This has been removed a long time ago and we should probably spend a
little bit more time on keeping the networking code tidy :)
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
QMI is a proprietary interface from Qualcomm which are absolute pioneers
when it comes to interfacing with modems. I don't think there would be
any way to make this any more complicated and bloated.
So, bascially we will put the modem into a raw IP mode which changes the
interface into Point-to-Point mode.
We then configure the provider settings using qmicli. After that, the
modem will try to connect to the provider and obtain an IP address.
We will then start a DHCP client which does not do any DHCP-ing because
implementing that would be too complicated. Instead we do something even
*more* complicated where we would launch a custom script which asks the
modem for the allocated IP address and will configure it into the
device. The DHCP client then reads that IP address from the device and
pretends it came up with it by itself. Such an easy way to do this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This ensures restoring a backup won't silently bring back an insecure
Diffie-Hellman parameter (which could also not be inspected through the
web interface anymore).
Reported-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog:
Changes in version 0.4.7.12 - 2022-12-06
This version contains a major change that is a new key for moria1. Also, new
metrics are exported on the MetricsPort for the congestion control
subsystem.
o Directory authority changes (moria1):
- Rotate the relay identity key and v3 identity key for moria1. They
have been online for more than a decade and refreshing keys
periodically is good practice. Advertise new ports too, to avoid
confusion. Closes ticket 40722.
o Minor feature (Congestion control metrics):
- Add additional metricsport relay metrics for congestion control.
Closes ticket 40724.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on December 06, 2022.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2022/12/06.
o Minor bugfixes (cpuworker, relay):
- Fix an off by one overload calculation on the number of CPUs being
used by our thread pool. Fixes bug 40719; bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
This patch will gracefully terminate the daemon when it loses its
connection to the OpenVPN daemon.
Fixes: #12963
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
- On CU172 Testing Build: master/eb9e29f9 when selecting the OpenVPN menu it showed the
Diffie-Hellman info and pressing back took you to the same DH page.
- Tested patch suggestion from Erik on vm testbed and confirmed that it worked.
Suggested-by: Erik Kapfer <erik.kapfer@ipfire.org>
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Again, xz currently present on an IPFire machine is linked
against this. Thus, deleting this file causes the unpack
routine to fail, which is why we should have never deleted
it in the first place.
Reported-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
On November 30, 2022, Mozilla decided to take the following
actions as a response to the concerns raised about the merits
of this root CA operator (excerpt taken from
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ):
> 1. Set "Distrust for TLS After Date" and "Distrust for S/MIME
> After Date" to November 30, 2022, for the 3 TrustCor root
> certificates (TrustCor RootCert CA-1, TrustCor ECA-1,
> TrustCor RootCert CA-2) that are currently included in
> Mozilla's root store.
>
> 2. Remove those root certificates from Mozilla's root store
> after the existing end-entity TLS certificates have expired.
As far as the latter is concerned, the offending certificates
have these expiry dates set:
- TrustCor RootCert CA-1: Mon, 31 Dec 2029 17:23:16 GMT
- TrustCor RootCert CA-2: Sun, 31 Dec 2034 17:26:39 GMT
- TrustCor ECA-1: Mon, 31 Dec 2029 17:28:07 GMT
The way IPFire 2 currently processes Mozilla's trust store
does not feature a way of incorporate a "Distrust for XYZ After
Date" attribute. This means that despite TrustCor Systems root
CAs are no longer trusted by browsers using Mozilla's trust
store, IPFire would still accept certificates directly or
indirectly issued by this CA until December 2029 or December 2034.
To protect IPFire users, this patch therefore suggests to
patch our copy of Mozilla's trust store in order to remove
TrustCor Systems' root CAs: The vast majority of HTTPS connections
established from an IPFire machine take place in a non-interactive
context, so there is no security benefit from a "Distrust After
Date" information. Instead, if we do not want IPFire installations
to trust this CA, we have no other option other than remove it
unilaterally from our copy of Mozilla's trust store.
