This patch adds a watcher thread which monitors if Unbound is still
alive. If not, it will wait until Unbound comes back, rewrite the leases
file and reload Unbound to get it back into sync.
Afterwards Unbound will receive updates as usual.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This variable is no longer been used and has been abused way too much in
the past. May it rest in pieces.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This reverts commit 8ea702f3f8.
This commit seems to introduce many more regressions when building
packages which I cannot easily reproduce.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
We have defaulted to CAKE for all devices that quality. That has however
resulted in worse network quality as some devices could not provide the
compute power necessary for CAKE. There are however only very few
benefits to run an unconfigured CAKE.
This patch changes this back to fq_codel which is computationally
cheaper and should deliver 99% of the throughput that CAKE does. This is
presumably the better trade-off.
We don't use fq_codel on wireless devices since the kernel is running
this for each client. It would have been nice to only apply this to
wireless interfaces in AP mode, but I cannot find a way to tell the
difference with asking NETLINK.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- When a user tries to restore on the console from a backup on IPFire that has a colon in
the filename the tar treats this as meaning that everything after the colon is
information about a remote location to do the extraction to. This results in a filename
that cannot be found, and a remote location that is not correct and the tar operation
fails.
- This has been confirmed by myself.
- If the user tries a restore from a file downloaded to another computer then for most, if
not all browsers, the colon will have been replaced by an underscore or other character.
Firefox, Chromium and Vivaldi do this.
- So any backup file that is selected to be restored using the WUI will no longer have a
colon in the filename.
- This patch adds --force-local to the tar command, which means that tar will treat the
colon as a character in the filename. This will ensure that if a user has any backup
files stored on their IPFire system, with a colon in the filename then doing a restore
from this file will not cause tar to fail.
- The NOW variable is also changed to replace the colon by a dash and to separate the date
and time by an underscore. This filename will be accepted by browsers, without doing
any replacements. Tested out with Firefox, Chromium & Vivaldi.
- The above ensures that both the new and old filename versions will work for doing a
restore.
Fixes: bug13734
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The kernel's build system uses its own CFLAGS for building the kernel
but for the tooling we want to use our own CFLAGS.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This variable never actually held the kernel version. There were always
suffixes appended and other things changed about it. This makes it a lot
simpler as this variable now holds the actual kernel version.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
unshare(8) seems to fail with kernels older than 6.0.0 when mounting
the /proc filesystem in the inner namespace. This seems to be an bug
where unshare does not even try to mount the /proc filesystem but tries
to make its mount propagation private.
This is now solved in that way that we will use unshare on newer kernels
but will fall back on manually mounting the /proc filesystem once we have
entered the chroot environment.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When we create the outer mount namespace, we still want to receive any
mounts from the host system which is why we set it to slave.
The second mount namespace should be a copy of the outer one but should not
propagate anything back to the outer mount namespace.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
When using QMI the dial-in option has to be set to "ppp" during setup.
In this case the initscript of suricata will create all related firewall
rules for the ppp0 interface which is not correct when using QMI where
the RED device is called red0.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package seemed to have bunlded WolfSSL which we don't want to use.
Instead we want to use OpenSSL.
The bundled version of WolfSSL did not want to compile with GCC 14.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This went really bad with the latest CSS changes. So this is a
refactor/rewrite of the CGI without many modifications.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This might only be useful for debugging (and even that is questionable).
So instead of flooding logs, we disable this, but it can be easily
enabled for development again.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 5.9.1 to 5.9.3
- Version 5.9.4 exists but it is indicated that SNMP over TLS and/or DTLS is not
functioning properly with various versions of OpenSSL. However I could not find which
versions mentioned in the News or Changelog. The problem will be fixed in a future
version. There are no CVE fixes in 5.9.4, only a relatively few bug fixes so I
decided to wait for the fixed version in case there are users using TLS with SNMP.
- Update of rootfile
- 6 CVE fixes in 5.9.3
- Changelog
5.9.3
security:
- These two CVEs can be exploited by a user with read-only credentials:
- CVE-2022-24805 A buffer overflow in the handling of the INDEX of
NET-SNMP-VACM-MIB can cause an out-of-bounds memory access.
- CVE-2022-24809 A malformed OID in a GET-NEXT to the nsVacmAccessTable
can cause a NULL pointer dereference.
- These CVEs can be exploited by a user with read-write credentials:
- CVE-2022-24806 Improper Input Validation when SETing malformed
OIDs in master agent and subagent simultaneously
- CVE-2022-24807 A malformed OID in a SET request to
SNMP-VIEW-BASED-ACM-MIB::vacmAccessTable can cause an
out-of-bounds memory access.
