- Update from version 3.22.6 to 3.23.5
- Update of rootfile
- Changelog
3.23.5 - This release has the following changes:
Added support for the following new Printers:
HP Color LaserJet Enterprise 6700dn
HP Color LaserJet Enterprise 6700
HP Color LaserJet Enterprise 6701dn
HP Color LaserJet Enterprise 6701
HP Color LaserJet Enterprise X654dn
HP Color LaserJet Enterprise X65455dn
HP Color LaserJet Enterprise X654
HP Color LaserJet Enterprise X65465dn
HP Color LaserJet Enterprise X654 65 PPM
HP Color LaserJet Enterprise X654 55 to 65ppm License
HP Color LaserJet Enterprise X654 Down License
HP Color LaserJet Enterprise MFP 6800dn
HP Color LaserJet Enterprise Flow MFP 6800zf
HP Color LaserJet Enterprise Flow MFP 6800zfsw
HP Color LaserJet Enterprise Flow MFP 6800zfw+
HP Color LaserJet Enterprise MFP 6800
HP Color LaserJet Enterprise MFP 6801
HP Color LaserJet Enterprise MFP 6801 zfsw
HP Color LaserJet Enterprise Flow MFP 6801zfw+
HP Color LaserJet Enterprise MFP X677 55 to 65ppm License
HP Color LaserJet Enterprise MFP X677 65ppm
HP Color LaserJet Enterprise MFP X677s
HP Color LaserJet Enterprise Flow MFP X677z
HP Color LaserJet Enterprise MFP X67765dn
HP Color LaserJet Enterprise Flow MFP X67765zs
HP Color LaserJet Enterprise Flow MFP X67765z+
HP Color LaserJet Enterprise MFP X677
HP Color LaserJet Enterprise MFP X67755dn
HP Color LaserJet Enterprise Flow MFP X67755zs
HP Color LaserJet Enterprise Flow MFP X67755z+
HP Color LaserJet Enterprise MFP X677dn
HP Color LaserJet Enterprise Flow MFP X677zs
HP Color LaserJet Enterprise Flow MFP X677z+
HP Color LaserJet Enterprise 5700dn
HP Color LaserJet Enterprise 5700
HP Color LaserJet Enterprise X55745dn
HP Color LaserJet Enterprise X55745
HP Color LaserJet Enterprise MFP 5800dn
HP Color LaserJet Enterprise MFP 5800f
HP Color LaserJet Enterprise Flow MFP 5800zf
HP Color LaserJet Enterprise MFP 5800
HP Color LaserJet Enterprise MFP X57945
HP Color LaserJet Enterprise Flow MFP X57945zs
HP Color LaserJet Enterprise MFP X57945dn
HP Color LaserJet Enterprise Flow MFP X57945z
3.23.3 - This release has the following changes:
Added support for following new Distro's:
LinuxMint 21.1
MxLinux 21.3
Elementary OS 7
Ubuntu 22.10
RHEL 8.6
RHEL 8.7
RHEL 9.1
Fedora 37
Added support for the following new Printers:
HP Smart Tank 520_540 series
HP Smart Tank 580-590 series
HP Smart Tank 5100 series
HP Smart Tank 210-220 series
3.22.10 - This release has the following changes:
Added support for following new Distro's:
Manjaro 21.3
Suse 15.4
RHEL 9
Linux Mint 21.0
Mx Linux 21.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.38.1 to 2.41.0
- Update of rootfile
- Changelog is too large to show here. Look in the Source tarball in Documentation
RelNotes and each of the version numbers released - 2.38.2, 2.38.3, 2.38.4, 2.38.5,
2.39.0, 2.39.1, 2.39.2, 2.39.3, 2.40.0, 2.40.1, 2.41.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.0.1 to 8.5.2
- Update of rootfile
- tar.xz versions are no longer provided by the developers. They onl provide the tar.gz
that is automatically created by github. This started shortly after 8.0.1 was released
- Changelog is too large to include here. For full details see the changelog details at
https://github.com/FRRouting/frr/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.0.26 to 3.2.3
- Update of rootfile
- Changelog
3.2.3
Feature Improvements
Add "max_retries" for connection pools. Fixes#4908. Patch from Nick Porter.
Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
dictionary.wispr; add dictionary.eleven.
You can now list "eap" in the "pre-proxy" section. If the packet contains a
malformed EAP message, then the request will be rejected The home server
will either reject (or discard) this packet anyways, so this change can only
help with large proxy scenarios.
Show warnings if libldap is not using OpenSSL.
Support RADIUS/1.1. See
https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by
default, can be enabled by passing `--with-radiusv11` to the configure
script. For now, this is for testing interoperability.
Add extra sanity checks for malformed EAP attributes.
More TLS debugging output.
Clear old module instance data before HUP reload. Avoids burst memory use
when e.g. using large data files with rlm_files. Patch from Nick Porter.
`rlm_cache_redis` is now included in the freeradius-redis packages.
Separate out python2/python3 in Debian Packages. Previously python 2 or 3 was
built depending on the system default which led to confusion. We now build
both freeradius-python2 and freeradius-python3 packages where possible.
Bug Fixes
Don't leak MD contexts with OpenSSL 3.0.
Increase internal buffer size for TLS connections, which can help with
high-load proxies.
Send Status-Server checks for TLS connections.
Give descriptive error if "update CoA" is used with "fake" packets, as it
won't work. i.e. inner-tunnel and virtual home servers.
Many small ASAN / LSAN fixes from Jorge Pereira.
Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS
error, it will now close the socket, so proxies do not have an open (but
dead) TLS connection.
Fix mutex locking issues on inbound RADIUS/TLS connections This change avoids
random issues with "bad record mac".
Improve REST encoding loop. Patch from Herwin Weststrate. Closes#4950.
Correctly report the LDAP group a user was found in. Fixes#3084 Patch from
Nick Porter.
Force correct packet type when running Post-Auth-Type. Helps with #4980.
Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996.
Fix TCP socket statistics. Closes#4990.
Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps
with #5010.
3.2.2
Feature Improvements
The "configure" process now gives a much clearer report when it's finished.
Patches by Matthew Newton.
Fallback to "uname -n" on missing "hostname". Fixes#4771.
Export thread details in radmin "stats threads". Fixes#4770.
Improve queries for processing radacct into periodic usage data Fix from Nick
Porter.
Update dictionary.juniper.
Add dictionary.calix.
Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets".
Update documentation for robust-proxy-accounting, and be more aggressive
about sending packets.
Add per-module README.md files in the source.
Add default Visual Studio configuration for developers.
Postgres can now automatically use alternate queries for errors other than
duplicate keys.
%{listen:TLS-PSK-Identity} is now set when using PSK and psk_query This helps
the server track the identity of the client which is connecting.
Include thread stats in Status-Server attributes. Fixes#4870.
Mark rlm_unbound stable and add to packages. Patches by Nick Porter.
Remove broken/unsupported Dockerfiles for centos8 and debian9.
Ensure Docker containers have stable uid/gid. Patches from Terry Burton.
Bug Fixes
Preliminary support for non-blocking TLS sockets. Helps with #3501.
Fix support for partial certificate chains after adding reload support.
Fixes#4753.
Fix handling of debug_condition.
Clean up home server states, and re-sync with the dictionaries.
Correct certificate order when creating TLS-* attributes Fixes#4785.
Update use of isalpha() etc. so broken configurations have less impact on the
server.
Outgoing TLS sockets now set SNI correctly from the "hostname" configuration
item.
Support Apple Homebrew on the M1. Fixes#4754.
Better error messages when %{listen:TLS-...} is used.
Getting statistics via Status-Server can now be done within a virtual server.
Fixes#4868.
Make TTLS+MS-CHAP work with TLS 1.3. Fixes#4878.
Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton.
3.2.1
Feature Improvements
Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries,.
Add simultaneous-use queries for MS SQL.
Add radmin command for "stats pool <module-name>" Which prints out statistics
about the connection pools.
Client statistics now shows "conflicts", to count conflicting packets.
New optional "lightweight accounting-on/off" strategy. When refreshing
queries.conf you should also add the new nasreload table and corresponding
GRANTs to your DB schema.
Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with Eduroam.
Suggested by Stefan Winter.
Allow auth+acct for TCP sockets, too.
Add rlm_cache_redis. See raddb/mods-available/cache for details.
Allow radmin to look up home servers by name, too.
Ensure that dynamic clients don't create loops on duplicates Reported by Sam
Yee.
Removed rlm_sqlhpwippool. There was no documentation, no configuration, and
the module was ~15 years old with no one using it.
Marked rlm_python3 as stable.
Add sigalgs_list. See raddb/mods-available/eap. Patch from Boris Lytochkin.
For rlm_linelog, when opening files in /dev, look at "permissions" to see
whether to open them r/w.
More flexibility for dynamic home servers. See
doc/configuration/dynamic_home_servers.md and raddb/home_servers/README.md.
Allow setting of application_name for PostgreSQL. See mods-available/sql.
Bug Fixes
Correct test for open sessions in radacct for MS SQL.
The linelog module now opens /dev/stdout in "write-only" mode if the
permissions are set to "u+w" (0002).
Various fixes to rlm_unbound from Nick Porter.
PEAP now correctly runs Post-Auth-Type Accept.
Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-*
Fixes#4698. See sites-available/tls, and fix_cert_order.
Minor updates and fixes to CI, Dockerfiles and packaging.
Fix rlm_python3 build with python >= 3.10. Fixes#4441.
3.2.0
Feature Improvements
All features from 3.0.x are included in the 3.2.x releases. In addition:.
Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which day
of the month the counter should be reset.
Partial backport of rlm_json from v4, providing the json_encode xlat See
mods-available/json for documentation.
Support for haproxy "PROXY" protocol See sites-available/tls,
"proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/.
Support for sending CoA-Request and Disconnect-Request packets in "reverse"
down RadSec tunnels. Experimental for now, and undocumented.
It is now possible to run a virtual server when saving / loading TLS cache
attributes. See sites-available/tls-cache for more information.
Removed the "cram" module. It was undocumented, and used old and insecure
authentication methods.
Remove the "otp" module. The "otpd" program it needs is no longer available,
and the module has not been usable since at least 2015.
All features from 3.0.x are included in the 3.2.x releases.
3.2.0 requires OpenSSL 1.0.2 or greater.
Bug Fixes
All bug fixes from 3.0.x are included in the 3.2.x releases.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.0.10-4 (Sep 2014) to 2.0.11 (Dec 2019)
- Update of rootfile
- Deletion of patch to prevent installing in usr/local as new tarball now has a ./configure
file that enables setting prefix to /usr and sysconfdir to /etc
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.26.5 to 2.28.1
- Update of rootfile
- Changelog
2.28.1
This is a stable bugfix release, with the following changes:
Added support for the Nintendo Online Famicom controllers
Improved support for third-party Nintendo Switch controllers
Fixed setting the player LED on Nintendo Switch controllers
Added Linux controller mapping for the Logitech Chillstream
Fixed appending to a file greater than 4GB in size on Windows
2.28.0
Thanks to all the people who contributed code and feedback, SDL 2.28.0 is now
available!
