- Update from version 5.62 to 5.63
- Update of rootfile not required
- Changelog
Version 5.63, 2022.03.15
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.2.
* New features
- Updated stunnel.spec to support bash completion
* Bugfixes
- Fixed possible PRNG initialization crash (thx to Gleydson Soares).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.0.4 to 1.0.5
- Update of rootfile not required
- Changelog
Version 1.0.5
* Added CI test for GitHub.
* Migrated manpage system to txt2man.
* Modernized system install.
* Set right permissions to source code.
* Updated README and added a CONTRIBUTING file.
* Other minor changes and improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 5.14 to 5.17
- Update of rootfile not required
- Changelog
Noteworthy changes in release 5.17 (2022-03-26)
* Improvements
* Added 64-bit LoongArch architecture support.
* Extended personality designation syntax of syscall specification expressions
to support all@pers and %class@pers.
* Enhanced rejection of invalid syscall numbers in syscall specification
expressions.
* Implemented decoding of set_mempolicy_home_node syscall, introduced
in Linux 5.17.
* Implemented decoding of IFLA_GRO_MAX_SIZE and TCA_ACT_IN_HW_COUNT netlink
attributes.
* Implemented decoding of PR_SET_VMA operation of prctl syscall.
* Implemented decoding of siginfo_t.si_pkey field.
* Implemented decoding of LIRC ioctl commands.
* Updated lists of FAN_*, IORING_*, IOSQE_*, KEY_*, KVM_*, MODULE_INIT_*,
TCA_ACT_*, and *_MAGIC constants.
* Updated lists of ioctl commands from Linux 5.17.
Noteworthy changes in release 5.16 (2022-01-10)
* Improvements
* Implemented --secontext=mismatch option to find mismatches in SELinux
contexts.
* Implemented decoding of futex_waitv syscall introduced in Linux 5.16.
* Implemented decoding of BPF_LINK_GET_NEXT_ID and BPF_LINK_GET_FD_BY_ID bpf
syscall commands.
* Enhanced decoding of BPF_MAP_CREATE, BPF_PROG_TEST_RUN, and BPF_PROG_LOAD
bpf syscall commands.
* Enhanced decoding of BTRFS_IOC_FS_INFO ioctl command.
* Updated lists of AUDIT_*, BPF_*, BTRFS_*, DEVCONF_*, FAN_*, ETH_P_*,
IPV4_DEVCONF_*, KVM_*, NDA_*, SO_*, and V4L2_* constants.
* Updated lists of ioctl commands from Linux 5.16.
* Bug fixes
* Fixed build for older Android.
Noteworthy changes in release 5.15 (2021-12-01)
* Improvements
* Implemented --strings-in-hex=non-ascii-chars option for using hexadecimal
numbers instead of octal ones in escape sequences in the output strings.
* Implemented --decode-pids=comm option (and its alias -Y) for printing
command names for PIDs.
* Implemented --decode-pids=pidns as an alias to --pidns-translation option.
* Implemented printing of current working directory when AT_FDCWD constant
is used with --decode-fds=path option enabled.
* Improved printing of syscall names in places where the associated
AUDIT_ARCH_* value is present (ptrace PTRACE_GET_SYSCALL_INFO request,
SIGSYS siginfo_t).
* Implemented decoding of process_mrelease syscall, introduced in Linux 5.15.
* Implemented decoding of SECCOMP_GET_NOTIF_SIZES operation of seccomp
syscall.
* Implemented decoding of HDIO_*, KD*, and SECCOMP_* ioctl commands.
* Implemented decoding of RTM_NEWCACHEREPORT, RTM_{NEW,DEL,GET}NEXTHOP,
and RTM_{NEW,GET}STATS NETLINK_ROUTE netlink messages.
* Implemented decoding of AF_ALG, AF_IEEE802154, AF_MCTP, AF_NFC, AF_QIPCRTR,
AF_RRPC, AF_VSOCK, and AF_XDP socket addresses.
* Implemented decoding of AF_BRIDGE and AF_MCTP protocols for IFLA_AF_SPEC
netlink attribute.
* Implemented decoding of IFLA_BR_MCAST_QUERIER_STATE, IFLA_BR_MULTI_BOOLOPT,
IFLA_INET6_RA_MTU, IFLA_INFO_SLAVE_DATA, and IFLA_VFINFO_LIST netlink
attributes.
* Enhanced decoding of io_uring_register and times syscalls.
