1443 Commits

Author SHA1 Message Date
Peter Müller
311f04e46e squid-asnbl: Update to 0.2.5
This upstream release incorporates the patch added for resolving #13023.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-08-15 09:27:19 +00:00
Arne Fitzenreiter
cd78363404 Merge remote-tracking branch 'origin/master' into next
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-08-12 16:48:54 +02:00
Arne Fitzenreiter
285740b926 linux-firmware: update to 20230804
also updated amd_familiy_19h patch which was not in 20230804 yet.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-08-11 21:12:45 +02:00
Arne Fitzenreiter
a04ae8c43b gcc: fix build on riscv64
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-08-10 06:35:11 +00:00
Adolf Belka
0d46ef0ce7 libloc: Update to version 0.9.17
- Update from version 0.9.16 to 0.9.17
- Update of rootfile
- Changelog
    0.9.17
	* The importer is now parsing Geofeeds where available. This helps us to create a
          database with better accuracy for large ISPs or cloud providers.
	* The database writer is trying to compress the database harder: It will now look
          for any duplicate networks and merge neighbouring networks which will reduce the
          size of the database by about half.
	* The importer has been improved so that it runs more efficient SQL queries to
          create the database faster.
	* Temuri Doghonadze contributed a Georgian translation.
	* Hans-Christoph Steiner contributed bash-completion for the location(8) command.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-08-10 06:34:27 +00:00
Matthias Fischer
692ad21dd0 squid: Update to 6.2
For details see:
https://github.com/squid-cache/squid/commits/v6

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-08-10 06:33:17 +00:00
Adolf Belka
27a3ef9834 ppp: Fixes bug#13164 - Update to version 2.5.0
- Update from version 2.4.9 to 2.5.0
   This includes breaking changes for third-party plugins but as far as I can see IPFire
    is not using any third party plugins
- Update of rootfile
- Update of patches and sed commands
   - pcap-int.h and if_pppol2tp.h files have not been in source file since at least 2014
   - Some of the patches required updates as additional lines needing to be patched are
      now present. This was related to the O_CLOEXEC & SOCK_CLOEXEC related patches
   - connect-errors file location is now defined by a configure command --with-logfile-dir
- install-etcppp is no longer provided. However the install command in this version still
   has the same files available in /etc/ppp as previously. There is a new file,
   openssl.cnf, which I have commented out. If it is required in future it can always be
   uncommented in future releases.
- Build went without any problems with the updated patches.
- I cannot test this as I don't use ppp, however the original bug reporter has agreed to
   test this out when it is released into Testing unless anyone else is capable of testing
   it.
- Changelog
    What's new in ppp-2.5.0.
	The 2.5.0 release is a major release of pppd which contains breaking
	 changes for third-party plugins, a complete revamp of the build-system
	 and that allows for flexibility of configuring features as needed.
	In Summary:
		* Support for PEAP authentication by Eivind Næss and Rustam Kovhaev
		* Support for loading PKCS12 certificate envelopes
		* Adoption of GNU Autoconf / Automake build environment, by Eivind Næss
		  and others.
		* Support for pkgconfig tool has been added by Eivind Næss.
		* Bunch of fixes and cleanup to PPPoE and IPv6 support by Pali Rohár.
		* Major revision to PPPD's Plugin API by Eivind Næss.
		  - Defines in which describes what features was included in pppd
		  - Functions now prefixed with explicit ppp_* to indicate that
		    pppd functions being called.
		  - Header files were renamed to better align with their features,
		    and now use proper include guards
		  - A pppdconf.h file is supplied to allow third-party modules to use
		    the same feature defines pppd was compiled with.
		  - No extern declarations of internal variable names of pppd,
		    continued use of these extern variables are considered
		    unstable.
		* Lots of internal fixes and cleanups for Radius and PPPoE by Jaco Kroon
		* Dropped IPX support, as Linux has dropped support in version 5.15
		  for this protocol.
		* Many more fixes and cleanups.
		* Pppd is no longer installed setuid-root.
		* New pppd options:
		  - ipv6cp-noremote, ipv6cp-nosend, ipv6cp-use-remotenumber,
		    ipv6-up-script, ipv6-down-script
		  - -v, show-options
		  - usepeerwins, ipcp-no-address, ipcp-no-addresses, nosendip
		* On Linux, any baud rate can be set on a serial port provided the
		  kernel serial driver supports that.
	Note that if you have built and installed previous versions of this
	 package and you want to continue having configuration and TDB files in
	 /etc/ppp, you will need to use the --sysconfdir option to ./configure.
	For a list of the changes made during the 2.4 series releases of this
	 package, see the Changes-2.4 file.
	Compression methods.
		This package supports two packet compression methods: Deflate and
		 BSD-Compress.  Other compression methods which are in common use
		 include Predictor, LZS, and MPPC.  These methods are not supported for
		 two reasons - they are patent-encumbered, and they cause some packets
		 to expand slightly, which pppd doesn't currently allow for.
		 BSD-Compress and Deflate (which uses the same algorithm as gzip) don't
		 ever expand packets.

Fixes: bug#13164
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-08-07 14:10:42 +00:00
Adolf Belka
e9c5d591e5 openldap: Update to version 2.6.5
- Update from version 2.6.1 to 2.6.5
- Update of rootfile not required
- Update of patch script from LFS
- Changelog
    2.6.5 Release (2023/07/10)
	Fixed libldap handling of TCP KEEPALIVE options (ITS#10015)
	Fixed libldap with async connections (ITS#10023)
	Fixed libldap openssl TLSv1.3 cipher suite handling (ITS#10035)
	Fixed slapd callback handling with overlays that do extended operations (ITS#9990)
	Fixed slapd conversion of pcache configurations (ITS#10031)
	Fixed slapd cn=config modification handling with abandon (ITS#10045)
	Fixed slapd-mdb online indexer termination and cleanup (ITS#9993)
	Fixed slapd-mdb online indexer when interrupted (ITS#10047)
	Fixed slapd-monitor connection cleanup (ITS#10042)
	Fixed slapo-constraint handling of push replication (ITS#9953)
	Fixed slapo-dynlist filter evaluation efficiency (ITS#10041)
	Fixed slapo-pcache handling of invalid schema (ITS#10032)
	Fixed slapo-ppolicy handling of push replication (ITS#9953)
	Fixed slapo-ppolicy handling of pwdMinDelay (ITS#10028)
	Fixed slapo-syncprov abandon handling (ITS#10016)
	Fixed slapo-translucent handling of invalid schema (ITS#10032)
	Fixed slapo-unique handling of push replication (ITS#9953)
	Fixed slapo-variant to improve regex handling (ITS#10048)
	Build Environment
		Fixed compatibility with stricter C99 compilers (ITS#10011)
		Keep .pc files during make clean (ITS#9989)
	Contrib
		Fixed slapo-variant handling of push replication (ITS#9953)
	Minor Cleanup
		ITS#9855
		ITS#9995
		ITS#9996
		ITS#9997
		ITS#9998
		ITS#9999
		ITS#10000
		ITS#10003
		ITS#10004
		ITS#10033
		ITS#10037
		ITS#10039
		ITS#10046
		ITS#10063
    2.6.4 Release (2023/02/08)
	Fixed client tools to remove 'h' and 'p' options (ITS#9917,ITS#8618)
	Fixed ldapsearch memory leak with paged results (ITS#9860)
	Fixed libldap ldif_open_url to check for failure (ITS#9904)
	Fixed libldap ldap_url_parsehosts check for failure (ITS#9904)
	Fixed liblunicode UTF8bvnormalize buffer size (ITS#9955)
	Fixed lloadd memory leaks (ITS#9907)
	Fixed lloadd shutdown code to protect memory correctly (ITS#9913)
	Fixed lloadd race in epoch.c (ITS#9947)
	Fixed lloadd potential deadlock with cn=monitor (ITS#9951)
	Fixed lloadd to keep listener base around when not active (ITS#9984)
	Fixed lloadd object reclamation sequencing (ITS#9983)
	Fixed slapd memory leak with olcAuthIDRewrite (ITS#6035)
	Fixed slapd free of redundant cmdline option (ITS#9912)
	Fixed slapd transactions extended operations cleanup after write (ITS#9892)
	Fixed slapd deadlock with replicated cn=config (ITS#9930,ITS#8102)
	Fixed slapd connection close logic (ITS#9991)
	Fixed slapd bconfig locking of cn=config entries (ITS#9045)
	Fixed slapd-mdb max number of index databases to 256 (ITS#9895)
	Fixed slapd-mdb to always release entries from ADD operations (ITS#9942)
	Fixed slapd-mdb to fully init empty DN in tool_entry_get (ITS#9940)
	Fixed slapd-monitor memory leaks with lloadd (ITS#9906)
	Fixed slapd-monitor to free remembered cookies (ITS#9339)
	Fixed slapo-accesslog reqStart ordering matching rule (ITS#9880)
	Fixed slapo-deref memory leak (ITS#9924)
	Fixed slapo-dynlist to ignore irrelevant objectClasses (ITS#9897)
	Fixed slapo-dynlist to avoid unnecessary searches (ITS#9929)
	Fixed slapo-dynlist to mark internal searches as such (ITS#9960)
	Fixed slapo-pcache crash in consistency_check (ITS#9966)
	Fixed slapo-remoteauth memory leaks (ITS#9438)
	Fixed slapo-rwm memory leaks (ITS#9817)
	Build Environment
		Fixed ancient DOS related ifdef checks (ITS#9925)
		Fixed build process to not use gmake specific features (ITS#9894)
		Fixed source tree to remove symlinks (ITS#9926)
		Fixed slapo-otp testdir creation (ITS#9437)
		Fixed slapd-tester memory leak (ITS#9908)
		Fixed usage of non-standard C syntax (ITS#9898, ITS#9899, ITS#9901)
		Fixed usage of bashism (ITS#9900)
		Fixed test suite portability (ITS#9931)
	Documentation
		Fixed ldap_bind(3) to document ber_bvfree in ldap_sasl_bind (ITS#9976)
		Fixed slapo-asyncmeta(5) to clarify scheduling for target connections
                 (ITS#9941)
		Fixed slapo-dynlist(5) to clarify configuration settings (ITS#9957)
		Fixed slapo-unique(5) to clarify when quoting should be used (ITS#9915)
	Minor cleanup
		ITS#9935
		ITS#9336
		ITS#9337
		ITS#9985
    2.6.3 Release (2022/07/14)
	Fixed libldap to check for NULL ld (ITS#9157)
	Fixed libldap memory leaks (ITS#9876)
	Fixed lloadd to correctly tag Notice of Disconnection (ITS#9856)
	Fixed slapd kqueue support (ITS#9847)
	Fixed slapd delta-sync DN leak on ADD ops (ITS#9866)
	Fixed slapd replication with back-glue (ITS#9868)
	Fixed slapd lastbind replication with chaining (ITS#9863)
	Fixed slapd-ldap to correctly set authzid (ITS#9863)
	Fixed slapd-mdb to check for stale readers on MDB_READERS_FULL (ITS#7165)
	Fixed slapd-mdb indexer task with replicated config (ITS#9858)
	Fixed slapo-accesslog onetime memory leak (ITS#9864)
	Fixed slapo-ppolicy interaction with slapo-rwm (ITS#9871)
	Fixed slapo-rwm to handle escaping special characters (ITS#9817)
	Fixed slapo-syncprov memory leaks (ITS#9867)
	Fixed slapo-syncprov fallback in delta-sync mode (ITS#9823)
	Fixed slapo-unique to not release NULL entry (ITS#8245)
	Build Environment
		Added slapd-watcher -c contextDN option (ITS#9865)
		Fixed librewrite declaration of calloc (ITS#9841)
		Fixed parallel builds (ITS#9840)
		Fixed test020 to skip back-wt (ITS#9859)
		Fixed slapd-watcher SID handling with single URI (ITS#9850)
		Fixed test043 with workaround for ITS#9878
	Contrib
		Added slapo-emptyds contrib module (ITS#8882)
		Added slapo-ciboolean contrib module (ITS#9855)
		Fixed slapo-autogroup backwards compat (ITS#9020)
		Update ppm module to the 2.2 release (ITS#9846)
	Documentation
		Fixed ldap_get_option(3) to clarify ldap_get/set_option restrictions
                 (ITS#9824)
		Fixed slapd-ldap(5),slapd-meta(5) missing bold tag on authz parameter
                 (ITS#9872)
    2.6.2 Release (2022/05/04)
	Added libldap support for OpenSSL 3.0 (ITS#9436)
	Added slapd support for OpenSSL 3.0 (ITS#9436)
	Fixed ldapdelete to prune LDAP subentries (ITS#9737)
	Fixed libldap to drop connection when non-LDAP data is received (ITS#9803)
	Fixed libldap to allow newlines at end of included file (ITS#9811)
	Fixed slapd slaptest conversion of olcLastBind (ITS#9808)
	Fixed slapd to correctly init global_host earlier (ITS#9787)
	Fixed slapd bconfig locking for cn=config replication (ITS#9584)
	Fixed slapd usage of thread local counters (ITS#9789)
	Fixed slapd to clear runqueue task correctly (ITS#9785)
	Fixed slapd idletimeout handling (ITS#9820)
	Fixed slapd syncrepl handling of new sessions (ITS#9584)
	Fixed slapd to clear connections on bind (ITS#9799)
	Fixed slapd to correctly advance connections index (ITS#9831)
	Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801)
	Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802)
	Fixed slapd-ldap memory leak in keepalive setting (ITS#9802)
	Fixed slapd-meta SEGV on config rewrite (ITS#9802)
	Fixed slapd-meta ordering on config rewrite (ITS#9802)
	Fixed slapd-meta memory leak in keepalive setting (ITS#9802)
	Fixed slapd-monitor SEGV on shutdown (ITS#9809)
	Fixed slapd-monitor crash when hitting sizelimit (ITS#9832)
	Fixed slapd-sql to properly escape filter value (ITS#9815)
	Added slapo-autoca support for OpenSSL 3.0 (ITS#9436)
	Added slapo-otp support for OpenSSL 3.0 (ITS#9436)
	Fixed slapo-dynlist dynamic group regression (ITS#9825)
	Fixed slapo-pcache SEGV on shutdown (ITS#9809)
	Fixed slapo-ppolicy operation handling to be consistent (ITS#9794)
	Fixed slapo-translucent to correctly duplicate substring filters (ITS#9818)
	Build Environment
		Add ability to override default compile time paths (ITS#9675)
		Fix compilation with certain versions of gcc (ITS#9790)
		Fix compilation with openssl exclusions (ITS#9791)
		Fix warnings from make jobserver (ITS#9788)
	Contrib
		Update ppm module to the 2.1 release (ITS#9814)
	Documentation
		admin26 Document new lloadd features (ITS#9780)
		Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit
                 documentation (ITS#9804)
		Fixed slapd-sock(5) to clarify "sockresps result" behavior (ITS#8255)