In addition to lots of bug fixes, here are the major changes in this release:
General:
Added SDL_HasWindowSurface() and SDL_DestroyWindowSurface() to switch between
the window surface and rendering APIs
Added a display event SDL_DISPLAYEVENT_MOVED which is sent when the primary
monitor changes or displays change position relative to each other
Added the hint SDL_HINT_ENABLE_SCREEN_KEYBOARD to control whether the
on-screen keyboard should be shown when text input is active
With this release, SDL 2.0 is entering maintenance mode. While we will continue
to support the library and provide stable bug fix updates, the SDL team is
focusing on SDL 3.0 and all new feature development will be happening there. We
are simultaneously bringing up sdl2-compat so your existing SDL 2.0 applications
can run on the SDL 3.0 runtime in the future.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Removal of lfs file
- Removal of rootfile
- Removal of backup includes file
- Removal of three patches
- Removal of paks files
- Adjustment of make.sh to remove squidclamav
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 0.7.5 to 0.9.4
- Update of rootfile
- wavemon would not build because it could not find the netlink include files. wavemon was
still looking in include/netlink/ as for libnl version 1 but with libnl3 the include
files are in include/libnl3/netlink/
- Based on an issue entry in the wavemon github repo I created the patch to force wavemon
to look in the correct place.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- What is it?
rsnapshot is a filesystem snapshot utility based on
rsync. rsnapshot makes it easy to make periodic snapshots of the
ipfire device. The code makes extensive use of hard links whenever
possible, to greatly reduce the disk space required. See:
https://rsnapshot.org
- Why is it needed?
Rsnapshot backups run multiple times per day
(e.g., once per day up to 24 times per day). Rsnapshot is much easier
to configure, setup and use than the borg backup add-on. (I found
borg somewhat confusing). Rsnapshot completes each backup very fast.
Unlike borg, rsnapshot does not compress each backup before storage.
During a complete rebuild, borg backup need installation of the borg
add-on to recover archived files. Rsnapshot backups can be copied
directly from the backup drive. Current backups (backup.pl or borg)
could corrupt sqlite3 databases by running a backup during a database
write. This add-on includes a script specifically for sqlite backups.
- IPFire Wiki
In process at: https://wiki.ipfire.org/addons/rsnapshot
Thanks to Gerd for creating a first build and a nice template for me!
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
- Moved rootfile from common to packages and commented out all entries.
- Updated lfs file from addon to core package that is only used for build
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Based on input from Arne Fitzenreiter there are conf files that alsa complains about if
they are not present. This patch uncomments all the default conf files
- The backup include file is also added to the rootfile.
Suggested-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Configure Zabbix Agent to log to syslog instead of its own logs.
- Remove old zabbix log-dir and logrotate settings from rootfile, lfs
and install-script.
- Update log.dat to view Zabbix Agent logging from syslog.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
For details see:
https://blog.clamav.net/2023/05/clamav-110-released.html
"Major changes
Added the ability to extract images embedded in HTML CSS <style> blocks.
Updated to Sigtool so that the --vba option will extract VBA code from
Microsoft Office documents the same way that libclamav extracts VBA.
This resolves several issues where Sigtool could not extract VBA.
Sigtool will also now display the normalized VBA code instead of the
pre-normalized VBA code.
Added a new ClamScan and ClamD option: --fail-if-cvd-older-than=days.
Additionally, we introduce FailIfCvdOlderThan as a clamd.conf synonym
for --fail-if-cvd-older-than. When passed, it causes ClamD to exit on
startup with a non-zero return code if the virus database is older than
the specified number of days.
Added a new function cl_cvdgetage() to the libclamav API. This function
will retrieve the age in seconds of the youngest file in a database
directory, or the age of a single CVD (or CLD) file.
Added a new function cl_engine_set_clcb_vba() to the libclamav API. Use
this function to set a cb_vba callback function. The cb_vba callback
function will be run whenever VBA is extracted from office documents.
The provided data will be a normalized copy of the extracted VBA. This
callback was added to support Sigtool so that it can use the same VBA
extraction logic that ClamAV uses to scan documents.
Other improvements
Removed the vendored TomsFastMath library in favor of using OpenSSL to
perform "big number"/multiprecision math operations. Work courtesy of
Sebastian Andrzej Siewior.
Build system: Added CMake option DO_NOT_SET_RPATH to avoid setting
RPATH on Unix systems. Feature courtesy of Sebastian Andrzej Siewior.
Build system: Enabled version-scripts with CMake to limit symbol
exports for libclamav, libfreshclam, libclamunrar_iface, and
libclamunrar shared libraries on Unix systems, excluding macOS.
Improvement courtesy of Orion Poplawski and Sebastian Andrzej Siewior.
Build system: Enabled users to pass in custom Rust compiler flags using
the RUSTFLAGS CMake variable. Feature courtesy of Orion Poplawski.
Removed a hard-coded alert for CVE-2004-0597. The CVE is old enough
that it is no longer a threat and the detection had occasional
false-positives.
Set Git attributes to prevent Git from altering line endings for Rust
vendored libraries. Third-party Rust libraries are bundled in the
ClamAV release tarball. We do not commit them to our own Git
repository, but community package maintainers may now store the tarball
contents in Git. The Rust build system verifies the library manifest,
and this change ensures that the hashes are correct. Improvement
courtesy of Nicolas R.
Fixed compile time warnings. Improvement courtesy of Razvan Cojocaru.
Added a minor optimization when matching domain name regex signatures
for PDB, WDB and CDB type signatures.
Build system: Enabled the ability to select a specific Python version.
When building, you may use the CMake option -D
PYTHON_FIND_VER=<version> to choose a specific Python version. Feature
courtesy of Matt Jolly.
Added improvements to the ClamOnAcc process log output so that it is
easier to diagnose bugs.
Windows: Enabled the MSI installer to upgrade between feature versions
more easily when ClamAV is installed to a location different from the
default (i.e., not C:\Program Files\ClamAV). This means that the MSI
installer can find a previous ClamAV 1.0.x installation to upgrade to
ClamAV 1.1.0.
Sigtool: Added the ability to change the location of the temp directory
using the --tempdir option and added the ability to retain the temp
files created by Sigtool using the --leave-temps option.
Other minor improvements.
Bug fixes
Fixed the broken ExcludePUA / --exclude-pua feature. Fix courtesy of
Ged Haywood and Shawn Iverson.
Fixed an issue with integer endianness when parsing Windows executables
on big-endian systems. Fix courtesy of Sebastian Andrzej Siewior.
Fixed a possible stack overflow read when parsing WDB signatures. This
issue is not a vulnerability.
