Changes in version 0.4.7.8 - 2022-06-17
This version fixes several bugfixes including a High severity security issue
categorized as a Denial of Service. Everyone running an earlier version
should upgrade to this version.
o Major bugfixes (congestion control, TROVE-2022-001):
- Fix a scenario where RTT estimation can become wedged, seriously
degrading congestion control performance on all circuits. This
impacts clients, onion services, and relays, and can be triggered
remotely by a malicious endpoint. Tracked as CVE-2022-33903. Fixes
bug 40626; bugfix on 0.4.7.5-alpha.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on June 17, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/06/17.
o Minor bugfixes (linux seccomp2 sandbox):
- Allow the rseq system call in the sandbox. This solves a crash
issue with glibc 2.35 on Linux. Patch from pmu-ipf. Fixes bug
40601; bugfix on 0.3.5.11.
o Minor bugfixes (logging):
- Demote a harmless warn log message about finding a second hop to
from warn level to info level, if we do not have enough
descriptors yet. Leave it at notice level for other cases. Fixes
bug 40603; bugfix on 0.4.7.1-alpha.
- Demote a notice log message about "Unexpected path length" to info
level. These cases seem to happen arbitrarily, and we likely will
never find all of them before the switch to arti. Fixes bug 40612;
bugfix on 0.4.7.5-alpha.
o Minor bugfixes (relay, logging):
- Demote a harmless XOFF log message to from notice level to info
level. Fixes bug 40620; bugfix on 0.4.7.5-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
pango and the PDF tools as core parts are linked against
libtiff, therefore this library has to become a part of the
core distribution too.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
On one hand, the key.dns_resolver binary is linked against libkrb5, so this
library at least is required by the base system.
On the other hand this easily allows different services on the firewall
to use kerberos for authentication (ssh etc).
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
- samba is linked to liblber from openldap. openldap was updated in CU168 but
I missed that samba had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the samba PAK_VER so that it will be shipped and therefore
have the library links updated.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- netatalk is linked to liblber from openldap. openldap was updated in CU168 but
I missed that netatalk had a dependency to one of its libraries.
- find-dependencies was not run on openldap liblber although looking at the openldap
rootfile it is clear that an sobump occurred.
- This patch increments the netatalk PAK_VER so that it will be shipped and therefore
have the library links updated.
Fixes: Bug #12878
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This script runs aside of OpenVPN and connects to the management socket.
On the socket, OpenVPN will post any new clients trying to authenticate
which will be handled by the authenticator.
If a client has 2FA enabled, it will be challanged for the current token
which will then be checked in a second pass.
Clients which do not have 2FA enabled will just be authenticated no
matter what and tls-verify will have handled the rest.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Add two-factor authentication (2FA) to OpenVPN host connections with
one-time passwords.
The 2FA can be enabled or disabled per host connection and requires the
client to download it's configuration again after 2FA has beend enabled
for it.
Additionally the client needs to configure an TOTP application, like
"Google Authenticator" which then provides the second factor.
To faciliate this every connection with enabled 2FA
gets an "show qrcode" button after the "show file" button in the
host connection list to show the 2FA secret and an 2FA configuration QRCode.
When 2FA is enabled, the client needs to provide the second factor plus
the private key password (if set) to successfully authorize.
This only supports time based one-time passwords, TOTP with 30s
window and 6 digits, for now but we may update this in the future.
Signed-off-by: Timo Eissler <timo.eissler@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.30/doc/arm/html/notes.html#notes-for-bind-9-16-30
"Bug Fixes
The fetches-per-server quota is designed to adjust itself downward
automatically when an authoritative server times out too frequently.
Due to a coding error, that adjustment was applied incorrectly,
so that the quota for a congested server was always set to 1. This
has been fixed. [GL #3327]
DNSSEC-signed catalog zones were not being processed correctly. This
has been fixed. [GL #3380]
Key files were updated every time the dnssec-policy key manager ran,
whether the metadata had changed or not. named now checks whether
changes were applied before writing out the key files. [GL #3302]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog as retrived from https://cisofy.com/changelog/lynis/#308:
- MALW-3274 - Detect McAfee VirusScan Command Line Scanner
- PKGS-7346 Check Alpine Package Keeper (apk)
- PKGS-7395 Check Alpine upgradeable packages
- EOL for Alpine Linux 3.14 and 3.15
- AUTH-9408 - Check for pam_faillock as well (replacement for pam_tally2)
- FILE-7524 - Test enhanced to support symlinks
- HTTP-6643 - Support ModSecurity version 2 and 3
- KRNL-5788 - Only run relevant tests and improved logging
- KRNL-5820 - Additional path for security/limits.conf
- KRNL-5830 - Check for /var/run/needs_restarting (Slackware)
- KRNL-5830 - Add a presence check for /boot/vmlinuz
- PRNT-2308 - Bugfix that prevented test from storing values correctly
- Extended location of PAM files for AARCH64
- Some messages in log improved
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 0.9.24 to 0.9.29
- Update of rootfile not required
- Changelog - there is no changelog in the source tarball or on the Symas website or in
the github repository.
