- Update from 1.1.0 to 1.2.1
- Update of rootfiles
- Changelog
Version 1.2.1, "Hyacinthus orientalis", released in October 2020, comes with the following new features:
Bug fixes:
Fix an incompatibility problem with GMP 6.0 and before.
Fix an intermediate overflow in asin.
Version 1.2.0, "Hyacinthus orientalis", released in August 2020, comes with the following new features:
Minimally required library version: mpfr 4.1.0
New functions:
mpc_sum
mpc_dot
Several functions are more robust with a reduced exponent range (for example corresponding to IEEE 754 binary formats).
New mpcheck tool for comparison with the native C library
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.27 to 3.6
- No update of rootfiles required
- Changelog is too long to include here
Full details can be reviewed in the ChangeLog file in the source tarball
55 bug fixes implemented between 2.27 and 3.6
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 6.2.0 to 6.2.1
- Update of rootfiles
- Changelog
2020-11-13 Marco Bodrato <bodrato@mail.dm.unipi.it>
* Version 6.2.1 released.
* gmp-h.in (__GNU_MP_VERSION_PATCHLEVEL): Bump version info.
* Makefile.am (LIBGMP_LT_*, LIBGMPXX_LT_*): Bump revision info.
2020-11-10 Marco Bodrato <bodrato@mail.dm.unipi.it>
* configure.ac (fat_path): Add bd1, goldmont,silvermont for CPUVEC.
* mpn/x86_64/fat/fat.c: Add more CPUs.
* mpn/x86/fat/fat.c: Add more CPUs.
2020-11-01 Marco Bodrato <bodrato@mail.dm.unipi.it>
* configure.ac: X86_{,64_}PATTERN: GMP_ASM_COFF_TYPE for all ABIs;
* mpn/x86_64/x86_64-defs.m4 (COFF_TYPE): Copy from mpn/x86/x86-defs.m4
as suggested by Jeremy Drake.
* tests/misc/t-locale.c (nl_langinfo): No redefine on __TERMUX__,
spotted by Sanselme and Glisse.
* configure.ac: Consider *-*-msys as *-*-mingw* (except on arm* |
aarch64*), as suggested by Ralph Peterson.
* Makefile.am (EXTRA_DIST): Add mini-gmp/ChangeLog.
2020-10-30 Marco Bodrato <bodrato@mail.dm.unipi.it>
* tests/mpf/t-get_d_2exp.c: Test also the case zero.
* tests/mpz/t-get_d.c: Likewise.
* tests/mpf/t-trunc.c: Use mpf_size.
* tests/mpf/t-conv.c: Some more tests on zero.
2020-10-25 Marco Bodrato <bodrato@mail.dm.unipi.it>
* configfsf.guess: Updated to version 2020-10-22, from gnulib.
2020-10-17 Marco Bodrato <bodrato@mail.dm.unipi.it>
* tests/devel/Makefile.am: Remove redundancies.
* tests/mpz/io.c: Test out-of-range bases for mpz_out_str.
2020-10-15 Torbjörn Granlund <tg@gmplib.org>
* configure.ac: Recognise zen3.
* config.guess: Recognise zen3.
2020-10-14 Marco Bodrato <bodrato@mail.dm.unipi.it>
* doc/gmp.texi (Number sequences): Remove redundancy. (spotted: TonyMcC)
* configfsf.sub: Updated to version 2020-10-13, from gnulib.
* configfsf.guess: Updated to version 2020-09-19, from gnulib.
2020-10-06 Niels Möller <nisse@lysator.liu.se>
* Makefile.am: Better support for make check-mini-gmp on wine or cygwin.
2020-09-22 Torbjörn Granlund <tg@gmplib.org>
* tests/mpz/t-mul.c: Print GMP_CHECK_FFT.
* longlong.h (x86 umul_ppmm): Fix typo.
2020-09-21 Torbjörn Granlund <tg@gmplib.org>
* mpz/n_pow_ui.c: Detect and report overflow.
2020-07-04 Torbjörn Granlund <tg@gmplib.org>
* mpn/arm64/bdiv_q_1.asm: Use LEA_HI/LEA_LO
* mpn/arm64/invert_limb.asm: Likewise.
