- Update from version 2.1.4 to 2.1.148
- Update of rootfile
- Minimum version of 2.1.128 will be required in a future frr release and currently needs
to be a minimum of 2.1.80 but not 2.1.111
- Changelog
2.1.148
Main changes of this release are:
lots of bugfixes and improvements in various parts of the library
2.1.128
Main changes of this release are:
revert of identityref canonical value change
the identity always printed with the module name as the prefix
data tree and hash table optimizations
opaque node handling fixes and improvements
lots of other bug fixes
2.1.111
Main changes of this release are:
opaque node parsing improved
native RESTCONF operation parsing support
union value error reporting improved
new yanglint and yangre tests
optional support for leafref with XPath functions
lots of other fixes and improvements
2.1.80
Main changes of this release are:
RESTCONF message parsing
JSON parser refactor
timezone DST handling
public hash table API
stored union value bugfix
many other clarifications, improvements, and bugfixes
2.1.55
Main changes of this release are:
type compilation fixes
multi-error validation support
JSON parser fixes
portability improvements
schema-mount support improvements
minor optimizations
other minor fixes
2.1.30
Main changes of this release are:
many JSON printer/parser fixes and improvements
unintentionally large library size reduced
thread safety improvements
big-endian compatibility fix
uncrustify updated
lots of other fixes and improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.5.2 to 9.1
- Update of rootfile
- Build dependencies of frr now include protobuf-c. protobuf-c requires protobuf.
protobuf requires abseil-cpp.
- Build dependency of libyang will have a minimum version requirement of 2.1.128 coming
out of an issue. Minimum version for frr-9.1 is 2.1.80 but excluding 2.1.111 due to
API issues. Based on the near future requirement being 2.1.128 will move to current
latest version of 2.1.148
- This patch set includes the above build dependencies
- Changelog
9.1
FRR 9.1 brings a long list of enhancements and fixes with 941 commits from 73
developers.
OSPFv2 HMAC-SHA Cryptographic Authentication
Specify that HMAC cryptographic authentication must be used on a
specific interface using a key chain.
BGP MAC-VRF Site-Of-Origin support
In some EVPN deployments, it is useful to associate a logical VTEP’s
Layer 2 domain (MAC-VRF) with a Site-of-Origin “site” identifier. This
provides a BGP topology-independent means of marking and
import-filtering EVPN routes originating from a particular L2 domain.
One situation where this is valuable is when deploying EVPN using
anycast VTEPs, i.e. Active/Active MLAG, as it can be used to avoid
ownership conflicts between the two control planes (EVPN vs MLAG).
BGP Dynamic capability support
Added support for Graceful-Restart, Long-lived Graceful-Restart,
Software-version, and Role BGP capabilities to be adjusted dynamically
using BGP dynamic capability.
Dynamic BGP capability allows the dynamic update of capabilities over an
established BGP session. This capability would facilitate
non-disruptive capability changes by BGP speakers.
IS-IS SRv6 uSID support (RFC 9352)
The Segment Routing (SR) architecture allows a flexible definition of
the end-to-end path by encoding it as a sequence of topological
elements called "segments". It can be implemented over the MPLS or the
IPv6 data plane. This feature enables extensions in IS-IS to support
Segment Routing over the IPv6 data plane (SRv6) as per RFC 9352.
Next-hop resolution via the default route
Changed the default for a traditional profile to be enabled. The
datacenter profile is left as disabled.
Add support for VLAN, ECN, DSCP mangling/filtering
PBR maps are a way to specify a set of rules that are applied to packets
received on individual interfaces. If a received packet matches a rule,
the rule’s next-hop-group or next-hop is used to forward it; any other
actions specified in the rule are also applied to the packet.
With this change, we added more commands for PBR maps, like matching
src-ip, dst-ip, src-port, dst-port, vlan, dscp, ecn, and more.
libyang 2.1.80 related breaking changes
prefix-list matching in route-maps is fundamentally broken with
libyang 2.1.111. If you have this version, please downgrade to the most
stable version 2.1.80.