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-08-07 09:19:13 +00:00
Adolf Belka
63fb1beb81 procps: Add patch to fix errors that prevent build with gettext-0.22
- Gettext earlier than 0.21 would still build when it found errors in language files etc.
   With gettext-0.22 if it finds any errors it now stops.
- There were two lines in the French po file in procps that had errors in them. procps have
   raised a commit to fix those. The patch included here carries out that commit.
- Update of rootfile not required.
- This patch will not be needed when the next update of procps occurs.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-08-02 09:17:48 +00:00
Adolf Belka
1f26a78259 mpfr: Update to version 4.2.0p12
- Update from version 4.2.0p9 to 4.2.0p12
- Update of rootfile not required
- Changelog - additional patches from 10 to 12 over previous update
    10 - GCC 12 emits a spurious "may be used uninitialized" warning on tests/tfpif.c
         with -O1, and GCC 13 has the same issue also with -O2 (GCC bug 106155). This can
         make some test scripts fail for the developers. The gcc-pr106155-workaround
         patch provides a workaround for this bug in GCC.
         Corresponding changeset in the 4.2 branch: c0031f1af.
    11 - The mpfr_inp_str function does not handle the '\0' character correctly when it
         is not a whitespace character (which is almost always the case in practice, or
         really always the case). For instance, if the word is the sequence
         { '1', '\0', '2' }, the string "1" is passed to mpfr_set_str because '\0' is
         regarded as a terminating null character, and one gets a valid number (1) while
         '\0' in a word is necessarily invalid. This is fixed by the inp_str-nullchar
         patch. The testcase in the repository cannot be provided in the patch because of
         the null character in one of the files.
         Corresponding changeset in the 4.2 branch: 6a68387b2.
    12 - When '\0' is a whitespace character, i.e. when isspace(0) is true in the current
         locale (as allowed by ISO C for non-"C" locales), the mpfr_strtofr function
         regards a '\0' in the leading whitespace sequence as a whitespace. This is
         incorrect, since from the definition of a string, the first '\0' is the
         terminating null character (before the notion of whitespace is involved). In
         such locales, this is a vulnerability, because characters after the terminating
         null character are read to determine the result; however, such locales are rare
         or nonexistent (Mutt's lib.h suggests that some systems have such locales, but
         this was in 1998). This is fixed by the strtofr-nullchar patch.
         Corresponding changeset in the 4.2 branch: 964fbaa31.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-31 09:20:09 +00:00
Adolf Belka
85c32fb394 ebtables: Update to version 2.0.11
- Update from version 2.0.10-4 (Sep 2014) to 2.0.11 (Dec 2019)
- Update of rootfile
- Deletion of patch to prevent installing in usr/local as new tarball now has a ./configure
   file that enables setting prefix to /usr and sysconfdir to /etc

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-26 16:08:59 +00:00
Michael Tremer
5c4faba67b linux-firmware: Fix AMD microcode updates for Zenbleed
https://lock.cmpxchg8b.com/zenbleed.html

Fixes: CVE-2023-20593
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-25 11:15:45 +00:00
Arne Fitzenreiter
f2d5cb7c99 kernel: update to 6.1.39
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-07-21 09:34:12 +00:00
Michael Tremer
607d3a26d8 fireinfo: Fix SEGV in detect_hypervisor()
Fixes: #13155 - _fireinfo.detect_hypervisor() rises Segmentation fault
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
2023-07-13 14:25:22 +00:00
Adolf Belka
a6039dc9d1 squidclamav: Remove package from IPFire as agreed in dev video call 3rd Jul 2023
- Removal of lfs file
- Removal of rootfile
- Removal of backup includes file
- Removal of three patches
- Removal of paks files
- Adjustment of make.sh to remove squidclamav

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2023-07-09 15:05:06 +00:00
Adolf Belka
df30842927 squid-asnbl: Fix for bug#13023 - squid-asnbl-helper segfaulting and shutdown squid
- Patch provided by bug reporter. Here is the description of the problem from the bug.
   First I discovered that the helper only sometimes throwing the error and quits even
   for the same values and queries. Also the timespan until the error happens was quite
   different for every restart of squid  (minutes to hours). And it does not depend on
   the traffic on the proxy, even one connection could cause a crash while ten or
   hundreds won't. After a few days of testing different solutions and done a lot of
   debugging, redesigning the function did not fully solve the problem. Such standard
   things like checking the result variable for NULL (or its equivalent "is None" in
   python) before evaluating its subfunction produces the exact same error message. But
   with that knowledge it more and more turns out that python3 sometimes 'detects' the
   local return variable if it was a misused global. So for a full fix, the return
   variable also has to be initialized that python3 won't detect its usage as an
   'UnboundLocalError' to successfully fix this bug.
- LFS file updated to run patch before copying helper into place.
- Update of rootfile not needed.
- Bug reporter has been requested to raise this issue at the git repo for squid-asnbl.