Fixed a possible index out of bounds when loading CRB signatures. This
issue is not a vulnerability.
Fixed a possible use after free when reading logical signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read when reading PDB signatures. This
issue is not a vulnerability.
Fixed a possible heap overflow read in javascript normalizer module.
This issue is not a vulnerability.
Fixed two bugs that would cause Freshclam to fail update when applying
a CDIFF database patch if that patch adds a file to the database
archive or removes a file from the database archive. This bug also
caused Sigtool to fail to create such a patch.
Fixed an assortment of complaints identified by Coverity static analysis.
Fixed one of the Freshclam tests that was failing on some Fedora
systems due to a bug printing debug-level log messages to stdout. Fix
courtesy of Arjen de Korte.
Correctly remove temporary files generated by the VBA and XLM
extraction modules so that the files are not leaked in patched versions
of ClamAV where temporary files are written directly to the
temp-directory instead of writing to a unique subdirectory."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 5.1.2 to 6.0
- Update of rootfile
- sobump occurs so find-dependencies checked and the addons mpd, shairport-sync &
minidlna will be bumped to the next PAK_VER as a patch set with this change.
- Changelog
version 6.0:
- Radiance HDR image support
- ddagrab (Desktop Duplication) video capture filter
- ffmpeg -shortest_buf_duration option
- ffmpeg now requires threading to be built
- ffmpeg now runs every muxer in a separate thread
- Add new mode to cropdetect filter to detect crop-area based on motion vectors and edges
- VAAPI decoding and encoding for 10/12bit 422, 10/12bit 444 HEVC and VP9
- WBMP (Wireless Application Protocol Bitmap) image format
- a3dscope filter
- bonk decoder and demuxer
- Micronas SC-4 audio decoder
- LAF demuxer
- APAC decoder and demuxer
- Media 100i decoders
- DTS to PTS reorder bsf
- ViewQuest VQC decoder
- backgroundkey filter
- nvenc AV1 encoding support
- MediaCodec decoder via NDKMediaCodec
- MediaCodec encoder
- oneVPL support for QSV
- QSV AV1 encoder
- QSV decoding and encoding for 10/12bit 422, 10/12bit 444 HEVC and VP9
- showcwt multimedia filter
- corr video filter
- adrc audio filter
- afdelaysrc audio filter
- WADY DPCM decoder and demuxer
- CBD2 DPCM decoder
- ssim360 video filter
- ffmpeg CLI new options: -stats_enc_pre[_fmt], -stats_enc_post[_fmt],
-stats_mux_pre[_fmt]
- hstack_vaapi, vstack_vaapi and xstack_vaapi filters
- XMD ADPCM decoder and demuxer
- media100 to mjpegb bsf
- ffmpeg CLI new option: -fix_sub_duration_heartbeat
- WavArc decoder and demuxer
- CrystalHD decoders deprecated
- SDNS demuxer
- RKA decoder and demuxer
- filtergraph syntax in ffmpeg CLI now supports passing file contents
as option values, by prefixing option name with '/'
- hstack_qsv, vstack_qsv and xstack_qsv filters
For more details about the changes you have to review the commits in the git repo
https://git.ffmpeg.org/gitweb/ffmpeg.git/shortlog/n6.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Updsate from version 1.3.1 to 1.4
- Update of rootfile
- Changelog
opus 1.4 major release brings the following improvements and fixes:
Improved tuning of the Opus in-band FEC (LBRR).
See https://gitlab.xiph.org/xiph/opus/-/issues/2360 for details
Added a OPUS_SET_INBAND_FEC(2) option that turns on FEC, but does not force
SILK mode (FEC will be disabled in CELT mode)
Improved tuning and various fixes to DTX
Added Meson support, improved CMake support In addition to the improvements
above, this release includes many minor bug fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 2.26.4 to 2.26.5
- Update of rootfile
- Changelog
2.26.5
The minimum deployment target on macOS is now 10.11, due to changes in the
latest Xcode update
Fixed incorrect modifier keys handling on macOS
Fixed occasional duplicate controller visible on macOS
Fixed handling of third party PS4 controller input reports
Added support for the trigger buttons on the Victrix Pro FS for PS5
Added mapping for Flydigi Vader 2 with the latest firmware (6.0.4.9)
Added mapping for DualSense Edge Wireless Controller on Linux
Added mapping for Hori Pokken Tournament DX Pro Pad
Improved the speed and quality of audio resampling
Fixed crash on Linux if dbus can't be initialized
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 4.17.5 to 4.18.1
- Update of rootfile
some libraries now use x86-64 instead of x86_64 but most are still left with x86_64
Good thing that we create a separate version of the rootfile for each architecture
because it is no longer just the arm version that is unique but also the x86_64 one.
- Since version 4.17.0 it has been possible to do a build excluding SMB1 server capability.
As SMB1 is insecure and has known exploits including ransomeware based ones it seems
reasonable to build samba without SMB1 server capability for use on a firewall.
The option to build wiythout SMB1 server capability has been added to the LFS file.
- Changelog
Release Notes for Samba 4.18.1
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.18.0
NEW FEATURES/CHANGES
SMB Server performance improvements
The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.
While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.
More succinct samba-tool error messages
Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:
* a username or password is incorrect
* an ldb database filename is wrong (including in smb.conf)
* samba-tool dns: various zones or records do not exist
* samba-tool ntacl: certain files are missing
* the network seems to be down
* bad --realm or --debug arguments
Accessing the old samba-tool messages
This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.
The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.
Colour output with samba-tool --color
For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.
* samba-tool drs showrepl: default is now 'auto', not 'no'
* samba-tool visualize: the interactions between --color-scheme,
--color, and --output have changed slightly. When --color-scheme is
set it overrides --color for the purpose of the output diagram, but
not for other output like error messages.
New samba-tool dsacl subcommand for deleting ACES
The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.
No colour with NO_COLOR environment variable
With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.
New wbinfo option --change-secret-at
The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.
