- Update from version 5.4.6 to 5.6.0
- Update of rootfile
- Changelog
5.6.0 (2024-02-24)
This bumps the minor version of liblzma because new features were
added. The API and ABI are still backward compatible with liblzma
5.4.x and 5.2.x and 5.0.x.
NOTE: As described in the NEWS for 5.5.2beta, the core components
are now under the BSD Zero Clause License (0BSD).
Since 5.5.2beta:
* liblzma:
- Disabled the branchless C variant in the LZMA decoder based
on the benchmark results from the community.
- Disabled x86-64 inline assembly on x32 to fix the build.
* Sandboxing support in xz:
- Landlock is now used even when xz needs to create files.
In this case the sandbox is has to be more permissive than
when no files need to be created. A similar thing was
already in use with pledge(2) since 5.3.4alpha.
- Landlock and pledge(2) are now stricter when reading from
more than one input file and only writing to standard output.
- Added support for Landlock ABI version 4.
* CMake:
- Default to -O2 instead of -O3 with CMAKE_BUILD_TYPE=Release.
-O3 is not useful for speed and makes the code larger.
- Now builds lzmainfo and lzmadec.
- xzdiff, xzgrep, xzless, xzmore, and their symlinks are now
installed. The scripts are also tested during "make test".
- Added translation support for xz, lzmainfo, and the
man pages.
- Applied the symbol versioning workaround for MicroBlaze that
is used in the Autotools build.
- The general XZ Utils and liblzma API documentation is now
installed.
- The CMake component names were changed a little and several
were added. liblzma_Runtime and liblzma_Development are
unchanged.
- Minimum required CMake version is now 3.14. However,
translation support is disabled with CMake versions
older than 3.20.
- The CMake-based build is now close to feature parity with the
Autotools-based build. Most importantly a few tests aren't
run yet. Testing the CMake-based build on different operating
systems would be welcome now. See the comment at the top of
CMakeLists.txt.
* Fixed a bug in the Autotools feature test for ARM64 CRC32
instruction support for old versions of Clang. This did not
affect the CMake build.
* Windows:
- The build instructions in INSTALL and windows/INSTALL*.txt
were revised completely.
- windows/build-with-cmake.bat along with the instructions
in windows/INSTALL-MinGW-w64_with_CMake.txt should make
it very easy to build liblzma.dll and xz.exe on Windows
using CMake and MinGW-w64 with either GCC or Clang/LLVM.
- windows/build.bash was updated. It now works on MSYS2 and
on GNU/Linux (cross-compiling) to create a .zip and .7z
package for 32-bit and 64-bit x86 using GCC + MinGW-w64.
* The TODO file is no longer installed as part of the
documentation. The file is out of date and does not reflect
the actual tasks that will be completed in the future.
* Translations:
- Translated lzmainfo man pages are now installed. These
had been forgotten in earlier versions.
- Updated Croatian, Esperanto, German, Hungarian, Korean,
Polish, Romanian, Spanish, Swedish, Vietnamese, and Ukrainian
translations.
- Updated German, Korean, Romanian, and Ukrainian man page
translations.
* Added a few tests.
Summary of new features added in the 5.5.x development releases:
* liblzma:
- LZMA decoder: Speed optimizations to the C code and
added GCC & Clang compatible inline assembly for x86-64.
- Added lzma_mt_block_size() to recommend a Block size for
multithreaded encoding.
- Added CLMUL-based CRC32 on x86-64 and E2K with runtime
processor detection. Similar to CRC64, on 32-bit x86 it
isn't available unless --disable-assembler is used.
- Optimized the CRC32 calculation on ARM64 platforms using the
CRC32 instructions. Runtime detection for the instruction is
used on GNU/Linux, FreeBSD, Windows, and macOS. If the
compiler flags indicate unconditional CRC32 instruction
support (+crc) then the generic version is not built.