* Enhanced IFLA_BR_FORWARD_DELAY, IFLA_BR_MAX_AGE, IFLA_EXT_MASK,
IFLA_PROTINFO, *_INTVL, and *_TIMER netlink attribute decoding.
* Enhanced decoding of AF_IPX and AF_NETLINK socket addresses.
* Updated lists o AF_*, ARPHRD_*, BTRFS_*, DEVCONF_*, DM_*, ETH_P_*,
FAN_REPORT_*, IORING_*, MOVE_MOUNT_*, MPOL_*, PACKET_*, RTM_*, SO_*,
and XFRM_MSG_* constants.
* Updated lists of ioctl commands from Linux 5.15.
* Bug fixes
* Fixed printing of struct bpf_prog_info.map_ids array.
* Fixed behaviour of "dev", "pidfd", and "socket" arguments of the --print-fds
option to no longer imply the "path" argument.
* Fixed insufficient buffer size used for network interface name printing,
that previously led to assertions on attempts of printing interface names
that require quoting, for example, names longer than 4 characters in -xx
mode (addresses RHBZ bug #2028146).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.5.7 (2016) to 0.5.9 (2017)
- Update of rootfile
- This patch brings lcdproc up to date with the most recent release.
- Although there are no new releases there are continuing ongoing commits and issue fixes
being done in the repository with the last commit being in Dec 2021.
Not sure why no new releases are being done. It looks like any of the commits that fix
issuse people have raised have to be patched by the interested people.
- Changelog
0.5.9
This is mostly a code cleanup, bugfix and maintainance release.
Drivers supporting new hardware or additional functionality
HD44780 connection type "serial" supports Portwell EZIO-100 and EZIO-300
HD44780 connection type "gpio" supports dual controller displays.
This connection type is now a full replacement for the obsolete "rpi"
connection type.
Removed configure flags
enable-permissive-menu-goto is replaced by a setting in LCDd.conf
enable-seamless-hbars is now selected by drivers that need it automatically
Other important changes
The build system now specifies the language as C99.
API: drivers need to include "shared/report.h" instead of "report.h"
libftdi1 is used if it is available instead of obsolete libftdi
display update interval is selectable from LCDd.conf
0.5.8
New drivers
futaba: for Futaba TOSD-5711BB VFDisplay commonly used on Elonex Artisan,
Fujitsu Scaleo E and FIC Spectra Media Centre PCs
linux_input: supporting event devices from the linux input subsystem
Olimex_MOD_LCD1x9: for Olimex MOD-LCD1x9
yard2LCD: for yard2
New connection types for hd44780 driver
lcm162 is a differently wired 8 bit connection type used on Nextgate NSA
network appliances
gpio is using the linux sysfs gpio interface to control a display in
4-bit mode. To build this sub-driver you need
libugpio, which is a new dependency
for lcdproc.
Obsolete connection types for hd44780 driver
The following connection types are obsolete and probably won't get bug
and security fixes:
raspberrypi: use the gpio connection type instead
piplate: use the gpio connection type together with the gpio-mcp23s08
kernel module.
pifacecad: use the gpio connection type together with the gpio-mcp23s08
kernel module.
i2c: support for this sub-driver might continue for the users of
non-linux operating systems. On linux systems it is recommended to
use the gpio connection type together with the gpio-pcf857x kernel
module.
Drivers supporting new hardware or additional functionality
icp_a106 now also supports A125 displays
NoritakeVFD added some non-essential features
Other important changes
Development of lcdproc moved to github.
Some internal data structures have changed. If you have custom LCDd
drivers, you will need to recompile them against the new version. Of
course submitting such drivers in pull requests is appreciated.
For a detailed list of bug fixes, see the ChangeLog.md included in the
distribution archive.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 7.11 to 7.15
- Update of rootfile
- Changelog
7.15
Kernel part changes
netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt()
7.14
Userspace changes
Add missing function to libipset.map and bump library version
Kernel part changes
64bit division isn't allowed on 32bit, replace it with shift
7.13
Userspace changes
When parsing protocols by number, do not check it in /etc/protocols.
