For details see:
https://mmonit.com/monit/changes/
New: Issue #715: The PostgreSQL protocol test has been improved and
now supports authentication with username, password and database
when testing connection. Example:
if failed port 5432
protocol pgsql username "username" password "12345" database "test"
then alert
Previous Monit versions used hardcoded credentials when testing
connection to postgresql (user=root and database=root). This could
trigger thousands of messages like this in the postgresql log:
root@root FATAL: password authentication failed for user "root"
root@root DETAIL: Role "root" does not exist.
Note: Monit will continue to use the hardcoded credentials (for
backward compatibility) unless username and password are set.
New: Issue #973: You can now test program output using a regular
expression. Syntax:
IF CONTENT [!]= <regex> THEN action
Example:
check program disk0_smart with path "/usr/sbin/nvme smart-log /dev/nvme0"
if content != "critical_warning[ ]+: 0" then alert
New: Issue #974: Monit CLI: Added support for the -g (group) option
to the report command. Example:
monit -g database report
Fixed: Issue #991 (Monit 5.28.1 regression): MacOS: Monit didn't
compile on MacOS 10.13 or older. Thanks to Lutz Mader.
Fixed: Issue #994 (Monit 5.28.1 regression): The check program
statement with every did not work properly.
Fixed: Issue #995: Monit start delay was vulnerable to time jumps
when Monit is waiting for the delay to pass. Thanks to Daniel Crowe.
Fixed: Issue #975: Monit CLI: Monit did not report a warning if -s,
-p, -l, -g or -c command-line options were specified multiple times
and silently used the last value only. Monit will generate a warning
now.
Fixed: Issue #972: Monit GUI: The log view had no size limit when
reading the Monit log file and could block the browser if the log
file was large.
Fixed: Issue #955: If more than one every statement is used in
a check-service context only the last value is (silently) used.
We now report a warning in this case.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 3.3.7 to 3.3.8
- Update of rootfile not required
- Changelog
Version 3.3.8
**Enhancements**
* Documentation for the MQTT interface. Many thanks to [minix1234](https://github.com/minix1234)!
**Bug Fixes**
* Fix a bug in the `alsa` back end. In the interval between checking that the alsa
device handle was non-`NULL` and actually using it, the handle could be set to
`NULL`. The interval between check and usage is now protected.
* Fix a bug in the `alsa` precision timing code. Thanks to
[durwin99](https://github.com/durwin99),
[Nicolas Da Mutten](https://github.com/cleverer),
[mistakenideas](https://github.com/mistakenideas),
[Ben Willmore](https://github.com/ben-willmore) and
[giggywithit](https://github.com/giggywithit) for the
[report](https://github.com/mikebrady/shairport-sync/issues/1158).
* Fix a bug that caused Shairport Sync to hang, but not actually crash, if an
`on-...` script failed.
* Fix a crash that occurred if metadata support is enabled during compilation but
turned off in the configuration file. Thanks to
[Tim Curtis](https://github.com/moodeaudio) for the report.
* Fix a crash that occurred playing from AirPower on Android. Thanks to
[Ircama](https://github.com/Ircama) for the report.
* Fix the configure.ac file so that `--without-<feature>` configuration options
are not interpreted as `--with-<feature>` options instead! Thanks to
[David Racine](https://github.com/bassdr) for the report.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Addition of mdadm module to logwatch
- Addition of logwatch to sudoers list to run mdadm commands
- patch to change logwatch mdadm.conf to allow scan for raid drives, change mdadm script
to run mdadm scan commands with sudo, allow clean but degraded drives to be listed
in the output.
Fixes: 12080
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 9.54 to 9.55.0
- Update rootfile
- Changelog
Version 9.55.0 (2021-09-27)
Highlights in this release include:
This release includes the fix for the %pipe% security issue (CVE-2021-3781).
New PDF Interpreter: This is an entirely new implementation written in C (rather
than PostScript, as before). For a full discussion of this change and reasons for
it see: Changes Coming to the PDF Interpreter.