Fixes: Bug#13023
Tested-by: Nicolas Pӧhlmann <business@hardcoretec.com>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-07-01 19:30:03 +00:00
Adolf Belka
89d5a7b29f ntp: Update to version 4.2.8p17
- Update from version 4.2.8p15 to 4.2.8p17
- Update of rootfile not required
- Tested out on vm testbed. Time correctly updated every hour and pakfire was able to
   download and install various addons without any problems indicating that the time
   is working correctly.
- patch to enable build with glibc-2.34 no longer needed. ntp updated to work correctly
   with glibc-2.34 but IPFire running with version 2.37. Version 2.4.8p17 built without
   any problems without the patch.
- Changelog
    4.2.8p17 2023/06/06 Released by Harlan Stenn <stenn@ntp.org>
	* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
	             event_sync.  Reported by Edward McGuire.  <hart@ntp.org>
	* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
	             <hart@ntp.org>  Miroslav Lichvar identified regression in 4.2.8p16.
	* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
	             4.2.8p15 or earlier.  Reported by Matt Nordhoff, thanks to
		     Miroslav Lichvar and Matt for rapid testing and identifying the
		     problem. <hart@ntp.org>
	* Add tests/libntp/digests.c to catch regressions reading keys file or with
	  symmetric authentication digest output.
    4.2.8p16 2023/05/31 Released by Harlan Stenn <stenn@ntp.org>
	* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
	* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
	             hypothetical input buffer overflow. Reported by ... stenn@
	* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
	  - solved numerically instead of using string manipulation
	* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
	             <stenn@ntp.org>
	* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
	* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
	* [Bug 3814] First poll delay of new or cleared associations miscalculated.
	             <hart@ntp.org>
	* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
	             OpenSSL 3.  Reported by rmsh1216@163.com <hart@ntp.org>
	* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
	* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
	* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
	* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
	             disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
	* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
	  - ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
	* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
	  - Report and patch by Yuezhen LUAN <wei6410@sina.com>.
	* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
	* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
	             <hart@ntp.org>
	* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
	* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
	  - Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
	* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
	* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
	* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
	* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
	             Philippe De Muyter <phdm@macqel.be>
	* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
	  - openssl applink needed again for openSSL-1.1.1
	* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
	             Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
	* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
	  - command line options override config statements where applicable
	  - make initial frequency settings idempotent and reversible
	  - make sure kernel PLL gets a recovered drift compensation
	* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
	* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
	  - misleading title; essentially a request to ignore the receiver status.
	    Added a mode bit for this. <perlinger@ntp.org>
	* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
	  - original patch by Richard Schmidt, with mods & unit test fixes
	* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
	  - implement/wrap 'realpath()' to resolve symlinks in device names
	* [Bug 3691] Buffer Overflow reading GPSD output
	  - original patch by matt<ntpbr@mattcorallo.com>
	  - increased max PDU size to 4k to avoid truncation
	* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
	  - patch by Frank Kardel
	* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
	  - ntp{q,dc} now use the same password processing as ntpd does in the key
	    file, so having a binary secret >= 11 bytes is possible for all keys.
	    (This is a different approach to the problem than suggested)
	* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
	* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
	  - patch by Gerry Garvey
	* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
	  - original patch by Gerry Garvey
	* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
	  - original patch by Gerry Garvey
	* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
	  - applied patches by Gerry Garvey
	* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
	* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
	  - idea+patch by Gerry Garvey
	* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
	* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
	  - follow-up: fix inverted sense in check, reset shortfall counter
	* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
	* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
	  - fixed bug identified by Edward McGuire <perlinger@ntp.org>
	* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
	  - applied patch by Gerry Garvey
	* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
	             Reported by Israel G. Lugo. <hart@ntp.org>
	* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
	* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
	             Integrated patch from Brian Utterback. <hart@ntp.org>
	* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
	* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
	* Use correct rounding in mstolfp(). perlinger/hart
	* M_ADDF should use u_int32.  <hart@ntp.org>
	* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
	* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
	* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
	* If DEBUG is enabled, the startup banner now says that debug assertions
	  are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
	* syslog valid incoming KoDs.  <stenn@ntp.org>
	* Rename a poorly-named variable.  <stenn@ntp.org>
	* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
	* Use https in the AC_INIT URLs in configure.ac.  <stenn@ntp.org>
	* Implement NTP_FUNC_REALPATH.  <stenn@ntp.org>
	* Lose a gmake construct in ntpd/Makefile.am.  <stenn@ntp.org>
	* upgrade to: autogen-5.18.16
	* upgrade to: libopts-42.1.17
	* upgrade to: autoconf-2.71
	* upgrade to: automake-1.16.15
	* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
	* Support OpenSSL-3.0

Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2023-07-01 19:08:20 +00:00
Peter Müller
79da0b3159 CUPS: Update to 2.4.6
Several security-relevant bugs have been fixed since version 2.4.2,
please refer to https://github.com/OpenPrinting/cups/releases for the
respective changelogs.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-06-25 21:04:19 +00:00
Michael Tremer
f08637c587 gdb: Update to 13.2
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2023-06-24 06:34:18 +00:00
Adolf Belka
db9c7fb826 wavemon: Update to version 0.9.4
- Update from version 0.7.5 to 0.9.4
- Update of rootfile
- wavemon would not build because it could not find the netlink include files. wavemon was
   still looking in include/netlink/ as for libnl version 1 but with libnl3 the include
   files are in include/libnl3/netlink/
- Based on an issue entry in the wavemon github repo I created the patch to force wavemon
   to look in the correct place.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-06-15 09:39:10 +00:00
Adolf Belka
8e498000ec mpfr: Update with latest bug patches
- Update version 4.2.0 from 4 bug patches to 9 bug patches
- Update of rootfile not required
- Bug fix changelog
5	The mpfr_reldiff function, which computes |b−c|/b, is buggy on special values,
         e.g. on the following (b,c) values: (+Inf,+Inf) gives ±0 instead of NaN (like
         NaN/Inf); (+0,+0) gives 1 instead of NaN (like 0/0); (+0,1) gives 1 instead of
         Inf (like 1/0). Moreover, the sign of 0 for (+Inf,+Inf) or (−Inf,−Inf) is not
         set, i.e. it is just the sign of the destination before the call; as a
	 consequence, results are not even consistent. These bugs are fixed by the
	 reldiff patch.
	Corresponding changeset in the 4.2 branch: 81e4d4427.
6	The reuse tests are incomplete: the sign of a result zero is not checked, so
	 that it can miss bugs (one of the mpfr_reldiff bugs mentioned above, in
	 particular). The tests-reuse patch adds a check of the sign of zero and
	 contains other minor improvements.
	Corresponding changeset in the 4.2 branch: e6d47b8f5.
7	The general code for the power function (mpfr_pow_general internal function) has
	 two bugs in particular cases: the first one is an incorrect computation of the
	 error bound when there has been an intermediate underflow or overflow (in such
	 a case, the computation is performed again with a rescaling, thus with an
	 additional error term, but there is a bug in the computation of this term), so
	 that the result may be rounded incorrectly (in particular, a spurious overflow
	 is possible); the second one occurs in a corner case (destination precision 1,
	 rounding to nearest, and where the rounded result assuming an unbounded
	 exponent range would be 2^(emin−2) and the exact result is larger than this value),
	 with the only consequence being a missing underflow exception (the underflow
	 flag is not set). These two bugs are fixed by the pow_general patch, which also
	 provides testcases.
	Note: The second bug was introduced by commit 936df8ef6 in MPFR 4.1.0 (the code
	 simplification was incorrect, and there were no associated tests in the
	 testsuite).
	Corresponding changesets in the 4.2 branch: 85bc7331c, 5fa407a6c, 9a16c173e.
8	The mpfr_compound_si function can take a huge amount of memory and time in some
	 cases (when the argument x is a large even integer and x^n is represented exactly
	 in the target precision) and does not correctly detect overflows and underflows.
	 This is fixed by the compound patch, which also provides various tests.
	Corresponding changesets in the 4.2 branch: 7635c4a35, 74d86a61f, 952fb0f5c,
	 a4894f68d, 7bb748775, f5cb40571, d87459969.
9	MPFR can crash when a formatted output function is called with %.2147483648Rg in
	 the format string. For instance: mpfr_snprintf (NULL, 0, "%.2147483648Rg\n", x);
	 This is fixed by the printf_large_prec_for_g patch, which also provides
	 testcases.
	Corresponding changesets in the 4.2 branch: 686f82776, 769ad91a6.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-06-15 09:37:47 +00:00
Adolf Belka
aec620df45 minidlna: Update to version 1.3.2
- Update from version 1.3.0 to 1.3.2
- Update of rootfile not required
- Patch for CVE-2022-26505 is now built into the source tarball
- Changelog
1.3.2 - Released 30-Aug-2022
	- Improved DNS rebinding attack protection.
	- Added Samsung Neo QLED series (2021) support.
	- Added webm/rm/rmvb support.
1.3.1 - Released 11-Feb-2022
	- Fixed a potential crash in SSDP request parsing.
	- Fixed a configure script failure on some platforms.
	- Protect against DNS rebinding attacks.
	- Fix a socket leakage issue on some platforms.
	- Minor bug fixes.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-06-15 09:37:33 +00:00
Adolf Belka
e031838684 dhcpcd: Update to version 10.0.1
- Update from version 9.4.1 to 10.0.1
- Update of rootfile not required
- Changelog is no longer provided. For details of changes you have to look at the commits
   log - https://github.com/NetworkConfiguration/dhcpcd/commits

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-06-15 09:26:56 +00:00
Matthias Fischer
bf0aa7f25b suricata: Update to 6.0.12
"6.0.12 -- 2023-05-08

Bug #6040: tcp: failed assertion ASSERT: !(ssn->state != TCP_SYN_SENT) (6.0.x backport)
Bug #6039: TCP resets have incorrect len, nh in IPv6 (6.0.x backport)
Bug #6034: time: integer comparison with different signs (6.0.x backport)
Bug #6031: af-packet: reload not occurring until packets are seen (6.0.x backport)
Bug #6020: smtp: fuzz debug assertion trigger (6.0.x backport)
Bug #6018: scan-build warning for mime decoder (6.0.x backport)
Bug #6017: scan-build warnings for ac implementations (6.0.x backport)
Bug #6016: scan-build warnings in radix implementation (6.0.x backport)
Bug #6015: scan-build warning for detect sigordering (6.0.x backport)
Bug #6014: scan-build warnings for detect address handling (6.0.x backport)
Bug #6013: scan-build warning for detect port handling (6.0.x backport)
Bug #6007: Unexpected behavior of `endswith` in combination with negated content matches (6.0.x backport)
Bug #5999: exception/policy: make work with simulated flow memcap (6.0.x backport)
Bug #5997: perf shows excessive time in IPOnlyMatchPacket (6.0.x backport)
Bug #5980: rust: warning for future compile errors
Bug #5961: smb: wrong endian conversion when parse NTLM Negotiate Flags (6.0.x backport)
Bug #5958: bpf: postpone IPS check after IPS runmode is determined from the configuration file (6.0.x backport)
Bug #5934: app-layer-htp: Condition depending on enabled IPS mode never true (6.0.x backport)
Optimization #6033: detect using uninitialized engine mode (6.0.x backport)
Feature #5996: Add support for 'inner' PF_RING clustering modes (6.0.x backport)
Task #6052: github-ci: add windows + windivert build (6.0.x backport)"

Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
2023-05-29 06:47:09 +00:00
Arne Fitzenreiter
6a005bd9aa kernel: update to 6.1.28
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-05-16 18:53:01 +00:00
Adolf Belka
b2e7b0a28b mpfr: Update to include the latest four bug patches
- The base version has not changed but patches to fix 4 bugs have been released.
- Update to rootfile not required.
- Bug fix changelog
	1    A test of the thousands separator in tsprintf.c is based on the output from
              the GNU C Library up to 2.36, which is incorrect. The output has changed in
              2.37 (partly fixed), so that tsprintf fails with glibc 2.37. The
              tsprintf-thousands patch modifies the test to conform to POSIX and also
              avoid the buggy case in 2.36 and below. However, this new test, which was
              expected to succeed, triggers a serious bug in 2.37
              (bug 30068 / CVE-2023-25139). We did not modify the test again since this
              bug affects MPFR's mpfr_sprintf function, with a possible buffer overflow
              in particular cases. This bug has been fixed in the 2.37 branch. In short,
              this patch is useful (and needed) for a fixed glibc 2.37 and some other
              libraries, depending on the current locales.
	     Corresponding changesets in the 4.2 branch: 4f03d40b5, 78ff7526d, e66bb7121.
	2    The mpfr_ui_pow_ui function has an infinite loop in case of overflow. This can
              affect mpfr_log10, which uses this function (this is how this bug was
              found). This bug is fixed by the ui_pow_ui-overflow patch (with testcases).
	     Corresponding changeset in the 4.2 branch: 0216f40ed.
	3    The tfprintf and tprintf tests may fail in locales where decimal_point has
              several bytes, such as ps_AF. This is fixed by the multibyte-decimal_point
              patch, which makes the tests aware of the length of decimal_point.
	     Corresponding changeset in the 4.2 branch: 0383bea85.
	4    In particular cases that are very hard to round, mpfr_rec_sqrt may yield a
              stack overflow due to many small allocations in the stack, based on alloca().
              This is due to the fact that the working precision is increased each step
              (Ziv loop) by 32 or 64 bits only, until the approximate result can be
              rounded (thus we have an arithmetic progression here, while a geometric
              progression is used for the other functions), and that at each iteration,
              the previous allocations in the stack cannot be freed. Individual
              allocations in the stack are limited to 16384 bytes, so that the issue can
              occur only when there are many iterations in working precisions that are
              not too large, which is possible with an arithmetic progression. This bug
              is fixed by the rec_sqrt-zivloop patch, which changes the Ziv loop to use
              the standard MPFR_ZIV_* macros; the patch also provides a testcase obtained
              by a function that constructs a hard-to-round case involving large enough
              precisions (this function is commonly used in the MPFR testsuite, but not
              with so large precisions). This bug was originally reported by Fredrik
              Johansson.
	     Corresponding changeset in the 4.2 branch: 934dd8842.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-05-11 20:10:38 +00:00
Arne Fitzenreiter
cb73ca19a6 kernel: patch CVE-2023-32233
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
2023-05-11 19:48:40 +00:00
Adolf Belka
25ac6657c1 cups: Fixes Bug#12924 - Can't access https pages in cups
- Version 2.4.2 had some bugs that caused the self signed certificates to not be read or
   created properly. The two involved bug fix patches are applied in this submission.
- Corrected the configure options related to avahi and TLS. Using Openssl for the TLS.
- Built .ipfire package installed into vm testbed and tested. With existing 2.4.2
   any https pages come up with an error for the secure connection. With this version
   the https admin page opens up and config file was able to be successfully modified
   via it.

Fixes: Bug#12924
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-05-03 07:40:19 +00:00
Arne Fitzenreiter
6a0c5ef65a kernel: update to 6.1.27
the layer7 patch is rebased to apply without fuzzing.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-05-03 05:07:17 +00:00
Arne Fitzenreiter
8b251380b6 u-boot: add OrangePi R1 Plus LTS
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-05-02 19:33:28 +00:00
Arne Fitzenreiter
0a7f6097bc u-boot: add nanopi r2c support
this patch adds nanopi r2c plus support.
if this u-boot is installed on the eMMC this is also
supported.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-04-24 19:00:34 +00:00
Peter Müller
68a18ea0a9 Postfix: Update to 3.8.0
Please refer to https://www.postfix.org/announcements/postfix-3.8.0.html
for this version's release announcement.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-04-24 18:58:25 +00:00
Peter Müller
489e0494dc OpenSSL: Update to 3.1.0
In a future Core Update, the following remnants of OpenSSL 1.1.1 need to
be removed:

/usr/lib/engines-1.1/afalg.so
/usr/lib/engines-1.1/capi.so
/usr/lib/engines-1.1/padlock.so
/usr/lib/libcrypto.so.1.1
/usr/lib/libssl.so.1.1

