This fixes an HTML error that is briefly visible
on the "magic packet sent" page.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 10.39 to 10.40
- Update of rootfile
- Changelog
Version 10.40 15-April-2022
1. Merged patch from @carenas (GitHub #35, 7db87842) to fix pcre2grep incorrect
handling of multiple passes.
2. Merged patch from @carenas (GitHub #36, dae47509) to fix portability issue
in pcre2grep with buffered fseek(stdin).
3. Merged patch from @carenas (GitHub #37, acc520924) to fix tests when -S is
not supported.
4. Revert an unintended change in JIT repeat detection.
5. Merged patch from @carenas (GitHub #52, b037bfa1) to fix build on GNU Hurd.
6. Merged documentation and comments patches from @carenas (GitHub #47).
7. Merged patch from @carenas (GitHub #49) to remove obsolete JFriedl test code
from pcre2grep.
8. Merged patch from @carenas (GitHub #48) to fix CMake install issue #46.
9. Merged patch from @carenas (GitHub #53) fixing NULL checks in matching and
substituting.
10. Add null_subject and null_replacement modifiers to pcre2test.
11. Add check for NULL subject to POSIX regexec() function.
12. Add check for NULL replacement to pcre2_substitute().
13. For the subject arguments of pcre2_match(), pcre2_dfa_match(), and
pcre2_substitute(), and the replacement argument of the latter, if the pointer
is NULL and the length is zero, treat as an empty string. Apparently a number
of applications treat NULL/0 in this way.
14. Added support for Bidi_Class and a number of binary Unicode properties,
including Bidi_Control.
15. Fix some minor issues raised by clang sanitize.
16. Very minor code speed up for maximizing character property matches.
17. A number of changes to script matching for \p and \P:
(a) Script extensions for a character are now coded as a bitmap instead of
a list of script numbers, which should be faster and does not need a
loop.
(b) Added the syntax \p{script:xxx} and \p{script_extensions:xxx} (synonyms
sc and scx).
(c) Changed \p{scriptname} from being the same as \p{sc:scriptname} to being
the same as \p{scx:scriptname} because this change happened in Perl at
release 5.26.
(d) The standard Unicode 4-letter abbreviations for script names are now
recognized.
(e) In accordance with Unicode and Perl's "loose matching" rules, spaces,
hyphens, and underscores are ignored in property names, which are then
matched independent of case.
18. The Python scripts in the maint directory have been refactored. There are
now three scripts that generate pcre2_ucd.c, pcre2_ucp.h, and pcre2_ucptables.c
(which is #included by pcre2_tables.c). The data lists that used to be
duplicated are now held in a single common Python module.
19. On CHERI, and thus Arm's Morello prototype, pointers are represented as
hardware capabilities, which consist of both an integer address and additional
metadata, meaning they are twice the size of the platform's size_t type, i.e.
16 bytes on a 64-bit system. The ovector member of heapframe happens to only be
8 byte aligned, and so computing frame_size ended up with a multiple of 8 but
not 16. Whilst the first frame was always suitably aligned, this then
misaligned the frame that follows, resulting in an alignment fault when storing
a pointer to Fecode at the start of match. Patch to fix this issue by Jessica
Clarke PR#72.
20. Added -LP and -LS listing options to pcre2test.
21. A user discovered that the library names in CMakeLists.txt for MSVC
debugger (PDB) files were incorrect - perhaps never tried for PCRE2?
22. An item such as [Aa] is optimized into a caseless single character match.
When this was quantified (e.g. [Aa]{2}) and was also the last literal item in a
pattern, the optimizing "must be present for a match" character check was not
being flagged as caseless, causing some matches that should have succeeded to
fail.
23. Fixed a unicode properrty matching issue in JIT. The character was not
fully read in caseless matching.
24. Fixed an issue affecting recursions in JIT caused by duplicated data
transfers.
25. Merged patch from @carenas (GitHub #96) which fixes some problems with
pcre2test and readline/readedit:
* Use the right header for libedit in FreeBSD with autoconf
* Really allow libedit with cmake
* Avoid using readline headers with libedit
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 1.29 to 1.31
- Update of rootfile not required
- Changelog
Version 1.31
In ipvsadm(8) add using nft or an eBPF program to set a packet mark
Add --pe sip option in ipvsadm(8) man page
ipvsadm: allow tunneling with gre encapsulation
Merge branch 'GUE-encap'
ipvsadm: allow tunneling with gue encapsulation
ipvsadm: convert options to unsigned long long
Version 1.30
Merge: ipvsadm: Document/add support for fo/ovf/mh schedulers
Add support for mh scheduler
Document support of ovf scheduler
Document support of fo scheduler
libipvs: fix some buffer sizes
libipvs: discrepancy with libnl genlmsg_put
ipvsadm: catch the original errno from netlink answer
Version 1.29
ipvsadm: new attributes for sync daemon
ipvsadm: support 64-bit stats and rates
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 2.2.4 to 2.2.7
- Update of rootfile
- Changelog
Release 2.2.7 brings lots of improvements and fix some minor issues reported. It add
some new VRRP features as well. Stability has been even more extended.
New
ipvs: Add support to twos scheduler.
vrrp: Add vrf option for unicast without specifying an interface.
vrrp: Add option unicast_fault_no_peer. Previously if unicast_src_ip (or any
other unicast option) was specified, but no unicast peers were
configured, then the VRRP instance would operate in multicast mode. A
user has identified that, due to automatic configuration generation,
they could have a configuration that should operate in unicast mode,
but that no unicast peers were configured. In this case, they did not
want the VRRP instance to revert to multicast mode. In order to
maintain backward compatibility, keepalived can’t simply change to not
allowing no unicast peers. Instead, this commit adds the configuration
option “unicast_fault_no_peer”, which if specified causes the VRRP
instance to go to fault state if no unicast peers are configured.
vrrp: Allow specification of multicast address to be used.
vrrp: Add vrf option to static and vrrp routes.
vrrp: Add option to resend vrrp states on fifos after reload. Since
keepalived restarts FIFOs scripts it is managing when a reload occurs,
it can be helpful to send the VRRP instance and group states after a
reload. This commit adds option fifo_write_vrrp_states_on_reload to do
that, and it means that what is written to the FIFOs with default
configuration does not change.
vrrp: Allow duplication of VRIDs on an interface with unicast peers. If two
VRRP instances are using unicast peers and there is no overlap of
unicast peers between the vrrp instances, then the vrrp instances can
use the same VRIDs.
global: Don’t assume running as user root.
systemd: Add keepalived-non-root.service systemd service file.
keepalived-non-root.service allows keepalived to be run as a non
root user, but with specific added capabilities to allow all the
functionality that keepalived needs.