See also: https://lists.ipfire.org/pipermail/development/2022-November/014681.html
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog:
Security #5710: smb: crash inside of streaming buffer Grow() (6.0.x backport)
Security #5694: smtp/base64: crash / memory corruption (6.0.x backport)
Security #5688: decoder/tunnel: tunnel depth not limited properly (6.0.x backport)
Security #5600: ips: encapsulated packet logged as dropped, but not actually dropped (6.0.x backport)
Bug #5715: smb: file not tracked on smb2 async (6.0.x backport)
Bug #5714: SMB2 async responses are not matched with its request (6.0.x backport)
Bug #5709: HTTP/2 decompression bug (6.0.x backport)
Bug #5696: Integer overflow at dcerpc.rs:846 (6.0.x backport)
Bug #5695: readthedocs: not showing pdf download option for recent versions (6.0.x backport)
Bug #5683: FlowSwapFileFlags function is incorrect (6.0.x backport)
Bug #5635: track by_rule|by_both incorrectly rejected for global thresholds (6.0.x backport)
Bug #5633: Pass rules on 6.0.8 are generating alert events when passing tunneled traffic
Bug #5608: base64: skip over all invalid characters for RFC 2045 mode (6.0.x backport)
Bug #5607: base64_decode does not populate base64_data buffer once hitting non-base64 chars (6.0.x backport)
Bug #5602: dcerpc: rust integer underflow (6.0.x backport)
Bug #5599: eve: mac address logging for packet records reverses direction (6.0.x backport)
Bug #5598: detect/tag: timeout handling issues on windows (6.0.x backport)
Bug #5594: ips/tap: in layer 2 ips/tap setups, warn that mixed usage of ips and tap will be removed in 8.0 (6.0.x backport)
Bug #4883: Netmap configuration -- need a configuration option for non-standard library locations (6.0.x backport)
Feature #5478: Support for RFC2231 (6.0.x backport)
Task #5698: libhtp 0.5.42
Task #5570: transversal: update references to suricata webpage version 2 (backport 6.0.x)
Task #4852: netmap: new API version (14) supports multi-ring software mode (6.0.x backport)
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 1.3.3 to 1.4.2
- Update of rootfile
- several libraries with so bump. Checked with find-dependencies - nothing flagged
- Changelog
This changelog is not exhaustive, review [the git commit log
(https://github.com/xiph/flac/commits) for an exhaustive list of changes.
## FLAC 1.4.2 (22-Oct-2022)
Once again, this release only has a few changes. A problem with FLAC playback in GStreamer (and possibly other libFLAC users) was the reason for the short time since the last release
* General
* Remove xmms plugin (Martijn van Beurden, TokyoBlackHole)
* Remove all pure assembler, removing build dependency on nasm
* Made console output more uniform across different platforms and CPUs
* Improve ability to tune compile for a certain system (for example with -march=native) when combining with --disable-asm-optimizations: plain C functions can now be better optimized
* Build system
* Default CFLAGS are now prepended instead of dropped when user CFLAGS are set
* -msse2 is no longer added by default (was only applicable to x86)
* Fix cross-compiling and out-of-tree building when pandoc and doxygen are not available
* Fix issue with Clang not compiling functions with intrinsics
* Fix detection of bswap intrinsics (Ozkan Sezer)
* Improve search for libssp on MinGW (Ozkan Sezer, Martijn van Beurden)
* libFLAC
* Fix issue when the libFLAC user seeks in a file instead of libFLAC itself
## FLAC 1.4.1 (22-Sep-2022)
This release only has a few changes. It was triggered by a problem in the 1.4.0 tarball: man pages were empty and api documentation missing
* CMake fixes (Tomasz Kłoczko)
* Add checks that man pages and api docs end up in tarball
* Enable installation of prebuilt man pages and api docs
* Fix compiler warnings (Johannes Kauffmann, Ozkan Sezer)
* Fix format specifier (manxorist)
* Enable building on Universal Windows Platform (Steve Lhomme)
* Fix versioning from git
## FLAC 1.4.0 (09-Sep-2022)
As there have been changes to the library interfaces, the libFLAC version number is incremented to 12, the libFLAC++ version number is incremented to 10. As some changes were breaking, the version age numbers (see [libtool versioning](https://www.gnu.org/software/libtool/manual/libtool.html#Libtool-versioning)) have been reset to 0. For more details on the changes to the API, see the [porting guide](https://xiph.org/flac/api/group__porting__1__3__4__to__1__4__0.html).