* mpn/arm64/arm64-defs.m4: New file.
* mpn/arm64/darwin.m4: New file.
* configure.ac: Use arm64/arm64-defs.m4 and arm64/darwin.m4.
2020-06-20 Torbjörn Granlund <tg@gmplib.org>
* longlong.h (add_sssaaaa arm32/arm64): Generalise allowed operands
when using adds for sub and subs for add, while disallowing 0.
(sub_ddmmss ppc64): Disallow 0 when using addic. Also disallow
constants for register-only middle addic operand.
(C add_sssaaaa and sub_ddmmss): Use more temps to make operation more
well-defined.
2020-06-18 Torbjörn Granlund <tg@gmplib.org>
* tests/devel/gen-test-longlong_h.c: New file.
* tests/devel/Makefile.am: Compile and use gen-test-longlong_h.c.
2020-06-10 Torbjörn Granlund <tg@gmplib.org>
* configure.ac: Recognise armcortexa55.
2020-05-25 Torbjörn Granlund <tg@gmplib.org>
* tests/cxx/t-assign.cc: Use reference parameter for 'catch'.
* tests/cxx/t-constr.cc: Likewise.
* tests/cxx/t-ops2z.cc: Likewise.
* tests/cxx/t-rand.cc: Likewise.
* tests/cxx/t-do-exceptions-work-at-all-with-this-compiler.cc: Likewise.
* tune/speed.c: Undo 2020-05-24 _POSIX_C_SOURCE change, it breaks on
many broken systems.
* tune/freq.c: Likewise.
* tune/time.c: Likewise.
* tune/tuneup.c: Likewise.
* tests/devel/try.c: Revert 2020-05-24 changes.
2020-05-21 Torbjörn Granlund <tg@gmplib.org>
* tune/freq.c (_POSIX_C_SOURCE): Define.
* tune/tuneup.c (print_define_with_speedup): Fall back from snprintf to
sprintf for C90.
(_POSIX_C_SOURCE): Define.
(max_opsize): Set by #define instead of const size_t to please C90.
(n_measurements): Likewise.
(speed_mpn_pre_set_str): Adhere to C90 declaration rules.
* tune/tune-gcd-p.c: Back out 2020-01-10 change to comply to C90.
* tune/time.c (speed_endtime): Cast printf args to right type.
(_POSIX_C_SOURCE): Define.
* tune/speed.h (CACHE_LINE_SIZE): Do #undef before defining.
(SPEED_ROUTINE_MPN_GCD_1): Provide dummy first argument for standard
compliance.
(SPEED_ROUTINE_MPN_HGCD2): Adhere to C90 declaration rules.
* tune/speed.c (main): Cast printf args to right type.
(_POSIX_C_SOURCE): Define.
* tests/mpz/reuse.c: Avoid using non-standard function fileno().
* tests/spinner.c: Likewise.
* tests/mpz/convert.c (str_casecmp): New function.
(main): Use it instead of non-standard strcasecmp.
* tests/misc.c (tests_start): Fall back from snprintf to sprintf for
C90.
* tests/devel/try.c: Avoid getpagesize and use POSIX sysconf instead.
(_POSIX_C_SOURCE): Define.
* mpn/generic/mod_1_1.c: Don't use C++ comments.
* mpn/generic/get_d.c: Add clarifying parens.
2020-05-18 Torbjörn Granlund <tg@gmplib.org>
* mpn/generic/toom_interpolate_12pts.c (DO_mpn_addlsh_n): Define only
when needed.
* mpn/generic/toom_interpolate_16pts.c: Likewise.
2020-05-17 Marco Bodrato <bodrato@mail.dm.unipi.it>
* mpz/cmp.c: Avoid overflow on int even for huge sizes.
* mpq/cmp.c: Likewise.
* mpn/generic/mul_fft.c (mpn_fft_mul_modF_K):
Fully handle carry propagation in basecase multiplication.
2020-05-16 Torbjörn Granlund <tg@gmplib.org>
* mpn/generic/hgcd2.c (tabp): Combine several undefined tabp
variable definitions with a macro.
* mpn/generic/gcd_22.c: Avoid C99 constructs.