In this (9.55.0) release, the new PDF interpreter is disabled by default in
Ghostscript, but can be used by specifying -dNEWPDF. We hope to make it the
default in 9.56.0, and fully deprecate the PostScript implementation shortly
after that (depending on the feedback we get).
This also allows us to offer a new executable (gpdf, or gpdfwin??.exe on Windows)
which is purely for PDF input. For this release, those new binaries are not
included in the "install" make targets, nor in the Windows installers (they will
be from 9.56.0 onwards).
We would ask that as many users as possible take the opportunity to test with the
new PDF implementation (i.e. using -dNEWPDF on your gs command line), and discuss
any problems with us, before the new implementation becomes the default.
The pdfwrite device now supports "passthrough" for JPX/JPG2000 data images (as
well as the already supported JPEG/DCT Encoded). That means that if no rescaling
or color conversion of the image data is required, the encoded/compressed image
data from the input file will be written unchanged to the output, preventing
potential image degradation caused by decompressing and recompressing.
The Ghostscript/GhostPDL demo apps for C, C#, Java and Python have all had
improvements and the C#/Java/Python language bindings have now been documented,
see Ghostscript Language Bindings
The Zugferd compliant PDF generating definitions (lib/zugferd.ps) have been
updated and expanded to support the current version (2.1.1) of the Zugferd spec,
and optionally different versions of the specification.
The PCL/m output devices now support Duplex/Tumble.
The internal support for "n-up" style simple imposition (introduced in 9.54.0) has
been extended and improved for better support across all input formats.
Ghostscript now supports object specific halftone - for example, different
halftones can be specified for text and images, reflecting the differing needs of
rendering those two types of object.
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental improvements.
(9.53.0) We have added the capability to build with the Tesseract OCR engine. In
such a build, new devices are available (pdfocr8/pdfocr24/pdfocr32) which render
the output file to an image, OCR that image, and output the image "wrapped" up as
a PDF file, with the OCR generated text information included as "invisible" text
(in PDF terms, text rendering mode 3).
Mainly due to time constraints, we only support including Tesseract from source
included in our release packages, and not linking to Tesseract/Leptonica shared
libraries. Whether we add this capability will be largely dependent on community
demand for the feature.
See Enabling OCR for more details.
For a list of open issues, or to report problems, please visit bugs.ghostscript.com.
Incompatible changes
(9.55.0) Changes to the device API. This will affect developers and maintainers of
Ghostscript devices. Firstly, and most importantly, the way device-specific
"procs" are specified has been rewritten to make it (we think!) clearer and less
confusing. See The Interface between Ghostscript and Device Drivers and The Great
Device Rework Of 2021 for more details.
(9.55.0) The command line options -sGraphicsICCProfile=___, -dGraphicsIntent=#,
-dGraphicsBlackPt=#, -dGraphicsKPreserve=# have been changed to
-sVectorICCProfile=___, -dVectorIntent=#, -dVectorBlackPt=#,
-dVectorKPreserve=#.
From 9.55.0 onwards, in recognition of how unwieldy very large HTML files can become
(History9.html had reached 8.1Mb!), we intend to only include the summary
highlights (above).
For anyone wanting the full details of the changes in a release, we ask them to look
at the history in our public git repository: ghostpdl-9.55.0 log.
If this change does not draw negative feedback, History?.htm file(s) will be removed
from the release archives.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 4.14.0.2 to 4.14.0.4
- Update of rootfile
- Changelog
v4.14.0.4 Release date: 2021-09-17
Changed:
Rebased with official coreboot repository commit d9f5d90
Enabled EHCI controller by default on apu3-apu6 platforms
Updated sortbootorder to v4.6.22
Added:
Safeguard against setting watchdog timeout too low
Known issues:
apuled driver doesn't work in FreeBSD. Check the GPIOs document for workaround.
Some PCIe cards are not detected on certain OSes and/or in certain mPCIe slots.
Check the mPCIe modules document for solution/workaround.
Booting with 2 USB 3.x sticks plugged in apu4 sometimes results in detecting
only 1 stick
Certain USB 3.x sticks happen to not appear in boot menu
Booting Xen is unstable
v4.14.0.3 Release date: 2021-08-06
Changed:
Rebased with official coreboot repository commit c049c80
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 1.19.1 to 1.19.2
- Update of rootfile not required
- Changelog
Major changes in 1.19.2 (2021-07-22)
This is a bug fix release.