New option to change the NT ACL default location
Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.
Azure Active Directory / Office365 synchronisation improvements
Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
REMOVED FEATURES
smb.conf changes
Parameter Name Description Default
acl_xattr:security_acl_name New security.NTACL
server addresses New
CHANGES SINCE 4.18.0rc4
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
CHANGES SINCE 4.18.0rc3
* BUG 15308: Avoid that tests fail because other tests didn't do cleanup on
failure.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
CHANGES SINCE 4.18.0rc2
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0).
(tevent 0.14.1 and ldb 2.7.1 are already released...)
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1.
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
CHANGES SINCE 4.18.0rc1
* BUG 10635: Office365 azure Password Sync not working.
* BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
Release Notes for Samba 4.17.7
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
allow full write to all attributes (additional changes).
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.17.6
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- powertop requires debug_fs to be enabled in the kernel for it to function. In Core
Update 171 debug_fs was disabled as a security risk for a firewall application.
- Based on the above powertop has stopped functioning since Core Update 171. Discussed
at IPFire Developers monthly conf call for April and agreed to remove the addon as
debug_fs will not be re-enabled.
- removal of lfs and rootfiles and removal of powertop line in make.sh
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.23.12 to 1.27.100
- Update of rootfile
- Changelog is over 2000 lines long. For details please see the CHNGELOG.rst file in the
source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 10.0.0 to 10.01.1
- Update of rootfile
- Changelog highlights is only shown in the website. For more details of the changes made
you bhave to go and look at the commit log
https://git.ghostscript.com/?p=ghostpdl.git;a=shortlog;h=refs/heads/master
Version 10.01.0 (2023-03-22)
Highlights in this release include:
We've continued to improve the performance of the PDF interpreter written in
C and improve it's behaviour in edge and out-of-specification cases.
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental
improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 17.04 to 17.05
- Update of rootfile
- Changelog
Version 17.05
- add UTF-8 support for Client7z
- fix issue 130
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.187 to 0.189
- Update of rootfile
- Changelog
Version 0.189 "Don't deflate!"
configure: eu-nm, eu-addr2line and eu-stack can provide demangled symbols
when linked with libstdc++. Use --disable-demangler to disable.
A new option --enable-sanitize-memory has been added for msan
sanitizer support.
libelf: elf_compress now supports ELFCOMPRESS_ZSTD when build against
libzstd
libdwfl: dwfl_module_return_value_location now returns 0 (no return type)
for DIEs that point to a DW_TAG_unspecified_type.
elfcompress: -t, --type= now support zstd if libelf has been build with
ELFCOMPRESS_ZSTD support.
backends: Add support for LoongArch and Synopsys ARCv2 processors.
Version 0.188 "no section left behind"
readelf: Add -D, --use-dynamic option.
debuginfod-client: Add $DEBUGINFOD_HEADERS_FILE setting to supply outgoing
HTTP headers. Add new function debuginfod_find_section.
debuginfod: Add --disable-source-scan option.
libdwfl: Add new function dwfl_get_debuginfod_client.
Add new function dwfl_frame_reg.
Add new function dwfl_report_offline_memory.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 2.26.2 to 2.26.4
- Update of rootfile
- Changelog
2.26.4 Latest
Fixed relative mouse motion over remote desktop on Windows
Fixed using older game controller mappings on Linux
2.26.3
Fixed infinite loop shutting down WGI controllers
Fixed centering the D-pad on some Xbox controllers
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
- Update from version 65.4.1 to 67.5.1
- Update of rootfile
- Changelog
v67.5.1
Misc
* #3836: Fixed interaction between ``setuptools``' package auto-discovery and
auto-generated ``htmlcov`` files.
Previously, the ``htmlcov`` name was ignored when searching for single-file
modules, however the correct behaviour is to ignore it when searching for
packages (since it is supposed to be a directory, see `coverage config`_)
-- by :user:`yukihiko-shinoda`.
.. _coverage config: https://coverage.readthedocs.io/en/stable/config.html#html-directory
* #3838: Improved error messages for ``pyproject.toml`` validations.
* #3839: Fixed ``pkg_resources`` errors caused when parsing metadata of packages that
are already installed but do not conform with PEP 440.
v67.5.0
Changes
* #3843: Although pkg_resources has been discouraged for use, some projects still
consider pkg_resources viable for usage. This change makes it clear that
pkg_resources should not be used, emitting a DeprecationWarning when imported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 4.17.0.3 to 4.19.0.1
- Changelog
v4.19.0.1 - Release date: 2023-02-02
Rebased with official coreboot repository commit 2ccbcc5
Removed configuration and mainboard files for apu1 due to the board being dropped from upstream coreboot
See: https://github.com/pcengines/coreboot/compare/v4.17.0.3...v4.19.0.1
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
- Update from version 1.14.4 to 1.14.6
- Update of rootfile
- The Denial of service issue mentioned first in the changelog is not applicable to IPFire
as the build is done without asserts enabled.
- Changelog
dbus 1.14.6 (2023-02-08)
Denial of service fixes:
• Fix an incorrect assertion that could be used to crash dbus-daemon or
other users of DBusServer prior to authentication, if libdbus was compiled
with assertions enabled.
We recommend that production builds of dbus, for example in OS distributions,
should be compiled with checks but without assertions.
(dbus#421, Ralf Habacker; thanks to Evgeny Vereshchagin)
Other fixes:
• When connected to a dbus-broker, stop dbus-monitor from incorrectly
replying to Peer method calls that were sent to the dbus-broker with
a NULL destination (dbus#301, Kai A. Hiller)
• Fix out-of-bounds varargs read in the dbus-daemon's config-parser.