More details CESNET/libyang#2090
Other significant changes
Zebra support for route replace semantics in FPM link
New command for BGP neighbor x addpath-tx-best-selected link
New command for BGP mpls bgp l3vpn-multi-domain-switching link
A couple more new BGP route-map commands:
set as-path exclude all link
set as-path exclude as-path-access-list link
set extended-comm-list delete link
set as-path replace <any|ASN> [<ASN>] link
set as-path replace as-path-access-list WORD [<ASN>] link
match community-list X any UPDATE
Deprecations
Deprecate pre-standard outbound route filtering capability
Deprecate pre-standard route refresh capability
Drop deprecated capability
A complete log of changes can be found by browsing the commit history of the
FRR 9.1 tag
9.0.2
Fixed CVE-2023-47235
More details: https://frrouting.org/security/cve-2023-47235
Bug Fixes
bgpd
Fix aggregate-address summary-only suppressed export to EVPN
Allow using attribute number 255 for path attr discard/withdraw cmds
Check mandatory attributes more carefully for the UPDATE message
Do not suppress conditional advertisement updates if triggered
Fix Extended community memory leak
Fix the no set as-path prepend command
Fix heap-use-after-free for bgp_best_selection()
Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable()
Fix clear bgp ipv6 unicast ... command
Flush attributes only if we don't have to announce a conditional route
(avoid use-after-free)
Free memory for SRv6 functions and locator chunks
Handle MP_UNREACH_NLRI malformed packets with session reset
Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
Initialise timebuf arrays to zeros for dampening reuse timer
Initialise buffer in bgp_notify_admin_message() before using it
LTTng add EVPN route trace events
Make sure dampening is enabled for the specified AFI/SAFI
Use proper AFI when dumping information for dampening stuff
Treat the AS4-PATH attribute as withdrawn if malformed
Treat PMSI tunnel attribute as withdrawn if malformed
Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
eigrpd
Use the correct memory pool on interface deletion
mgmtd
Change mgmtd_vty_port to 2623
Fix crash on show mgmtd datastore-contents
ospf6d
Fix setting of the forwarding address in as-external LSAs
Set loopback interface cost to 0
ospfd
Fixing infinite loop when listing OSPF interfaces
pathd
Add no msd command
Add no pcep command
pbrd
Fix show pbr map detail json command
Free memory in pbr_map_delete()
pim6d
Fix valgrind issues
pimd
Fix missing pimreg interface
tools
Fix the frr-reload interface description command
Fix the frr-reload route-map description command
Make --quiet actually suppress output
vtysh
Fix entering configuration node in file-lock mode
Fix configure terminal argument descriptions
Fix working in file-lock mode
Fix show route map json output
zebra
Add encap type when building packet for FPM
Display ptmStatus order in interface JSON
Fix connected route deletion when multiple entry exists
Fix FPM multipath encap addition
Fix link update for veth interfaces
Fix zebra crash when replacing nhe during shutdown
Prevent null pointer dereference
9.0.1
Bug Fixes
bgpd
Add peers back to peer hash when peer_xfer_conn fails
Check the length of the rcv software version
Do not explicitly print maxttl value for ebgp-multihop vty output
Do not process nlris if the attribute length is zero
Don't read the first byte of orf header if we are ahead of stream
Evpn code was not properly unlocking rd_dest
Fix show bgp all rpki notfound
Make sure we have enough data to read two bytes when validating aigp
Use treat-as-withdraw for tunnel encapsulation attribute
zebra
Fix evpn nexthop config order
lib
Allow unsetting walltime-warning and cpu-warning
ospfd
Prevent use after free( and crash of ospf ) when no router ospf
pimd
Prevent crash when receiving register message when the rp() is unknown
When receiving a packet be more careful with length in pim_pim_packet
vtysh
Print uniq lines when parsing no service ...