The XMMS plugin and 'common' plugin code (used only by the XMMS plugin) are deprecated, they will be removed in a future release.
* General:
* It is now possible to limit the minimum bitrate of a FLAC file generated by libFLAC and with the `flac` tool to 1 bit/sample. This function can be used to aid live streaming, for example for internet radio
* Encoding files with sample rates up to 1'048'575Hz is now possible. (Con Kolivas)
* Compression of preset -3 through -8 was slightly improved at the cost of a small decrease in encoding speed by increasing the precision with which autocorrelation was calculated (Martijn van Beurden)
* Encoding speed of preset -0, -1 and -2 was slightly improved
* Compression of presets -1 and -4 was slighly improved on certain material by changing the adaptive mid-side heuristics
* Speedups specifically targeting 64-bit ARMv8 devices using NEON were integrated (Ronen Gvili, Martijn van Beurden)
* Speedups for x86_64 CPUs having the FMA instruction set extention are added
* Encoding and decoding of 32-bit PCM is now possible
* (Ogg) FLAC format:
* The FLAC format document is being rewritten by the IETF CELLAR working group. The latest draft can be found on [https://datatracker.ietf.org/doc/draft-ietf-cellar-flac/](https://datatracker.ietf.org/doc/draft-ietf-cellar-flac/)
* The FLAC format document specifies no bounds for the residual. In other to match current decoder implementations, it is proposed to bound the residual to the range provided by a 32-bit int signed two's complement. This limit must be checked by FLAC encoders as to keep FLAC decoders free from the complexity of being to decode a residual exceeding a 32-bit int.
* There is now a set of files available to test whether a FLAC decoder implements the format correctly. This FLAC decoder testbench can be found at [https://github.com/ietf-wg-cellar/flac-test-files](https://github.com/ietf-wg-cellar/flac-test-files). Also, results of testing hard- and software can be found here at [https://wiki.hydrogenaud.io/index.php?title=FLAC_decoder_testbench](https://wiki.hydrogenaud.io/index.php?title=FLAC_decoder_testbench).
* flac:
* The option --limit-min-bitrate was added to aid streaming, see [github #264](https://github.com/xiph/flac/pull/264)
* The option --keep-foreign-metadata-if-present is added. This option works the same as --keep-foreign-metadata, but does return a warning instead of an error if no foreign metadata was found to store or restore
* The warning returned by the foreign metadata handling is now clearer in case a user tries to restore foreign metadata of the wrong type, for example decoding a FLAC file containing AIFF foreign metadata to a WAV file
* A problem when using the analyse function causing the first frame to have a wrong size and offset was fixed
* Fix bug where channel mask of a file is unintentionally reused when several files are processed with one command
* The order of compression-related commands is no longer important, i.e. -8ep gives the same result as -ep8. Previously, a compression level (like -8) would override a more specific setting (like -e or -p). This is no longer the case
* flac now checks the block-align property of WAV files to ensure non-standard WAV files (for which flac has no handling) are not mangled
* metaflac:
* (none)
* build system:
* MSVC and Makefile.lite build system files have been removed. Building with MSVC (Visual Studio) can be done by using CMake
* Various CMake improvements, especially for creating MSVC build files (Martijn van Beurden, martinRenou, CookiePLMonster, David Callu, Tyler Dunn, Cameron Cawley)
* Various fixes for MinGW (Martijn van Beurden, Cameron Cawley)
* Removed obsolete autotools macro's to silence warnings
* Fixes for FreeBSD PowerPC (pkubaj)
* Fixed some compiler warnings (Martijn van Beurden, Tyler Dunn)
* Fix building with uclibc (Fabrice Fontaine)