Improvements
vrrp: Stop receiving any data on garp and ndisc sockets. This is a send-only
channel.
vrrp: Open gratuitous ARP socket as an ARP socket rather than RARP. Now that
the receiving of packets on the garp socket has been stopped, we can
open the socket with the correct type of binding, and we won’t have a
queue of received messages build up.
vrrp: Extend cBPF filtering code to support standard definition.
vrrp: Optimise nftables configuration to limit some rules to macvlans. If we
are moving messages that have been generated on a macvlan, we nftables
rules can be optimised to restrict them to macvlan interfaces.
vrrp: Drop ICMPV6 Router Solicitation messages from vmac interfaces. When we
create a vmac interface, a short time afterwards the kernel sends a
router solicition message with the source MAC address of the vmac
interface. The problem is that this will upset snooping switches if
the VRRP instance is in backup state. Furthermore, we can’t simply
move the packet onto the underlying interface since the ICMPV6 payload
also contains the MAC address of the vmac interface. We can’t just
change the MAC address in the ICMPV6 message, since there is also a
checksum which would need to be recalculated. The only solution at the
moment is to drop the packet. This shouldn’t be a problem since the
underlying interface should have sent a Router solicitation message
when it came up.
vrrp: Add option to specify MAC address for VMACs.
vrrp: Don’t lose some configuration faults. The following errors were being
detected in vrrp_complete_instance() and the VRRP instance was then
supposed to be put into fault state since it couldn’t operate.
However, the need to go to fault state was subsequently being lost.
The configuration errors that were being lost were: (a) Configuring
use of a VMAC on a non Ethernet interface (b) Attempting to use
multicast on an interface that doesn’t support it (c) Using an ipvlan
without a source IP address (d) ipvlan address family not matching
VRRP isntance’s (e) VRID conflicts on an interface which could be
deleted an recreated on a different interface (f) An interface
specified for a VIP is the same as the VRRP instance’s VMAC or another
VRRP instance’s VMAC. This improvement ensures that the VRRP instance
will be put into, and remain in, fault state, since it cannot
successfully operate. As can be seen from the list of circumstances
above, they were very unlikely to occur, but were possible.
vrrp: Bind IPv6 socket to multicast address. Previously IPv6 sockets were
being bound to the ::1 address, since trying to bind to the multicast
address was failing. The reason for failing has now been discovered to
be that the scope_id needed to be set (i.e. the interface index),
since the multicast addresses that we use are link-local multicast
addresses. This improvement now sets the scope_id, so the socket can
successfully be bound to the multicast address.
vrrp: Set IPV6_MULTICAST_ALL on IPv6 sockets if available.
vrrp: Some SNMP extension and improvements: - Correct FastOpenNoCookie and
L3Mdev variable types - Don’t write multicast address to SNMP when
using unicast. - Don’t write unconfigured LVS sync daemon address to
SNMP. - Define and use SNMP_TruthValue. - Define and use
SNMP_InetAddressType. - Correct reporting accept mode for VRRPv3 SNMP.
vrrp: Misc DBus improvements (Opening, logging, data_dir, policy, …)
vrrp: Handle VMAC’s interface changing on reload properly.
vrrp: If accept traffic for VIPs changes on reload, update firewall.
vrrp: Stop going to backup if reload IPv6 and change vmac_xmit_base.
vrrp: Add add/prepend/append options to static and virtual routes. The
kernel by default prepends routes, whereas the ip (iproute2) utility
be default adds routes (adding a route does not allow duplicates
whereas appending or prepending does). keepalived previously has not
set the flags relating to this, and so has always prepended routes.
This means that duplicate routes could be created.
lib: Update Red Black tree code to Linux 5.15-rc4.
script: Extend sample_notify_fifo.sh.
doc: Misc documentation updates.
docker: Upate docker file.
init: Init handling extensions. Make parent process exit with meaningful
status on error. Ensure systemd is not notified of successful start if
failed. fix building without systemd notify suport.
bfd: handle unexpected closure of pipe to checker and vrrp processes. If the
parent process abnormally terminates and then the BFD process
terminates due to PDEATHSIG before the vrrp or checker processes
terminate, the vrrp and checker processes can get a read error on the
pipes used to communicate with the BFD process.
bfd: make BFD work when IPv6 disabled on system.
Fixes
lib: Fix calculating CLOCK_REALTIME and CLOCK_MONOTONIC offsets.
lib: scheduler: Handle cancelling timer thread on ready queue. The timer
thread on the ready queue, if cancelled, was corrupting the read
list_head, since it assumed it was on a red black tree.
snap: Fix building snaps.
ipvs: Fix building with glibc prior to v2.19 (released 2014).
bfd: Handle interface down/address missing when keepalived starts. This
resolves a segfault, and also makes bfd retry once per minute to create
send socket if it cannot do so due to no address to bind to on an
interface.
vrrp: Fix unicast with interface in a VRF domain.
vrrp: Fix moving excess VIPs to eVIPs, by properly handling vip_cnt.
vrrp: Fix configured IPv6 multicast addresses with VMACs. Using different
multicast addresses with IPv6 on the same interface without using
VMACs is only supported if the kernel supports IPV6_MULTICAST_ALL
(from Linux v4.20).
vrrp: Fix checking for unicast with VMAC/ipvlan and no peers.
vrrp: Fix checking if have unicast ppers if unicast_ttl specified.
vrrp: Don’t segfault if duplicate VMAC name, but ignore second name.
vrrp: Don’t delete and recreate VMAC on reload if only VRID has changed.
