with some kernel build changes KVER also contains the -ipfire string
so this has to be removed in u-boot.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If we set up our /dev manually, we fail to deal with dynmically allocated loop
devices which are more common on modern distributions.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This reverts commit 7ad12edfb0.
This patch does not fix the original problem and still leaves the build
environment without usable loop devices.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20240813 to 20240910
- Update of rootfile not required
- Changelog
20240910
Security updates for INTEL-SA-01103
Security updates for INTEL-SA-01097
Update for functional issues. Refer to Intel® Core™ Ultra Processor for details.
Update for functional issues. Refer to 13th Generation Intel® Core™ Processor
Specification Update for details.
Update for functional issues. Refer to 12th Generation Intel® Core™ Processor
Family for details.
Update for functional issues. Refer to Intel® Processors and Intel® Core™ i3
N-Series for details.
For information on New Platforms and Updated Platforms see
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases/tag/microcode-20240910
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
It probably doesn't matter much as the get_memory_consumption function just returns 0 when no pids are found. But it shouldn't even try as the mem var is never used when the service is not running.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Adds Zabbix Agent userparameter `ipfire.services.get` for the agent to get details about configured IPFire services (builtin and addon-services)
- Includes `ipfire_services.pl` script in sudoers for Zabbix Agent as it needs root permission to call addonctrl for addon service states.
- Adapts lfs install script to install new script
- Adds new script to rootfiles
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There seems to be a different way how to create loop devices. On my
Debian system, the first loop device is a block device with major=7 and
minor=0, the second device is major=7 and minor=1, and so on.
On a system running Grml, the second loop device has major=7 and
minor=32, and all following ones are increasing their minor by 32
as well instead of one.
Since I don't have an easy way to detect this, we will simply bind-mount
all available loop devices in to the build environment.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.5.9 to 2.5.10
- Update of rootfile not required
- 3 CVE Fixes in this version but all are for Windows installations.
- Changelog
2.5.10
Security fixes
- CVE-2024-27459: Windows: fix a possible stack overflow in the
interactive service component which might lead to a local privilege
escalation.
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-24974: Windows: disallow access to the interactive service
pipe from remote computers.
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
- CVE-2024-27903: Windows: disallow loading of plugins from untrusted
installation paths, which could be used to attack openvpn.exe via
a malicious plugin. Plugins can now only be loaded from the OpenVPN
install directory, the Windows system directory, and possibly from
a directory specified by HKLM\SOFTWARE\OpenVPN\plugin_dir.
Reported-by: Vladimir Tokarev <vtokarev@microsoft.com>
User visible changes
- License amendment: all NEW commits fall under a modified license that
explicitly permits linking with Apache2 libraries (mbedTLS, OpenSSL) -
see COPYING for details. Existing code in the release/2.5 branch
will not been relicensed (only in release/2.6 and later branches).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.9.15p5 to 1.9.16
- Update of rootfile
- Changelog
1.9.16
* Added the "cmddenial_message" sudoers option to provide additional
information to the user when a command is denied by the sudoers
policy. The default message is still displayed.
* The time stamp used for file-based logs is now more consistent
with the time stamp produced by syslog. GitHub issues #327.
* Sudo will now warn the user if it can detect the user's terminal
but cannot determine the path to the terminal device. The sudoers
time stamp file will now use the terminal device number directly.
GitHub issue #329.
* The embedded copy of zlib has been updated to version 1.3.1.
* Improved error handling if generating the list of signals and signal
names fails at build time.
* Fixed a compilation issue on Linux systems without process_vm_readv().
* Fixed cross-compilation with WolfSSL.
* Added a "json_compact" value for the sudoers "log_format" option
which can be used when logging to a file. The existing "json"
value has been aliased to "json_pretty". In a future release,
"json" will be an alias for "json_compact". GitHub issue #357.
* A new "pam_silent" sudoers option has been added which may be
negated to avoid suppressing output from PAM authentication modules.
GitHub issue #216.
* Fixed several cvtsudoers JSON output problems.
GitHub issues #369, #370, #371, #373, #381.
* When sudo runs a command in a pseudo-terminal and the user's
terminal is revoked, the pseudo-terminal's foreground process
group will now receive SIGHUP before the terminal is revoked.