This is not attacker-triggerable and appears to be harmless in practice,
but is technically undefined behaviour and is detected as such by
AddressSanitizer. (dbus!357, Evgeny Vereshchagin)
• Avoid a data race in multi-threaded use of DBusCounter
(dbus#426, Ralf Habacker)
• Fix a crash with some glibc versions when non-auditable SELinux events
are logged (dbus!386, Jeremi Piotrowski)
• If dbus_message_demarshal() runs out of memory while validating a message,
report it as NoMemory rather than InvalidArgs (dbus#420, Simon McVittie)
• Use C11 _Alignof if available, for better standards-compliance
(dbus!389, Khem Raj)
• Stop including an outdated copy of pkg.m4 in the git tree
(dbus!365, Simon McVittie)
• Documentation:
· Consistently use Gitlab bug reporting URL (dbus!372, Marco Trevisan)
• Tests fixes:
· Fix the test-apparmor-activation test after dbus#416
(dbus!380, Dave Jones)
Internal changes:
• Fix CI builds with recent git versions (dbus#447, Simon McVittie)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.6.12 to 1.7.23
- Update of rootfile
- Changelog
Most changes are related to additional printers except for
1.7.10
* Fixed the problem that epson-escpr-wrapper filter would crash
when cupsRasterReadHeader failed.
1.7.7.2
* Supported new model.
* Fixed an issue of filter crash when FIFO I/O was closed.
1.7.0
* Supported new models.
* Applied Privacy Statement.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- This patch is to move the rng-tools package from a core package to an addon. With the
kernel changes from 5.6 rngd is no longer needed to create the required kernel entropy.
- The results from HRNG's via rngd are used with an XOR after the entropy is
collected by the kernel. So the HWRNG output is used to dilute the kernel random number
data, which is already merged from several sources.
- Based on the above and @Paul's request in the bug report to have rng-tools kept as an
addon this patch set is submitted for consideration to keep rng-tools but as an addon.
- move rng-tools rootfile from common to packages
- Modify rng-tools lfs from core package to addon package
- Create rng-tools pak to install and uninstall - creating rc.d links for start & stop.
- Move rngd initscript from system to packages directory.
- Installed into my vm testbed and confirmed that it works. No rngd daemon installed
from iso install. After addon install rngd is present and running. Added various files
to be able to test the services wui page. rngd shows up and can be turned off and on
Fixes: Bug#12900
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- Update from version 4.3 to 4.4
- Update of rootfile
- the $(MAKETUNING) option does not work with the elinks build with version 4.4 A linked
patch has been created for the removal of that option from the elinks lfs file.
- Changelog
Version 4.4 (31 Oct 2022)
A complete list of bugs fixed in this version is available here:
https://sv.gnu.org/bugs/index.php?group=make&report_id=111&fix_release_id=109&set=custom
* WARNING: Deprecation!
The following systems are deprecated in this release:
- OS/2 (EMX)
- AmigaOS
- Xenix
- Cray
In the NEXT release of GNU Make, support for these systems will be removed.
If you want to see them continue to be supported, contact <bug-make@gnu.org>.
* WARNING: Future backward-incompatibility!
In the NEXT release of GNU Make, pattern rules will implement the same
behavior change for multiple targets as explicit grouped targets, below: if
any target of the rule is needed by the build, the recipe will be invoked if
any target of the rule is missing or out of date. During testing some
makefiles were found to contain pattern rules that do not build all targets;
this can cause issues so we are delaying this change for one release cycle
to allow these makefiles to be updated. GNU Make shows a warning if it
detects this situation: "pattern recipe did not update peer target".
* WARNING: Backward-incompatibility!
GNU Make now uses temporary files in more situations than previous releases.
If your build system sets TMPDIR (or TMP or TEMP on Windows) and deletes the
contents during the build, or uses restrictive permissions, this may cause
problems. You can choose an alternative temporary directory only for use by
GNU Make by setting the new MAKE_TMPDIR environment variable before invoking
make. Note that this value CANNOT be set inside the makefile, since make
needs to find its temporary directory before the makefiles are parsed.
* WARNING: Backward-incompatibility!
Previously each target in a explicit grouped target rule was considered
individually: if the targets needed by the build were not out of date the
recipe was not run even if other targets in the group were out of date. Now
if any of the grouped targets are needed by the build, then if any of the
grouped targets are out of date the recipe is run and all targets in the
group are considered updated.
* WARNING: Backward-incompatibility!
Previously if --no-print-directory was seen anywhere in the environment or
command line it would take precedence over any --print-directory. Now, the
last setting of directory printing options seen will be used, so a command
line such as "--no-print-directory -w" _will_ show directory entry/exits.
* WARNING: Backward-incompatibility!
Previously the order in which makefiles were remade was not explicitly
stated, but it was (roughly) the inverse of the order in which they were
processed by make. In this release, the order in which makefiles are
rebuilt is the same order in which make processed them, and this is defined
to be true in the GNU Make manual.
* WARNING: Backward-incompatibility!
Previously only simple (one-letter) options were added to the MAKEFLAGS
variable that was visible while parsing makefiles. Now, all options are
available in MAKEFLAGS. If you want to check MAKEFLAGS for a one-letter
option, expanding "$(firstword -$(MAKEFLAGS))" is a reliable way to return
the set of one-letter options which can be examined via findstring, etc.
* WARNING: Backward-incompatibility!
Previously makefile variables marked as export were not exported to commands
started by the $(shell ...) function. Now, all exported variables are
exported to $(shell ...). If this leads to recursion during expansion, then
for backward-compatibility the value from the original environment is used.
To detect this change search for 'shell-export' in the .FEATURES variable.
* WARNING: New build requirement
GNU Make utilizes facilities from GNU Gnulib: Gnulib requires certain C99
features in the C compiler and so these features are required by GNU Make:
https://www.gnu.org/software/gnulib/manual/html_node/C99-features-assumed.html
The configure script should verify the compiler has these features.
* New feature: The .WAIT special target
If the .WAIT target appears between two prerequisites of a target, then
GNU Make will wait for all of the targets to the left of .WAIT in the list
to complete before starting any of the targets to the right of .WAIT.
This feature is available in some other versions of make, and it will be
required by an upcoming version of the POSIX standard for make.