8.5.4
Fixed CVE-2023-47235
More details: https://frrouting.org/security/cve-2023-47235
Bug Fixes
bgpd
Check mandatory attributes more carefully for the UPDATE message
Do not suppress conditional advertisement updates if triggered
Fix crash in SNMP BGP4V2-MIB bgpv2PeerErrorsTable()
Handle MP_UNREACH_NLRI malformed packets with session reset
Ignore handling NLRIs if we received the MP_UNREACH_NLRI attribute
Initialise timebuf arrays to zeros for dampening reuse timer
Initialise buffer in bgp_notify_admin_message() before using it
Make sure dampening is enabled for the specified AFI/SAFI
Use proper AFI when dumping information for dampening stuff
Treat EOR as withdrawn to avoid unwanted handling of malformed attrs
eigrpd
Use the correct memory pool on interface deletion
vtysh
Fix show route map JSON output
ospfd
Fix infinite loop when listing OSPF interfaces
pbrd
Fix show pbr map detail json output
zebra
Add encap type when building packet for FPM
Display ptmStatus order in interface JSON
Fix connected route deletion when multiple entry exists
Fix FPM multipath encap addition
Fix link update for veth interfaces
Fix zebra crash when replacing nhe during shutdown
Prevent null pointer dereference
8.5.3
Bug Fixes
bgpd
Add peers back to peer hash when peer_xfer_conn fails
Do not explicitly print maxttl value for ebgp-multihop vty output
Do not process nlris if the attribute length is zero
Do not try to redistribute routes if we are shutting down
Don't read the first byte of orf header if we are ahead of stream
Evpn code was not properly unlocking rd_dest
Fix show bgp all rpki notfound
Fix session reset issue caused by malformed core attributes
Free bgp vpn policy
Free previously dup'ed aspath attribute for aggregate routes
Free temporary memory after using argv_concat()
Intern attributes before putting into rib-out
Make sure we have enough data to read two bytes when validating aigp
Prevent use after free
Rfapi memleak fixes, clean ce tables at exit
Unlock dest if we return earlier for aggregate install
Use treat-as-withdraw for tunnel encapsulation attribute
zebra
Fix evpn nexthop config order
Abstract dplane_ctx_route_init to init route without copying
Fix crash when dplane_fpm_nl fails to process received routes
Further handle route replace semantics
Fix command ipv6 nht xxx
lib
Allow unsetting walltime-warning and cpu-warning
Skip route-map optimization if !af_inet(6)
Use max_bitlen instead of magic number
ospf6d
Fix crash because neighbor structure was freed
Stop crash in ospf6_write
ospfd
Check for nulls in vty code
Prevent use after free( and crash of ospf ) when no router ospf
pbrd
Fix crash with match command
pimd
Prevent crash when receiving register message when the rp() is unknown
When receiving a packet be more careful with length in pim_pim_packet
ripd, ripngd
Revert "Cleanup memory allocations on shutdown"
tools
Add what frr thinks as the fib routes for support_bundle
vtysh
Print uniq lines when parsing no service ...
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.5.3 to 1.6.0
- Update of rootfile
- A build bug was found with 1.6.0 if --enable-read-both-confs was set in the configure.
A commit fixing this has been released and converted into a patch for IPFire. This
will end up in the next pam release version and the IPFire patch can then be removed.
- Changelog
1.6.0
* Added support of configuration files with arbitrarily long lines.
* build: fixed build outside of the source tree.
* libpam: added use of getrandom(2) as a source of randomness if available.
* libpam: fixed calculation of fail delay with very long delays.
* libpam: fixed potential infinite recursion with includes.
* libpam: implemented string to number conversions validation when parsing
controls in configuration.
* pam_access: added quiet_log option.
* pam_access: fixed truncation of very long group names.
* pam_canonicalize_user: new module to canonicalize user name.