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-04-24 18:09:50 +00:00
Adolf Belka
094bbe083b pmacct: Update to version 1.7.8
- Update from version 1.7.6 to 1.7.8
- Update of rootfile not required
- patch to remove Werror no longer required as the build with this version of pmacct
   had no problems with errors being flagged as warnings anymore unlike with the
   previous version.
- Changelog
     The keys used are:
	  !: fixed/modified feature, -: deleted feature, +: new feature
     1.7.8 -- 31-12-2022
	  + Introduced support for eBPF for all daemons: if SO_REUSEPORT is
	    supported by the OS and eBPF support is compiled in, this allows
	    to load a custom load-balancer. To load-share, daemons have to
	    be part of the same cluster_name and each be configured with a
	    distinct cluster_id.
	  + Introduced support for listening on VRF interfaces on Linux for
	    all daemons. The feature can be enabled via nfacctd_interface,
	    bgp_daemon_interface and equivalent knobs. Many thanks to
	    Marcel Menzel ( @WRMSRwasTaken ) for this contribution.
	  + pre_tag_map: introduced limited tagging / labelling support for
	    BGP (pmbgpd), BMP (pmbmpd), Streaming Telemetry (pmtelemetryd)
	    daemons. ip, set_tag, set_label keys being currently supported.
	  + pre_tag_map: defined a new pre_tag_label_encode_as_map config
	    knob to encode the output 'label' value as a map for JSON and
	    Apache Avro encodings, ie. in JSON "label": { "key1": "value1",
	    "key2": "value2" }. For keys and values to be correctly mapped,
	    the '%' delimiter is used when composing a pre_tag_map, ie.
	    "set_label=key1%value1,key2%value2 ip=0.0.0.0/0". Thanks to
	    Salvatore Cuzzilla ( @scuzzilla ) for this contribution.
	  + pre_tag_map: introduced support for IP prefixes for src_net
	    and dst_net keys for indexed maps (maps_index set to true).
	    Indexing being a hash map, this feature currently tests data
	    against all defined IP prefix lengths in the map for a match
	    (first defined matching prefix wins).
	  + pre_tag_map: introduced two new 'is_nsel', 'is_nel' keys to
	    check for the presence of firewallEvent field (233) and
	    natEvent field (230) in NetFlow/IPFIX respectively in order
	    to infer whether data is NSEL / NEL. If set to 'true' this
	    does match NSEL / NEL data, if set to 'false' it does match
	    non NSEL / NEL data respectively.
	  + Introduced a new mpls_label_stack primitive, encoded as a
	    string and includes a comma-separated list of integers (label
	    values). Thanks to Salvatore Cuzzilla ( @scuzzilla ) for this
	    contribution.
	  + Introduced a new fw_event primitive, to support NetFlow v9/
	    IPFIX firewallEvent 233 Information Element.
	  + Introduced a new tunnel_tcp_flags primitive for pmacctd and
	    sfacctd to record TCP flags for the inner layer of a tunneled
	    technology (ie. VXLAN). Also tunnel_dst_port decoding was
	    fixed for sfacctd.
	  + Introduced support for in/out VLAN support for sfacctd. To be
	    savvy, 'in_vlan' and 'vlan' were muxed onto the same primitive
	    depending on the daemon being used. Thanks to Jim Westfall
	    ( @jwestfall69 ) for this contribution.
	  + Introduced a new mpls_label_stack_encode_as_array config knob
	    to encode the MPLS label stack as an array for JSON and Apache
	    Avro encodings, ie. in JSON "mpls_label_stack": [ "0-label0",
	    "1-label1", "2-label2", "3-label3", "4-label4", "5-label5" ]
	    and in Avro "name": "mpls_label_stack", "type": { "type":
	    "array", "items": { "type": "string" } }. Thanks to Salvatore
	    Cuzzilla ( @scuzzilla ) for this contribution.
	  + Introduced a new tcpflags_encode_as_array config knob to encode
	    TCP flags as an array for JSON and Apache Avro, ie. in JSON
	    "tcp_flags": [ "URG", "ACK", "PSH", "RST", "SYN", "FIN" ] and
	    in Avro "name": "tcp_flags", "type": { "type": "array",
	    "items": { "type": "string" } }. Thanks to Salvatore Cuzzilla
	    ( @scuzzilla ) for this contribution.
	  + Introduced a new fwd_status_encode_as_string config knob to
	    encode the 'fwd_status' primitive in human-readable format
	    like described by RFC-7270 Section 4.12 when JSON or Avro
	    formats are selected for output. Thanks to Salvatore Cuzzilla
	    ( @scuzzilla ) for this contribution.
	  + Introduced a new protos_file to define a list of (known/
	    interesting/meaningful) IP protocols. Both protocol names, ie.
	    "tcp", and protocol numbers, ie. 1 (for icmp), are accepted.
	    IANA reserved protocol value 255 is used to bucket as 'others'
	    those IP protocols not matching the ones defined in the list.
	  + Introduced a new tos_file to define a list of (meaningful) IP
	    ToS values; if tos_encode_as_dscp is set to true then DSCP
	    values are expected as part of the file. The directive uses
	    value 255 to bucket as 'others' those ToS/DSCP values not
	    matching the ones defined in the list.
	  + A new tos_encode_as_dscp config knob makes pmacct to honour
	    only the 6 bits used by DSCP and report only on those.
	  + BGP, BMP, Streaming Telemetry daemons: introduced a new
	    dump_time_slots config knob to spread the load deriving by
	    dumps over the configured refresh time interval. The interval
	    is divided into time slots and nodes are assigned to such
	    slots. The slot for each node is determined using its IP
	    address. Thanks to Raphael Barazzutti ( @rbarazzutti ) for
	    this contribution.
	  + BGP, BMP daemons: End-of-RIB messages are now being exposed
	    in the output feed in order to facilitate tracking their
	    arrival (or not!).
	  + pmtelemetryd: aligned daemon to the latest Unyte UDP-Notif API
	    (0.6.1) and related standardization draft-ietf-netconf-udp-notif
	  + RPKI daemon: added case for input "asn" value being integer (ie.
	    "asn" : 2914) on top of the string case (ie. "asn" : "AS2914").
	  + Kafka, amqp plugins: introduced a new writer_id_string config
	    knob to allow to customize the "writer_id" field value. A
	    few variables are supported along with static text definitions.
	  + Added a new aggregate_unknown_etype config knob to account also
	    frames with EtherTypes for which there is no decoding support
	    and allow to aggregate them by the available Ethernet L2 fields
	    (ie. 'src_mac', 'dst_mac', 'vlan', 'cos', 'etype'). Thanks to
	    @singularsyntax for this contribution.
	  + Added a new bgp_daemon_add_path_ignore config knob to ignore
	    (do not advertise back) the ADD-PATH capability advertised by
	    remote BGP peers.
	  + nfacctd, sfacctd: extended the possibility to run daemons from
	    a user with non root privileges to these daemons.
	  + nfacctd: if Information Element 90 (MPLS VPN RD) is present in
	    NetFlow v9/IPFIX, make it available for BGP/BMP correlation.
	  + pmacctd, sfacctd: introduced basic support for QinQ, 802.1AD.
	  + [print|kafka|amqp]_preprocess: added support for 'maxp',
	    'maxb' and 'maxf' keys when preprocessing aggregates of non-
	    SQL plugins. Thanks to Andrew R. Lake ( @arlake228 ) for this
	    contribution.
	  + nDPI: newer versions of the library (ie. >= 4.0) bring changes
	    to the API. pmacct is now aligned to compile against these. At
	    the same time support for nDPI 3.x was dropped.
	  ! fix, plugin_common.[ch]: when stitching feature was enabled,
	    ie. nfacctd_stitching, timestamp_min was never reset. Also both
	    timestamp_min and timestamp_max were clamped to sec granularity.
	  ! fix, BGP, BMP daemons: added a tmp_bgp_daemon_origin_type_int to
	    print out BGP "origin" field as int (legacy behaviour) instead
	    of string (current behaviour). In a future major release the
	    legacy behaviour will be dropped.
	  ! fix, BGP, BMP daemons: MPLS labels are now encoded in both JSON
	    and Apache Avro as 'mpls_label' instead of 'label'. This is to
	    align behaviour with pre_tag_map where 'label' has a different
	    semantic.
	  ! fix, BGP, BMP daemons: resolved memory leak when encoding log
	    messaging (logmsg) in Avro format with Schema Registry support.
	  ! fix, BGP daemon: improved handling of ADD-PATH capability,
	    making it per-AF (as it is supposed to be) and not global.
	  ! fix, BMP daemon: now checking that ADD-PATH capability is
	    enabled at both ends of the monitored session (check both BGP
	    OPEN in a Peer Up message) in order to infer that the capability
	    exchange was successful. Also some heuristics were added to
	    conciliate BGP Open vs BGP Update 4-bytes ASN reality.
	  ! fix, nfacctd: improved parsing of NetFlow v9 Options data
	    particularly when multiple IEs are packed as part of a flowset.
	  ! fix, nfacctd: corrected parsing of Information Element 351
	    (layer2SegmentId).
	  ! fix, pmacctd: improved processing of pcap_interfaces_map for
	    cases where the same interface is present multiple times (maybe
	    with different directions). Also, if the map is empty then bail
	    out at startup.
	  ! fix, pmacctd: SEGV when ICMP/ICMPv6 traffic was processed and
	    'flows' primitive was enabled.
	  ! fix, pmacctd: sampling_rate primitive value was not reported
	    correctly when 'sampling_rate' config directive was specified.
	  ! fix, pmbgpd, pmbmpd, pmtelemetryd: changed SIGCHLD handler to
	    prevent zombification of last spawned data dump writer.
	  ! fix, Kafka plugin: moved the schema registration from the dump
	    writer to the plugin process in order to register the schemas
	    only once at plugin startup and not on every start of a writer
	    process. Thanks to Uwe Storbeck ( @ustorbeck ) for this
	    contribution.
	  ! fix, Kafka plugin: a check for kafka_partition was missing,
	    leading the plugin to always use the default partitioner
	    instead of sending data to the configured fixed partition.
	    Thanks to Martin Pels ( @rodecker ) for this contribution.
	  ! fix, nfprobe plugin: BGP data enrichment was not working due to
	    a mistakenly moved pointer.
	  ! fix, sfprobe plugin: AS-PATH was being populated even when null;
	    added a check to see if the destination AS is not zero in order
	    to put the destination AS into the AS-PATH for sFlow packets.
	    Thanks to Marcel Menzel ( @WRMSRwasTaken ) for this contribution.
	  ! fix, networks_file: remove_dupes() was making partial commits
	    of valid rows hence creating data inconsistencies.
	  ! fix, pre_tag_map: resolved a potential string overflow that was
	    being triggered in pretag_append_label() when data would be
	    assigned more than one single label. Also now allow ',' chars
	    in set_label.
	  ! fix, maps_index: uninitialized var could cause SEGV in case no
	    results are found in the map index. Also introduced support for
	    catch-all rules, ie. "set_label=unknown".
	  ! fix, maps_index: optimized the case of no 'ip' key specified
	    (for nfacctd and sfacctd): when indexing is enabled, prevent
	    recirculation from happening, ie. test v4 first then v6, since
	    the 'ip' key is not going to be part of the hash serializer.
	  ! fix, pretag.c: allow to allocate maps greater than 2GB in size.
	    Also several optimizations were carried out yielding to a better
	    memory utilization for allocated maps along with improved times
	    to resolve JEQs.
	  ! fix, pre_tag_label_filter: optimized and improved runtime
	    evaluation part of this feature, avoiding a costly strdup() and
	    returning immediately on certain basic mismatch conditions.
	  ! fix, kafka_common.[ch]: a new p_kafka_produce_data_and_free()
	    is invoked to optimize memory allocations and releases.
	  ! fix, plugin_cmn_avro.c: when a schema registry is being defined,
	    ie. kafka_avro_schema_registry, the logic to generate the schema
	    name has been changed: use topic plus record name as the schema
	    name, use underscore as separator within the record name, stop
	    adding a "-value" suffix. Thanks to Uwe Storbeck ( @ustorbeck )
	    for this contribution.
	  ! fix, util.c: roundoff_time() to reason always with the locally
	    configured time, like for the rest of functional (as in non-data)
	    timestamps, ie. refresh time, deadline, etc.
	  ! fix, log.c: when log messages are longer than message buffer,
	    the message gets cut off. As the trailing newline also gets cut
	    off the message will be concatenated with the following message
	    which makes the log hard to read. Thanks to Uwe Storbeck
	    ( @ustorbeck ) for this contribution.
	  - Completed the retirement of legacy packet classification based
	    on home-grown code (Shared Objects) and the L7 layer project.
	  - Removed the mpls_stck_depth primitive due to the introduction
	    of the mpls_label_stack primitive.
     1.7.7 -- 07-11-2021
	  + BGP, BMP, Streaming Telemetry daemons: introduced parallelization
	    of dump events via a configurable amount of workers where the unit
	    of parallelization is the exporter (BGP, BMP, telemetry exporter),
	    ie. in a scenario where there are 4 workers and 4 exporters each
	    worker is assigned one exporter data to dump.
	  + pmtelemetryd: added support for draft-ietf-netconf-udp-notif:
	    a UDP-based notification mechanism to collect data from networking
	    devices. A shim header is proposed to facilitate the data streaming
	    directly from the publishing process on network processor of line
	    cards to receivers. The objective is a lightweight approach to
	    enable higher frequency and less performance impact on publisher
	    and receiver process compared to already established notification
	    mechanisms. Many thanks to Alex Huang Feng ( @ahuangfeng ) and the
	    whole Unyte team.
	  + BGP, BMP, Streaming Telemetry daemons: now correctly honouring the
	    supplied Kafka partition key for BGP, BMP and Telemetry msg logs
	    and dump events.
	  + BGP, BMP daemons: a new "rd_origin" field is added to output log/
	    dump to specify the source of Route Distinguisher information (ie.
	    flow vs BGP vs BMP).
	  + pre_tag_map: added ability to tag new NetFlow/IPFIX and sFlow
	    sample_type types: "flow-ipv4", "flow-ipv6", "flow-mpls-ipv4" and
	    "flow-mpls-ipv6". Also added a new "is_bi_flow" true/false key to
	    tag (or exclude) NSEL bidirectional flows. Added as well a new
	    "is_multicast" true/false config key to tag (or exclude) IPv4/IPv6
	    multicast destinations.
	  + maps_index: enables indexing of maps to increase lookup speeds on
	    large maps and/or sustained lookup rates. The feature has been
	    reimplemented using stream-lined structures from libcdada. This is
	    a major work that helps preventing the unpredictable behaviours
	    caused by the homegrown map indexing mechanism. Many thanks to
	    Marc Sune ( @msune ).
	  + maps_index: support for indexing src_net and dst_net keywords has
	    been added.
	  + Added <daemon_name>_ipv6_only config directives to optionally
	    enable the IPV6_V6ONLY socket option. Also changed the wrong
	    setsockopt() IPV6_BINDV6ONLY id to IPV6_V6ONLY.
	  + Added log function to libserdes to debug transactions with the
	    Schema Registry when kafka_avro_schema_registry is set.
	  + nDPI: newer versions of the library (ie. >= 3.5) bring changes
	    to the API. pmacct is now aligned to compile against these.
	  + pmacctd: added pcap_arista_trailer_offset config directive since
	    Arista has changed the structure of the trailer format in recent
	    releases of EOS. Thanks to Jeremiah Millay ( @floatingstatic )
	    for his patch.
	  + More improvements carried out on the Continuous Integration
	    (CI) side by migrating from Travis CI to GitHub Actions. Huge
	    thanks to Marc Sune ( @msune ) to make all of this possible.
	  + More improvements also carried out in the space of the Docker
	    images being created: optimized image size and a better layered
	    pipeline. Thanks to Marc Sune ( @msune ) and Daniel Caballero
	    ( @dcaba ) to make all of this possible.
	  + libcdada shipped with pmacct was upgraded to version 0.3.5. Many
	    thanks Marc Sune ( @msune ) for his work with libcdada.
	  ! build system: several improvements carried out in this area,
	    ie. improved MySQL checks, introduced pcap-config tool for
	    libpcap, compiling on BSD/old compilers, etc. Monumental thanks
	    to Marc Sune ( @msune ) for his continued help.
	  ! fix, nfacctd: improved heuristics to support the case of flows
	    with both IPv4 and IPv6 source / destination addresses (either
	    or populated). Also improved heuristics to distinguish event data
	    vs traffic data in NetFlow v9/IPFIX from Cisco 9300/9500, ASA
	    firewalls and Cisco 4500X.
	  ! fix, nfacctd: improved support for initiatorOctets (IE #231) and
	    responderOctets (IE #232). Thanks to Esben Laursen ( @hyberdk )
	    for reporting the issue.
	  ! fix, nfacctd: in NF_mpls_vpn_id_handler() double ntohl() calls
	    were applied for the case of 'vrfid'-encoded mpls_vpn_rd field.
	  ! fix, sfacctd: wrong ethertype set for VLAN-tagged, MPLS-labelled
	    IPv6 traffic. Impacting BGP resolution among others. Thanks to
	    Jeremiah Millay ( @floatingstatic ) for his help resolving the
	    problem.
	  ! fix, BGP, BMP daemons: parsing improvements: added a check for
	    BGP Open message and BGP Open Options lengths. Strengthened
	    parsing of Peer Up, Route Monitoring and Peer Down v4 messages.
	  ! fix, BGP, BMP daemon: when using Avro encoding and Avro Schema
	    Registry, attempt to reconnect if serdes schemas are voided.
	    Also now checking for serdes schema definitions before doing a
	    serdes_schema_serialize_avro() to avoid triggering a SEGV.
	    Finally improved serdes logging.
	  ! fix, BGP, Streaming Telemetry daemons: in daemon logs, summary
	    counters for amount of tables / entries dumped were wrong.
	  ! fix, BGP daemon: distinguish among null and zero value AIGP
	    and Prefix SID attributes. Same applies for Local Preference
	    and MED attributes.
	  ! fix, BMP daemon: resolved a memory leak in bgp_peers_free().
	    Thanks to Peter Pothier ( @pothier-peter ) for his patch. Also
	    resolved a leak caused by an invalid BGP message contained in a
	    BMP Route Message v4.
	  ! fix, BMP daemon: correctly setting peer_ip and peer_tcp_port
	    JSON fields for Term messages. Also the correct bmp_router
	    value when bmp_daemon_parse_proxy_header feature is enabled.
	  ! fix, BMP daemon: several encoding issues when using Apache Avro
	    ie. u_int64_t now correctly encoded with avro_value_set_long(),
	    certain u_int32_t fields switched to avro_value_set_long() due
	    to lack of unsignedness in Avro encoding, improved various
	    aspects of Avro-JSON format output, etc.
	  ! fix, pmtelemetryd: wrong parsing of pm_tfind() output was
	    leading to mistaken data attribution of UDP-based peers (always
	    first peer to connect was being picked).
	  ! fix, pmtelemetryd: when set, the pidfile config directive was
	    not being correctly honoured.
	  ! fix, RPKI: the RTR PDU element for maxLength is uint8, therefore
	    it might have been possible to transmit incorrect RTR data.
	    Thanks to Job Snijders ( @job ) for his patch.
	  ! fix, SQL plugins: amended the text composition of SQL queries
	    that are involving latitude and longitude keys.
	  ! fix, MySQL plugin: check for 'unix:' prefix string only when a
	    sql_host configuration directive is specified.
	  ! fix, nfprobe: modernized Application Information export. Until
	    the previous release pmacct was adhering to aging NBAR model
	    whereas now NBAR2 has been implemented. Thanks to Rob Cowart
	    ( @robcowart ) for helping out resolving this issue.
	  ! fix, tee plugin: restored usefulness of tee_source_ip which was
	    broken in 1.7.6. Thanks to Jeremiah Millay ( @floatingstatic )
	    for reporting the issue.
	  ! fix, maps_index: indexing of mpls_pw_id was broken. Also now,
	    when the feature is enabled, actual data is being referenced in
	    the index structure instead of creating a copy of it; thanks to
	    Sander van Delden ( @SanderDelden ) for reporting the memory
	    leak that was resulting from the copy.
	  ! fix, kafka_common.c: solved memory leak in p_kafka_set_topic()
	    when Kafka session was getting in down state. Many thanks to
	    Peter Pothier ( @pothier-peter ) for nailing the issue.
	  ! fix, net_aggr.[ch]: when a networks_file is specified in the
	    config, gracefully handle max memory structure depth; added
	    also de-duplication of entries.
	  ! fix, pmacct-defines.h: if PCAP_NETMASK_UNKNOWN is not defined,
	    ie. in libpcap < 1.1.0, let's define it.
	  ! fix, SO_REUSEPORT feature was being restricted to Linux only in
	    previous releases: now it has been unlocked to all other OS that
	    do support the feature.
	  ! fix, split SO_REUSEPORT and SO_REUSEADDR setsockopt() calls.
	    Thanks to @eduarrrd for reporting and resolving the issue.
	  ! fix, several code warnings caught by gcc9 and clang.
	  - Obsoleted sql_history_since_epoch, pre_tag_map_entries and
	    refresh_maps configuration directives.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-04-18 21:25:03 +00:00
Adolf Belka
7ea6cba07a bash: Update version to 5.2 with patches 1 to 15
- Update from version 5.2 patches 1-9 to 5.2 patches 1-15
- Update of rootfile not required
- Changelog
bash52-015
	There are several cases where bash is too aggressive when optimizing out forks
	in subshells. For example, `eval' and traps should never be optimized.
bash52-014
	Bash defers processing additional terminating signals when running the
	EXIT trap while exiting due to a terminating signal. This patch allows the
	new terminating signal to kill the shell immediately.
bash52-013
	Bash can leak memory when referencing a non-existent associative array
	element.
bash52-012
	When running in bash compatibility mode, nested command substitutions can
	leave the `extglob' option enabled.
bash52-011
	Using timeouts and readline editing with the `read' builtin (read -e -t) can
	leave the readline timeout enabled, potentially resulting in an erroneous
	timeout on the next call.
bash52-010
	Bash-5.2 checks the first 128 characters of an executable file that execve()
	refuses to execute to see whether it's a binary file before trying to
	execute it as a shell script. This defeats some previously-supported use
	cases like "self-executing" jar files or "self-uncompressing" scripts.