* testing/validation:
* Addition of new encoder fuzzer, adding fuzzing for 8, 24 and 32-bit inputs
* Addition of new decoder fuzzer, adding coverage of seeking code
* Addition of metadata fuzzer, adding coverage of metadata APIs
* Various improvements to fuzzers to improve code coverage, fuzzing speed and stability
* Many changes to test suite to improve cross-platform compatibility (Rosen Penev)
* Windows CI now also builds the whole test suite
* Clang-format file added (Rosen Penev)
* Add warning on using v141_xp platform toolset with /MT (Martijn van Beurden, Paul Sanders)
* libraries:
* Various seeking fixes (Martijn van Beurden, Robert Kausch)
* Various bugs fixed found by fuzzing
* On decoding, it is now checked whether residuals can be contained by a 32-bit int, preventing integer overflow
* Add check that samples supplied to libFLAC actually fall within the bps set
* Add checks when parsing metadata blocks to not allocate excessive amounts of memory and not overread
* Undocumented Windows-only utf8 functions are no longer exported to the DLL interface
* Removed all assembler and intrinsics code from the decoder to improve fuzzing, as they provided only a small speed benefit
* The bitwriter buffer is limited in size to 2^24 bytes, so it cannot write excessively large files. This is a backup in case another bug in this area creeps (back) in.
* The metadata iterations should now never return a vorbiscomment entry with NULL as an entry, now always at least an empty string is returned
* documentation:
* Removed html documentation and generate man pages from markdown
* Interface changes:
* libFLAC:
* Addition of FLAC__stream_encoder_set_limit_min_bitrate() and FLAC__stream_encoder_get_limit_min_bitrate(), see [github #264](https://github.com/xiph/flac/pull/264)
* get_client_data_from_decoder is renamed FLAC__get_decoder_client_data(), see [github #124](https://github.com/xiph/flac/pull/124)
* All API functions taking a filename as an argument now take UTF-8 filenames on Windows, and no longer accept filenames using the current codepage
* FLAC__Frame struct has changed: warmup samples are now stored in FLAC__int64 instead of FLAC__int32 types, and verbatim samples can now be stored in either FLAC__int32 or FLAC__int64 depending on whether samples fix the former or latter
* The FLAC__StreamMetadata struct now has a tag, so it can be forward declared
* libFLAC++:
* Addition of ::set_limit_min_bitrate() and ::get_limit_min_bitrate(), see [github #264](https://github.com/xiph/flac/pull/264)
* All API functions taking a filename as an argument now take UTF-8 filenames on Windows, and no longer accept filenames using the current codepage
* The ::FLAC__Frame struct has changed, see the libFLAC interface change.
## FLAC 1.3.4 (20-Feb-2022)
This release mostly fixes (security related) bugs. When building with MSVC, using CMake is preferred, see the README under "Building with CMake" for more information. Building with MSVC using solution files is deprecated and these files will be removed in the future. As there have been no changes to the library interfaces, the libFLAC version number remains 11, and libFLAC++ version number remains 9.
* General:
* Fix 12 decoder bugs found by oss-fuzz, including CVE-2020-0499 (erikd, Martijn van Beurden)
* Fix encoder bug CVE-2021-0561 (NeelkamalSemwal)
* Integrate oss-fuzzers (erikd, Guido Vranken)
* Seeking fixes (NeelkamalSemwal, Robert Kausch)
* Various fixes and improvements (Andrei Astafev, Rosen Penev, Håkan Kvist, oreo639, erikd, Tamás Zahola, Ulrik Mikaelsson, Tyler Dunn, tmkk)
* FLAC format:
* (none)
* Ogg FLAC format:
* (none)
* flac:
* Various fixes and improvements (Andrei Astafev, Martijn van Beurden)
* metaflac:
* (none)
* build system:
* CMake improvements (evpobr, Vitaliy Kirsanov, erikd, Ozkan Sezer, Tyler Dunn, tg-m DeadSix27, ericLemanissier, Chocobo1).