This emulates the behavior of the session leader exiting and is
consistent with what happens when, for example, an ssh session
is closed. GitHub issue #367.
* Fixed "make test" with Python 3.12. GitHub issue #374.
* In schema.ActiveDirectory, fixed the quoting in the example command.
GitHub issue #376.
* Paths specified via a Chdir_Spec or Chroot_Spec in sudoers may
now be double-quoted.
* Sudo insults are now included by default, but disabled unless
the --with-insults configure option is specified or the "insults"
sudoers option is enabled.
* The default sudoers file now enables the "secure_path" option by
default and preserves the EDITOR, VISUAL, and SUDO_EDITOR environment
variables when running visudo. The new --with-secure-path-value
configure option can be used to set the value of "secure_path" in
the default sudoers file. GitHub issue #387.
* A sudoers schema for IBM Directory Server (aka IBM Tivoli Directory
Server, IBM Security Directory Server, and IBM Security Verify
Directory) is now included.
* When cross-compiling sudo, the configure script now assumes that
the snprintf() function is C99-compliant if the C compiler
supports the C99 standard. Previously, configure would use
sudo's own snprintf() when cross-compiling. GitHub issue #386.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 10.0.8 to 10.0.10
- Update of rootfile not required
- Patch for free selection of MTU has been removed as in version 10.0.9 the MTU code
was changed to not apply limits to it.
- Changelog
10.0.10
Reversion of commit "linux: make if_getnetworknamespace static"
10.0.9
Option 2: Fix stdin parsing by @holmanb in #289
IPv4LL: Restart ARP probling on address conflict by @LeoRuan in #340
DHCP: Handle option 108 correctly when receiving 0.0.0.0 OFFER by @taoyl-g
in #342
DHCP: No longer set interface mtu by @rsmarples in #346
Update privsep-linux.c to allow statx by @Jabrwock in #349
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.3.1 to 1.3.2
- Update of rootfile
- 2 CVE Fixes
- Changelog
1.3.2
- [CVE-2024-20506](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20506):
Changed the logging module to disable following symlinks on Linux and Unix
systems so as to prevent an attacker with existing access to the 'clamd' or
'freshclam' services from using a symlink to corrupt system files.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to Detlef for identifying this issue.
- [CVE-2024-20505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-20505):
Fixed a possible out-of-bounds read bug in the PDF file parser that could
cause a denial-of-service (DoS) condition.
This issue affects all currently supported versions. It will be fixed in:
- 1.4.1
- 1.3.2
- 1.0.7
- 0.103.12
Thank you to OSS-Fuzz for identifying this issue.
- Removed unused Python modules from freshclam tests including deprecated
'cgi' module that is expected to cause test failures in Python 3.13.
- Fix unit test caused by expiring signing certificate.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1305)
- Fixed a build issue on Windows with newer versions of Rust.
Also upgraded GitHub Actions imports to fix CI failures.
Fixes courtesy of liushuyu.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1307)
- Fixed an unaligned pointer dereference issue on select architectures.
Fix courtesy of Sebastian Andrzej Siewior.
- Backport of [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1293)
- Fixes to Jenkins CI pipeline.
For details, see [GitHub pull request](https://github.com/Cisco-Talos/clamav/pull/1330)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.6.2 to 2.6.3
- Update of rootfile
- 3 CVE Fixes in this release.
- Changelog
2.6.3
Security fixes:
#887#890 CVE-2024-45490 -- Calling function XML_ParseBuffer with
len < 0 without noticing and then calling XML_GetBuffer
will have XML_ParseBuffer fail to recognize the problem
and XML_GetBuffer corrupt memory.
With the fix, XML_ParseBuffer now complains with error
XML_ERROR_INVALID_ARGUMENT just like sibling XML_Parse
has been doing since Expat 2.2.1, and now documented.
Impact is denial of service to potentially artitrary code
execution.
#888#891 CVE-2024-45491 -- Internal function dtdCopy can have an
integer overflow for nDefaultAtts on 32-bit platforms
(where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
#889#892 CVE-2024-45492 -- Internal function nextScaffoldPart can
have an integer overflow for m_groupSize on 32-bit
platforms (where UINT_MAX equals SIZE_MAX).
Impact is denial of service to potentially artitrary code
execution.