Add missing hunk to patch "Allow specifying protocols by number"
Kernel part changes
Limit the maximal range of consecutive elements to add/delete fix
7.12
Userspace changes
Allow specifying protocols by number
Fix example in ipset.8 manpage
tests: add tests ipset to nftables
add ipset to nftables translation infrastructur
lib: Detach restore routine from parser
lib: split parser from command execution
Fix patch "Parse port before trying by service name"
Kernel part changes
Limit the maximal range of consecutive elements to add/delete
Backport "netfilter: use nfnetlink_unicast()"
Backport "netfilter: nfnetlink: consolidate callback type"
Backport "netfilter: nfnetlink: add struct nfnl_info and pass it to
callbacks"
Backport "netfilter: add helper function to set up the nfnetlink header
and use it"
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 3.4.0 to 4.2.0
- Update of rootfile
- Changelog
Overview of changes leading to 4.2.0
Wednesday, March 30, 2022
- Source code reorganization, splitting large hb-ot-layout files into smaller,
per-subtable ones under OT/Layout/*. Code for more tables will follow suit in
later releases. (Garret Rieger, Behdad Esfahbod)
- Revert Indic shaper change in previous release that broke some fonts and
instead make per-syllable restriction of “GSUB” application limited to
script-specific Indic features, while applying them and discretionary
features in one go. (Behdad Esfahbod)
- Fix decoding of private in gvar table. (Behdad Esfahbod)
- Fix handling of contextual lookups that delete too many glyphs. (Behdad Esfahbod)
- Make “morx” deleted glyphs don’t block “GPOS” application. (Behdad Esfahbod)
- Various build fixes. (Chun-wei Fan, Khaled Hosny)
- New API
+hb_set_next_many() (Andrew John)
Overview of changes leading to 4.1.0
Wednesday, March 23, 2022
- Various OSS-Fuzz fixes. (Behdad Esfahbod)
- Make fallback vertical-origin match FreeType’s. (Behdad Esfahbod)
- Treat visible viramas like dependent vowels in USE shaper. (David Corbett)
- Apply presentation forms features and discretionary features in one go in
Indic shaper, which seems to match Uniscribe and CoreText behaviour.
(Behdad Esfahbod, David Corbett)
- Various bug fixes.
- New API
+hb_set_add_sorted_array() (Andrew John)
Overview of changes leading to 4.0.1
Friday, March 11, 2022
- Update OpenType to AAT mappings for “hist” and “vrtr” features.
(Florian Pircher)
- Update IANA Language Subtag Registry to 2022-03-02. (David Corbett)
- Update USE shaper to allow any non-numeric tail in a symbol cluster, and
remove obsolete data overrides. (David Corbett)
- Fix handling of baseline variations to return correctly scaled values.
(Matthias Clasen)
- A new experimental hb_subset_repack_or_fail() to repack an array of objects,
eliminating offset overflows. The API is not available unless HarfBuzz is
built with experimental APIs enabled. (Qunxin Liu)
- New experimental API
+hb_link_t
+hb_object_t
+hb_subset_repack_or_fail()
Overview of changes leading to 4.0.0
Tuesday, March 1, 2022
- New public API to create subset plan and gather information on things like
glyph mappings in the final subset. The plan can then be passed on to perform
the subsetting operation. (Garret Rieger)
- Draw API for extracting glyph shapes have been extended and finalized and is
no longer an experimental API. The draw API supports glyf, CFF and CFF2
glyph outlines tables, and applies variation settings set on the font as well
as synthetic slant. The new public API is not backward compatible with the
previous, non-public, experimental API. (Behdad Esfahbod)
- The hb-view tool will use HarfBuzz draw API to render the glyphs instead of
cairo-ft when compiled with Cairo 1.17.5 or newer, setting HB_DRAW
environment variable to 1 or 0 will force using or not use the draw API,
respectively. (Behdad Esfahbod)
- The hb-shape and hb-view tools now default to using HarfBuzz’s own font
loading functions (ot) instead of FreeType ones (ft). They also have a new
option, --font-slant, to apply synthetic slant to the font. (Behdad Esfahbod)
- HarfBuzz now supports more than 65535 (the OpenType limit) glyph shapes and
metrics. See https://github.com/be-fonts/boring-expansion-spec/issues/6 and
https://github.com/be-fonts/boring-expansion-spec/issues/7 for details.
(Behdad Esfahbod)
- New API to get the dominant horizontal baseline tag for a given script.
(Behdad Esfahbod)
- New API to get the baseline positions from the font, and synthesize missing
ones. As well as new API to get font metrics and synthesize missing ones.