* Fix a denial of service attack against the KDC encrypted challenge
code [CVE-2021-36222].
* Fix a memory leak when gss_inquire_cred() is called without a
credential handle.
krb5-1.19.2 changes by ticket ID
8989 Fix typo in enctypes.rst
8992 Avoid rand() in aes-gen test program
9005 Fix argument type errors on Windows
9006 doc build fails with Sphinx 4.0.2
9007 Fix KDC null deref on bad encrypted challenge
9014 Using locking in MEMORY krb5_cc_get_principal()
9015 Fix use-after-free during krad remote_shutdown()
9016 Memory leak in krb5_gss_inquire_cred
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Create lfs and rootfile
- Add exfatprogs to make.sh
- exfat is supported as a native kernel module since kernel 5.7
- This package requires CONFIG_EXFAT_FS=m to be set for the kernel module for each
architecture that will be supported. Currently that is only i586
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 3.0.9 (2013) to 4.2 (2021)
- Update rootfile
- Program names changed in version 2.0.18
dosfslabel became fatlabel
dosfsck became fsck.fat
and mkdosfs became mkfs.fat
- Added --enable-compat-symlinks to ./configure command to maintain original names as
symlinks
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Upstream commit 500b9137d0a9dd31e40f0d1effdba0aafeb94ca4 changes the
behaviour of this script in case of invalid or unresolvable FQDNs,
preventing Squid from eventually shutting down due to too many BH's per
time.
Since this allows (authenticated) users to run a DoS against the Squid
instance, it is considered to be security relevant.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this u-boot version cannot build without python2 that is removed
with core161 so this copy the binary from older build.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Final patch for removal of python2 from IPFire. This can be implemented in an
appropriate Core Update after all other python2 related patches have been implemented
and confirmed working.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This package adds an ASNBL helper for detecting Fast Flux setups and
selectively announced networks (i. e. FQDNs resolving to IP addresses
not being announced by an Autonomous System) to the distribution.
Afterwards, the helper script is located at /usr/bin/asnbl-helper.py .
The second version of this patch updates squid-asnbl to upstream version
0.2.2, improving logging in case of detected Fast Flux setups.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
rockchip has a large bootloader so this also increase the gap between partitiontable
and fist partition to 16MB on aarch64
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
u-boot for nanopi r2s (rockchip rk3328) need dtc to build the image
so this adds dtc as build dependency for u-boot
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Impementation of libyang-2.0.7 as a dependency for the build of frr
- Creation of rootfile with all entries commented out so that it is only used for the build
libyang is a YANG data modelling language parser and toolkit written (and providing API)
in C.In the future if there is demand to use these functions in frr then this package
may need to be moved from a build only option to a dependency for frr providing the
yang libraries.
- Added into make.sh just before frr
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- This v2 version used the frr-8.0.1 source instead of the frr-frr-8.0 source
- Update from 6.0 to 8.0.1
- 8.0.1 requires libyang for the build. Introduced with separate patch in this series.
- 6.0 is only compilable with python2.
python3 compatability was introduced in version 7.4
- Previously confirmed that building frr-8.0 was successful with only python3 available
- Added --disable-static to the ./configure options.
- Rootfile updated
- Changelog from 6.0 to 8.0.1 is too large to include here. It can be viewed to obtain
more details at https://github.com/FRRouting/frr/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Added --without-rlm_python to ./configure to allow running without python2
- Updated rootfile
- Updated patch for preventing cert generation during buildtime to work with new
version of source code
- Update from 3.0.21 to 3.0.23
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- v2 version adds $(MAKETUNING) variable to ninja build command
- Update from 0.12.13 to 0.14.3
- Update rootfile
- Remove automake py-compile line from lfs. This only works with python2
Not clear why this line was put into the lfs. Searched the documentation of spice
and qemu and could not find any reference to needing any of the python modules in spice
to be installed either as modules or compiled in. The only references found in general
searches were to modules such as python-virtinst, python-spice-client-gtk or
python-websockify, none of which are in the python modules in spice.