The following are extracted from the short log of the git commits
https://github.com/LMDB/lmdb/commits/LMDB_0.9.29/libraries/liblmdb
Release (0.9.29)
ITS#9500
ITS#9500 fix regression from ITS#8662
ITS#9376 simplify
ITS#9469 - Typo fixes
ITS#9461 fix typo
ITS#9461 refix ITS#9376
Release (0.9.28)
ITS#8662 Add -a append option to mdb_load
Return to RE
Release (0.9.27)
ITS#9376 Fixes for repeated deletes with xcursor
Return to engineering
Release 0.9.26
ITS#9278
Silence stupid fallthru warning
ITS#9278 fix robust mutex cleanup for FreeBSD
Return to engineering
Release 0.9.25
ITS#9155 lmdb: free mt_spill_pgs in non-nested txn on end
ITS#9118 - Fix typo in prev commit
ITS#9118 add MAP_NOSYNC for FreeBSD
return to release engineering, ITS#9068
ITS#9068 fix backslash escaping
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 1.1.34 to 1.1.35
- Update of rootfile
- Changelog
v1.1.35: Feb 16 2022:
- Security:
[CVE-2021-30560] Fix use-after-free in xsltApplyTemplates
Fix memory leak in xsltDocumentElem (David King)
Fix memory leak in xsltCompileIdKeyPattern (David King)
Fix double-free with stylesheets containing entity nodes
- Fixed regressions:
Fix performance regression with predicates in patterns
Fix regression in xsltComputeSortResult
- Bug fixes:
Fix conflict resolution for templates with same priority
Fix xsl:number generating invalid UTF-8
Support attribute value templates in xsl:sort lang attributes
Don't pass first <xsl:sort> in <xsl:apply-templates> twice
Fix quadratic runtime with text and <xsl:message>
Don't allow empty EXSLT durations
- Improvements:
Add xsltproc --huge Argument via libxml XML_PARSE_HUGE (William N. Braswell, Jr.)
- Tests, code quality, fuzzing:
Remove .travis.yml
Fix some misleading indentation (David King)
Use actual types for templates in struct _xsltStylesheet
Add CI for CMake on MSVC (Markus Rickert)
Check for null pointer before calling freelocale
Add CI test for Python 3
Don't set maxDepth in XPath contexts
Transfer XPath limits to XPtr context
Stop using maxParserDepth XPath limit
Make long-to-double cast explicit in date.c
Disable LeakSanitizer
Run clang CI tests with -Wimplicit-int-conversion
Fix implicit-int-conversion warning in exslt/crypto.c
Fix clang -Wimplicit-int-conversion warning (David Kilzer)
Fix clang -Wconditional-uninitialized warning in libxslt/numbers.c (David Kilzer)
Fix -Wshadow warnings in libexslt/dynamic.c (David Kilzer)
Also search parent dir for source XML when fuzzing
- Build system, portability:
Add CMake build files (Markus Rickert)
Initial support for Python 3 (Suleyman Poyraz)
Call ANSI versions of WinAPI functions explicitly
Remove redundant flags from pkg-config files
Suppress automake warning in tests/XSLTMark
Fix linking libexslt dynamic library when using MinGW (Vadim Zeitlin)
Added platform specific path separators (Dmitriy Korovkin)
win32: allow passing *FLAGS on command line
Fix export of xsltExtMarker on Windows (David Kilzer)
Fix redundant includes already in libexslt.h (David Kilzer)
Minor fixes to configure.js
Fix variable syntax in Python configuration
Add new EXSLT string tests to EXTRA_DIST
Fix xml2-config check in configure script
win32: Add configuration for profiler (Chun-wei Fan)
Check whether 'xml2-config --dynamic' is supported
- Documentation:
Add Makefile rule to regenerate xsltproc.html
Update links
Remove MAINTAINERS
Upload documentation to GitLab Pages
Add documentation in devhelp format
Add --enable-rebuild-docs configure option
Fix libexslt header summaries
Fix validity of tutorial XML (David King)
Use DocBook URL for tutorial DTD (David King)
Update libxslt.doap
Add missing options to xsltproc man page
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 2.9.12 to 2.9.14
- Update of rootfile
- Changelog
v2.9.14: May 02 2022:
- Security:
[CVE-2022-29824] Integer overflow in xmlBuf and xmlBuffer
Fix potential double-free in xmlXPtrStringRangeFunction
Fix memory leak in xmlFindCharEncodingHandler
Normalize XPath strings in-place
Prevent integer-overflow in htmlSkipBlankChars() and xmlSkipBlankChars()
(David Kilzer)
Fix leak of xmlElementContent (David Kilzer)
- Bug fixes:
Fix parsing of subtracted regex character classes
Fix recursion check in xinclude.c
Reset last error in xmlCleanupGlobals
Fix certain combinations of regex range quantifiers