(Matthias Clasen)
- Improvements to finding dependencies on Windows when building with Visual
Studio. (Chun-wei Fan)
- New buffer flag, HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT, that must be set
during shaping for HB_GLYPH_FLAG_UNSAFE_TO_CONCAT flag to be reliably
produced. This is to limit the performance hit of producing this flag to when
it is actually needed. (Behdad Esfahbod)
- Documentation improvements. (Matthias Clasen)
- New API
- General:
+HB_BUFFER_FLAG_PRODUCE_UNSAFE_TO_CONCAT
+hb_var_num_t
- Draw:
+hb_draw_funcs_t
+hb_draw_funcs_create()
+hb_draw_funcs_reference()
+hb_draw_funcs_destroy()
+hb_draw_funcs_is_immutable()
+hb_draw_funcs_make_immutable()
+hb_draw_move_to_func_t
+hb_draw_funcs_set_move_to_func()
+hb_draw_line_to_func_t
+hb_draw_funcs_set_line_to_func()
+hb_draw_quadratic_to_func_t
+hb_draw_funcs_set_quadratic_to_func()
+hb_draw_cubic_to_func_t
+hb_draw_funcs_set_cubic_to_func()
+hb_draw_close_path_func_t
+hb_draw_funcs_set_close_path_func()
+hb_draw_state_t
+HB_DRAW_STATE_DEFAULT
+hb_draw_move_to()
+hb_draw_line_to()
+hb_draw_quadratic_to()
+hb_draw_cubic_to()
+hb_draw_close_path()
+hb_font_get_glyph_shape_func_t
+hb_font_funcs_set_glyph_shape_func()
+hb_font_get_glyph_shape()
- OpenType layout
+HB_OT_LAYOUT_BASELINE_TAG_IDEO_FACE_CENTRAL
+HB_OT_LAYOUT_BASELINE_TAG_IDEO_EMBOX_CENTRAL
+hb_ot_layout_get_horizontal_baseline_tag_for_script()
+hb_ot_layout_get_baseline_with_fallback()
- Metrics:
+hb_ot_metrics_get_position_with_fallback()
- Subset:
+hb_subset_plan_t
+hb_subset_plan_create_or_fail()
+hb_subset_plan_reference()
+hb_subset_plan_destroy()
+hb_subset_plan_set_user_data()
+hb_subset_plan_get_user_data()
+hb_subset_plan_execute_or_fail()
+hb_subset_plan_unicode_to_old_glyph_mapping()
+hb_subset_plan_new_to_old_glyph_mapping()
+hb_subset_plan_old_to_new_glyph_mapping()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 22.02.0 to 22.04.0
- Update of rootfile
- Changelog
Release 22.04.0:
core:
* Fix underline sometimes being drawn only partially
* Fix Adobe Reader not reading some of the contents we write correctly
* Fix code that workarounds some broken-ish files
* FoFiTrueType: Parse CFF2 fonts too
* FoFiTrueType: Support cmap types 2 and 13
* Fix a few small memory leaks
* code improvements
qt:
* Handle SaveAs named action
* Annotations: don't change the text color when changing the font
utils:
* pdftotext: print creation and modification date when using htmlmeta param
glib:
* Fix returning internal data of temporary strings
cpp:
* Fix code incompatibility with MSVC
build system:
* poppler internal library is no longer forced to static on MSVC
* Error out if iconv is not available and the cpp frontend is enabled
* Require FreeType 2.8
Release 22.03.0:
core:
* Signature: Fix finding Signatures that are in Pages not not in the global the Forms object
* Signature: Improve getting the path to the firefox certificate database
* Splash: Fix rendering of some joints. Issue #1212
* Fix get_poppler_localdir for relocatable Windows builds
* Minor code improvements
qt:
* Minor code improvements
utils:
* pdfimages: Fix the wrong Stream being passed for drawMaskedImage
build system:
* Small code improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 1.0.11 to 1.0.12
- Update of rootfile not required
- Changelog
Overview of changes between 1.0.11 and 1.0.12
* Various fuzzing fixes.
- Looking at the details in the commits it looks like fribidi's use of the word fuzzing
fixes basically means bug fixes. Included are fixes for a segmentation violation and a
stack buffer overflow
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 3.7.0 to 3.8.0
- Update of rootfile
- Changelog
* Released as 3.8.0.
* Filters can now match devices based on partially specified
class code and also on the programming interface.
* Reporting of link speeds, power limits, and virtual function tags
has been updated to the current PCIe specification.
* We decode the Data Object Exchange capability.
* Bus mapping mode works in non-zero domains.
* pci_fill_info() can fetch more fields: bridge bases, programming
interface, revision, subsystem vendor and device ID, OS driver,
and also parent bridge. Internally, the implementation was rewritten,
significantly reducing the number of corner cases to be handled.
* The Windows port was revived and greatly improved by Pali Rohár.