- Added definitions of mask values like
LZMA_INDEX_CHECK_MASK_CRC32 to <lzma/index.h>.
* xz:
- Multithreaded mode is now the default. This improves
compression speed and creates .xz files that can be
decompressed in multithreaded mode. The downsides are
increased memory usage and slightly worse compression ratio.
- Added a new command line option --filters to set the filter
chain using the liblzma filter string syntax.
- Added new command line options --filters1 ... --filters9 to
set additional filter chains using the liblzma filter string
syntax. The --block-list option now allows specifying filter
chains that were set using these new options.
- Ported the command line tools to Windows MSVC.
Visual Studio 2015 or later is required.
* Added lz4 support to xzdiff/xzcmp and xzgrep.
5.5.2beta (2024-02-14)
* Licensing change: The core components are now under the
BSD Zero Clause License (0BSD). In XZ Utils 5.4.6 and older
and 5.5.1alpha these components are in the public domain and
obviously remain so; the change affects the new releases only.
0BSD is an extremely permissive license which doesn't require
retaining or reproducing copyright or license notices when
distributing the code, thus in practice there is extremely
little difference to public domain.
* liblzma
- Significant speed optimizations to the LZMA decoder were
made. There are now three variants that can be chosen at
build time:
* Basic C version: This is a few percent faster than
5.4.x due to some new optimizations.
* Branchless C: This is currently the default on platforms
for which there is no assembly code. This should be a few
percent faster than the basic C version.
* x86-64 inline assembly. This works with GCC and Clang.
The default choice can currently be overridden by setting
LZMA_RANGE_DECODER_CONFIG in CPPFLAGS: 0 means the basic
version and 3 means that branchless C version.
- Optimized the CRC32 calculation on ARM64 platforms using the
CRC32 instructions. The instructions are optional in ARMv8.0
and are required in ARMv8.1 and later. Runtime detection for
the instruction is used on GNU/Linux, FreeBSD, Windows, and
macOS. If the compiler flags indicate unconditional CRC32
instruction support (+crc) then the generic version is not
built.
* Added lz4 support to xzdiff/xzcmp and xzgrep.
* Man pages of xzdiff/xzcmp, xzgrep, and xzmore were rewritten
to simplify licensing of the man page translations.
* Translations:
- Updated Chinese (simplified), German, Korean, Polish,
Romanian, Spanish, Swedish, and Ukrainian translations.
- Updated German, Korean, Romanian, and Ukrainian man page
translations.
* Small improvements to the tests.
* Added doc/examples/11_file_info.c. It was added to the Git
repository in 2017 but forgotten to be added into distribution
tarballs.
* Removed doc/examples_old. These were from 2012.
* Removed the macos/build.sh script. It had not been updated
since 2013.
5.5.1alpha (2024-01-26)
* Added a new filter for RISC-V binaries. The filter can be used
for 32-bit and 64-bit binaries with either little or big
endianness. In liblzma, the Filter ID is LZMA_FILTER_RISCV (0x0B)
and the xz option is --riscv. liblzma filter string syntax
recognizes this filter as "riscv".
* liblzma:
- Added lzma_mt_block_size() to recommend a Block size for
multithreaded encoding
- Added CLMUL-based CRC32 on x86-64 and E2K with runtime
processor detection. Similar to CRC64, on 32-bit x86 it
isn't available unless --disable-assembler is used.
- Implemented GNU indirect function (IFUNC) as a runtime
function dispatching method for CRC32 and CRC64 fast
implementations on x86. Only GNU/Linux (glibc) and FreeBSD
builds will use IFUNC, unless --enable-ifunc is specified to
configure.
- Added definitions of mask values like
LZMA_INDEX_CHECK_MASK_CRC32 to <lzma/index.h>.
- The XZ logo is now included in the Doxygen generated
documentation. It is licensed under Creative Commons
Attribution-ShareAlike 4.0.