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-04-18 21:20:24 +00:00
Adolf Belka
48af3df725 openssh: Update to version 9.3p1
- Update from version 9.2p1 to 9.3p1
- Update of rootfile not required
- Removal of patch as this was only required for i586 builds which are no longer done in
   IPFire
- Changelog
9.3p1 (2023-03-15)
  This release fixes a number of security bugs.
    Security
	This release contains fixes for a security problem and a memory
	safety problem. The memory safety problem is not believed to be
	exploitable, but we report most network-reachable memory faults as
	security bugs.
	 * ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
	   per-hop destination constraints (ssh-add -h ...) added in OpenSSH
	   8.9, a logic error prevented the constraints from being
	   communicated to the agent. This resulted in the keys being added
	   without constraints. The common cases of non-smartcard keys and
	   keys without destination constraints are unaffected. This problem
	   was reported by Luci Stanescu.
	 * ssh(1): Portable OpenSSH provides an implementation of the
	   getrrsetbyname(3) function if the standard library does not
	   provide it, for use by the VerifyHostKeyDNS feature. A
	   specifically crafted DNS response could cause this function to
	   perform an out-of-bounds read of adjacent stack data, but this
	   condition does not appear to be exploitable beyond denial-of-
	   service to the ssh(1) client.
	   The getrrsetbyname(3) replacement is only included if the system's
	   standard library lacks this function and portable OpenSSH was not
	   compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
	   only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
	   problem was found by the Coverity static analyzer.
    New features
	 * ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
	   outputting SSHFP fingerprints to allow algorithm selection. bz3493
	 * sshd(8): add a `sshd -G` option that parses and prints the
	   effective configuration without attempting to load private keys
	   and perform other checks. This allows usage of the option before
	   keys have been generated and for configuration evaluation and
	   verification by unprivileged users.
    Bugfixes
	 * scp(1), sftp(1): fix progressmeter corruption on wide displays;
	   bz3534
	 * ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
	   of private keys as some systems are starting to disable RSA/SHA1
	   in libcrypto.
	 * sftp-server(8): fix a memory leak. GHPR363
	 * ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
	   compatibility code and simplify what's left.
	 * Fix a number of low-impact Coverity static analysis findings.
	   These include several reported via bz2687
	 * ssh_config(5), sshd_config(5): mention that some options are not
	   first-match-wins.
	 * Rework logging for the regression tests. Regression tests will now
	   capture separate logs for each ssh and sshd invocation in a test.
	 * ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
	   says it should; bz3532.
	 * ssh(1): ensure that there is a terminating newline when adding a
	   new entry to known_hosts; bz3529
    Portability
	 * sshd(8): harden Linux seccomp sandbox. Move to an allowlist of
	   mmap(2), madvise(2) and futex(2) flags, removing some concerning
	   kernel attack surface.
	 * sshd(8): improve Linux seccomp-bpf sandbox for older systems;
	   bz3537