Other changes:
#851#879 Autotools: Sync CMake templates with CMake 3.28
#853 Autotools: Always provide path to find(1) for portability
#861 Autotools: Ensure that the m4 directory always exists.
#870 Autotools: Simplify handling of SIZEOF_VOID_P
#869 Autotools: Support non-GNU sed
#856 Autotools|CMake: Fix main() to main(void)
#865 Autotools|CMake: Fix compile tests for HAVE_SYSCALL_GETRANDOM
#863 Autotools|CMake: Stop requiring dos2unix
#854#855 CMake: Fix check for symbols size_t and off_t
#864 docs|tests: Convert README to Markdown and update
#741 Windows: Drop support for Visual Studio <=15.0/2017
#886 Drop needless XML_DTD guards around is_param access
#885 Fix typo in a code comment
#894#896 Version info bumped from 10:2:9 (libexpat*.so.1.9.2)
to 10:3:9 (libexpat*.so.1.9.3); see https://verbump.de/
for what these numbers do
Infrastructure:
#880 Readme: Promote the call for help
#868 CI: Fix various issues
#849 CI: Allow triggering GitHub Actions workflows manually
#851#872 ..
#873#879 CI: Adapt to breaking changes in GitHub Actions
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.6.1 to 1.7.1
- Move to before qemu build as it now requires a system libfdt for build as the bundled
version has been removed.
- Change HOME= to HOME=/usr so that the include files are placed in /usr/include which
is where qemu is looking for them when it checks that libfdt is available.
- Update disable_Werror patch to take account of differences in the source tarball
- Update of architectures from only aarch64 to all.
- Move rootfile from common/aarch64 to common/
- The previous fdt python files were commented out, hence not used at runtime and are
not needed at buildtime. From 9.0.1 onwards they require swig and python to be built
but as they are not needed there was no point to move swig to before dtc
- Changelog
1.7.1
* dtc
* Fix -Oasm output on PA-RISC by avoiding ';' separators
* Put symbolic label references in -Odts output when possible
* Add label relative path references
* Don't incorrectly attempt to create fixups for reference to path
in overlays
* Warning rather than hard error if integer expression results are
truncated due to cell size
* libfdt
* Add fdt_get_property_by_offset_w() function
* pylibfdt
* Fixed to work with Python 3.10
* A number of extra methods
* Fix out of tree build
* fdtget
* Add raw bytes output mode
* General
* Fixes for mixed-signedness comparison warnings
* Assorted other warning fixes
* Assorted updates to checks
* Assorted bugfixes
* Fix scripts to work with dash as well as bash
* Allow static builds
* Formalize Signed-off-by usage
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 9.0.0 to 9.0.2
- Update of rootfile not required
- From version 9.0.1 onwards the bundled dtc has been removed but is required for the
build. In an associated patch dtc has been moved to before qemu.
- Changelog is only available at x.0 level
9.0 https://wiki.qemu.org/ChangeLog/9.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.1.2 to 9.0.0
- Update of rootfile
- Version 9.0.1 and 9.0.2 no longer have the bundled dtc package to provide the libfdt
library and require a system version but identify the 1.7.1 version of dtc as being
older than 1.5.1. So currently qemu has only been updated to 9.0.0 until the reason
for this is identified and can be fixed. It has been raised as an issue on the qemu
gitlab site.
- Changelog is only available at x.0 level
9.0 https://wiki.qemu.org/ChangeLog/9.0
8.2 https://wiki.qemu.org/ChangeLog/8.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Possible denial of service in X.509 name checks (CVE-2024-6119)
===============================================================
Severity: Moderate
Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.
Impact summary: Abnormal termination of an application can a cause a denial of
service.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.
Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.
TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a "reference identifier" (expected
identity), but rather extract the presented identity after checking the
certificate chain. So TLS servers are generally not affected and the severity
of the issue is Moderate.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.
OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Possible denial of service in X.509 name checks (CVE-2024-6119)
===============================================================
Severity: Moderate
Issue summary: Applications performing certificate name checks (e.g., TLS
clients checking server certificates) may attempt to read an invalid memory
address resulting in abnormal termination of the application process.
Impact summary: Abnormal termination of an application can a cause a denial of
service.
Applications performing certificate name checks (e.g., TLS clients checking
server certificates) may attempt to read an invalid memory address when
comparing the expected name with an `otherName` subject alternative name of an
X.509 certificate. This may result in an exception that terminates the
application program.