* Fixes for MinGW and MSVC (Ozkan Sezer).
* Fix for clang (Ozkan Sezer)
* Fix for PowerPC (Peter Seiderer, Thomas BERNARD)
* Fix for FreeBSD PowerPC (pkubaj).
* testing/validation:
* Add Windows target to CI, improve logging (Ralph Giles)
* CI improvements (Ralph Giles, Ewout ter Hoeven)
* documentation:
* Doxygen fixes (Tyler Dunn)
* Fix typos (Tim Gates, maxz)
* Interface changes:
* libFLAC:
* (none)
* libFLAC++:
* (none)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- In Arch Linux the file -L command comes up with "static-pie linked" instead of
"statically linked"
- This patch makes the grep look for either one of those strings.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 12.5.4 to 12.7.1
- Update of rootfile
- Changelog
2022/11/06: Version 12.7.1:
Fix possible overflow in sa_common.c (GHSL-2022-074) [12.6.1].
sadf: Add support for option -t with SVG output to make it possible to display timestamps in the same locale as that of the file creator.
sadf: Print timezone instead of UTC in true time mode. Timezone is also displayed in local time.
sadf: PCP: Fix timestamps written to PCP archive file.
sar: Add new environment variable S_REPEAT_HEADER.
pidstat: Return exit code of the process that was monitored with option -e.
mpstat: Add option -H to handle vCPU physical hotplug.
Add local, xlocal and debug targets to iconfig script.
Turn off gcc's tree-slp-vectorize option which was making sadf crash in some situations.
sa_conv.c: Make size of statistics structures from older sysstat versions immutable [12.6.1].
[Bernhard M. Wiedemann]: Declare sadc dependency on libsyscom.a [12.6.1].
[Steve Kay]: Fix gcc v11.2 warnings [12.6.1].
[Steve Kay]: Various cosmetic fixes [12.6.1].
[Jan Christoph Uhde]: sar: Remove `-I int_list` from man-page and help [12.6.1].
[Frank Dana]: Consolidate systemctl commands in README file [12.6.1].
[Rong Tao]: Remove whitespace characters at the end of lines [12.6.1].
Update configure file to deal with newer autoconf version. configure.in file is renamed to configure.ac.
Update DTD and XSD documents.
sar and sysstat manual pages updated.
NLS updated. Add new Georgian translation.
Non regression tests updated.
2022/05/29: Version 12.6.0:
sar: Fix maximum value for A_IRQ activity.
sar/sadf: A_NET_SOFT: Add new metric softnet network backlog.
sadc: A_NET_SOFT: Use CPU id from /proc/net/softnet_stat.
Update DTD and XSD documents (softnet backlog).
[Chris Bagwell]: sar/sadf: Convert 64-bit time value to time_t as needed.
sadf: Add basic colorization to sadf's output.
sadf: Add sanity checks on values read from file.
sadf: PCP: Fix multiple metrics name problems.
sa_common.c: Remove unneeded variable assignment.
[Lukáš Zaoral]: Take into account LDFLAGS passer to configure script.
Various janitorial fixes and updated.
Update FAQ.
Update sar manual page.
Update NLS translations.
Update non regression tests.
2022/02/28: Version 12.5.6:
sar/sadc: Rewrite code used to collect and display interrupts statistics. Statistics are now collected from /proc/interrupts (instead of /proc/stat) and are displayed for each installed CPU.
sar/sadf: Add new "--int=" option to enter a list of interrupts on the command line.
sadf: Update the various output formats to deal with the new per-CPU interrupts statistics.
Update DTD and XSD documents. CPU elements may be non-existent when all selected CPU are offline.
Update sar and sadf manual pages.
mpstat: Create its own function to read the total number of interrupts from /proc/stat file.
mpstat: Remove unneeded "aligned" attribute from struct stats_irqcpu definition.
sar: Fix index value used in online_cpu_bitmap array.
sar/sadf: Make sure that datafiles with unknown activities can be read by sar and sadf [12.4.5].
sar/sadf: Don't reallocate buffers for activities not present in file [12.4.5].
sar: Make sure that all buffers are copied in copy_structures() function [12.4.5].