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
2023-04-18 21:12:55 +00:00
Peter Müller
53c4a960ce ca-certificates: Rebase patch for removing TrustCor root CAs
This is necessary since the certdata2pem.py script does not take
meta information such as "distrust after date" into account, hence
Mozilla's changes to TrustCor's root CAs are not sufficient to have them
removed from or distrusted on IPFire installations.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-03-11 16:16:10 +00:00
Adolf Belka
56db79acab texinfo: Update to version 7.0.2
- Update from version 6.8 to 7.0.2
- Update of rootfile
- Removal of patch which was needed due to inability to build texinfo-6.8 with glibc-2.34
   Problem was fixed for building with glibc-2.34 and onwards with texinfo-7.0
- Changelog
7.0.2 (22 January 2023)
This is a bug-fix release with minimal changes.
* texi2any
  . do not distribute architecture-dependent files
  . build fixed on OpenIndiana 11
* info
  . further fix of recoding of UTF-8 files to ASCII
  . fix check for presence of man pages on Solaris
* install-info
  . fix build by avoiding function name clash on some platforms
  . compiler warning re strncat silenced
7.0.1 (30 November 2022)
This is a bug-fix release with minimal changes.
* texi2any
  . avoid crashes on empty @image argument and other potential crashes
    (with "Can't use an undefined value as an ARRAY reference" message)
  . avoid hang on @ref command inside section command
* info
  . fix recoding of UTF-8 files to ASCII when run in C locale
* js
  . index search fixed for new HTML output
  . some obsolete files removed from distribution
7.0 (7 November 2022)
* texi2any
 . LaTeX added as an output format, selected with --latex
 . EPUB 3 added as an output format, selected with --epub3
 . reform throughout the code in general
 . thorough review of character encoding issues
 . new customization variables involved with character encoding:
     INPUT_FILE_NAME_ENCODING, OUTPUT_FILE_NAME_ENCODING,
     DOC_ENCODING_FOR_INPUT_FILE_NAME, DOC_ENCODING_FOR_OUTPUT_FILE_NAME,
     MESSAGE_ENCODING and COMMAND_LINE_ENCODING
 . warn if full-text commands (@ref, @footnote, @anchor) appear in @w
 . new variable NO_TOP_NODE_OUTPUT
 . IGNORE_BEFORE_SETFILENAME variable removed.  former effect
   is now always on.
 . HTML output:
     . use manual_name_html as output directory for split HTML instead of
       manual_name or manual_name.html
     . default DOCTYPE declaration changed to plain HTML5 style rather than
       HTML4 DTD reference
     . output only the CSS rules that are needed in an output file
     . remove CSS_LINES variable and add SHOW_BUILTIN_CSS_RULES
       (custom CSS can still be output using EXTRA_HEAD)
     . use <code> tag for the output of @t and @verb instead of <tt>
     . use <abbr> for @acronym instead of <acronym>
     . link to table of contents from short table of contents only if a
       table of contents is actually output
     . prefix classes from @example arguments with `user-'
     . percent encode URL in @url/@uref, @email, @image and external
       manual file
     . new USE_XML_SYNTAX, HTML_ROOT_ELEMENT_ATTRIBUTES and
       NO_CUSTOM_HTML_ATTRIBUTE variables can be used to output
       valid XHTML
     . systematic addition of classes attribute in HTML elements based on the
       Texinfo @-command names.  renaming of class attributes to avoid
       confusion with @-commands formatting and describe the role in the
       document rather than the formatting style.
     . COPIABLE_ANCHORS renamed to COPIABLE_LINKS
     . do not add a title by default; SHOW_TITLE or NO_TOP_NODE_OUTPUT has
       to be set
     . USE_TITLEPAGE_FOR_TITLE is now true by default
     . L2H variable removed, replaced by HTML_MATH set to `l2h'
     . rename OVERVIEW_LINK_TO_TOC to SHORT_TOC_LINK_TO_TOC
     . rename BEFORE_OVERVIEW to BEFORE_SHORT_TOC_LINE
     . rename AFTER_OVERVIEW to AFTER_SHORT_TOC_LINES
     . remove PRE_ABOUT, AFTER_ABOUT, and add PROGRAM_NAME_IN_ABOUT
     . remove KEEP_TOP_EXTERNAL_REF
     . new variables IGNORE_REF_TO_TOP_NODE_UP, CONVERT_TO_LATEX_IN_MATH,
       HTMLXREF_MODE and HTMLXREF_FILE
 . DocBook output:
     . do not output Top node or text before the first @node or sectioning
       @-command.  NO_TOP_NODE_OUTPUT can be set to false to output Top node
       for now.
     . replace @definfoenclose defined @-commands by the argument as-is
       to be more consistent with printed output
 . HTML/DocBook output:
     . USE_NUMERIC_ENTITY changed to mean to use numeric entities instead
       of named entities.  former effect is now always on.
     . ENABLE_ENCODING_USE_ENTITY variable removed.  former effect is now
       always off.
 . Info output
     . quote problematic node names (with :, comma...) by default
     . new customization variable ASCII_PUNCTUATION to use plain ASCII
       characters for quotation marks and a few other symbols
* texinfo.tex
  . `@microtype on' uses microtypography in formatting for pdfTeX and LuaTeX
  . do not ignore @part page immediately following Top node
  . do `@set txicodevaristt' to get slanted typewriter for @var in code,
    `@clear txicodevaristt' to use slanted, variable-width roman font for
    @var everywhere.  flag is @set by default, but we may turn this off
    in the future.
  . new file doc/texinfo-zh.tex for Texinfo documents in Chinese.
    new support file doc/txi-zh.tex for Chinese.  doc/short-sample-zh.texi is
    a sample document.
* info
  . better support for index entries containing parentheses
  . better support for getting bold text etc. when displaying manpages
  . bug fixed where the first index entry in a file could be ignored
  . M-C-f closes as well as opens footnotes window
  . do not crash if run in Brazilian Portuguese locale
* Language
  . @deftype* commands use typewriter font in argument list
  . new commands @latex, @iflatex, @ifnotlatex for new LaTeX output format
  . do `@set txidefnamenospace' to omit space after a definition name
* Other
  . build fixed for glibc 2.34

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-03-05 15:16:09 +00:00
Adolf Belka
4de715dbe2 curl: Update to version 7.88.1
- Update from version 7.87.0 to 7.88.1
- Update of rootfile not required
- Patch removed as fix now built into source tarball
- Changelog
Fixed in 7.88.1 - February 20 2023
Bugfixes:
    build-openssl.bat: keep OpenSSL 3 engine binaries
    cmake: fix Windows check for CryptAcquireContext
    connect: fix timeout handling to use full duration
    curl: make --silent work stand-alone
    curl_setup: Suppress OpenSSL 3 deprecation warnings
    CURLOPT_WS_OPTIONS.3: fix the availability version
    GHA: update rustls dependency to 0.9.2
    http2: buffer/pausedata and output flush fix.
    http2: set drain on stream end
    http: include stdint.h more readily
    krb5: silence cast-align warning
    lib1560: add IPv6 canonicalization tests
    os400: correct Curl_os400_sendto()
    remote-header-name.d: mention that filename* is not supported
    runtests: fix "uninitialized value $port"
    setopt: allow HTTP3 when HTTP2 is not defined
    socketpair: allow EWOULDBLOCK when reading the pair check bytes
    socks: allow using DoH to resolve host names
    tests-httpd: add proxy tests
    tests: make sure gnuserv-tls has SRP support before using it
    tests: make the telnet server shut down a socket gracefully
    tool_getparam: make --get a true boolean
    tool_operate: allow debug builds to set buffersize
    urlapi: do the port number extraction without using sscanf()
    urldata: remove `now` from struct SingleRequest - not needed
Fixed in 7.88.0 - February 15 2023
Changes:
    curl.h: add CURL_HTTP_VERSION_3ONLY
    share: add sharing of HSTS cache among handles
    src: add --http3-only
    tool_operate: share HSTS between handles
    urlapi: add CURLU_PUNYCODE
    writeout: add %{certs} and %{num_certs}
Bugfixes:
    cf-socket: fix build when not HAVE_GETPEERNAME
    cf-socket: keep sockaddr local in the socket filters
    cfilters:Curl_conn_get_select_socks: use the first non-connected filter
    CI: add a workflow to automatically label pull requests
    CI: add pytest GHA to CI test/tests-httpd on a HTTP/3 setup
    CI: Retry failed downloads to reduce spurious failures
    CI: update wolfssl / wolfssh to 5.5.4 / 1.4.12
    cmake: bump requirement to 3.7
    cmake: check for sendmsg
    cmake: delete redundant macro definition `SECURITY_WIN32`
    cmake: fix dev warning due to mismatched arg
    cmake: fix the snprintf detection
    cmake: remove deprecated symbols check
    cmake: set SOVERSION also for macOS
    cmake: use list APPEND syntax for CMAKE_REQUIRED_DEFINITIONS
    cmdline-opts/Makefile: on error, do not leave a partial
    CODEOWNERS: remove the peeps mentioned as CI owners
    connect: fix access of pointer before NULL check
    connect: fix build when not ENABLE_IPV6
    connect: fix strategy testing for attempts, timeouts and happy-eyeball
    connections: introduce http/3 happy eyeballs
    content_encoding: do not reset stage counter for each header
    CONTRIBUTE: More formally specify the commit description
    cookies: fp is always not NULL
    copyright.pl: cease doing year verifications
    copyright: update all copyright lines and remove year ranges
    curl.1: make help, version and manual sections "custom"
    curl.h: allow up to 10M buffer size
    curl.h: mark CURLSSLBACKEND_MESALINK as deprecated
    curl/websockets.h: extend the websocket frame struct
    curl: output warning at --verbose output for debug-enabled version
    curl_free.3: fix return type of `curl_free`
    curl_global_sslset.3: clarify the openssl situation
    curl_log: for failf/infof and debug logging implementations
    curl_setup: Disable by default recv-before-send in Windows
    curl_version_info.3: fix typo
    curl_ws_send.3: clarify how to send multi-frame messages
    CURLOPT_HEADERDATA.3: warn DLL users must set write function
    CURLOPT_READFUNCTION.3: the callback 'size' arg is always 1
    CURLOPT_WRITEFUNCTION.3: fix memory leak in example
    dict: URL decode the entire path always
    docs/DEPRECATE.md: deprecate gskit
    docs: add link to GitHub Discussions
    docs: mention indirect effects of --insecure
    docs: POSTFIELDSIZE must be set to -1 with read function
    doh: ifdef IPv6 code
    easyoptions: fix header printing in generation script
    escape: hex decode with a lookup-table
    escape: use table lookup when adding %-codes to output
    examples: remove the curlgtk.c example
    fopen: remove unnecessary assignment
    ftpserver: lower the DATA connect timeout to speed up torture tests
    GHA/macos.yml: bump to gcc-12
    GHA/macos: use Xcode_14.0.1 for cmake builds
    GHA: add job on Slackware 15.0
    GHA: bump ngtcp2 workflow dependencies
    GHA: enable websockets in the torture job
    GHA: move the quiche job here from zuul
    GHA: use designated ngtcp2 and its dependencies versions
    haxproxy: send before TLS handshake
    header.d: add a header file example
    hsts.d: explain hsts more
    hsts: handle adding the same host name again
    HTTP/[23]: continue upload when state.drain is set
    http2: aggregate small SETTINGS/PRIO/WIN_UPDATE frames
    http2: fix compiler warning due to uninitialized variable
    http2: minor buffer and error path fixes
    http2: when using printf %.*s, the length arg must be 'int'
    HTTP3: mention what needs to be in place to remove EXPERIMENTAL label
    http: add additional condition for including stdint.h
    http: decode transfer encoding first
    http: fix "part of conditional expression is always false"
    http: remove the trace message "Mark bundle... multiuse"
    http_aws_sigv4: remove typecasts from HMAC_SHA256 macro
    http_proxy: do not assign data->req.p.http use local copy
    INSTALL: document how to use multiple TLS backends
    lib670: make test.h the first include
    lib: connect/h2/h3 refactor
    lib: fix typos
    lib: fix typos in comments which repeat a word
    libssh2: try sha2 algos for hostkey methods
    libtest: add a sleep macro for Windows
    Linux CI: update some dependencies to latest tag
    Makefile.mk: fix wolfssl and mbedtls default paths
    man pages: call the custom user pointer 'clientp' consistently
    md4: fix build with GnuTLS + OpenSSL v1
    misc: fix grammar and spelling
    misc: fix spelling
    misc: reduce struct and struct field sizes
    msh3: add support for request payload
    msh3: update to v0.5 Release
    msh3: update to v0.6
    multi: stop sending empty HTTP/3 UDP datagrams on Windows
    multihandle: turn bool struct fields into bits
    ngtcp2: add CURLOPT_SSL_CTX_FUNCTION support for openssl+wolfssl
    ngtcp2: fix the build without 'sendmsg'
    ngtcp2: replace removed define and stop using removed function
    no-clobber.d: only use long form options in man page text
    noproxy: support for space-separated names is deprecated
    nss: implement data_pending method
    openldap: fix missing sasl symbols at build in specific configs
    openssl: adapt to boringssl's error code type
    openssl: don't ignore CA paths when using Windows CA store (redux)
    openssl: don't log raw record headers
    openssl: make the BIO_METHOD a local variable in the connection filter
    openssl: only use CA_BLOB if verifying peer
    openssl: remove attached easy handles from SSL instances
    openssl: store the CA after first send (ClientHello)
    os400: fixes to make-lib.sh and initscript.sh
    packages: remove Android, update README
    release-notes.pl: check fixes/closes lines better
    Revert "x509asn1: avoid freeing unallocated pointers"
    runtest.pl: add expected fourth return value
    runtests: tear down http2/http3 servers when https server is stopped
    runtests: consider warnings fatal and error on them
    runtests: fix detection of TLS backends
    runtests: make 'mbedtls' a testable feature
    rustls: improve error messages
    scripts/delta: show percent of number of files changed since last tag
    scripts: fix Appveyor job detection in cijobs.pl
    scripts: set file mode +x on all perl and shell scripts
    sectransp: fix for incomplete read/writes
    SECURITY-PROCESS.md: document severity levels
    setopt: Address undefined behaviour by checking for null
    setopt: move the SHA256 opt within #ifdef libssh2
    setopt: use >, not >=, when checking if uarg is larger than uint-max
    smb: return error on upload without size
    socketpair: allow localhost MITM sniffers
    strdup: name it Curl_strdup
    system.h: assume OS400 is always built with ILEC compiler
    test1560: use a UTF8-using locale when run
    test2304: remove stdout verification
    tests-httpd: basic infra to run curl against an apache httpd
    tests: add 3 new HTTP/2 test cases, plus https: support for nghttpx
    tests: add tests for HTTP/2 and HTTP/3 to verify the header API
    tests: avoid use of sha1 in certificates
    tls: fixes for wolfssl + openssl combo builds
    tool_getparam: fix hiding of command line secrets
    tool_operate: fix `CURLOPT_SOCKS5_GSSAPI_NEC` type
    tool_operate: fix error codes during DOS filename sanitize
    tool_operate: fix error codes on bad URL & OOM
    tool_operate: fix headerfile writing
    tool_operate: repair --rate
    transfer: break the read loop when RECV is cleared
    typecheck: accept expressions for option/info parameters
    url: fix part of conditional expression is always true
    urlapi: avoid Curl_dyn_addf() for hex outputs
    urlapi: fix part of conditional expression is always true: qlen
    urlapi: skip path checks if path is just "/"
    urlapi: skip the extra dedotdot alloc if no dot in path
    urldata: cease storing TLS auth type
    urldata: make 'ftp_create_missing_dirs' depend on FTP || SFTP
    urldata: make set.http200aliases conditional on HTTP being present
    urldata: move the cookefilelist to the 'set' struct
    urldata: remove unused struct fields, made more conditional
    vquic: stabilization and improvements
    vtls: fix hostname handling in filters
    vtls: manage current easy handle in nested cfilter calls
    vtls: use ALPN HTTP/1.0 when HTTP/1.0 is used
    winbuild: document that arm64 is supported
    windows: always use curl's basename() implementation
    wolfssl: remove deprecated post-quantum algorithms
    workflows/linux.yml: merge 3 common packages
    write-out.d: add 'since version' to %{header_json} documentation
    write-out.d: clarify Windows % symbol escaping
    ws: fix autoping handling
    ws: fix multiframe send handling
    ws: fix recv of larger frames
    ws: remove bad assert
    ws: unstick connect-only shutdown
    ws: use %Ou for outputting curl_off_t with info()
    x509asn1: fix compile errors and warnings
    zuul: stop using this CI service