- Removing the automake py-compile line from the lfs enables spice-protocol, spice and
qemu to build without python2 being present.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- v2 version of series to add $(MAKETUNING) variable to ninja in spice-protocol
- Update from 0.14.0 to 0.15.0
- Update rootfile
- Version 0.15.0 of spice requires version 0.14.3 or higher of spice-protocol
- Changelog
Major Changes in 0.15:
This is the first release in the new 0.15.x stable series. This release should
be ready for production use.
* Minor updates to CI
* Some compatibility with OpenSSL
* Change the behavior of handle_dev_start ignoring multiple start requests
* Ignore multiple calls to handle_dev_stop
* Pick up newer spice-common to fix a buffer overflow issue
Major Changes in 0.14.91:
**IMPORTANT**
0.14.91 is the first release candidate for the stable 0.15.x series. While some
bugs might still be present, it should be reasonably stable. If you are looking
for stability for daily use, please keep using the latest 0.14.x release.
* Support UNIX abstract sockets
* Fix some potential thread race condition in RedClient
* Many cleanups in the code
* Improve migration test script
* Update in protocol documentation
* Improve Meson build
* Removed CELT support
* Update CI
* Removed QXLWorker definition, it was deprecated 6 years ago
* Fix some compatibility with MacOS
* Fix some compatibility with Windows
* Move the project to C++
* Some fixes for SASL dealing with WebDAV
* Fix minor Coverity reports
* Add Doxygen support, manually built with "make doxy"
* Support more mouse buttons (up to 16 buttons)
* CVE-2020-14355 multiple buffer overflow vulnerabilities in QUIC decoding
code
Major Changes in 0.14.3:
Main changes are WebSocket and support for Windows.
* Add support for WebSocket, this will allow to use spice-html5 without proxy
* Support Windows, now Qemu Windows can be build enabling Spice
* Fix some alignment problem
* Converted some documentation to Asciidoc format to make easier to update,
updated some
* Minor compatibility fix for PPC64EL and ARMHF
* Minor fixes for big endian machines like MIPS
* Avoid some crashes with some buggy guest drivers, simply ignore the invalid
request
* Fix for old OpenSSL versions
* Minor fix for Windows clients and brushes, fixed an issue with Photoshop
under Windows 7
* Add ability to query video-codecs
* Small use-after-free fix
* Fix for debugging recording/replaying using QUIC images
* Fix a regression where spice reported no monitors to the client
* Fix DoS in spicevmc if WebDAV used
* Updated and improved test migration script
* Some minor fixes to smartcard support
* Avoid possible disconnection using proxies using a in-flow keepalive
mechanism
Major Changes in 0.14.2:
Main changes are support for Meson build and graphic device info
messages allowing to better support multi-monitor configurations.
* CVE-2019-3813: fix off-by-one error in group/slot boundary check
* support H265 in stream-channel
* add support for building with meson/ninja
* minor tests fixes improving CI
* set char device state for smartcard, allowing Qemu optimization
* improve red-parse-qxl.c interface making it more consistent
* add some instrumentation for streaming device
* QXL interface: add a function to identify monitors in the guest
(spice_qxl_set_device_info)
* add support for GraphicsDeviceInfo messages
* video-stream: prevent crash on stream reattach
* make channel client callbacks virtual functions
* bumped minimum required glib version to 2.38
* attempt to have a reliable led state for keyboard modifiers
Major Changes in 0.14.1:
The main change in this release is the addition of a new protocol extension
in order to support streaming the remote display as a video stream rather than
going through the QXL protocol. Together with spice-streaming-agent, and/or with
more work on the qemu/spice-server side, this should allow streaming of 3D
accelerated VMs in the future. At this point, this part of spice-server is
still a work in progress (multi-monitor support and various features are
missing).