2020-05-12 Torbjörn Granlund <tg@gmplib.org>
* mpn/generic/compute_powtab.c: Avoid C99 constructs.
* mpn/generic/get_str.c: Likewise.
* mpn/generic/set_str.c: Likewise.
* gmp-impl.h (memset): Move ASSERT to before decls.
* tests/refmpn.c: Likewise.
* mpn/generic/hgcd2.c (tabp): Combine several undefined tabp variable
definitions with a macro.
* mpn/generic/strongfibo.c: Avoid defining helper function when unused.
* mpn/generic/dcpi1_bdiv_q.c (mpn_dcpi1_bdiv_q_n_itch): Disable unused
static function.
* mpz/mul.c: Add some {} to suppress warning.
* tests/mpn/t-gcd_11.c: Exit main() properly.
* tests/mpn/t-gcd_22.c: Likewise.
* tests/mpn/t-gcdext_1.c: Likewise.
2020-04-28 Torbjörn Granlund <tg@gmplib.org>
* tests/mpz/reuse.c (realloc_if_reducing): New function.
(INVOKE_RRS, etc): Use realloc_if_reducing.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 0.19.8.1 to 0.21
- Update of rootfiles
- Changelog is too long to include here
Full details can be found in the ChangeLog file in source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://lists.gnu.org/archive/html/info-gnu/2021-03/msg00005.html
"This is a bugfix release, fixing a bug in ECDSA signature
verification that could lead to a denial of service attack
(via an assertion failure) or possibly incorrect results. It
also fixes a few related problems where scalars are required
to be canonically reduced modulo the ECC group order, but in
fact may be slightly larger.
Upgrading to the new version is strongly recommended."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The PAK_VER number was not incremented in patch 3947
- All other addon patches raised by Adolf Belka at that time checked
and all others have the PAK_VER correctly incremented
- Fixes bug #12598
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update of rootfiles due to perl update from 5.30.0 to 5.32.1
- Update of directory paths in lfs with perl version number change
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 5.30.0 to 5.32.1
- Update of rootfile carried out
- Removal of perl-5.30.0.fix.build.failure-against-gcc-10.patch as no
longer required
- Changelog is too large to fit here.
Full details for release 5.33.1 from 5.32.0 are in the source tarball
in pod/perldelta.pod
For the details of changes in previous releases, see the individual
perlNNNdelta.pod files. For example, pod/perl588delta.pod describes the
changes between versions 5.8.7 and 5.8.8.
- Updated iso from build of perl and all other changes has been installed
in a vm testbed. All pages and graphs that have been looked at worked
without any hiccups.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 4.13.4 to 4.13.7
- Update of x68_64 rootfile
- Changelog
Release Notes for Samba 4.13.7 March 24, 2021
This is a security release in order to address the following defects:
o CVE-2020-27840:
An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
crafted DNs as part of a bind request. More serious heap corruption is likely
also possible.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
bad DNs.
o CVE-2021-20277:
User-controlled LDAP filter strings against the AD DC LDAP server may crash
the LDAP server.
Andrew Bartlett <abartlet@samba.org>
* BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
Release Notes for Samba 4.13.5 March 09, 2021
This is the latest stable release of the Samba 4.13 release series.
o Trever L. Adams <trever.adams@gmail.com>
* BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
start-up failure.
o Jeremy Allison <jra@samba.org>
* BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
setup failed on temp proxy connection.
* BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
force a full reload of services.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
expired tombstones.
o Ralph Boehme <slow@samba.org
* BUG 14503: s3: Fix fcntl waf configure check.
* BUG 14602: s3/auth: Implement "winbind:ignore domains".
* BUG 14617: smbd: Use fsp->conn->session_info for the initial
delete-on-close token.
o Peter Eriksson <pen@lysator.liu.se>
* BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
path.
o Björn Jacke <bj@sernet.de>
* BUG 14624: classicupgrade: Treat old never expires value right.
o Volker Lendecke <vl@samba.org>
* BUG 14636: g_lock: Fix uninitalized variable reads.
o Stefan Metzmacher <metze@samba.org>
* BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
o Andreas Schneider <asn@samba.org>
* BUG 14625: lib:util: Avoid free'ing our own pointer.
o Paul Wise <pabs3@bonedaddy.net>
* BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 4.1.4 to 5.1.0
- Update of rootfile carried out
- Changelog is too long to fit in here.