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-03-05 15:09:33 +00:00
Adolf Belka
60cbad9204 colm: Update to version 0.14.7
- Update from version 0.13.0.6 to 0.14.7
- Update of rootfile
- patch from colm commit fc61ecb required to fix bug of make looking for static and
   dynamic libs even if one of them was disabled
- Changelog is not available in source tarball or on website etc. Changes have to be
   reviewed by the commits https://github.com/adrian-thurston/colm/commits/0.14.7

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-03-05 14:15:52 +00:00
Arne Fitzenreiter
66a5ad1e88 efivar: fix build for correct cpu
The makefile adds --march=native, which optimizes the code for the
CPU of the build host and can result in unsupported instructions on
other machines.
2023-03-04 14:02:05 +00:00
Arne Fitzenreiter
1b6047b3ee riscv64: enable EFI support and tools for riscv64
grub is still buggy! grub-install fails with an error:
Relocation 0x13 is not implented!

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
2023-03-04 14:01:43 +00:00
Arne Fitzenreiter
8e28bbc067 xradio: remove driver and firmware
This module was built only for the 32-bit ARM architecture.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-02-13 09:41:05 +00:00
Michael Tremer
a6c331a8d6 glibc: Update to 2.37
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-02-10 09:40:05 +00:00
Michael Tremer
32bbae10a0 gcc: Update to 12.2.0
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-02-10 09:27:56 +00:00
Michael Tremer
39f94ee8eb Drop support for armv6l (and armv7hl)
This removes support for building IPFire for 32 bit ARM architectures.

This was decided in August 2022 with six months' notice as there are
not very many users and hardware is generally not available any more.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2023-02-10 09:26:37 +00:00
Peter Müller
f964e92579 libloc: Update to 0.9.16
https://lists.ipfire.org/pipermail/location/2022-October/000602.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-01-31 12:46:07 +00:00
Peter Müller
d95e4d0dd5 Revert "colm: Update to version 0.14.7"
This reverts commit 59408f2cbf.

https://lists.ipfire.org/pipermail/development/2023-January/015316.html

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
2023-01-27 00:09:21 +00:00
Adolf Belka
e44d567877 cairo: Update to version 1.17.6
- Update from version 1.16.0 to 1.17.6
- Update of rootfile
- Next version will only build with meson and as there were some bugs with the autoconf
   tools build which required a hack to overcome, this version was changed to run with
   meson. beos and os2 backends are no longer supported and windows only builds if the
   platform being used for the build is windows based. Therefore those options are no
   longer needed. meson uses shared libraries only by default.
- The cairo-1.16.0-binutils-2.34 patch is no longer needed as the changes have been
   included in the source tarball.
- tarball had to be changed to .bz2 as xz is no longer provided.
- Changelog
Release 1.17.6 (2022-03-18 Emmanuele Bassi <ebassi@gnome.org>)
	I spy with my little eye… a Cairo snapshot!
	First of all, many, many thanks to everyone who contributed to Cairo
	during this development cycle. A special thank you goes to:
		- Adrian Johnson
		- Uli Schlachter
		for their tireless efforts in ensuring that the lights are still on
		in the Cairo project.
	This snapshot sees the removal of the following backends and platform
	support:
		- Qt4
		- BeOS
		- OS/2
		- DirectFB
		- DRM
		- Cogl
		- OpenVG
	Thanks to all past contributors for their work on them. If you were using
	any of these backends then you will need to stick to Cairo 1.16.
	To offset the removal of the backends above, Adrian Johnson landed the
	DWrite font rendering backend on Windows.
	There have been multiple improvements in the Quartz backend, courtesy of
	John Ralls.
	Tim-Philipp Müller has kept the Meson build in top shape.
	This snapshot is going to be the **last** release of Cairo with the
	Autotools build system. The Meson build has seen many improvements and
	it is considerably easier to maintain and faster to build.
Release 1.17.4 (2020-11-27 Bryce Harrington <bryce@bryceharrington.org>)
	Thank you to the many people who have contributed the large number of
	bug fixes and refinements since 1.17.2.
	A particularly noteworthy improvement in this release is the addition of
	the meson build system as an alternative to autotools.  Autotools is
	still used for producing the releases, so will be the default in the
	tarball and presumably will still be preferred by distro packagers of
	Cairo.  It should be possible to build the release tarball using meson,
	but as this is new functionality consider it still a work in progress.
	The meson configuration has striven to track the autotools
	implementation but be aware there may still be some differences between
	the two.
	Continuous Integration configurations have been added that enable
	testing on a variety of platforms including Fedora, Windows MSVC, etc.
	This work has helped in identifying updates and fixes including
	adjusting to changes in API calls in dependencies like rsvg and
	fontconfig, and to fix platform-specific build issues.
	The cogl Cairo backend underwent significant development this cycle.
	Cogl provides GPU accelerated drawing support.  The development work
	includes implementation of core functionality, performance
	optimizations, and stabilization.
	Subpixel positioning support allows improved glyph outlines with the
	Freetype font backend.
	For a complete log of changes, please see
	    https://cairographics.org/releases/ChangeLog.1.17.4
	[On a personal note, this will be my last release for Cairo.  My Cairo
	time availability has been non-existent (particularly this crazy past
	year).  The release process is well documented and hopefully will help
	whomever picks up the baton from here.]
Release 1.17.2 (2019-01-31 Bryce Harrington <bryce@bryceharrington.org>)
	This snapshot provides the new support for writing floating point
	formats as 16 bpc PNGs, with support for RGBA128F and RGB96F formats.
	This new feature increases Cairo's pixman version requirement to 0.36.0.
	Beyond this are a range of bugfixes and some work on establishing CI for
	Cairo.
	For a complete log of changes, please see
	    https://cairographics.org/releases/ChangeLog.1.17.2
	API Changes
		None
	Dependency Changes
		pixman 0.36.0

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-01-26 23:19:05 +00:00
Adolf Belka
a72263c6c5 lz4: Update to version 1.9.4
- Update from version 1.9.3 to 1.9.4
- Update of rootfile
- Changelog
v1.9.4
perf : faster decoding speed (~+20%) on aarch64 platforms
perf : faster decoding speed (~+70%) for -BD4 setting in CLI
api  : new function `LZ4_decompress_safe_partial_usingDict()` by @yawqi
api  : lz4frame: ability to provide custom allocators at state creation
api  : can skip checksum validation for improved decoding speed
api  : new experimental unit `lz4file` for file i/o API, by @anjiahao1
api  : new experimental function `LZ4F_uncompressedUpdate()`, by @alexmohr
cli  : `--list` works on `stdin` input, by @Low-power
cli  : `--no-crc` does not produce (compression) nor check (decompression) checksums
cli  : fix: `--test` and `--list` produce an error code when parsing invalid input
cli  : fix: support skippable frames when passed via `stdin`, reported by @davidmankin
build: fix: Makefile respects CFLAGS directives passed via environment variable
build: `LZ4_FREESTANDING`, new build macro for freestanding environments, by @t-mat
build: `make` and `make test` are compatible with `-j` parallel run
build: AS/400 compatibility, by @jonrumsey
build: Solaris 10 compatibility, by @pekdon
build: MSVC 2022 support, by @t-mat
build: improved meson script, by @eli-schwartz
doc  : Updated LZ4 block format, provide an "implementation notes" section

Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
2023-01-26 23:17:50 +00:00