There seems to be an issue deleting and then immediately recreating a
VMAC on the same interface. This commit therefore simply changes the
MAC address if the only change is the VRID.
vrrp: Fix nftables config if VMAC interface changed on reload.
vrrp: Don’t segfault if don’t have permission for ARP/NDISC socket.
vrrp: Fix IPv6 with vmac_xmit_base.
vrrp: fix disabling vmac-xmit-base with VRRPv3 IPv6 use_vmac.
vrrp: Fix specifying user/group for vrrp_scripts.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from v3.3.16 to v4.0.0
- added --disable-static to ./configure to remove static libs from rootfile
- Update of rootfile
- Changed lib name. Ran ./make.sh find-dependencies. No dependencies on old libraries
- Changelog
procps-ng-4.0.0
* Rename pwait to pidwait
* free: Add committed line option merge #25
* free: Fix -h --si combined options issue #133, #223
* free: Fix first column justification issue #229, #204, #206, Debian #1001689
* free: Better spacing for Chinese language issue #213
* library: renamed to libproc-2 and reset to 0:0:0
* library: add support for accessing smaps_rollup issue #112, #201
* library: add support for accessing autogroups
* library: add support for LIBPROC_HIDE_KERNEL env var merge #147
* library: add support for cpu utilization to pids i/f
* pkill: Check for lt- variants of program name issue #192
* pgrep: Add newline after regex error message merge #91
* pgrep: Fix selection where uid/gid > 2^31 merge !146
* pgrep: Select on cgroup v2 paths issue #168
* ps: Add OOM and OOMADJ fields issue #198
* ps: Add IO Accounting fields issue #184
* ps: Add PSS and USS fields issue #112
* ps: Add two new autogroup fields
* ps: Ignore SIGURG merge !142
* slabtop: Don't combine d and o options issue #160
* sysctl: Add support for systemd glob patterns issue #191
* sysctl: Check resolved path to be under /proc/sys issue #179
* sysctl: return non-zero if EINVAL return for write merge #76
* sysctl.conf.5: Note max line length issue #77
* top: added LOGID similar to 3.3.13 ps LUID
* top: added EXE identical to 3.3.17 ps EXE
* top: exploit some library smaps_rollup provisions issue #112
* top: added four new IO accounting fields issue #184
* top: 'F' key is now a new forest view 'focus' toggle
* top: summary area memory lines can print two abreast
* top: added two new autogroup fields
* top: added long versions of command line options
* top: added cpu utilization & 2 time related fields
* top: the time related fields can now be user scaled
* uptime: print short/pretty format correctly issue #217
* vmstat: add -y option to remove first line merge !72
procps-ng-3.3.17
* library: Incremented to 8:3:0
(no removals or additions, internal changes only)
* all: properly handle utf8 cmdline translations issue #176
* kill: Pass int to signalled process merge #32
* pgrep: Pass int to signalled process merge #32
* pgrep: Check sanity of SG_ARG_MAX issue #152
* pgrep: Add older than selection merge #79
* pidof: Quiet mode merge #83
* pidof: show worker threads Redhat #1803640
* ps.1: Mention stime alias issue #164
* ps: check also match on truncated 16 char comm names
* ps: Add exe output option Redhat #1399206
* pwait: New command waits for a process merge #97
* sysctl: Match systemd directory order Debian #950788
* sysctl: Document directory order Debian #951550
* top: ensure config file backward compatibility Debian #951335
* top: add command line 'e' for symmetry with 'E' issue #165
* top: add '4' toggle for two abreast cpu display issue #172
* top: add '!' toggle for combining multiple cpus
* top: fix potential SEGV involving -p switch merge #114
* vmstat: Wide mode gives wider proc columns merge #48
* watch: Add environment variable for interval merge #62
* watch: Add no linewrap option issue #182
* watch: Support more colors merge #106,#109
* free,uptime,slabtop: complain about extra ops issue #181
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 1.50.4 to 1.50.6
- Update of rootfile
- Changelog
Overview of changes in 1.50.6, 19-03-2022
- Drop hb-glib dependency
- Fix test font configuration
- Maintain order in pango_attr_list_change
- Fix a use-after-free in pango_attr_list_change
Overview of changes in 1.50.5, 03-03-2022
* Fix compiler warnings
* Enable cairo by default
* pango-view: Show more baselines
* layout: Handle baselines
* Windows: build cleanups
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
This attribute is recommended by W3C, because it is used by
screen readers to provide the correct pronunciation.
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 4.15.5 to 4.16.0
- Update of rootfile
- perl-JSON now added to samba requirements. Additional patch combined with this on for
install of perl-JSON
- Changelog
Release Notes for Samba 4.16.0
NEW FEATURES/CHANGES
New samba-dcerpcd binary to provide DCERPC in the member server setup
In order to make it much easier to break out the DCERPC services
from smbd, a new samba-dcerpcd binary has been created.
samba-dcerpcd can be used in two ways. In the normal case without
startup script modification it is invoked on demand from smbd or
winbind --np-helper to serve DCERPC over named pipes. Note that
in order to run in this mode the smb.conf [global] section has
a new parameter "rpc start on demand helpers = [true|false]".
This parameter is set to "true" by default, meaning no changes to
smb.conf files are needed to run samba-dcerpcd on demand as a named
pipe helper.
It can also be used in a standalone mode where it is started
separately from smbd or winbind but this requires changes to system
startup scripts, and in addition a change to smb.conf, setting the new
[global] parameter "rpc start on demand helpers = false". If "rpc
start on demand helpers" is not set to false, samba-dcerpcd will
refuse to start in standalone mode.
Note that when Samba is run in the Active Directory Domain Controller
mode the samba binary that provides the AD code will still provide its
normal DCERPC services whilst allowing samba-dcerpcd to provide
services like SRVSVC in the same way that smbd used to in this
configuration.
The parameters that allowed some smbd-hosted services to be started
externally are now gone (detailed below) as this is now the default
setting.
samba-dcerpcd can also be useful for use outside of the Samba
framework, for example, use with the Linux kernel SMB2 server ksmbd or
possibly other SMB2 server implementations.
Heimdal-8.0pre used for Samba Internal Kerberos, adds FAST support
Samba has since Samba 4.0 included a snapshot of the Heimdal Kerberos
implementation. This snapshot has now been updated and will closely
match what will be released as Heimdal 8.0 shortly.
This is a major update, previously we used a snapshot of Heimdal from
2011, and brings important new Kerberos security features such as
Kerberos request armoring, known as FAST. This tunnels ticket
requests and replies that might be encrypted with a weak password
inside a wrapper built with a stronger password, say from a machine
account.
In Heimdal and MIT modes Samba's KDC now supports FAST, for the
support of non-Windows clients.