- CVE-2022-24808 A malformed OID in a SET request to
NET-SNMP-AGENT-MIB::nsLogTable can cause a NULL pointer dereference
- CVE-2022-24810 A malformed OID in a SET to the nsVacmAccessTable
can cause a NULL pointer dereference.
- To avoid these flaws, use strong SNMPv3 credentials and do not share them.
If you must use SNMPv1 or SNMPv2c, use a complex community string
and enhance the protection by restricting access to a given IP address
range.
- Thanks are due to Yu Zhang of VARAS@IIE and Nanyu Zhong of VARAS@IIE for
reporting the following CVEs that have been fixed in this release, and
to Arista Networks for providing fixes.
misc:
- Snmp-create-v3-user: Fix the snmpd.conf path @datadir@ is
expanded in ${datarootdir} so datarootdir must be set before
@datadir@ is used.
general: Many bug fixes
5.9.2
skipped due to a last minute library versioning found bug -- use 5.9.3 instead
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.20.2 to 4.20.4
- Successfully built samba on arm builder
- Update of rootfile for x86_64 & aarch64 not required.
- Changelog
4.20.4
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
4.20.3
* BUG 15683: Running samba-bgqd a a standalone systemd service does not work.
* BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
Windows computer when user account need to change their own password.
* BUG 15671: Invalid client warning about command line passwords.
* BUG 15672: Version string is truncated in manpages.
* BUG 15673: --version-* options are still not ergonomic, and they reject
tilde characters.
* BUG 15674: cmdline_burn does not always burn secrets.
* BUG 15685: Samba does not parse SDDL found in defaultSecurityDescriptor in
AD_DS_Classes_Windows_Server_v1903.ldf.
* BUG 15655: When claims enabled with heimdal kerberos, unable to log on to a
Windows computer when user account need to change their own password.
* BUG 15660: The images don\'t build after the git security release and
CentOS 8 Stream is EOL.
* BUG 15676: Fix clock skew error message and memory cache clock skew
recovery.
* BUG 15603: Heimdal ignores _gsskrb5_decapsulate errors in
init_sec_context/repl_mutual.
* BUG 15621: s4:ldap_server: does not support tls channel bindings
for sasl binds.
* BUG 15678: CTDB socket output queues may suffer unbounded delays under some
special conditions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 10.03.0 to 10.03.1
- Update of rootfile
- Several CVE fixes in this release
- Changelog
10.03.1
Fixes for CVE-2024-33869, CVE-2023-52722, CVE-2024-33870, CVE-2024-33871 and
CVE-2024-29510
IMPORTANT: For the 10.04.0 release (fall/autumn 2024) we will be adding
protection for device selection from PostScript input. This will mean that,
by default, only the device specified on the command line will be permitted.
Similar to the file permissions, there will be a "--permit-devices="
allowing a comma separation list of allowed devices. This will also take a
single wildcard "*" allowing any device.
Any application which relies on allowing PostScript to change devices during
a job will have to be aware, and take action to deal with this change.
The exception is "nulldevice", switching to that requires no special action.
A vulnerability was identified in the way Ghostscript/GhostPDL called
tesseract for the OCR devices, which could allow arbitrary code execution.
As as result, we strongly urge anyone including the OCR devices in their
build to update as soon as possible.
As of this release (10.03.1) pdfwrite creates PDF files with XRef streams
and ObjStm streams. This can result in considerably smaller PDF output
files. See Vector Devices for more details.
Ghostscript/pdfwrite now supports passing through PDF "Optional Content".
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental
improvements.
(9.53.0) We have added the capability to build with the Tesseract OCR
engine. In such a build, new devices are available
(pdfocr8/pdfocr24/pdfocr32) which render the output file to an image, OCR
that image, and output the image "wrapped" up as a PDF file, with the OCR
generated text information included as "invisible" text (in PDF terms, text
rendering mode 3).
Mainly due to time constraints, we only support including Tesseract from
source included in our release packages, and not linking to
Tesseract/Leptonica shared libraries. Whether we add this capability will
be largely dependent on community demand for the feature.
See Enabling OCR for more details.
Incompatible changes
(10.03.1) Almost all the "internal" PostScript procedures defined during the
interpreter startup are now "executeonly", further reducing the attack
surface of the interpreter.
The nature of these procedures means there should be no impact for
legitimate usage, but it is possible it will impact uses which abuse the
previous accessibility (even for legitimate reasons). Such cases may now
require "DELAYBIND", See DELAYBIND
(10.03.1) The "makeimagedevice" non-standard operator has been removed. It
allowed low level access to the graphics library in a way that was,
essentially impossible to secure.