Note that basic certificate chain validation (signatures, dates, ...) is not
affected, the denial of service can occur only when the application also
specifies an expected DNS name, Email address or IP address.
TLS servers rarely solicit client certificates, and even when they do, they
generally don't perform a name check against a "reference identifier" (expected
identity), but rather extract the presented identity after checking the
certificate chain. So TLS servers are generally not affected and the severity
of the issue is Moderate.
The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.
OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.0.1 to 2.0.2
- Update of rootfile
- Changelog
2.0.2
* Fix parsing of ID3v2.2 frames.
* Tolerate MP4 files with unknown atom types as generated by Android tools.
* Support setting properties with arbitrary names in MP4 tags.
* Windows: Fix "-p" option in tagwriter example.
* Support building with older utfcpp versions.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.3.2 to 4.3.4
- Update of rootfile
- Changelog is only defined for 4.3, 4.2 etc so the below changelog is for all of 4.3
Cannot determine which things were alreday fixed in 4.3.2 and earlier and which are
from 4.3.3 onwards.
4.3
**Security Updates**
* A crashing bug in NQPTP has been fixed.
* The communications protocol used between NQPTP and Shairport Sync has been
revised and made more resilient to attempted misuse.
* In Linux systems, NQPTP no longer runs as `root` -- instead it runs as the
restriced user `nqptp`, with access to ports 319 and 320 set by the installer
via the `setcap` utility.
**Enhancements**
* A new volume control profile called `dasl-tapered` has been added in which
halving the volume control setting halves the output level.
For example, moving the volume slider from full to half reduces the output
level by 10dB, which roughly corresponds with a perceived halving of the audio
volume level.
Moving the volume slider from half to a quarter reduces the output level by a
a further 10dB.
The tapering rate is slightly modified at the lower end of the range if the
device's attenuation range is restricted (less than about 55dB).
To activate the `dasl-tapered` profile, set the `volume_control_profile` to
`"dasl_tapered"` in the configuration file and restart Shairport Sync.
Many thanks to David Leibovic, aka [dasl-](https://github.com/dasl-), for this.
* On graceful shutdown, an `active_end` signal should now be generated if the
system was in the active state. Addresses issue
[#1647](https://github.com/mikebrady/shairport-sync/issues/1647). Thanks to
[Tucker Kern](https://github.com/mill1000) for raising the issue.
**Bug Fixes**
* Fixed a bug that causes the Docker image to crash occasionally when OwnTone
interrupted an existing iOS session. Thanks to
[aaronk6](https://github.com/aaronk6) for the report.
* Fixed a cross-compliation error caused by not looking for the correct version
of the `ar` tool. The fix was to substitute the correct version during the
`autoreconf` phase. Thanks to
[sternenseemann](https://github.com/sternenseemann) for raising the
[issue](https://github.com/mikebrady/shairport-sync/issues/1705) and the
[PR](https://github.com/mikebrady/shairport-sync/pull/1706) containing the fix.
* Updated the mDNS strings for the Classic AirPlay feature of AP2, so that it
does not appear to provide MFi authentication. Addresses
[this discussion](https://github.com/mikebrady/shairport-sync/discussions/1691).
* Always uses a revision number of 1 when looking for status updates on the DACP
remote control port. This follows a suggestion in
[Issue #1658](https://github.com/mikebrady/shairport-sync/issues/1658). Thanks
to [ejurgensen](https://github.com/ejurgensen), as ever, for the report and
the suggested fix.
* Fixed a `statistics` bug (the minimum buffer size was incorrectly logged) and
also tidy up the statistics logging interval logic for resetting min and max
counters.
* Added an important missing format string argument to a call in the Jack Audio
backend. Many thanks to [michieldwitte] for their
[PR](https://github.com/mikebrady/shairport-sync/pull/1693).
**Maintenance**
* Stopped using a deprecated FFmpeg data structure reference.
* Stopped using deprecated OpenSSL calls. Thanks to [yubiuser] for their
[PR](https://github.com/mikebrady/shairport-sync/pull/1684) -- which did some
of the updating -- and for their guidance.
* Run workflow-based tests on PRs automatically. Thanks to [yubiuser]
for their [PR](https://github.com/mikebrady/shairport-sync/pull/1687).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