Windows clients will not use this feature however, as they do not
attempt to do so against a server not advertising domain Functional
Level 2012. Samba users are of course free to modify how Samba
advertises itself, but use with Windows clients is not supported "out
of the box".
Finally, Samba also uses a per-KDC, not per-realm 'cookie' to secure part of
the FAST protocol. A future version will align this more closely with
Microsoft AD behaviour.
If FAST needs to be disabled on your Samba KDC, set
kdc enable fast = no
in the smb.conf.
Certificate Auto Enrollment
Certificate Auto Enrollment allows devices to enroll for certificates from
Active Directory Certificate Services. It is enabled by Group Policy.
To enable Certificate Auto Enrollment, Samba's group policy will need to be
enabled by setting the smb.conf option `apply group policies` to Yes. Samba
Certificate Auto Enrollment depends on certmonger, the cepces certmonger
plugin, and sscep. Samba uses sscep to download the CA root chain, then uses
certmonger paired with cepces to monitor the host certificate templates.
Certificates are installed in /var/lib/samba/certs and private keys are
installed in /var/lib/samba/private/certs.
Ability to add ports to dns forwarder addresses in internal DNS backend
The internal DNS server of Samba forwards queries non-AD zones to one or more
configured forwarders. Up until now it has been assumed that these forwarders
listen on port 53. Starting with this version it is possible to configure the
port using host:port notation. See smb.conf for more details. Existing setups
are not affected, as the default port is 53.
CTDB changes
* The "recovery master" role has been renamed "leader"
Documentation and logs now refer to "leader".
The following ctdb tool command names have changed:
recmaster -> leader
setrecmasterrole -> setleaderrole
Command output has changed for the following commands:
status
getcapabilities
The "[legacy] -> recmaster capability" configuration option has been
renamed and moved to the cluster section, so this is now:
[cluster] -> leader capability
* The "recovery lock" has been renamed "cluster lock"
Documentation and logs now refer to "cluster lock".
The "[cluster] -> recovery lock" configuration option has been
deprecated and will be removed in a future version. Please use
"[cluster] -> cluster lock" instead.
If the cluster lock is enabled then traditional elections are not
done and leader elections use a race for the cluster lock. This
avoids various conditions where a node is elected leader but can not
take the cluster lock. Such conditions included:
- At startup, a node elects itself leader of its own cluster before
connecting to other nodes
- Cluster filesystem failover is slow
The abbreviation "reclock" is still used in many places, because a
better abbreviation eludes us (i.e. "clock" is obvious bad) and
changing all instances would require a lot of churn. If the
abbreviation "reclock" for "cluster lock" is confusing, please
consider mentally prefixing it with "really excellent".
* CTDB now uses leader broadcasts and an associated timeout to
determine if an election is required
The leader broadcast timeout can be configured via new configuration
option
[cluster] -> leader timeout
This specifies the number of seconds without leader broadcasts
before a node calls an election. The default is 5.
REMOVED FEATURES
Older SMB1 protocol SMBCopy command removed
SMB is a nearly 30-year old protocol, and some protocol commands that
while supported in all versions, have not seen widespread use.
One of those is SMBCopy, a feature for a server-side copy of a file.
This feature has been so unmaintained that Samba has no testsuite for
it.
The SMB1 command SMB_COM_COPY (SMB1 command number 0x29) was
introduced in the LAN Manager 1.0 dialect and it was rendered obsolete
in the NT LAN Manager dialect.
Therefore it has been removed from the Samba smbd server.
We do note that a fully supported and tested server-side copy is
present in SMB2, and can be accessed with "scopy" subcommand in
smbclient)
SMB1 server-side wildcard expansion removed
Server-side wildcard expansion is another feature that sounds useful,
but is also rarely used and has become problematic - imposing extra
work on the server (both in terms of code and CPU time).
In actual OS design, wildcard expansion is handled in the local shell,
not at the remote server using SMB wildcard syntax (which is not shell
syntax).
In Samba 4.16 the ability to process file name wildcards in requests
using the SMB1 commands SMB_COM_RENAME (SMB1 command number 0x7),
SMB_COM_NT_RENAME (SMB1 command number 0xA5) and SMB_COM_DELETE (SMB1
command number 0x6) has been removed.
SMB1 protocol has been deprecated, particularly older dialects
We take this opportunity to remind that we have deprecated and
disabled by default, but not removed, the whole SMB1 protocol since
Samba 4.11. If needed for security purposes or code maintenance we
will continue to remove older protocol commands and dialects that are
unused or have been replaced in more modern SMB1 versions.
We specifically deprecate the older dialects older than "NT LM 0.12"
(also known as "NT LANMAN 1.0" and "NT1").
Please note that "NT LM 0.12" is the dialect used by software as old
as Windows 95, Windows NT and Samba 2.0, so this deprecation applies
to DOS and similar era clients.
We do reassure that that 'simple' operation of older clients than
these (eg DOS) will, while untested, continue for the near future, our
purpose is not to cripple use of Samba in unique situations, but to
reduce the maintaince burden.
Eventually SMB1 as a whole will be removed, but no broader change is
announced for 4.16.
In the rare case where the above changes cause incompatibilities,
users requiring support for these features will need to use older
versions of Samba.
No longer using Linux mandatory locks for sharemodes
smbd mapped sharemodes to Linux mandatory locks. This code in the Linux kernel
was broken for a long time, and is planned to be removed with Linux 5.15. This
Samba release removes the usage of mandatory locks for sharemodes and the
"kernel share modes" config parameter is changed to default to "no". The Samba
VFS interface is kept, so that file-system specific VFS modules can still use
private calls for enforcing sharemodes.
smb.conf changes
Parameter Name Description Default
-------------- ----------- -------
kernel share modes New default No
dns forwarder Changed
rpc_daemon Removed
rpc_server Removed
rpc start on demand helpers Added true
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 2.35.1 to 2.36.0
- Update of rootfile
- Changelog
2.36 Release Notes
These are too long to include here. To see the details go to the following link
https://raw.githubusercontent.com/git/git/master/Documentation/RelNotes/2.36.0.txt
2.35.3.txt Release Notes
This release merges up the fixes that appear in v2.35.3.
2.35.2 Release Notes
This release merges up the fixes that appear in v2.30.3,
v2.31.2, v2.32.1, v2.33.2 and v2.34.2 to address the security
issue CVE-2022-24765; see the release notes for these versions
for details.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 5.62 to 5.63
- Update of rootfile not required
- Changelog
Version 5.63, 2022.03.15
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.2.