* pam_echo: fixed file handling to prevent overflows and short reads.
* pam_env: added support of '\' character in environment variable values.
* pam_exec: allowed expose_authtok for password PAM_TYPE.
* pam_exec: fixed stack overflow with binary output of programs.
* pam_faildelay: implemented parameter ranges validation.
* pam_listfile: changed to treat \r and \n exactly the same in configuration.
* pam_mkhomedir: hardened directory creation against timing attacks.
Please note that using *at functions leads to more open file handles
during creation.
* pam_namespace: fixed potential local DoS (CVE-2024-22365).
* pam_nologin: fixed file handling to prevent short reads.
* pam_pwhistory: helper binary is now built only if SELinux support is enabled.
* pam_pwhistory: implemented reliable usernames handling when remembering
passwords.
* pam_shells: changed to allow shell entries with absolute paths only.
* pam_succeed_if: fixed treating empty strings as numerical value 0.
* pam_unix: added support of disabled password aging.
* pam_unix: synchronized password aging with shadow.
* pam_unix: implemented string to number conversions validation.
* pam_unix: fixed truncation of very long user names.
* pam_unix: corrected rounds retrieval for configured encryption method.
* pam_unix: implemented reliable usernames handling when remembering passwords.
* pam_unix: changed to always run the helper to obtain shadow password entries.
* pam_unix: unix_update helper binary is now built only if SELinux support
is enabled.
* pam_unix: added audit support to unix_update helper.
* pam_userdb: added gdbm support.
* Multiple minor bug fixes, portability fixes, documentation improvements,
and translation updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.41 to 1.42
- Update of rootfile
- Changelog
1.42
** Bump required gettext version to 0.19.8 for musl-libc.
** Compiler warning improvements.
As before, compiler warnings are enabled by default. You may disable
them using ./configure --disable-gcc-warnings or turn them into fatal
errors using ./configure --enable-gcc-warnings=error to add -Werror
and sensible -Wno-error='s. Based on gnulib's manywarnings, see
<https://www.gnu.org/software/gnulib//manual/html_node/manywarnings.html>.
** Fix type confusion on LLP64/Windows platforms.
While libidn has worked using cygwin libc, it has never worked on
ucrt/msvcrt libc. Report and tiny patch by Francesco Pretto in
<https://lists.gnu.org/archive/html/help-libidn/2022-02/msg00000.html>.
** tests: Added script tests/standalone.sh suitable for integrators.
The main purpose is to test a system-installed libidn, suitable for
distributor checking (a'la Debian's autopkgtest/debci). It may also
be used to test a newly built libidn outside the usual 'make check'
infrastructure. To check that your system libidn is working, invoke
the script with `srcdir` as an environment variable indicating where
it can be find the source code for libidn's tests/ directory (it will
use the directory name where the script is by default):
tests/standalone.sh
To check that a newly built static libidn behaves, invoke:
env STANDALONE_CFLAGS="-Ilib lib/.libs/libidn.a"
tests/standalone.sh
To check that a newly built shared libidn behaves, invoke:
env srcdir=tests STANDALONE_CFLAGS="-Ilib -Wl,-rpath
lib/.libs lib/.libs/libidn.so" tests/standalone.sh
If the libidn under testing is too old and has known bugs, that
should cause tests to fail, which is intentional.
** Updated translations.
** Update gnulib files and build fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.8.2 to 3.8.3
- Update of rootfile
- Changelog
3.8.3
- libgnutls: Fix more timing side-channel inside RSA-PSK key exchange
[GNUTLS-SA-2024-01-14, CVSS: medium] [CVE-2024-0553]
- libgnutls: Fix assertion failure when verifying a certificate chain with a
cycle of cross signatures
[GNUTLS-SA-2024-01-09, CVSS: medium] [CVE-2024-0567]
- libgnutls: Fix regression in handling Ed25519 keys stored in PKCS#11 token
certtool was unable to handle Ed25519 keys generated on PKCS#11
with pkcs11-tool (OpenSC). This is a regression introduced in 3.8.2.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.0.4 to 4.0.5
- Update of rootfile
- Changelog
4.0.5
Highlights
Fixed 4.0.0 bug where the IP address field in UDP announces were not encoded
in network byte order. [BEP-15]. (#6132)
Fixed a bug that incorrectly escaped JSON strings in some locales.