Changes for versions 5.0.0 and 5.1.0 can be found in the ChangeLog file
in the source tarball
Changes for versions 4.2.0 and 4.2.1 can be found in the ChangeLog.1
file in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 0.2 to 1.17
- Update of rootfile carried out
- ed-0.2-mkstemp-1.patch from LFS is no longer required in later versions
of ed or LFS
- Changelog is a bit too long to add here.
Full change log can be found by viewing ChangeLog file in tar sourceball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 3.6 to 3.7
- No update of rootfile required
- Changelog
2018-12-31 Jim Meyering <meyering@fb.com>
version 3.7
* NEWS: Record release date.
maint: distribute new file, init.cfg
Otherwise, strip-trailing-cr would fail on a system without valgrind.
* tests/Makefile.am (EXTRA_DIST): Include init.cfg.
2018-12-30 Dennis Lambe Jr <malsyned@malsyned.net>
diff: adjust ANSI escapes for compatibility with less -R
GNU less can display ANSI-colored text with the -R flag, but this
support has some limitations. One of them is that if an escape
sequence starts on one line and ends on a different line, only the
first line will be colored in less.
As a result, when diff creates colored output with multi-line deletes
or adds, less will only color the first line.
This change resets ANSI color to the default at the end of
each line and restarts it at the beginning of the next. It patches
normal and context mode. Side-by-side already worked in my testing.
* src/context.c (print_context_label, pr_context_hunk): As above.
(pr_unidiff_hunk, print_context_header): Likewise.
* src/normal.c (print_normal_hunk): Likewise.
* tests/colors: Adjust existing tests to accommodate this.
* NEWS (Improvements): Mention it.
Proposed in http://bugs.gnu.org/31105
2018-12-29 Jim Meyering <meyering@fb.com>
tests: fix colors test on systems lacking fractional timestamp support
* tests/colors: The .NNNNNNNNN suffix is not printed on some systems.
Adapt the test to accommodate those systems.
tests: strip-trailing-cr: avoid failure with ASAN
Valgrind cannot operate on an ASAN-compiled binary.
* tests/strip-trailing-cr (valgrind): Define as no-op when diff
was compiled with sanitizer support.
2018-12-28 Jim Meyering <meyering@fb.com>
tests: add test for --strip-trailing-cr UMR bug
* tests/strip-trailing-cr: New file. Test for today's bug fix.
* tests/Makefile.am (TESTS): Add it.
tests: import test infrastructure from coreutils
* tests/init.cfg: New file, for require_valgrind_ definition (from coreutils).
* tests/Makefile.am (PATH): Don't set stderr_fileno_ here, since it is
now initialized in init.cfg.
2018-12-28 Paul Eggert <eggert@cs.ucla.edu>
Jim Meyering <jim@meyering.net>
diff: fix UMR with --strip-trailing-cr
Problem reported by Hongxu Chen (Bug#31935).
* src/io.c (prepare_text): Strip trailing CR before
doing the rest of the analysis.
* NEWS: Mention the fix.
2018-12-28 Bruno Haible <bruno@clisp.org>
tests: colors: avoid test failure on AIX 7
* tests/colors: Splice the argument into the printf format string.
2018-12-27 Bruno Haible <address@hidden>
maint: don't use an undocumented Autoconf macro
* configure.ac: Use AC_CONFIG_HEADERS instead of AC_CONFIG_HEADER.
2018-12-23 Jim Meyering <meyering@fb.com>
build: avoid build failure with --enable-gcc-warnings and latest gcc
* src/diff.c (usage): Assert that each line length is no longer than
the minimum required size of 4095. This lets newer gcc (currently
9.0.0 20181219) infer that it need not issue this warning:
diff.c:1012:19: error: '%.*s' directive output between 0 and 2147483647
bytes may exceed minimum required size of 4095
[-Werror=format-overflow=]
1012 | printf (" %.*s", msglen, msg);
build: update gnulib to latest; and bootstrap and init.sh
build: make the autoconf-2.63 requirement explicit
* configure.ac: AC_PREREQ: Require 2.63, not 2.59. And quote properly.