Different patches were made by Alexey Neyman <alex.neyman@auriga.ru> (2005)
and Steffen Nurpmeso <steffen@sdaoden.eu> (2020) that were useful but the
result is a different implementation (closer to Alexey's idea).
* New feature: .NOTPARALLEL accepts prerequisites
If the .NOTPARALLEL special target has prerequisites then all prerequisites
of those targets will be run serially (as if .WAIT was specified between
each prerequisite).
* New feature: The .NOTINTERMEDIATE special target
.NOTINTERMEDIATE disables intermediate behavior for specific files, for all
files built using a pattern, or for the entire makefile.
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* New feature: The $(let ...) function
This function allows user-defined functions to define a set of local
variables: values can be assigned to these variables from within the
user-defined function and they will not impact global variable assignments.
Implementation provided by Jouke Witteveen <j.witteveen@gmail.com>
* New feature: The $(intcmp ...) function
This function allows conditional evaluation controlled by a numerical
comparison.
Implementation provided by Jouke Witteveen <j.witteveen@gmail.com>
* New feature: Improved support for -l / --load-average
On systems that provide /proc/loadavg (Linux), GNU Make will use it to
determine the number of runnable jobs and use this as the current load,
avoiding the need for heuristics.
Implementation provided by Sven C. Dack <sdack@gmx.com>
* New feature: The --shuffle command line option
This option reorders goals and prerequisites to simulate non-determinism
that may be seen using parallel build. Shuffle mode allows a form of "fuzz
testing" of parallel builds to verify that all prerequisites are correctly
described in the makefile.
Implementation provided by Sergei Trofimovich <siarheit@google.com>
* New feature: The --jobserver-style command line option and named pipes
A new jobserver method is used on systems where mkfifo(3) is supported.
This solves a number of obscure issues related to using the jobserver
and recursive invocations of GNU Make. This change means that sub-makes
will connect to the jobserver even if they are not marked as recursive.
It also means that other tools that want to participate in the jobserver
will need to be enhanced as described in the GNU Make manual.
You can force GNU Make to use the simple pipe-based jobserver (perhaps if
you are integrating with other tools or older versions of GNU Make) by
adding the '--jobserver-style=pipe' option to the command line of the
top-level invocation of GNU Make, or via MAKEFLAGS or GNUMAKEFLAGS.
To detect this change search for 'jobserver-fifo' in the .FEATURES variable.
* Some POSIX systems (*BSD) do not allow locks to be taken on pipes, which
caused the output sync feature to not work properly there. Also multiple
invocations of make redirecting to the same output file (e.g., /dev/null)
would cause hangs. Instead of locking stdout (which does have some useful
performance characteristics, but is not portable) create a temporary file
and lock that. Windows continues to use a mutex as before.
* GNU Make has sometimes chosen unexpected, and sub-optimal, chains of
implicit rules due to the definition of "ought to exist" in the implicit
rule search algorithm, which considered any prerequisite mentioned in the
makefile as "ought to exist". This algorithm has been modified to prefer
prerequisites mentioned explicitly in the target being built and only if
that results in no matching rule, will GNU Make consider prerequisites
mentioned in other targets as "ought to exist".
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* GNU Make was performing secondary expansion of all targets, even targets
which didn't need to be considered during the build. In this release
only targets which are considered will be secondarily expanded.
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* If the MAKEFLAGS variable is modified in a makefile, it will be re-parsed
immediately rather than after all makefiles have been read. Note that
although all options are parsed immediately, some special effects won't
appear until after all makefiles are read.
* The -I option accepts an argument "-" (e.g., "-I-") which means "reset the
list of search directories to empty". Among other things this can be used
to prevent GNU Make from searching in its default list of directories.
* New debug option "print" will show the recipe to be run, even when silent
mode is set, and new debug option "why" will show why a target is rebuilt
(which prerequisites caused the target to be considered out of date).
Implementation provided by David Boyce <David.S.Boyce@gmail.com>
* The existing --trace option is made equivalent to --debug=print,why
* Target-specific variables can now be marked "unexport".
* Exporting / unexporting target-specific variables is handled correctly, so
that the attribute of the most specific variable setting is used.
* Special targets like .POSIX are detected upon definition, ensuring that any
change in behavior takes effect immediately, before the next line is parsed.
* When the pipe-based jobserver is enabled and GNU Make decides it is invoking
a non-make sub-process and closes the jobserver pipes, it will now add a new
option to the MAKEFLAGS environment variable that disables the jobserver.
This prevents sub-processes that invoke make from accidentally using other
open file descriptors as jobserver pipes. For more information see
https://savannah.gnu.org/bugs/?57242 and https://savannah.gnu.org/bugs/?62397
* A long-standing issue with the directory cache has been resolved: changes
made as a side-effect of some other target's recipe are now noticed as
expected.
* GNU Make can now be built for MS-Windows using the Tiny C tcc compiler.
Port provided by Christian Jullien <eligis@orange.fr>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
This removes support for building IPFire for 32 bit ARM architectures.
This has been decided in August 2022 with six months notice as there are
not very many users and hardware is generally not available any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- libtirpc is required for lsof to work from CU172 onwards. rpc.h is no longer available
from glibc. This would normally cause the lsof build to fail but libtirpc as an addon
is built before lsof and so is present in the build and lsof is linked to it.
When running lsof it fails as the linked libtirpc library is not present unless it has
been installed as an addon.
- This patch converts the libtirpc lfs from an addon to a core program and moves the
rootfile from the packages directory to the common directory.
- Tested out on my vm testbed. With CU172 lsof fails to run due to the missing libtirpc
With the build based on this patch installed lsof works normally again.
- Disabled the static library build in the configure options and updated the rootfile
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Fixes: Bug#13015
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
[Please note: This 'clamav' version needs rust >1.56]
For details see:
https://blog.clamav.net/2022/11/clamav-100-lts-released.html
Excerpt:
"Major changes
Support for decrypting read-only OLE2-based XLS files that are encrypted with the default password. Use of
the default password will now appear in the metadata JSON.