It requires less magic to compile. More importantly, it runs on both
old and recent Windows systems (see README.Windows for details).
* Added a new Windows back-end using the cfgmgr32 interface.
It does not provide direct access to the configuration space,
but basic information about the device is reported via pci_fill_info().
For back-ends of this type, we now provide an emulated read-only
config space.
* If the configuration space is not readable for some reason
(e.g., the cfgmgr32 back-end, but also badly implemented sleep mode
of some devices), lspci prints only information provided by the OS.
* The Hurd back-end was greatly improved thanks to Joan Lledó.
* Various minor bug fixes and improvements.
* We officially require a working C99 compiler. Sorry, MSVC.
* As usually, updated pci.ids to the current snapshot of the database.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This patch adds default values and removes a missing translation
to fix "uninitialized value" and "odd number of elements" warnings.
Removes function calls from functions.pl that have already been
handled by the header before it is loaded by eval().
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Full changelog as per https://github.com/rhboot/efibootmgr/releases/tag/17:
various CI updates
Make.defaults: fix pkg-config invocation for LDFLAGS
make_linux_load_option(): add some more efi_error() calls
Change the default partition choice.
Don't set LIBEFIBOOT_REPORT_GPT_ERRORS=1
Make it easier to build with a devel branch of efivar
efibootmgr -e: improve parsing for efivar-36 compat
Fix an invalid free()
Propogate verbosity to libefivar 36's internal logging facility
Add a bit more logging
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
By default, both SSH server and client rely on TCP-based keep alive
messages to detect broken sessions, which can be spoofed rather easily
in order to keep a broken session opened (and vice versa).
Since we rely on SSH-based keep alive messages, which are not vulnerable
to this kind of tampering, there is no need to double-check connections
via TCP keep alive as well.
This patch thereof disables using TCP keep alive for both SSH client and
server scenario. For usability reasons, a timeout of 5 minutes (10
seconds * 30 keep alive messages = 300 seconds) will be used for both
client and server configuration, as 60 seconds were found to be too
short for unstable connectivity scenarios.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This algorithm was introduced in OpenSSH 9.0p1; also, align the
curve25519-sha256* key exchanges to keep things tidy.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Relevant changelog part, as retrieved from https://www.openssh.com/txt/release-9.0:
Changes since OpenSSH 8.9
=========================
This release is focused on bug fixing.
Potentially-incompatible changes
--------------------------------
This release switches scp(1) from using the legacy scp/rcp protocol
to using the SFTP protocol by default.
Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.
This creates one area of potential incompatibility: scp(1) when using
the SFTP protocol no longer requires this finicky and brittle quoting,
and attempts to use it may cause transfers to fail. We consider the
removal of the need for double-quoting shell characters in file names
to be a benefit and do not intend to introduce bug-compatibility for
legacy scp/rcp in scp(1) when using the SFTP protocol.
Another area of potential incompatibility relates to the use of remote
paths relative to other user's home directories, for example -
"scp host:~user/file /tmp". The SFTP protocol has no native way to
expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
support a protocol extension "expand-path@openssh.com" to support
this.
In case of incompatibility, the scp(1) client may be instructed to use
the legacy scp/rcp using the -O flag.
New features
------------
* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ("sntrup761x25519-sha512@openssh.com").
The NTRU algorithm is believed to resist attacks enabled by future
quantum computers and is paired with the X25519 ECDH key exchange
(the previous default) as a backstop against any weaknesses in
NTRU Prime that may be discovered in the future. The combination
ensures that the hybrid exchange offers at least as good security
as the status quo.
We are making this change now (i.e. ahead of cryptographically-
relevant quantum computers) to prevent "capture now, decrypt
later" attacks where an adversary who can record and store SSH
session ciphertext would be able to decrypt it once a sufficiently
advanced quantum computer is available.
* sftp-server(8): support the "copy-data" extension to allow server-
side copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00. bz2948
* sftp(1): add a "cp" command to allow the sftp client to perform
server-side file copies.
Bugfixes
--------
* ssh(1), sshd(8): upstream: fix poll(2) spin when a channel's output
fd closes without data in the channel buffer. bz3405 and bz3411
* sshd(8): pack pollfd array in server listen/accept loop. Could
cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE
* ssh-keygen(1): avoid NULL deref via the find-principals and
check-novalidate operations. bz3409 and GHPR#307 respectively.