* New features
- Updated stunnel.spec to support bash completion
* Bugfixes
- Fixed possible PRNG initialization crash (thx to Gleydson Soares).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.0.4 to 1.0.5
- Update of rootfile not required
- Changelog
Version 1.0.5
* Added CI test for GitHub.
* Migrated manpage system to txt2man.
* Modernized system install.
* Set right permissions to source code.
* Updated README and added a CONTRIBUTING file.
* Other minor changes and improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 5.14 to 5.17
- Update of rootfile not required
- Changelog
Noteworthy changes in release 5.17 (2022-03-26)
* Improvements
* Added 64-bit LoongArch architecture support.
* Extended personality designation syntax of syscall specification expressions
to support all@pers and %class@pers.
* Enhanced rejection of invalid syscall numbers in syscall specification
expressions.
* Implemented decoding of set_mempolicy_home_node syscall, introduced
in Linux 5.17.
* Implemented decoding of IFLA_GRO_MAX_SIZE and TCA_ACT_IN_HW_COUNT netlink
attributes.
* Implemented decoding of PR_SET_VMA operation of prctl syscall.
* Implemented decoding of siginfo_t.si_pkey field.
* Implemented decoding of LIRC ioctl commands.
* Updated lists of FAN_*, IORING_*, IOSQE_*, KEY_*, KVM_*, MODULE_INIT_*,
TCA_ACT_*, and *_MAGIC constants.
* Updated lists of ioctl commands from Linux 5.17.
Noteworthy changes in release 5.16 (2022-01-10)
* Improvements
* Implemented --secontext=mismatch option to find mismatches in SELinux
contexts.
* Implemented decoding of futex_waitv syscall introduced in Linux 5.16.
* Implemented decoding of BPF_LINK_GET_NEXT_ID and BPF_LINK_GET_FD_BY_ID bpf
syscall commands.
* Enhanced decoding of BPF_MAP_CREATE, BPF_PROG_TEST_RUN, and BPF_PROG_LOAD
bpf syscall commands.
* Enhanced decoding of BTRFS_IOC_FS_INFO ioctl command.
* Updated lists of AUDIT_*, BPF_*, BTRFS_*, DEVCONF_*, FAN_*, ETH_P_*,
IPV4_DEVCONF_*, KVM_*, NDA_*, SO_*, and V4L2_* constants.
* Updated lists of ioctl commands from Linux 5.16.
* Bug fixes
* Fixed build for older Android.
Noteworthy changes in release 5.15 (2021-12-01)
* Improvements
* Implemented --strings-in-hex=non-ascii-chars option for using hexadecimal
numbers instead of octal ones in escape sequences in the output strings.
* Implemented --decode-pids=comm option (and its alias -Y) for printing
command names for PIDs.
* Implemented --decode-pids=pidns as an alias to --pidns-translation option.
* Implemented printing of current working directory when AT_FDCWD constant
is used with --decode-fds=path option enabled.
* Improved printing of syscall names in places where the associated
AUDIT_ARCH_* value is present (ptrace PTRACE_GET_SYSCALL_INFO request,
SIGSYS siginfo_t).
* Implemented decoding of process_mrelease syscall, introduced in Linux 5.15.
* Implemented decoding of SECCOMP_GET_NOTIF_SIZES operation of seccomp
syscall.
* Implemented decoding of HDIO_*, KD*, and SECCOMP_* ioctl commands.
* Implemented decoding of RTM_NEWCACHEREPORT, RTM_{NEW,DEL,GET}NEXTHOP,
and RTM_{NEW,GET}STATS NETLINK_ROUTE netlink messages.
* Implemented decoding of AF_ALG, AF_IEEE802154, AF_MCTP, AF_NFC, AF_QIPCRTR,
AF_RRPC, AF_VSOCK, and AF_XDP socket addresses.
* Implemented decoding of AF_BRIDGE and AF_MCTP protocols for IFLA_AF_SPEC
netlink attribute.
* Implemented decoding of IFLA_BR_MCAST_QUERIER_STATE, IFLA_BR_MULTI_BOOLOPT,
IFLA_INET6_RA_MTU, IFLA_INFO_SLAVE_DATA, and IFLA_VFINFO_LIST netlink
attributes.
* Enhanced decoding of io_uring_register and times syscalls.
* Enhanced IFLA_BR_FORWARD_DELAY, IFLA_BR_MAX_AGE, IFLA_EXT_MASK,
IFLA_PROTINFO, *_INTVL, and *_TIMER netlink attribute decoding.
* Enhanced decoding of AF_IPX and AF_NETLINK socket addresses.
* Updated lists o AF_*, ARPHRD_*, BTRFS_*, DEVCONF_*, DM_*, ETH_P_*,
FAN_REPORT_*, IORING_*, MOVE_MOUNT_*, MPOL_*, PACKET_*, RTM_*, SO_*,
and XFRM_MSG_* constants.
* Updated lists of ioctl commands from Linux 5.15.
* Bug fixes
* Fixed printing of struct bpf_prog_info.map_ids array.
* Fixed behaviour of "dev", "pidfd", and "socket" arguments of the --print-fds
option to no longer imply the "path" argument.
* Fixed insufficient buffer size used for network interface name printing,
that previously led to assertions on attempts of printing interface names
that require quoting, for example, names longer than 4 characters in -xx
mode (addresses RHBZ bug #2028146).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.5.7 (2016) to 0.5.9 (2017)
- Update of rootfile
- This patch brings lcdproc up to date with the most recent release.
- Although there are no new releases there are continuing ongoing commits and issue fixes
being done in the repository with the last commit being in Dec 2021.
Not sure why no new releases are being done. It looks like any of the commits that fix
issuse people have raised have to be patched by the interested people.
- Changelog
0.5.9
This is mostly a code cleanup, bugfix and maintainance release.
Drivers supporting new hardware or additional functionality
HD44780 connection type "serial" supports Portwell EZIO-100 and EZIO-300
HD44780 connection type "gpio" supports dual controller displays.
This connection type is now a full replacement for the obsolete "rpi"
connection type.
Removed configure flags
enable-permissive-menu-goto is replaced by a setting in LCDd.conf
enable-seamless-hbars is now selected by drivers that need it automatically
Other important changes
The build system now specifies the language as C99.