Fix range quantifier on subregex
- Improvements:
Fix recovery from invalid HTML start tags
- Build system, portability:
Define LFS macros before including system headers
Initialize XPath floating-point globals
configure: check for icu DEFS (James Hilliard)
configure.ac: produce tar.xz only (GNOME policy) (David Seifert)
CMakeLists.txt: Fix LIBXML_VERSION_NUMBER
Fix build with older Python versions
Fix --without-valid build
v2.9.13: Feb 19 2022:
- Security:
[CVE-2022-23308] Use-after-free of ID and IDREF attributes
(Thanks to Shinji Sato for the report)
Use-after-free in xmlXIncludeCopyRange (David Kilzer)
Fix Null-deref-in-xmlSchemaGetComponentTargetNs (huangduirong)
Fix memory leak in xmlXPathCompNodeTest
Fix null pointer deref in xmlStringGetNodeList
Fix several memory leaks found by Coverity (David King)
- Fixed regressions:
Fix regression in RelaxNG pattern matching
Properly handle nested documents in xmlFreeNode
Fix regression with PEs in external DTD
Fix random dropping of characters on dumping ASCII encoded XML (Mohammad Razavi)
Revert "Make schema validation fail with multiple top-level elements"
Fix regression when parsing invalid HTML tags in push mode
Fix regression parsing public IDs literals in HTML
Fix buffering in xmlOutputBufferWrite
Fix whitespace when serializing empty HTML documents
Fix XPath recursion limit
Fix regression in xmlNodeDumpOutputInternal
Work around lxml API abuse
- Bug fixes:
Fix xmlSetTreeDoc with entity references
Fix double counting of CRLF in comments
Make sure to grow input buffer in xmlParseMisc
Don't ignore xmllint options after "-"
Don't normalize namespace URIs in XPointer xmlns() scheme
Fix handling of XSD with empty namespace
Also register HTML document nodes
Make xmllint return an error if arguments are missing
Fix handling of ctxt->base in xmlXPtrEvalXPtrPart
Fix xmllint --maxmem
Fix htmlReadFd, which was using a mix of xml and html context functions (Finn Barber)
Move current position before possible calling of ctxt->sax->characters (Yulin Li)
Fix parse failure when 4-byte character in UTF-16 BE is split across a chunk (David Kilzer)
Patch to forbid epsilon-reduction of final states (Arne Becker)
Avoid segfault at exit when using custom memory functions (Mike Dalessio)
- Tests, code quality, fuzzing:
Remove .travis.yml
Make xmlFuzzReadString return a zero size in error case
Fix unused function warning in testapi.c
Update NewsML DTD in test suite
Add more checks for malloc failures in xmllint.c
Avoid potential integer overflow in xmlstring.c
Run CI tests with UBSan implicit-conversion checks
Fix casting of line numbers in SAX2.c
Fix integer conversion warnings in hash.c
Add explicit casts in runtest.c
Fix integer conversion warning in xmlIconvWrapper
Add suffix to unsigned constant in xmlmemory.c
Add explicit casts in testchar.c
Fix integer conversion warnings in xmlstring.c
Add explicit cast in xmlURIUnescapeString
Remove unused variable in xmlCharEncOutFunc (David King)
- Build system, portability:
Remove xmlwin32version.h
Fix fuzzer test with VPATH build
Support custom prefix when installing Python module
Remove Makefile.win
Remove CVS and SVN-related code
Port python 3.x module to Windows and improve distutils (Chun-wei Fan)
Correctly install the HTML examples into their subdirectory (Mattia Rizzolo)
Refactor the settings of $docdir (Mattia Rizzolo)
Remove unused configure checks (Ben Boeckel)
python/Makefile.am: use *_LIBADD, not *_LDFLAGS for LIBS (Sam James)
Fix check for libtool in autogen.sh
Use version in configure.ac for CMake (Timothy Lyanguzov)
Add CMake alias targets for embedded projects (Markus Rickert)
- Documentation:
Remove SVN keyword anchors
Rework README
Remove README.cvs-commits
Remove old ChangeLog
Update hyperlinks
Remove README.docs
Remove MAINTAINERS
Remove xmltutorial.pdf
Upload documentation to GitLab pages
Document how to escape XML_CATALOG_FILES
Fix libxml2.doap
Update URL for libxml++ C++ binding (Kjell Ahlstedt)
Generate devhelp2 index file (Emmanuele Bassi)
Mention XML_CATALOG_FILES is space-separated (Jan Tojnar)
Add documentaiton for xmllint exit code 10 (Rainer Canavan)
Fix some validation errors in the FAQ (David King)
Add instructions on how to use CMake to compile libxml (Markus Rickert)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