Overhauled the implementation of the all-match feature. The newer code is more reliable and easier to
maintain.
This project fixed several known issues with signature detection in all- match mode:
Enabled embedded file-type recognition signatures to match when a malware signature also matched in
a scan of the same layer.
Enabled bytecode signatures to run in all-match mode after a match has occurred.
Fixed an assortment of all-match edge case issues.
Added multiple test cases to verify correct all-match behavior.
Added a new callback to the public API for inspecting file content during a scan at each layer of archive
extraction.
The new callback function type is clcb_file_inspection defined in clamav.h.
The function cl_engine_set_clcb_file_inspection() may be used to enable the callback prior to performing
a scan.
This new callback is to be considered unstable for the 1.0 release. We may alter this function in a
subsequent feature version.
Added a new function to the public API for unpacking CVD signature archives.
The new function is cl_cvdunpack(). The last parameter for the function may be set to verify if a CVD's
signature is valid before unpacking the CVD content to the destination directory.
The option to build with an external TomsFastMath library has been removed. ClamAV requires non-default
build options for TomsFastMath to support bigger floating point numbers. Without this change, database and
Windows EXE/DLL authenticode certificate validation may fail. The ENABLE_EXTERNAL_TOMSFASTMATH build is now
ignored.
Moved the Dockerfile and supporting scripts from the main ClamAV repository over to a new
repository: https://github.com/Cisco-Talos/clamav-docker
The separate repository will make it easier to update the images and fix issues with images for released
ClamAV versions.
Any users building the ClamAV Docker image rather than pulling them from Docker Hub will have to get the
latest Docker files from the new location.
Increased the SONAME major version for libclamav because of ABI changes between the 0.103 LTS release and
the 1.0 LTS release.
Other improvements
Add checks to limit PDF object extraction recursion.
Increased the limit for memory allocations based on untrusted input and altered the warning message when the
limit is exceeded so that it is more helpful and less dramatic.
Dramatically improved the build time of libclamav-Rust unit tests. The unit test build is included in the
time limit for the test itself and was timing out on slower systems. The ClamAV Rust code modules now share
the same build directory, which also reduces the amount of disk space used for the build.
For Windows: The debugging symbol (PDB) files are now installed alongside the DLL and LIB library files when
built in "RelWithDebInfo" or "Debug" mode.
Relaxed the constraints on the check for overlapping ZIP file entries so as not to alert on slightly
malformed, but non-malicious, Java (JAR) archives.
Increased the time limit in FreshClam before warning if the DNS entry is stale. In combination with changes
to update the DNS entry more frequently, this should prevent false alarms of failures in the database
publication system.
Docker: The C library header files are now included in the Docker image. Patch courtesy of GitHub user
TerminalFi.
Show the BYTECODE_RUNTIME build options when using the ccmake GUI for CMake. Patch courtesy of
Дилян Палаузов.
Added explicit minimum and maximum supported LLVM versions so that the build will fail if you try to build
with a version that is too old or too new and will print a helpful message rather than simply failing to
compile because of compatibility issues. Patch courtesy of Matt Jolly.
Fixed compiler warnings that may turn into errors in Clang 16. Patch courtesy of Michael Orlitzky.
Allow building with a custom RPATH so that the executables may be moved after build in a development
environment to a final installation directory.
Bug fixes
Assorted code quality fixes. These are not security issues and will not be backported to prior feature
versions:
Several heap buffer overflows while loading PDB and WDB databases were found by OSS-Fuzz and by Michal
Dardas.
oss-fuzz 43843: heap buffer overflow read (1) cli_sigopts_handler
oss-fuzz 44849: heap buffer overflow read (4) in HTML/js-norm
oss-fuzz 43816: heap buffer overflow read (8) in cli_bcomp_freemeta
oss-fuzz 43832: heap buffer overflow read (2) in cli_parse_add
oss-fuzz 44493: integer overflow in cli_scannulsft
CIFuzz leak detected in IDB parser
oss-fuzz assorted signature parser leaks
oss-fuzz 40601: leak detected in pdf_parseobj
Fixed a build failure when using LIBCLAMAV_ONLY mode with tests enabled.
Fixed an issue verifying EXE/DLL authenticode signatures to determine a given file can be trusted (skipped).
Fixed a caching bug relating to the Container and Intermediates logical signature condition.
Fixed a build issue when build with RAR disabled or when building with an external libmspack library rather
than the bundled library.
Fixed the capitalization of the -W option for clamonacc in the clamonacc manpage. Patch courtesy of GitHub
user monkz.
macOS: Fixed an issue with memory-map (mmap) system call detection affecting versions 0.105 and 0.104.
Memory maps may be used in ClamAV to improve signature load performance and scan performance, as well as RAM
usage.
Fixed a performance issue with Rust code when the build type is not explicitly set to "Release" or
"RelWithDebInfo". The Rust default build type is now "RelWithDebInfo" just like the C code, instead of
Debug. This means it is now optimized by default.
Fixed an issue loading Yara rules containing regex strings with an escaped forward-slash (\/) followed by a
colon (:).
Fixed an issue detecting and scanning ZIP file entries appended to very small files. The fix is part of the
all-match feature overhaul.
Fixed a detection issue with EXE/DLL import-address-table hash signatures that specify a wildcard (*) for
the size field. The fix is part of the all-match feature overhaul.
Fixed the default bytecode timeout value listed in the manpages and in the sample config files. Patches
courtesy of Liam Jarvis and Ben Bodenmiller.
Fixed an issue building the libclamav_rust test program when running ctest if building
with BYTECODE_RUNTIME=llvm and when the FindLLVM.cmake module is used to find the LLVM libraries. Patch
courtesy of GitHub user teoberi.
Fixed an issue where scans sent to clamd with the all-match mode enabled caused all subsequent scans to also
use all-match mode.
Fixed bug when starting clamonacc with the --log=FILE option that created randomly named files in the
current directory.
Other assorted bug fixes."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