Autoconf-2.63 has been required for some time via gnulib.
This merely makes it explicit.
2018-12-20 Jim Meyering <meyering@fb.com>
maint: use https: in gnu mirror URL prefix, not http
This appears in the generated release announcement message.
* cfg.mk (url_dir_list): Use https: prefix, not http:.
2018-07-24 Paul Eggert <eggert@cs.ucla.edu>
cmp: fix bug in -b diagnostic
Problem reported by mancha (Bug#32249).
* src/cmp.c (count_newlines): Restore old value of sentinel.
* tests/cmp: Test for the bug.
build: update gnulib submodule to latest
2018-05-14 Paul Eggert <eggert@cs.ucla.edu>
doc: prepend "GNU" to NAME in man pages
Requested by RMS.
* src/cmp.c, src/diff.c, src/diff3.c, src/sdiff.c:
Prepend "GNU" to first comment, so that the man page says "GNU".
2018-04-20 Paul Eggert <eggert@cs.ucla.edu>
sdiff: port to mingw
Problem reported by Ross Burton (Bug#31218).
* src/sdiff.c (checksigs): Use ‘raise’, not ‘kill’.
2018-03-23 Paul Eggert <eggert@cs.ucla.edu>
build: update gnulib submodule to latest
2018-01-14 Jim Meyering <meyering@fb.com>
tests: fix quoting error in previous change
* tests/colors: Double-quote $PATH.
2018-01-06 Jim Meyering <meyering@fb.com>
tests: port tests/colors to some env-munging shell
* tests/colors: Also set PATH="$PATH" in env invocation.
maint: update gnulib and copyright dates for 2018
* gnulib: Update to latest.
* all files: Run "make update-copyright".
* bootstrap: Update from gnulib.
maint: suppress gcc's new -Wcast-function-type in gnulib
* configure.ac (WERROR_CFLAGS): Suppress gcc's new -Wcast-function-type
warning in gnulib, because it would trigger on this:
sig-handler.h:47:12: error: cast between incompatible function types\
from 'void (* const)(int, siginfo_t *, void *)' \
{aka 'void (* const)(int, struct <anonymous> *, void *)'} \
to 'void (*)(int)' [-Werror=cast-function-type]
return (sa_handler_t) a->sa_sigaction;
2017-10-22 Jim Meyering <meyering@fb.com>
tests: add expected-failing test for minor subopimality
In some unusual cases, diff -u prints suboptimal output.
* tests/large-subopt: New test script.
* tests/Makefile.am (TESTS): Add it.
(XFAIL_TESTS): Add it here, too, to record that this test is
currently expected to fail.
* tests/large-subopt.in1, tests/large-subopt.in2: Inputs derived from
those in http://bugs.gnu.org/28796
2017-09-23 Jim Meyering <meyering@fb.com>
gnulib: update to latest
2017-05-21 Jim Meyering <meyering@fb.com>
maint: make the announcement template Cc the devel- list
* cfg.mk (announcement_Cc_): Define.
maint: post-release administrivia
* NEWS: Add header line for next release.
* .prev-version: Record previous version.
* cfg.mk (old_NEWS_hash): Auto-update.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.0.6 to 1.0.8
- Update of rootfile
- Changelog
1.0.8 (13 Jul 19)
* Accept as many selectors as the file format allows.
This relaxes the fix for CVE-2019-12900 from 1.0.7
so that bzip2 allows decompression of bz2 files that
use (too) many selectors again.
* Fix handling of large (> 4GB) files on Windows.
* Cleanup of bzdiff and bzgrep scripts so they don't use
any bash extensions and handle multiple archives correctly.
* There is now a bz2-files testsuite at
https://sourceware.org/git/bzip2-tests.git
1.0.7 (27 Jun 19)
* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH
* bzip2: Fix return value when combining --test,-t and -q.
