Quoted from #12433:
> Uprobes is the user-space counterpart to kprobes: they enable instrumentation
> applications (such as 'perf probe') to establish unintrusive probes in
> user-space binaries and libraries, by executing handler functions when the
> probes are hit by user-space applications.
>
> ( These probes come in the form of single-byte breakpoints, managed by the
> kernel and kept transparent to the probed application. )
IMHO this can be safely disabled, as there is little if any need to debug
userspace programs _that_ deeply on an IPFire machine.
Fixes: #12433
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
This is dangerous as it allows replacing the running kernel without
rebooting. Kernel Self Protection Project people recommend to keep it
disabled.
Fixes: #12372
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
o1 (Other country) and yu (Yugoslavia) have been used in the past
and are not part of libloc and therefore cannot be used anymore.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> This option checks for a stack overrun on calls to schedule(). If the stack
> end location is found to be over written always panic as the content of the
> corrupted region can no longer be trusted. This is to ensure no erroneous
> behaviour occurs which could result in data corruption or a sporadic crash at a
> later stage once the region is examined. The runtime overhead introduced is
> minimal.
Fixes: #12376
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
> This option enables the uselib syscall a system call used in the dynamic
> linker from libc5 and earlier. glibc does not use this system call. If you
> intend to run programs built on libc5 or earlier you may need to enable this
> syscall. Current systems running glibc can safely disable this.
In my point of view, the last sentence matches our situation.
Fixes: #12379
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
These are not needed anymore since Sony announced EOL in 2010 and there
is no legitimate use case for such hardware on a firewall system.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The bluetooth addon was recently removed by commit
592be1d206, which is why we do not need to
carry the corresponding kernel modules around anymore.
The second version of this patch correctly updates kernel configuration
files via "make oldconfig" as requested by Arne.
Cc: Arne Fitzenreiter <arne.fitzenreiter@ipfire.org>
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.19/RELEASE-NOTES-bind-9.11.19.html
"Security Fixes
To prevent exhaustion of server resources by a maliciously
configured domain, the number of recursive queries that can be
triggered by a request before aborting recursion has been further
limited. Root and top-level domain servers are no longer exempt from
the max-recursion-queries limit. Fetches for missing name server
address records are limited to 4 for any domain. This issue was
disclosed in CVE-2020-8616. [GL #1388]
Replaying a TSIG BADTIME response as a request could trigger
an assertion failure. This was disclosed in CVE-2020-8617. [GL
#1703]
Feature Changes
Message IDs in inbound AXFR transfers are now checked for
consistency. Log messages are emitted for streams with inconsistent
message IDs. [GL #1674]
Bug Fixes
When running on a system with support for Linux capabilities, named
drops root privileges very soon after system startup. This was
causing a spurious log message, "unable to set effective uid to 0:
Operation not permitted", which has now been silenced. [GL #1042]
[GL #1090]
When named-checkconf -z was run, it would sometimes incorrectly set
its exit code. It reflected the status of the last view found;
if zone-loading errors were found in earlier configured views but
not in the last one, the exit code indicated success. Thanks
to Graham Clinch. [GL #1807]
When built without LMDB support, named failed to restart after
a zone with a double quote (") in its name was added with rndc
addzone. Thanks to Alberto Fernández. [GL #1695]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