API: drivers need to include "shared/report.h" instead of "report.h"
libftdi1 is used if it is available instead of obsolete libftdi
display update interval is selectable from LCDd.conf
0.5.8
New drivers
futaba: for Futaba TOSD-5711BB VFDisplay commonly used on Elonex Artisan,
Fujitsu Scaleo E and FIC Spectra Media Centre PCs
linux_input: supporting event devices from the linux input subsystem
Olimex_MOD_LCD1x9: for Olimex MOD-LCD1x9
yard2LCD: for yard2
New connection types for hd44780 driver
lcm162 is a differently wired 8 bit connection type used on Nextgate NSA
network appliances
gpio is using the linux sysfs gpio interface to control a display in
4-bit mode. To build this sub-driver you need
libugpio, which is a new dependency
for lcdproc.
Obsolete connection types for hd44780 driver
The following connection types are obsolete and probably won't get bug
and security fixes:
raspberrypi: use the gpio connection type instead
piplate: use the gpio connection type together with the gpio-mcp23s08
kernel module.
pifacecad: use the gpio connection type together with the gpio-mcp23s08
kernel module.
i2c: support for this sub-driver might continue for the users of
non-linux operating systems. On linux systems it is recommended to
use the gpio connection type together with the gpio-pcf857x kernel
module.
Drivers supporting new hardware or additional functionality
icp_a106 now also supports A125 displays
NoritakeVFD added some non-essential features
Other important changes
Development of lcdproc moved to github.
Some internal data structures have changed. If you have custom LCDd
drivers, you will need to recompile them against the new version. Of
course submitting such drivers in pull requests is appreciated.
For a detailed list of bug fixes, see the ChangeLog.md included in the
distribution archive.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 7.11 to 7.15
- Update of rootfile
- Changelog
7.15
Kernel part changes
netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt()
7.14
Userspace changes
Add missing function to libipset.map and bump library version
Kernel part changes
64bit division isn't allowed on 32bit, replace it with shift
7.13
Userspace changes
When parsing protocols by number, do not check it in /etc/protocols.
Add missing hunk to patch "Allow specifying protocols by number"
Kernel part changes
Limit the maximal range of consecutive elements to add/delete fix
7.12
Userspace changes
Allow specifying protocols by number
Fix example in ipset.8 manpage
tests: add tests ipset to nftables
add ipset to nftables translation infrastructur
lib: Detach restore routine from parser
lib: split parser from command execution
Fix patch "Parse port before trying by service name"
Kernel part changes
Limit the maximal range of consecutive elements to add/delete
Backport "netfilter: use nfnetlink_unicast()"
Backport "netfilter: nfnetlink: consolidate callback type"
Backport "netfilter: nfnetlink: add struct nfnl_info and pass it to
callbacks"
Backport "netfilter: add helper function to set up the nfnetlink header
and use it"
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 3.4.0 to 4.2.0
- Update of rootfile
- Changelog
Overview of changes leading to 4.2.0
Wednesday, March 30, 2022
- Source code reorganization, splitting large hb-ot-layout files into smaller,
per-subtable ones under OT/Layout/*. Code for more tables will follow suit in
later releases. (Garret Rieger, Behdad Esfahbod)
- Revert Indic shaper change in previous release that broke some fonts and
instead make per-syllable restriction of “GSUB” application limited to
script-specific Indic features, while applying them and discretionary
features in one go. (Behdad Esfahbod)
- Fix decoding of private in gvar table. (Behdad Esfahbod)
- Fix handling of contextual lookups that delete too many glyphs. (Behdad Esfahbod)
- Make “morx” deleted glyphs don’t block “GPOS” application. (Behdad Esfahbod)
- Various build fixes. (Chun-wei Fan, Khaled Hosny)
- New API
+hb_set_next_many() (Andrew John)
Overview of changes leading to 4.1.0
Wednesday, March 23, 2022
- Various OSS-Fuzz fixes. (Behdad Esfahbod)
- Make fallback vertical-origin match FreeType’s. (Behdad Esfahbod)
- Treat visible viramas like dependent vowels in USE shaper. (David Corbett)
- Apply presentation forms features and discretionary features in one go in
Indic shaper, which seems to match Uniscribe and CoreText behaviour.
(Behdad Esfahbod, David Corbett)
- Various bug fixes.
- New API
+hb_set_add_sorted_array() (Andrew John)
Overview of changes leading to 4.0.1
Friday, March 11, 2022
- Update OpenType to AAT mappings for “hist” and “vrtr” features.
(Florian Pircher)
- Update IANA Language Subtag Registry to 2022-03-02. (David Corbett)
- Update USE shaper to allow any non-numeric tail in a symbol cluster, and
remove obsolete data overrides. (David Corbett)
- Fix handling of baseline variations to return correctly scaled values.
(Matthias Clasen)
- A new experimental hb_subset_repack_or_fail() to repack an array of objects,
eliminating offset overflows. The API is not available unless HarfBuzz is
built with experimental APIs enabled. (Qunxin Liu)
- New experimental API
+hb_link_t
+hb_object_t
+hb_subset_repack_or_fail()
Overview of changes leading to 4.0.0
Tuesday, March 1, 2022
- New public API to create subset plan and gather information on things like
glyph mappings in the final subset. The plan can then be passed on to perform
the subsetting operation. (Garret Rieger)
- Draw API for extracting glyph shapes have been extended and finalized and is
no longer an experimental API. The draw API supports glyf, CFF and CFF2
glyph outlines tables, and applies variation settings set on the font as well
as synthetic slant. The new public API is not backward compatible with the
previous, non-public, experimental API. (Behdad Esfahbod)
- The hb-view tool will use HarfBuzz draw API to render the glyphs instead of
cairo-ft when compiled with Cairo 1.17.5 or newer, setting HB_DRAW
environment variable to 1 or 0 will force using or not use the draw API,
respectively. (Behdad Esfahbod)
- The hb-shape and hb-view tools now default to using HarfBuzz’s own font
loading functions (ot) instead of FreeType ones (ft). They also have a new
option, --font-slant, to apply synthetic slant to the font. (Behdad Esfahbod)
- HarfBuzz now supports more than 65535 (the OpenType limit) glyph shapes and
metrics. See https://github.com/be-fonts/boring-expansion-spec/issues/6 and
https://github.com/be-fonts/boring-expansion-spec/issues/7 for details.