* scp(1): fix a memory leak in argument processing. bz3404
* sshd(8): don't try to resolve ListenAddress directives in the sshd
re-exec path. They are unused after re-exec and parsing errors
(possible for example if the host's network configuration changed)
could prevent connections from being accepted.
* sshd(8): when refusing a public key authentication request from a
client for using an unapproved or unsupported signature algorithm
include the algorithm name in the log message to make debugging
easier.
Portability
-----------
* sshd(8): refactor platform-specific locked account check, fixing
an incorrect free() on platforms with both libiaf and shadow
passwords (probably only Unixware) GHPR#284,
* ssh(1), sshd(8): Fix possible integer underflow in scan_scaled(3)
parsing of K/M/G/etc quantities. bz#3401.
* sshd(8): provide killpg implementation (mostly for Tandem NonStop)
GHPR#301.
* Check for missing ftruncate prototype. GHPR#301
* sshd(8): default to not using sandbox when cross compiling. On most
systems poll(2) does not work when the number of FDs is reduced
with setrlimit, so assume it doesn't when cross compiling and we
can't run the test. bz#3398.
* sshd(8): allow ppoll_time64 in seccomp sandbox. Should fix sandbox
violations on some (at least i386 and armhf) 32bit Linux platforms.
bz#3396.
* Improve detection of -fzero-call-used-regs=all support in
configure script.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog as retrieved from https://cisofy.com/changelog/lynis/#307:
- MALW-3290 - Show status of malware components
- OS detection for RHEL 6 and Funtoo Linux
- Added service manager openrc
- DBS-1804 - Added alias for MariaDB
- FINT-4316 - Support for newer Ubuntu versions
- MALW-3280 - Added Trend Micro malware agent
- NETW-3200 - Allow unknown number of spaces in modprobe blacklists
- PKGS-7320 - Support for Garuda Linux and arch-audit
- Several improvements for busybox shell
- Russian translation of Lynis extended
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.28/doc/arm/html/notes.html#notes-for-bind-9-16-28
"Notes for BIND 9.16.28
New Features
Add a new configuration option reuseport to disable load balancing
on sockets in situations where processing of Response Policy Zones
(RPZ), Catalog Zones, or large zone transfers can cause service
disruptions. See the BIND 9 ARM for more detail. [GL #3249]
Bug Fixes
Invalid dnssec-policy definitions, where the defined keys did not
cover both KSK and ZSK roles for a given algorithm, were being
accepted. These are now checked, and the dnssec-policy is rejected
if both roles are not present for all algorithms in use. [GL #3142]
Handling of TCP write timeouts has been improved to track the
timeout for each TCP write separately, leading to a faster
connection teardown in case the other party is not reading the data.
[GL #3200]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Changelog:
"5.0.9 -- 2022-04-21
Security #4889: ftp: SEGV at flow cleanup due to protocol confusion
Security #5025: ftp: GetLine function buffers data indefinitely if 0x0a was not found int the frag'd input
Security #5028: smtp: GetLine function buffers data indefinitely if 0x0a was not found in the frag'd input
Security #5253: Infinite loop in JsonFTPLogger
Feature #4644: pthreads: set minimum stack size
Bug #4466: dataset file not written when run as user
Bug #4678: Configuration test mode succeeds when reference.config file contains invalid content
Bug #4745: Absent app-layer protocol is always enabled by default
Bug #4819: tcp: insert_data_normal_fail can hit without triggering memcap
Bug #4823: conf: quadratic complexity
Bug #4825: pppoe decoder fails when protocol identity field is only 1 byte
Bug #4827: packetpool: packets in pool may have capture method ReleasePacket callbacks set
Bug #4838: af-packet: cluster_id is not used when trying to set fanout support
Bug #4878: datasets: memory leak in 5.0.x
Bug #4887: dnp3: buffer over read in logging base64 empty objects
Bug #4891: protodetect: SMB vs TLS protocol detection in midstream
Bug #4893: TFTP: memory leak due to missing detect state
Bug #4895: Memory leak with signature using file_data and NFS
Bug #4897: profiling: Invalid performance counter when using sampling
Bug #4901: eve: memory leak related to dns
Bug #4932: smtp: smtp transaction not logged if no email is present
Bug #4955: stream: too aggressive pruning in lossy streams
Bug #4957: SMTP assertion triggered
Bug #4959: suricatasc loop if recv returns no data
Bug #4961: dns: transaction not created when z-bit set
Bug #4963: Run stream reassembly on both directions upon receiving a FIN packet
Bug #5058: dns: probing/parser can return error when it should return incomplete
Bug #5063: Not keyword matches in Kerberos requests
Bug #5096: output: timestamp missing usecs on Arm 32bit + Musl
Bug #5099: htp: server personality radix handling issue
Bug #5101: defrag: policy config can setup radix incorrectly
Bug #5103: Application log cannot to be re-opened when running as non-root user
Bug #5105: iprep: cidr support can set up radix incorrectly
Bug #5107: detect/iponly: rule parsing does not always apply netmask correctly
Bug #5109: swf: coverity warning
Bug #5115: detect/ip_proto: inconsistent behavior when specifying protocol by string
Bug #5117: detect/iponly: mixing netblocks can lead to FN/FP
Bug #5119: smb: excessive CPU utilization and higher packet processing latency due to excessive calls to Vec::extend_from_slice()
Bug #5137: smb: excessive memory use during file transfer
Bug #5150: nfs: Integer underflow in NFS
Bug #5157: xbits: noalert is allowed in rule language with other commands
Bug #5164: iprep: use_cnt can get desynchronized (SIGABRT)
Bug #5171: detect/iponly: non-cidr netmask settings can lead incorrect radix tree
Bug #5193: SSL : over allocation for certificates
Bug #5213: content:"22 2 22"; is parsed without error
Bug #5227: 5.0.x: SMB: Wrong buffer being checked for possible overflow.