* add new org.spice-space.stream.0 channel used for passing an encoded video
stream from the guest to the client
* add support for TCP_CORK to reduce the amount of packets that we send
* fix CVE-2018-10873
* fix cursor related migration crash
* fix regression causing sound recording to be muted after
client disconnection/reconnection (introduced in 0.13.90)
* fix regression in corner cases where images could be sent uncompressed
when they used to be compressed with QUIC
* disable TLS 1.0 support
* CELT 0.5.1 support is now disabled by default. If celt051-devel is installed
at build-time, --enable-celt051/--disable-celt051 must be explicitly specified
* drop support for unsupported OpenSSL version. OpenSSL 1.0.0 or newer is now
required
* bumped minimum required glib version to 2.32
* endianness fixes
* (small) leak fixes
* usual round of code cleanups
* not directly related to this release, but the upstream git repository is now
hosted on gitlab.freedesktop.org
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Implement python3 version of certdata2pem.py script from fedora
- Modify build.sh to work with python3 script that uses p11-kit based on fedora
approach - https://src.fedoraproject.org/rpms/ca-certificates/tree/rawhide
- Extraction of cert files now uses p11-kit which requires libtasn1 as a build
dependency
- Updated rootfile
- Updated ca-certificates installed into a vm and confirmed to download a file from an
https site with the same results as with existing ca-certfictaes system
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 0.9.3 to 0.9.6
0.9.4 and 0.9.6 are security releases
- Update rootfile
- Changelog
libssh 0.9.6 security release
This is a security release of libssh to address CVE-2021-3634 (moderate impact), a
possible heap-buffer overflow when rekeying. A workaround exists. More details can be
found in the advisory.
In addition the 0.9.6 version addresses some memory leaks in error path, an AEAD
handshake and some more.
CVE-2021-3634: Fix possible heap-buffer overflow when rekeying with different key exchange mechanism
Fix several memory leaks on error paths
Reset pending_call_state on disconnect
Fix handshake bug with AEAD ciphers and no HMAC overlap
Use OPENSSL_CRYPTO_LIBRARIES in CMake
Ignore request success and failure message if they are not expected
Support more identity files in configuration
Avoid setting compiler flags directly in CMake
Support build directories with special characters
Include stdlib.h to avoid crash in Windows
Fix sftp_new_channel constructs an invalid object
Fix Ninja multiple rules error
Several tests fixes
libssh 0.9.5
The libssh team is happy to announce another bugfix release of libssh as version
0.9.5. It offers bug fixes for several issues found by our users.
This includes a fix for CVE-2020-16135, however we do not see how this would be
exploitable at all. If you find a security bug in libssh please don’t just assign a
CVE, talk to us first.
CVE-2020-16135: Avoid null pointer dereference in sftpserver (T232)
Improve handling of library initialization (T222)
Fix parsing of subsecond times in SFTP (T219)
Make the documentation reproducible
Remove deprecated API usage in OpenSSL
Fix regression of ssh_channel_poll_timeout() returning SSH_AGAIN
Define version in one place (T226)
Prevent invalid free when using different C runtimes than OpenSSL (T229)
Compatibility improvements to testsuite
libssh 0.9.4 security release
This is a security release of libssh to address CVE-2020-1730 (moderate impact), a
possible Denial of Service (DoS) in client and server when handling AES-CTR keys with
OpenSSL. A workaround exists. More details can be found in the advisory.
In addition the this version addresses several memory leaks and adds support for
diffie-hellman-group14-sha256 key exchange.
Fixed CVE-2020-1730 (Possible DoS in client and server when handling AES-CTR keys with OpenSSL)
Added diffie-hellman-group14-sha256
Fixed several possible memory leaks
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 5.9.2 to 5.9.3
- Update of rootfile not required
- Changelog
strongswan-5.9.3
- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
- Added AES_CCM and SHA-3 signature support to openssl plugin.
- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
available, before verifying signatures, which avoids unnecessary signature
verifications after a CA key rollover if both certificates are loaded.
- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
previously depended on a version check.
- charon-nm now supports using SANs as client identities, not only full DNs.
- charon-tkm now handles IKE encryption.
- A MOBIKE update is sent again if a a change in the NAT mappings is detected
but the endpoints stay the same.
- Converted most of the test case scenarios to the vici interface
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