(#6005, #6133)
Fixed 4.0.4 decreased download speeds for people who set a low upload
bandwidth limit. (#6134)
All Platforms
Fixed bug that prevented editing trackers on magnet links. (#5957)
Fixed HTTP tracker announces and scrapes sometimes failing after adding a
torrent file by HTTPS URL. (#5969)
In RPC responses, change the default sort order of torrents to match
Transmission 3.00. (#5604)
Fixed tr_sys_path_copy() behavior on some Synology Devices. (#5974)
macOS Client
Support Sonoma when building from sources. (#6016, #6051)
Fixed early truncation of long group names in groups list. (#6104)
Qt Client
Fix: only append .added suffix to watchdir files. (#5705)
GTK Client
Fixed crash when opening torrent file from "Recently used" section in
GTK 4. (#6131, #6142)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 23.08.0 to 24.01.0
- Update of rootfile
- Changelog
24.01.0:
core:
* Don't crash on certain documents on the NSS signature backend
* Fix infinite loop in some annotation code if there's not space for
even one character
* Fix build on Android with generic font configuration
* Small internal code cleanup
23.12.0:
core:
* Rewrite FoFiType1::parse to be more flexible. Issue #1422
* Small internal code refactoring
23.11.0:
core:
* CairoOutputDev: Use internal downscaling algorithm if image exceeds
Cairo's maximum dimensions.
* Internal code improvements
* Fix crash on malformed files
utils:
* pdftocairo: Add option to document logical structure if output is pdf
* pdftocairo: EPS output should not contain %%PageOrientation
23.10.0:
core:
* cairo: update type 3 fonts for cairo 1.18 api
* Fix crash on malformed files
build system:
* Make a few more dependencies soft-mandatory
* Add more supported gnupg releases
* Check if linker supports version scripts
23.09.0:
core:
* Add Android-specific font matching functionality
* Fix digital signatures for NeedAppearance=true
* Forms: Don't look up same glyph multiple times
* Provide the key location for certificates you can sign with
* Add ToUnicode support for similarequal
* Fix crash on malformed files
qt5:
* Provide the key location for certificates you can sign with
* Allow to force a rasterized overprint preview during PS conversion
qt6:
* Provide the key location for certificates you can sign with
* Allow to force a rasterized overprint preview during PS conversion
pdfsig:
* Provide the key location for certificates you can sign with
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.10.0 to 10.0.0
- Update of rootfile
- Changelog is too large to include here. Details can be found in the NEWS.rst file in the
source tarball
CVE-2023-3750 was fixed in version 9.6.0
Fix race condition in storage driver leading to a crash
In **libvirt-8.3** a bug was introduced which in rare cases could cause
``libvirtd`` or ``virtstoraged`` to crash if multiple clients attempted to
look up a storage volume by key, path or target path, while other clients
attempted to access something from the same storage pool.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.3.4 to 2.4.1
- Update of rootfile
- Changelog
2.4.1 (2023-07-20)
No change information available anywhere that I could find
2.4.0 (2023-01-18)
No change information available anywhere that I could find
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 10.0.0 to 10.2.1
- Update of rootfile
- Changelog is a bit too large to include here. Details can be found in ChangeLog.md file
in source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
new openssl need at least 2048 bit rsa keys for apache.