* bzip2recover: Fix buffer overflow for large argv[0]
* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)
* Make sure nSelectors is not out of range (CVE-2019-12900)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 3.7.1 to 3.7.6
- No update of rootfile required
- Changelog is too large to include here
Full changelog can be viewed in ChangeLog file in the source tarball
3.7.6 1 bug fix
3.7.5 4 bug fixes
3.7.4 2 bug fixes
3.7.3 2 bug fixes
3.7.2 6 bug fixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If you have 2GB RAM the build of dnsdist will fail because MAX_PARALLELISM was
set to zero by RAM/2048 because a bit of RAM is used by the system.
This patch ensure that the lowest PARALLELISM value is 1.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog as per https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.5.7:
Changes in version 0.4.5.7 - 2021-03-16
Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
versions of Tor.
One of these vulnerabilities (TROVE-2021-001) would allow an attacker
who can send directory data to a Tor instance to force that Tor
instance to consume huge amounts of CPU. This is easiest to exploit
against authorities, since anybody can upload to them, but directory
caches could also exploit this vulnerability against relays or clients
when they download. The other vulnerability (TROVE-2021-002) only
affects directory authorities, and would allow an attacker to remotely
crash the authority with an assertion failure. Patches have already
been provided to the authority operators, to help ensure
network stability.
We recommend that everybody upgrade to one of the releases that fixes
these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
to you.
This release also updates our GeoIP data source, and fixes a few
smaller bugs in earlier releases.
o Major bugfixes (security, denial of service):
- Disable the dump_desc() function that we used to dump unparseable
information to disk. It was called incorrectly in several places,
in a way that could lead to excessive CPU usage. Fixes bug 40286;
bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
001 and CVE-2021-28089.
- Fix a bug in appending detached signatures to a pending consensus
document that could be used to crash a directory authority. Fixes
bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
and CVE-2021-28090.
o Minor features (geoip data):
- We have switched geoip data sources. Previously we shipped IP-to-
country mappings from Maxmind's GeoLite2, but in 2019 they changed
their licensing terms, so we were unable to update them after that
point. We now ship geoip files based on the IPFire Location
Database instead. (See https://location.ipfire.org/ for more
information). This release updates our geoip files to match the
IPFire Location Database as retrieved on 2021/03/12. Closes
ticket 40224.
o Minor bugfixes (directory authority):
- Now that exit relays don't allow exit connections to directory
authority DirPorts (to prevent network reentry), disable
authorities' reachability self test on the DirPort. Fixes bug
40287; bugfix on 0.4.5.5-rc.
o Minor bugfixes (documentation):
- Fix a formatting error in the documentation for
VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha.
o Minor bugfixes (Linux, relay):
- Fix a bug in determining total available system memory that would
have been triggered if the format of Linux's /proc/meminfo file
had ever changed to include "MemTotal:" in the middle of a line.
Fixes bug 40315; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (metrics port):
- Fix a BUG() warning on the MetricsPort for an internal missing
handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (onion service):
- Remove a harmless BUG() warning when reloading tor configured with
onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (portability):
- Fix a non-portable usage of "==" with "test" in the configure
script. Fixes bug 40298; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (relay):
- Remove a spammy log notice falsely claiming that the IPv4/v6
address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha.
- Do not query the address cache early in the boot process when
deciding if a relay needs to fetch early directory information
from an authority. This bug resulted in a relay falsely believing
it didn't have an address and thus triggering an authority fetch
at each boot. Related to our fix for 40300.
o Removed features (mallinfo deprecated):
- Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
Closes ticket 40309.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
From https://www.openssl.org/news/secadv/20210325.txt:
OpenSSL Security Advisory [25 March 2021]
=========================================
CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
========================================================================
Severity: High
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.
An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.
If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA. All of the named "purpose"
values implemented in libcrypto perform this check. Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.
In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.
OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1k.
OpenSSL 1.0.2 is not impacted by this issue.
This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk
from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was
developed by Tomáš Mráz.
NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=====================================================================
Severity: High
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
is the default configuration). OpenSSL TLS clients are not impacted by this
issue.
All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
should upgrade to OpenSSL 1.1.1k.
OpenSSL 1.0.2 is not impacted by this issue.
This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
developed by Peter Kästle and Samuel Sapalski from Nokia.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