(10.03.1) The "putdeviceprops", "getdeviceprops", "finddevice",
"copydevice", "findprotodevice" non-standard operators have all been
removed. They provided functionality that is either accessible through
standard operators, or should not be used by user PostScript.
(10.03.1) The process of "tidying" the PostScript namespace should have
removed only non-standard and undocumented operators. Nevertheless, it is
possible that any integrations or utilities that rely on those non-standard
and undocumented operators may stop working or may change behaviour.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.26 to 1.28
- Update of rootfile not required
- Changelog
1.28
The option '--verify-on-error' has been renamed to '--check-on-error'.
The option '--verify-input-size' has been renamed to '--check-input-size'.
The option synonym '--exit-on-error' has been removed and is no longer
recognized.
In fill and rescue modes, ddrescue now makes a final fsync call on outfile
to prevent an early exit if the kernel caches all the writes.
Option '-t, --show-status' of ddrescuelog now shows the mapfile names at
verbosity level 0 if more than one mapfile is specified.
The variable MAKEINFO has been added to configure and Makefile.in.
1.27
A deadlock in command mode when stdout is fully buffered has been fixed by
flushing stdout after executing each command. (Reported by Jeffrey Bosboom).
The new option '-W, --compare-before-write' has been added. It omits
superfluous writes in rescue mode.
(Suggested by Kajetan Harald Hinner and Petr Slansky).
Diagnostics caused by invalid arguments to command line options now show the
argument and the name of the option.
The option synonym '--direct' has been removed and is no longer recognized.
'long long' is now used instead of 'long' for time variables.
A missing '#include <cstdlib>' has been added.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3460000 to 3460100
- Update of rootfile not required
- Changelog
3460100
Improved robustness while parsing the tokenize= arguments in FTS5. Forum post
171bcc2bcd.
Enhancements to covering index prediction in the query planner. Add early
detection of over-prediction of covering indexes so that sqlite3_prepare() will
return an error rather than just generate bad bytecode. Forum post
e60e4c295d22f8ce.
Do not let the number of terms on a VALUES clause be limited by
SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause contains elements that
appear to be variables due to double-quoted string literals.
Fix the window function version of group_concat() so that it returns an empty
string if it has one or more empty string inputs.
In FTS5 secure-delete mode, fix false-positive integrity-check reports about
corrupt indexes.
Syntax errors in ALTER TABLE should always return SQLITE_ERROR. In some cases,
they were formerly returning SQLITE_INTERNAL.
JavaScript/WASM:
Fix a corruption-causing bug in the JavaScript "opfs" VFS.
Work around a couple of browser-specific OPFS quirks.
Other minor fixes.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20240531 to 20240813
- Update of rootfile not required
- Changelog
20240813
Security updates for INTEL-SA-01083
Security updates for INTEL-SA-01118
Security updates for INTEL-SA-01100
Security updates for INTEL-SA-01038
Security updates for INTEL-SA-01046
Update for functional issues. Refer to Intel® Core™ Ultra Processor for details.
Update for functional issues. Refer to 3rd Generation Intel® Xeon® Processor Scalable Family Specification Update for details.
Update for functional issues. Refer to 3rd Generation Intel® Xeon® Scalable Processors Specification Update for details.
Update for functional issues. Refer to 2nd Generation Intel® Xeon® Processor Scalable Family Specification Update for details
Update for functional issues. Refer to Intel® Xeon® D-2700 Processor Specification Update for details.
Update for functional issues. Refer to Intel® Xeon® E-2300 Processor Specification Update for details.
Update for functional issues. Refer to 13th Generation Intel® Core™ Processor Specification Update for details.
Update for functional issues. Refer to 12th Generation Intel® Core™ Processor Family for details.
Update for functional issues. Refer to 11th Gen Intel® Core™ Processor Specification Update for details.
Update for functional issues. Refer to 10th Gen Intel® Core™ Processor Families Specification Update for details.
Update for functional issues. Refer to 10th Generation Intel® Core™ Processor Specification Update for details.
Update for functional issues. Refer to 8th and 9th Generation Intel® Core™ Processor Family Spec Update for details.
Update for functional issues. Refer to 8th Generation Intel® Core™ Processor Families Specification Update for details.
Update for functional issues. Refer to 7th and 8th Generation Intel® Core™ Processor Specification Update for details.
Update for functional issues. Refer to Intel® Processors and Intel® Core™ i3 N-Series for details.
Update for functional issues. Refer to Intel® Atom® x6000E Series, and Intel® Pentium® and Celeron® N and J Series Processors for Internet of Things (IoT) Applications for details.
For Updated Platforms see the changelog
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240813
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