So if the existing is smaller a new 4096 bit key is generated.
fixes#13527
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
To quote from the kernel documentation:
> Historically the kernel has allowed TIOCSTI, which will push
> characters into a controlling TTY. This continues to be used
> as a malicious privilege escalation mechanism, and provides no
> meaningful real-world utility any more. Its use is considered
> a dangerous legacy operation, and can be disabled on most
> systems.
>
> Say Y here only if you have confirmed that your system's
> userspace depends on this functionality to continue operating
> normally.
>
> Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can
> use TIOCSTI even when this is set to N.
>
> This functionality can be changed at runtime with the
> dev.tty.legacy_tiocsti sysctl. This configuration option sets
> the default value of the sysctl.
This patch therefore proposes to no longer allow legacy TIOCSTI usage
in IPFire, given its security implications and the apparent lack of
legitimate usage.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This script has been modified when we touched ExtraHD in Core Update
179/180, but has been forgotten to be shipped.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The "ping" plugin does not re-resolve the gateway IP address after
pinging it for the first time. For most people this won't be a big
problem, but if the default gateway changes, the latency graph won't
work any more.
In order to do re-resolve "gateway", the only way is to restart
collectd.
Fixes: #13522
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
According to the source tarball's NEWS file:
- Improvements
- Allow passing a path to modprobe so the module is loaded from
anywhere from the filesystem, but still handling the module
dependencies recorded in the indexes. This is mostly intended for kernel
developers to speedup testing their kernel modules without having to load the
dependencies manually or override the module in /usr/lib/modules/.
Now it's possible to do:
# modprobe ./drivers/gpu/drm/i915/i915.ko
As long as the dependencies didn't change, this should do the right thing
- Use in-kernel decompression if available. This will check the runtime support
in the kernel for decompressing modules and use it through finit_module().
Previously kmod would fallback to the older init_module() when using
compressed modules since there wasn't a way to instruct the kernel to
uncompress it on load or check if the kernel supported it or not.
This requires a recent kernel (>= 6.4) to have that support and
in-kernel decompression properly working in the kernel.
- Make modprobe fallback to syslog when stderr is not available, as was
documented in the man page, but not implemented
- Better explaing `modprobe -r` and how it differentiates from rmmod
- depmod learned a `-o <dir>` option to allow using a separate output
directory. With this, it's possible to split the output files from
the ones used as input from the kernel build system
- Add compat with glibc >= 2.32.9000 that dropped __xstat
- Improve testsuite to stop skipping tests when sysconfdir is something
other than /etc
- Build system improvements and updates
- Change a few return codes from -ENOENT to -ENODATA to avoid confusing output
in depmod when the module itself lacks a particular ELF section due to e.g.
CONFIG_MODVERSIONS=n in the kernel.
- Bug Fixes
- Fix testsuite using uninitialized memory when testing module removal
with --wait
- Fix testsuite not correctly overriding the stat syscall on 32-bit
platforms. For most architectures this was harmless, but for MIPS it
was causing some tests to fail.
- Fix handling unknown signature algorithm
- Fix linking with a static liblzma, libzstd or zlib
- Fix memory leak when removing module holders
- Fix out-of-bounds access when using very long paths as argument to rmmod
- Fix warnings reported by UBSan
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Noteworthy changes in this release, according to
https://lists.gnu.org/archive/html/info-gnu/2023-05/msg00001.html :
* New option --ignore-dirnlink
Valid in copy-out mode, it instructs cpio to ignore the actual number
of links reported for each directory member and always store 2
instead.
* Changes in --reproducible option
The --reproducible option implies --ignore-dirlink. In other words,
it is equivalent to --ignore-devno --ignore-dirnlink --renumber-inodes.
* Use GNU ls algorithm for deciding timestamp format in -tv mode
* Bugfixes
** Fix cpio header verification.
** Fix handling of device numbers on copy out.
** Fix calculation of CRC in copy-out mode.
** Rewrite the fix for CVE-2015-1197.
** Fix combination of --create --append --directory.
** Fix appending to archives bigger than 2G.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