(Behdad Esfahbod)
- New API to get the dominant horizontal baseline tag for a given script.
(Behdad Esfahbod)
- New API to get the baseline positions from the font, and synthesize missing
ones. As well as new API to get font metrics and synthesize missing ones.
(Matthias Clasen)
- Improvements to finding dependencies on Windows when building with Visual
Studio. (Chun-wei Fan)
- New buffer flag, HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT, that must be set
during shaping for HB_GLYPH_FLAG_UNSAFE_TO_CONCAT flag to be reliably
produced. This is to limit the performance hit of producing this flag to when
it is actually needed. (Behdad Esfahbod)
- Documentation improvements. (Matthias Clasen)
- New API
- General:
+HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT
+hb_var_num_t
- Draw:
+hb_draw_funcs_t
+hb_draw_funcs_create()
+hb_draw_funcs_reference()
+hb_draw_funcs_destroy()
+hb_draw_funcs_is_immutable()
+hb_draw_funcs_make_immutable()
+hb_draw_move_to_func_t
+hb_draw_funcs_set_move_to_func()
+hb_draw_line_to_func_t
+hb_draw_funcs_set_line_to_func()
+hb_draw_quadratic_to_func_t
+hb_draw_funcs_set_quadratic_to_func()
+hb_draw_cubic_to_func_t
+hb_draw_funcs_set_cubic_to_func()
+hb_draw_close_path_func_t
+hb_draw_funcs_set_close_path_func()
+hb_draw_state_t
+HB_DRAW_STATE_DEFAULT
+hb_draw_move_to()
+hb_draw_line_to()
+hb_draw_quadratic_to()
+hb_draw_cubic_to()
+hb_draw_close_path()
+hb_font_get_glyph_shape_func_t
+hb_font_funcs_set_glyph_shape_func()
+hb_font_get_glyph_shape()
- OpenType layout
+HB_OT_LAYOUT_BASELINE_TAG_IDEO_FACE_CENTRAL
+HB_OT_LAYOUT_BASELINE_TAG_IDEO_EMBOX_CENTRAL
+hb_ot_layout_get_horizontal_baseline_tag_for_script()
+hb_ot_layout_get_baseline_with_fallback()
- Metrics:
+hb_ot_metrics_get_position_with_fallback()
- Subset:
+hb_subset_plan_t
+hb_subset_plan_create_or_fail()
+hb_subset_plan_reference()
+hb_subset_plan_destroy()
+hb_subset_plan_set_user_data()
+hb_subset_plan_get_user_data()
+hb_subset_plan_execute_or_fail()
+hb_subset_plan_unicode_to_old_glyph_mapping()
+hb_subset_plan_new_to_old_glyph_mapping()
+hb_subset_plan_old_to_new_glyph_mapping()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 22.02.0 to 22.04.0
- Update of rootfile
- Changelog
Release 22.04.0:
core:
* Fix underline sometimes being drawn only partially
* Fix Adobe Reader not reading some of the contents we write correctly
* Fix code that workarounds some broken-ish files
* FoFiTrueType: Parse CFF2 fonts too
* FoFiTrueType: Support cmap types 2 and 13
* Fix a few small memory leaks
* code improvements
qt:
* Handle SaveAs named action
* Annotations: don't change the text color when changing the font
utils:
* pdftotext: print creation and modification date when using htmlmeta param
glib:
* Fix returning internal data of temporary strings
cpp:
* Fix code incompatibility with MSVC
build system:
* poppler internal library is no longer forced to static on MSVC
* Error out if iconv is not available and the cpp frontend is enabled
* Require FreeType 2.8
Release 22.03.0:
core:
* Signature: Fix finding Signatures that are in Pages not not in the global the Forms object
* Signature: Improve getting the path to the firefox certificate database
* Splash: Fix rendering of some joints. Issue #1212
* Fix get_poppler_localdir for relocatable Windows builds
* Minor code improvements
qt:
* Minor code improvements
utils:
* pdfimages: Fix the wrong Stream being passed for drawMaskedImage
build system:
* Small code improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 1.0.11 to 1.0.12
- Update of rootfile not required
- Changelog
Overview of changes between 1.0.11 and 1.0.12
* Various fuzzing fixes.
- Looking at the details in the commits it looks like fribidi's use of the word fuzzing
fixes basically means bug fixes. Included are fixes for a segmentation violation and a
stack buffer overflow
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 3.7.0 to 3.8.0
- Update of rootfile
- Changelog
* Released as 3.8.0.
* Filters can now match devices based on partially specified
class code and also on the programming interface.
* Reporting of link speeds, power limits, and virtual function tags
has been updated to the current PCIe specification.
* We decode the Data Object Exchange capability.
* Bus mapping mode works in non-zero domains.
* pci_fill_info() can fetch more fields: bridge bases, programming
interface, revision, subsystem vendor and device ID, OS driver,
and also parent bridge. Internally, the implementation was rewritten,
significantly reducing the number of corner cases to be handled.
* The Windows port was revived and greatly improved by Pali Rohár.
It requires less magic to compile. More importantly, it runs on both
old and recent Windows systems (see README.Windows for details).
* Added a new Windows back-end using the cfgmgr32 interface.
It does not provide direct access to the configuration space,
but basic information about the device is reported via pci_fill_info().
For back-ends of this type, we now provide an emulated read-only
config space.
* If the configuration space is not readable for some reason
(e.g., the cfgmgr32 back-end, but also badly implemented sleep mode
of some devices), lspci prints only information provided by the OS.
* The Hurd back-end was greatly improved thanks to Joan Lledó.
* Various minor bug fixes and improvements.
* We officially require a working C99 compiler. Sorry, MSVC.
* As usually, updated pci.ids to the current snapshot of the database.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This patch adds default values and removes a missing translation
to fix "uninitialized value" and "odd number of elements" warnings.
Removes function calls from functions.pl that have already been
handled by the header before it is loaded by eval().
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Full changelog as per https://github.com/rhboot/efibootmgr/releases/tag/17:
various CI updates
Make.defaults: fix pkg-config invocation for LDFLAGS
make_linux_load_option(): add some more efi_error() calls
Change the default partition choice.