Bug #5251: smb: integer underflows and overflows
Task #5006: libhtp 0.5.40"
Additionally, I moved the 'suricata' patch files into a separate directory.
Apart from some line numbers, nothing else was changed.
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
http://midnight-commander.org/wiki/NEWS-4.8.28
Summary:
"Major changes since 4.8.27
Core
VFS
Remove SMB support (#1)
Editor
Add syntax highlighting:
Ngspice/SPICE (http://ngspice.sourceforge.net/) (#4316, #4319)
DOT/Graphviz (https://graphviz.org/doc/info/lang.html) (#4322)
Viewer
Support file/dir macros from mc.ect for standalone viewer (#4150)
Misc
Minimal version of "check" utility is 0.9.10.
Code cleanup (#4270, #4330)
Support Shift+Fn keys for KiTTY (#4325)
Filehighlight:
graphical formats: avif, jp2, jxl, heic, heif, psb, psd (#4328)
Markdown (#4351)
Fixes
FTBFS with ncurses build with --disable-widec (#4200)
There is no exit on Ubuntu PPC64 big endian (#3887)
Segfault on change panel mode (#4323)
Accelerator conflict in Left/Right? menu (#4284)
move a lot of files across filesystems is slow (#4287)
mc.ext: wrong order of rules: general matches are made before more specific ones (#4273)
mc.ext: compressed man pages are shown unformatted (#4272)
ext.d/misc.sh: invoking /bin/cat on systems that have no /bin/cat (like NixOS) (#4298)
mcedit: errors in syntax definitions (#4286)
VFS: FISH: when uploading a symbolic link, it creates both the link and its target (#4281)
VFS: SFTP: timestamps are not preserved for uploaded symlink (#4285)
VFS: EXTFS: incorrect test of isoinfo (#4326)
Typo in skin files (#3146)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
in kernel 5.15.32 the driver for ATH9K wlan cards is unstable.
This is one of the most used cards so we need this update before
releasing core167 final.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
LSM was found to render firmware flashing unusable, and patching out LSM
functionality for all features needed (such as /dev/io, direct memory
access and probably raw PCI access for older cards), this would
effectively render much of LSM's functionality useless as well.
For the time being, we do ship LSM, but do not enforce any protection
mode. Users hence can run it in "integrity" or even "confidentiality"
mode by custom commands; hopefully, we will be able to revert this
change at a future point.
Acked-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
flashrom needs access to /dev/io ports for flashing firmware, a
functionality we cannot cease to support. Therefore, LSM constraints are
disabled for ioport.c, hopefully permitting us to keep it enabled.
