP uses - xxx.yy.216.0/20
- Scanning those 1022 IPs and sorting them takes my system about 3 seconds. Without
sorting it is around the same level.
- In Bug#12799 the originator has an ISP that is using a private network that has a
defined subnet of 10.0.0.0/8. This is 16,777,214 IPs to be scanned. Even without sorting
my system would end up taking around 13 hours to do that. The bug originator found that
on certain machines that he had IPFire on, wio just never stopped scanning.
- As these lines just seem to collect a large amount of IPs on red that are not related
to the actual running red IP, as there was no commit message related to their
introduction, and as removing the lines on VMs running DHCP and static red interfaces
and also on my running production system for 4 weeks has shown no impact on the
monitoring capability, this patch is being submitted to remove these lines from wio.
Fixes: Bug#12799
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
In case a configured provider is no longer supported, simply skip it
and do not try to perform an update.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
mount, as updated via util-linux, no longer writes /etc/mtab, causing
programs that rely on this file's content (such as the check_disk Nagios
plugin) to stop working.
/proc/self/mounts contains all the necessary information, so it is fine
to replace /etc/mtab by a symlink to it.
Fixes: #12843
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Malicious filenames can make xzgrep to write to arbitrary files
or (with a GNU sed extension) lead to arbitrary code execution.
- xzgrep from XZ Utils versions up to and including 5.2.5 are
affected. 5.3.1alpha and 5.3.2alpha are affected as well.
- This bug was inherited from gzip's zgrep. gzip 1.12 includes
a fix for zgrep.
- CU167 has gzip-1.12 with the fix already merged.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
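The bug class behind the xzgrep advisory above is a file name being spliced into a sed program as source text rather than handled as data: a name containing the `|` delimiter closes the intended `s` command early, and a newline lets whatever follows be parsed as further sed commands. The block below is an added example, written for this page and not taken from XZ Utils, gzip or IPFire, of escaping an untrusted name so that it survives as a literal inside a sed replacement, next to the unescaped form that a zgrep-style wrapper used; `sed_escape`, `prefix_unsafe`, `prefix_safe` and the hostile sample name are all constructed here.

```shell
#!/bin/sh
# Added example (not code from XZ Utils or gzip): escape an untrusted file
# name before splicing it into the replacement side of a sed "s" command,
# as zgrep-style wrappers do to prefix matching lines with the file name.

# sed_escape NAME
# Prints NAME with every character that is special in a sed replacement
# neutralised: backslash, '&', the '|' delimiter, and newline. A raw '|'
# would close the s command early and a raw newline would start a new sed
# command, which is how a file name turns into sed program text.
sed_escape() {
    printf '%s' "$1" | sed '
        s/\\/\\\\/g
        s/&/\\\&/g
        s/|/\\|/g
        $!s/$/\\n/
    ' | tr -d '\n'
}

# prefix_unsafe NAME LINE: the vulnerable shape, NAME spliced in verbatim.
prefix_unsafe() {
    printf '%s\n' "$2" | sed "s|^|$1:|"
}

# prefix_safe NAME LINE: the same command, but NAME passes through sed_escape,
# so it is reproduced as plain text (including any newline it contains).
prefix_safe() {
    printf '%s\n' "$2" | sed "s|^|$(sed_escape "$1"):|"
}

# Constructed hostile file name: delimiter, '&', backslash and a newline.
hostile='a&b|c\d
second'
echo "--- unsafe: the mangled script is rejected by sed here; a crafted name"
echo "--- would instead be parsed as extra sed commands"
prefix_unsafe "$hostile" "match" 2>&1 || true
echo "--- safe: the name comes out exactly as given"
prefix_safe "$hostile" "match"
```

The escaping is done with sed itself so the example has no dependency beyond a POSIX shell, sed and tr; the same idea applies to any generated program text (awk, SQL, shell), where the fix is always to escape for the target language or, better, to pass the untrusted value out of band instead of inlining it.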
Fixes: 12831
Jonatan Schlag reported that the command line options of 'vnstat' had changed
"...and seemed to be broken a long time".
=> https://bugzilla.ipfire.org/show_bug.cgi?id=12831#c0
Several command line switches used in networking initscripts were obviously removed.
Affected commands in '.../networking/any' and '.../networking/red':
...
/usr/bin/vnstat -u -i ${DEVICE} -r --enable --force > /dev/null 2>&1
...
/usr/bin/vnstat -u -i ${DEVICE} -r --disable > /dev/null 2>&1
...
and
...
/usr/bin/vnstat -u -i ppp0 -r --disable > /dev/null 2>&1
...
Adolf Belka tested this, "looked through the changelogs" and found - besides that
the switch '--enable' had been removed "in version 2.0 in 2018" - that '--enable', '--update'
and '--reset' switches are either not needed or not supported anymore.
"The old man page indicates that none of those options are used when the vnstat daemon
is running."
Since we only start and run 'vnstatd' in IPFire it was decided to remove these commands.
Reported-by: jonatan.schlag <jonatan.schlag@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
This is recommended by KSPP, Lynis, and others. Indeed, there is no
legitimate reason why an unprivileged user on IPFire should do any
profiling. Unfortunately, this change never landed in the mainline
kernel, hence a distribution patch is necessary.
The second version of this patch rebases the kernel patch by Jeff
Vander Stoep against Linux 5.15.17 to avoid fuzz.
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This script only appeared in conjunction with Core Update 75, released
January 2014. Although it is still being executed while restoring a
backup, it would only be effective if anyone tried to restore a backup
created before C75.
I don't think there is a realistic need to carry this script along any
further. In doubt, it might be better to start from scratch again rather
than trying to restore an 8 year old backup, expecting everything to be
peachy and vanilla with it.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This reverts commit 77e3829dc1.
For the time being, shipping this was found to be too difficult, since
we cannot get linux-firmware down to an acceptable size limit.
Compressing the firmware on installations would work, but takes about 4
minutes on an Intel Xeon CPU alone, hence it is an unacceptable
workload for IPFire installations running on weaker hardware.
Therefore, we do not proceed with this at the moment.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog, as retrieved from https://www.zlib.net/ChangeLog.txt :
Changes in 1.2.12 (27 Mar 2022)
- Cygwin does not have _wopen(), so do not create gzopen_w() there
- Permit a deflateParams() parameter change as soon as possible
- Limit hash table inserts after switch from stored deflate
- Fix bug when window full in deflate_stored()
- Fix CLEAR_HASH macro to be usable as a single statement
- Avoid a conversion error in gzseek when off_t type too small
- Have Makefile return non-zero error code on test failure
- Avoid some conversion warnings in gzread.c and gzwrite.c
- Update use of errno for newer Windows CE versions
- Small speedup to inflate [psumbera]
- Return an error if the gzputs string length can't fit in an int
- Add address checking in clang to -w option of configure
- Don't compute check value for raw inflate if asked to validate
- Handle case where inflateSync used when header never processed
- Avoid the use of ptrdiff_t
- Avoid an undefined behavior of memcpy() in gzappend()
- Avoid undefined behaviors of memcpy() in gz*printf()
- Avoid an undefined behavior of memcpy() in _tr_stored_block()
- Make the names in functions declarations identical to definitions
- Remove old assembler code in which bugs have manifested
- Fix deflateEnd() to not report an error at start of raw deflate
- Add legal disclaimer to README
- Emphasize the need to continue decompressing gzip members
- Correct the initialization requirements for deflateInit2()
- Fix a bug that can crash deflate on some input when using Z_FIXED
- Assure that the number of bits for deflatePrime() is valid
- Use a structure to make globals in enough.c evident
- Use a macro for the printf format of big_t in enough.c
- Clean up code style in enough.c, update version
- Use inline function instead of macro for index in enough.c
- Clarify that prefix codes are counted in enough.c
- Show all the codes for the maximum tables size in enough.c
- Add gznorm.c example, which normalizes gzip files
- Fix the zran.c example to work on a multiple-member gzip file
- Add tables for crc32_combine(), to speed it up by a factor of 200
- Add crc32_combine_gen() and crc32_combine_op() for fast combines
- Speed up software CRC-32 computation by a factor of 1.5 to 3
- Use atomic test and set, if available, for dynamic CRC tables
- Don't bother computing check value after successful inflateSync()
- Correct comment in crc32.c
- Add use of the ARMv8 crc32 instructions when requested
- Use ARM crc32 instructions if the ARM architecture has them
- Explicitly note that the 32-bit check values are 32 bits
- Avoid adding empty gzip member after gzflush with Z_FINISH
- Fix memory leak on error in gzlog.c
- Fix error in comment on the polynomial representation of a byte
- Clarify gz* function interfaces, referring to parameter names
- Change macro name in inflate.c to avoid collision in VxWorks
- Correct typo in blast.c
- Improve portability of contrib/minizip
- Fix indentation in minizip's zip.c
- Replace black/white with allow/block. (theresa-m)
- minizip warning fix if MAXU32 already defined. (gvollant)
- Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
- Clean up minizip to reduce warnings for testing
- Add fallthrough comments for gcc
- Eliminate use of ULL constants
- Separate out address sanitizing from warnings in configure
- Remove destructive aspects of make distclean
- Check for cc masquerading as gcc or clang in configure
- Fix crc32.c to compile local functions only if used
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>