Don't set LIBEFIBOOT_REPORT_GPT_ERRORS=1
Make it easier to build with a devel branch of efivar
efibootmgr -e: improve parsing for efivar-36 compat
Fix an invalid free()
Propogate verbosity to libefivar 36's internal logging facility
Add a bit more logging
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This algorithm was introduced in OpenSSH 9.0p1; also, align the
curve25519-sha256* key exchanges to keep things tidy.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Relevant changelog part, as retrieved from https://www.openssh.com/txt/release-9.0:
Changes since OpenSSH 8.9
=========================
This release is focused on bug fixing.
Potentially-incompatible changes
--------------------------------
This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.
In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.
New features
------------
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ("sntrup761x25519-sha512@openssh.com").
The NTRU algorithm is believed to resist attacks enabled by future
quantum computers and is paired with the X25519 ECDH key exchange
(the previous default) as a backstop against any weaknesses in
NTRU Prime that may be discovered in the future. The combination
ensures that the hybrid exchange offers at least as good security
as the status quo.
We are making this change now (i.e. ahead of cryptographically-
relevant quantum computers) to prevent "capture now, decrypt
later" attacks where an adversary who can record and store SSH
session ciphertext would be able to decrypt it once a sufficiently
advanced quantum computer is available.
* sftp-server(8): support the "copy-data" extension to allow server-
side copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform
server-side file copies.
Bugfixes
--------
* ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output
fd closes without data in the channel buffer. bz3405 and bz3411
* sshd(8): pack pollfd array in server listen/accept loop. Could
cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
* ssh-keygen(1): avoid NULL deref via the find-principals and
check-novalidate operations. bz3409 and GHPR#307 respectively.
* scp(1): fix a memory leak in argument processing. bz3404
* sshd(8): don't try to resolve ListenAddress directives in the sshd
re-exec path. They are unused after re-exec and parsing errors
(possible for example if the host's network configuration changed)
could prevent connections from being accepted.
* sshd(8): when refusing a public key authentication request from a
client for using an unapproved or unsupported signature algorithm
include the algorithm name in the log message to make debugging
easier.
Portability
-----------
* sshd(8): refactor platform-specific locked account check, fixing
an incorrect free() on platforms with both libiaf and shadow
passwords (probably only Unixware) GHPR#284,
* ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3)
parsing of K/M/G/etc quantities. bz#3401.
* sshd(8): provide killpg implementation (mostly for Tandem NonStop)
GHPR#301.
* Check for missing ftruncate prototype. GHPR#301
* sshd(8): default to not using sandbox when cross compiling. On most
systems poll(2) does not work when the number of FDs is reduced
with setrlimit, so assume it doesn't when cross compiling and we
can't run the test. bz#3398.
* sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix sandbox
violations on some (at least i386 and armhf) 32bit Linux platforms.
bz#3396.
* Improve detection of -fzero-call-used-regs=all support in
configure script.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog as retrieved from https://cisofy.com/changelog/lynis/#307:
- MALW-3290 - Show status of malware components
- OS detection for RHEL 6 and Funtoo Linux
- Added service manager openrc
- DBS-1804 - Added alias for MariaDB
- FINT-4316 - Support for newer Ubuntu versions
- MALW-3280 - Added Trend Micro malware agent
- NETW-3200 - Allow unknown number of spaces in modprobe blacklists
- PKGS-7320 - Support for Garuda Linux and arch-audit
- Several improvements for busybox shell
- Russian translation of Lynis extended
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.28/doc/arm/html/notes.html#notes-for-bind-9-16-28
"Notes for BIND 9.16.28
New Features
Add a new configuration option reuseport to disable load balancing
on sockets in situations where processing of Response Policy Zones
(RPZ), Catalog Zones, or large zone transfers can cause service
disruptions. See the BIND 9 ARM for more detail. [GL #3249]
Bug Fixes
Invalid dnssec-policy definitions, where the defined keys did not
cover both KSK and ZSK roles for a given algorithm, were being
accepted. These are now checked, and the dnssec-policy is rejected
if both roles are not present for all algorithms in use. [GL #3142]
Handling of TCP write timeouts has been improved to track the
timeout for each TCP write separately, leading to a faster
connection teardown in case the other party is not reading the data.
[GL #3200]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Changelog:
"5.0.9 -- 2022-04-21
Security #4889: ftp: SEGV at flow cleanup due to protocol confusion
Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input
Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5253: Infinite loop in JsonFTPLogger
Feature #4644: pthreads: set minimum stack size
Bug #4466: dataset file not written when run as user
Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4745: Absent app-layer protocol is always enabled by default
Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4823: conf: quadratic complexity
Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4838: af-packet: cluster_id is not used when trying to set fanout support
Bug #4878: datasets: memory leak in 5.0.x
Bug #4887: dnp3: buffer over read in logging base64 empty objects
Bug #4891: protodetect: SMB vs TLS protocol detection in midstream
Bug #4893: TFTP: memory leak due to missing detect state
Bug #4895: Memory leak with signature using file_data and NFS
Bug #4897: profiling: Invalid performance counter when using sampling
Bug #4901: eve: memory leak related to dns
Bug #4932: smtp: smtp transaction not logged if no email is present
Bug #4955: stream: too aggressive pruning in lossy streams
Bug #4957: SMTP assertion triggered
Bug #4959: suricatasc loop if recv returns no data
Bug #4961: dns: transaction not created when z-bit set
Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet
Bug #5058: dns: probing/parser can return error when it should return incomplete
Bug #5063: Not keyword matches in Kerberos requests
Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5099: htp: server personality radix handling issue
Bug #5101: defrag: policy config can setup radix incorrectly
Bug #5103: Application log cannot to be re-opened when running as non-root user
Bug #5105: iprep: cidr support can set up radix incorrectly
Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5109: swf: coverity warning
Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string
Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #5137: smb: excessive memory use during file transfer
Bug #5150: nfs: Integer underflow in NFS
Bug #5157: xbits: noalert is allowed in rule language with other commands
Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #5171: detect/iponly: non-cidr netmask settings can lead incorrect radix tree
Bug #5193: SSL : over allocation for certificates
Bug #5213: content:"22 2 22"; is parsed without error
Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow.
Bug #5251: smb: integer underflows and overflows
Task #5006: libhtp 0.5.40"
Additionally, I moved the 'suricata' patch files into a separate directory.
Apart from some line numbers, nothing else was changed.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