Reported-by: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 1.1.17 to 1.2.0
- Update of rootfile
- v2 version has x86_64 replaced by xxxMACHINExxx in the rootfile
- borgbackup now requires the python module pkgconfig, installed as a set with this patch
- Changelog
Compatibility notes:
dropped support / testing for older Pythons, minimum requirement is 3.8. In
case your OS does not provide Python >= 3.8, consider using our binary,
which does not need an external Python interpreter. Or continue using
borg 1.1.x, which is still supported.
freeing repository space only happens when “borg compact” is invoked.
mount: the default for --numeric-ids is False now (same as borg extract)
borg create --noatime is deprecated. Not storing atime is the default
behaviour now (use --atime if you want to store the atime).
list: corrected mix-up of “isomtime” and “mtime” formats. Previously,
“isomtime” was the default but produced a verbose human format, while
“mtime” produced a ISO-8601-like format. The behaviours have been swapped
(so “mtime” is human, “isomtime” is ISO-like), and the default is now
“mtime”. “isomtime” is now a real ISO-8601 format (“T” between date and
time, not a space).
create/recreate --list: file status for all files used to get announced
AFTER the file (with borg < 1.2). Now, file status is announced BEFORE the
file contents are processed. If the file status changes later (e.g. due to
an error or a content change), the updated/final file status will be
printed again.
removed deprecated-since-long stuff (deprecated since):
command “borg change-passphrase” (2017-02), use “borg key …”
option “--keep-tag-files” (2017-01), use “--keep-exclude-tags”
option “--list-format” (2017-10), use “--format”
option “--ignore-inode” (2017-09), use “--files-cache” w/o “inode”
option “--no-files-cache” (2017-09), use “--files-cache=disabled”
removed BORG_HOSTNAME_IS_UNIQUE env var. to use borg you must implement one
of these 2 scenarios:
the combination of FQDN and result of uuid.getnode() must be unique
and stable (this should be the case for almost everybody, except
when having duplicate FQDN and MAC address or all-zero MAC address)
if you are aware that 1) is not the case for you, you must set
BORG_HOST_ID env var to something unique.
exit with 128 + signal number, #5161. if you have scripts expecting rc == 2
for a signal exit, you need to update them to check for >= 128.
Fixes:
diff: reduce memory consumption, fix is_hardlink_master, #6295
compact: fix / improve freeable / freed space log output
derive really freed space from quota use before/after, #5679
do not say “freeable”, but “maybe freeable” (based on hint, unsure)
fix race conditions in internal SaveFile function, #6306#6028
implement internal safe_unlink (was: truncate_and_unlink) function more
safely: usually it does not truncate any more, only under “disk full”
circumstances and only if there is only one hardlink. see:
https://github.com/borgbackup/borg/discussions/6286
Other changes:
info: use a pre12-meta cache to accelerate stats for borg < 1.2 archives.
the first time borg info is invoked on a borg 1.1 repo, it can take a
rather long time computing and caching some stats values for 1.1 archives,
which borg 1.2 archives have in their archive metadata structure. be
patient, esp. if you have lots of old archives. following invocations are
much faster due to the cache. related change: add archive name to
calc_stats progress display.
docs:
add borg 1.2 upgrade notes, #6217
link to borg placeholders and borg patterns help
init: explain the encryption modes better
clarify usage of patternfile roots
put import-tar docs into same file as export-tar docs
explain the difference between a path that ends with or without a slash,
#6297
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- These lines were introduced with another patch related to removing IPFire start/stop
capability from wio
- The lines were introduced in commented out form and so are doing nothing.
- It looks like they were added as part of a debugging or investigation work on wio
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
- The lines to scan the red interface were introduced at the time of a patch to remove
the IPFire start/stop function from wio. These lines are not related to that change
but were included in the patch with no commit message. The same lines were also added
into wio.cgi in the same patch set but in that case the lines were all commented out.
- These lines look like they were most likely added to the code for investigation or
debugging purposes. Looking at the lines in wio.pl the results obtained are not
used elsewhere in wio for obtaining info on the status of the red interface. Deleting
the lines did not affect anything related to the scanning, setup or monitoring of
systems by wio.
- The lines were wasting space but generally not creating a huge impact on pertformance.
On my production system it scans my red and comes up with a list of 1022 IP's because
of the subnet my ISP uses - xxx.yy.216.0/20
- Scanning those 1022 IP's and sorting them takes my system about 3 seconds. Without
sorting it is around the same level.
- In Bug#12799 the originator has an ISP that is using a private network that has a
defined subnet of 10.0.0.0/8 This is 16,777,214 IP's to be scanned. Even without sorting
my system would end up taking around 13 hours to do that. The bug originator found that
on certain machines that he had IPFire on wio just never stopped scanning.
- As these lines just seem to collect a large amount of IP's on red that are not related
to the actual running red IP, as there was no commit message related to their
introduction and as removing the lines on vm's running dhcp and static red interfaces
and also on my running production system for 4 weeks has shown no impact on the
monitoring capability this patch is being submitted to remove these lines from wio
Fixes: Bug#12799
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