* xz:
- Multithreaded mode is now the default. This improves
compression speed and creates .xz files that can be
decompressed multithreaded at the cost of increased memory
usage and slightly worse compression ratio.
- Added new command line option --filters to set the filter
chain using liblzma filter string syntax.
- Added new command line options --filters1 ... --filters9 to
set additional filter chains using liblzma filter string
syntax. The --block-list option now allows specifying filter
chains that were set using these new options.
- Added support for Linux Landlock as a sandboxing method.
- xzdec now supports pledge(2), Capsicum, and Linux Landlock as
sandboxing methods.
- Progress indicator time stats remain accurate after pausing
xz with SIGTSTP.
- Ported xz and xzdec to Windows MSVC. Visual Studio 2015 or
later is required.
* CMake Build:
- Supports pledge(2), Capsicum, and Linux Landlock sandboxing
methods.
- Replacement functions for getopt_long() are used on platforms
that do not have it.
* Enabled unaligned access by default on PowerPC64LE and on RISC-V
targets that define __riscv_misaligned_fast.
* Tests:
- Added two new fuzz targets to OSS-Fuzz.
- Implemented Continuous Integration (CI) testing using
GitHub Actions.
* Changed quoting style from `...' to '...' in all messages,
scripts, and documentation.
* Added basic Codespell support to help catch typo errors.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 11.7.0 to 11.9.0
- Update of rootfile
- Changelog
11.9.0
* Add ENABLE_COVERAGE cmake option to assist with generating
coverage reports.
* From M. Holger: add QPDFObjectHandle::writeJSON to directly
write a JSON representation to a pipeline. This is much faster
than writing the serialized result of getJSON.
* The previous fix to #1056 was incomplete. When setting a check
box value, the previous fix allowed any value other than /Off to
mean checked. Now we also set the actual value based on the
allowable non-/Off value in the normal appearance dictionary.
Fixes#1056.
* Add fuzz testing for JSON.
* Add JSON::getDictItem (from m-holger)
* Allow --overlay and --underlay to be repeated. They may appear
multiple times on the command-line and will be stacked in the
order in which they appear. In QPDFJob JSON, the overlay and
underlay keys may contain arrays. For compatibility, they may also
contain a single dictionary.
* Add new command-line arguments --file and --range which can be
used within --pages in place of positional arguments. Allow --file
to be used inside of --overlay and --underlay as well. These new
options can be freely intermixed with positional arguments. Also
add file(), range(), and password() to QPDFJob::PagesConfig as an
alternative to pageSpec.
11.8.0
* Bug fix: treat references to older generations of objects as
null.
* When recovering a file's xref table, attempt to find xref
streams if a traditional trailer dictionary is not found. Fixes
#1103.
* Add --set-page-labels command-line argument and supporting API.
Fixes#939.
- QPDFJob::Config::setPageLabels
- pdf_page_label_e enumerated type
- QPDFPageLabelDocumentHelper::pageLabelDict
* Support comma-separated numeric values with --collate to select
different group sizes from different files. Fixes#505.
* Support "x" before a group in a numeric range to exclude a group
from the previous group. Details are in the manual. Fixes#564,
#790.
* When flattening annotations, preserve annotations without any
appearance information at all, such as types /Link, /Popup, and
/Projection. Fixes#1039.
* Detect overlong UTF-8 in the UTF-8 decoder, and fix detection of
8-bit characters in erroneous UTF-8 strings.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.43.0 to 0.43.4
- Update of rootfile
- Changelog
0.43.4
Revert the changes to fix the problem in big-endian architectures
Allow to build pixman on clang/arm32
pixman-arm: Fix build on clang/arm32
pixman-x86: Use cpuid.h header
pixman-x86: Move #include "cpuid.h" inside conditionals
Revert "Allow to build pixman on clang/arm32"
pixman-arm: Use unified syntax
0.43.2
Note, in the past pixman used a numbering scheme with odd minor number
numbers for development versions and even minor number for stable
versions. This is no longer the case, all releases (including this one)
are stable production versions now.
Drop automatic DEBUG define
Drop ChangeLog
Drop contrib/ci.sh
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.10.0 to 3.11.1
- Update of rootfile
- Changelog
3.11.1
* Fixed wrong API version in lib/pci.h.
* Updated README.Windows.
* Fix compilation on Windows.
3.11.0
* update-pciids now supports XZ compression. If libpci is configured
with support for compression, all downloaded files are recompressed
as gzip. Otherwise they are stored as plain text.
* update-pciids now sends itself as the User-Agent.
* Added a pcilmr utility for PCIe lane margining. Thanks to Nikita
Proshkin for contributing it.
* Re-factored access to i386 ports on all relevant platforms.
* Added i386 port access on OpenBSD.
* Back-ends for Windows received many bug fixes and improvements.
* ECAM back-end now scans ACPI and BIOS memory faster.
* Linux systems without pread/pwrite are no longer supported
as they are hopefully long gone. This helps avoid the tricky check
for presence of pread which was found to fail on musl libc.
* Improved decoding of PCIe control and status registers.
* Decoding of CXL capabilities now supports up to CXL 3.0.
* lspci now displays interrupt message numbers consistently across
different capabilities.
* Cache of IDs resolved via DNS, which was located in ~/.pci-ids
by default, is now stored according to the XDG base directory
specification in $XDG_CACHE_HOME/pci-ids.
* All source files now have SPDX license identifiers.
* Internal: The "aux" fields of structs pci_access and pci_dev
reserved for use by back-ends were renamed to backend_data to better
reflect their meaning.
* As usually, various minor bug fixes and updated pci.ids.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.50.13 to 1.52.0
- Update of rootfile
- Changelog
1.52.0
- Add pango_font_map_reload_font
- Improve formatting of font sizes
1.51.2
- Build improvements on Windows
- Use single fontconfig thread
- Fix problems with spaces at line ends
- Allow custom fonts on Windows
- pango-viewer: Fix hint-metrics options
- Pangofont: Add properties
1.51.0
- itemize: Improve script itemization
- build: Check for cairo DWrite dependency
- win32: Fix various issues and crashes
- layout: Add a missing switch case
1.50.14
- Fix underline thickness in scaled contexts
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 6.2.0 to 6.2.1
- Update of rootfile
- Changelog
2.6.1 Thu February 29 2024
Bug fixes:
#817 Make tests independent of CPU speed, and thus more robust
#828#836 Expose billion laughs API with XML_DTD defined and
XML_GE undefined, regression from 2.6.0
Other changes:
#829 Hide test-only code behind new internal macro
#833 Autotools: Reject expat_config.h.in defining SIZEOF_VOID_P
#819 Address compiler warnings
#832#834 Version info bumped from 10:0:9 (libexpat*.so.1.9.0)
to 10:1:9 (libexpat*.so.1.9.1); see https://verbump.de/
for what these numbers do
Infrastructure:
#818 CI: Adapt to breaking changes in clang-format
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The update to openssl-3.2.x introduced a bug fix which now gives an error if the
subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions
for a CSR.
- See the following discssion in the openssl github issues
https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738
- The SKID & AKID should never have been specified in the CSR but due to a bug they were
never flagged with an error, just ignored. Since the bug fix for that bug was put into
OpenSSL-3.2.0 the prescence of the SKID & AKID in the CSR causes an error to be flagged.
- The consequence of this is that in CU183 trying to create a new x509 root/host
certificate gives an error when the CSR is generated so only the root certificate is
created and not the host certificate.
- Tested out the removal of the SKID & AKID lines from the [ server ] section of the
ovpn.cnf file and the root/host certificate set was created without any issue.
- Then tested the creation of a RW client connection and that worked with no problems. Also
creating a fresh N2N connection worked without any problems.
- Also tested restoring from an earlier backup. The RW and N2N connections worked without
issues with the AKID and SKID missing from the [ server ] section.
- It would be good if this could be merged into CU184 for final testing.
Fixes: Bug#13595
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This code ensures that all existing N2N connections have no-pass in key 41 in place
of disabled for some of them.
- Tested out and confirmed on my vm testbed.
Fixes: Bug#13548
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Adds Zabbix Agent userparameters `ipfire.ovpn.clientcert` and `ipfire.ovpn.cacert` for the agent to get details about openvpn client, server and ca certificates.
- Moves all `ipfire.ovpn.*` userparameters to a separate config file `userparameter_ovpn.conf` to enable users to selectively disable openvpn items when not needed
- Includes `ipfire_certificate_detail.sh` script in sudoers for Zabbix Agent as it needs root permission to read openvpn certificate details.
- Adapts lfs install script to install new script and configfile
- Adds new script and configfile to rootfiles
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Add script to parse openssl output on certificates and return it as JSON for consumption by the Zabbix agent.
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.47 to 1.48
- Update of rootfile
- Changelog
1.48
* New configure option --with-libtool-modification. [T6619]
* New option parser flag to detect commands given without a double
dash. There is also the new meta command "command-mode" to set
this flag via a config file. [T6978]
* Added an es_fopen mode flag "sequential" with support on Windows.
[rE7a42ff0ec9]
* Added an es_fopen mode flag "wipe" to cleanup internal buffers at
close time. [T6954]
* New function gpgrt_wipememory. [T6964]
* Improvements to setenv on Windows. [rE89e53ad90f]
* Fixed call to estream-printf string filters. [T6737]
* Many improvements to the yat2m tool.
* Updates to the build system.
* Interface changes relative to the 1.47 release:
ARGPARSE_FLAG_COMMAND NEW.
gpgrt_wipememory NEW.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.4.4 to 3.4.6
- Update of rootfile
- Changelog
3.4.6
Fix long double regression on mips64 and alpha.
3.4.5
Add support for wasm32.
Add support for aarch64 branch target identification (bti).
Add support for ARCv3: ARC32 & ARC64.
Add support for HPPA64, and many HPPA fixes.
Add support for Haikuos on PowerPC.
Fixes for AIX, loongson, MIPS, power, sparc64, and x86 Darwin.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.43.0 to 2.44.0
- Update of rootfile
- Changelog is too large to include here.
See the files 2.43.1.txt, 2.43.2.txt, 2.43.3.txt & 2.44.0.txt in the source tarball in
directory Documentation/RelNotes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Existing situation is if four new client connections are created and then it is decided
to restore to an earlier stage the new certficates will be in the certs directory but
not usable from the WUI page as they are no longer shown in the client connection table
as that now shows the ones from the restored backup.
- This patch clears the /var/ipfire/ovpn/certs/ directory before restoring the contents
of the backup so that the certs directory only holds what was in the backup.
Fixes: Bug#13404
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The PT Attack ruleset has not been updated since 2021 and made read-only in 2022
The PT Attack website no longer has any reference to Suricata Rulesets. The PT Attack
ruleset is being removed.
- The Secureworks three rulesets are no longer available. The website path gives a 404
error. No mention of Suricata rulesets in the Secureworks website. The Secureworks three
rulesets are being removed.
- ThreatFox ruleset has been added to the list. Both a plain and archive version of the
rules are available but the plain version is being regularly updated while the archive
version was last updated 5 days ago. So this patch has implemented the plain version.
- All above was discussed in the January Developers Conference call.
- Tested out on my vm testbed. I had PT Attack selected as one of the providers. As
mentioned by Stefan removing PT Attack means it is not available in the list of
providers but the provider stays in the providers table but with the line shown in red.
I will update the wiki to mention the red highlight and what it means.
Suggested-by: Stefan Schantl <stefan.schantl@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