PCP: Fix flow_limit_count metric's unit (A_NET_SOFT activity).
PCP: Fix instance names for getattr call (A_NET_NFS(D) activities).
Use sizeof() macro instead of hard-coded values with snprintf() functions.
rndr_stats.c: Use NOVAL instead of NULL as last argument for cons() function.
Use strings definitions whenever possible.
Add new non regression tests. Update some existing ones.
Various cosmetic fixes.
2021/12/05: Version 12.5.5:
iostat: Add --compact option.
iostat: Always display persistent names with option -j [12.4.4].
iostat: Fix how device mapper names are taken into account when entered on the command line [12.4.4].
iostat: Update manual page.
mpstat: Don't display offline CPU [12.4.4].
mpstat: Fix values displayed when an offline CPU goes back online [12.4.4].
mpstat: Fix untrusted loop bound [12.4.4].
mpstat: Update non regression tests [12.4.4].
sar: Tell the user to convert the file when needed.
sadc: Reuse count results for sub-items.
[Ville Skyttä]: Use `grep -E` instead of deprecated `egrep` [12.4.4].
[Ville Skyttä]: Spelling and grammar fixes [12.4.4].
Update FAQ.
[Nathan Naze]: Update man pages with correct spelling of "JavaScript" [12.4.4].
Update non regression tests.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.17.0 to 4.17.3
- Update of rootfile (x86_64) - other architectures will need to be adjusted.
- Changelog
Release Notes for Samba 4.17.3
This is a security release in order to address the following defects:
o CVE-2022-42898: Samba's Kerberos libraries and AD DC failed to guard against
integer overflows when parsing a PAC on a 32-bit system, which
allowed an attacker with a forged PAC to corrupt the heap.
https://www.samba.org/samba/security/CVE-2022-42898.html
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15203: CVE-2022-42898
o Nicolas Williams <nico@twosigma.com>
* BUG 15203: CVE-2022-42898
Release Notes for Samba 4.17.2
This is a security release in order to address the following defects:
o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included
in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
o CVE-2022-3592: A malicious client can use a symlink to escape the exported
directory.
https://www.samba.org/samba/security/CVE-2022-3592.html
o Volker Lendecke <vl@samba.org>
* BUG 15207: CVE-2022-3592.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15134: CVE-2022-3437.
Release Notes for Samba 4.17.1
o Jeremy Allison <jra@samba.org>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15174: smbXsrv_connection_shutdown_send result leaked.
* BUG 15182: Flush on a named stream never completes.
* BUG 15195: Permission denied calling SMBC_getatr when file not exists.
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
* BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
* BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later.
over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
o Ralph Boehme <slow@samba.org>
* BUG 15182: Flush on a named stream never completes.
o Volker Lendecke <vl@samba.org>
* BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.
o Gary Lockyer <gary@catalyst.net.nz>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
o Stefan Metzmacher <metze@samba.org>
* BUG 15200: multi-channel socket passing may hit a race if one of the
involved processes already existed.
* BUG 15201: memory leak on temporary of struct imessaging_post_state and
struct tevent_immediate on struct imessaging_context (in
rpcd_spoolss and maybe others).
o Noel Power <noel.power@suse.com>
* BUG 15205: Since popt1.19 various use after free errors using result of
poptGetArg are now exposed.
o Anoop C S <anoopcs@samba.org>
* BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
vfs_glusterfs.
o Andreas Schneider <asn@samba.org>
* BUG 15169: GETPWSID in memory cache grows indefinetly with each NTLM auth.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
atomically.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.2.6 to 3.2.7
- Update of rootfile not required
- Changelog
# NEWS for rsync 3.2.7 (20 Oct 2022)
### BUG FIXES:
- Fixed the client-side validating of the remote sender's filtering behavior.
- More fixes for the "unrequested file-list name" name, including a copy of
"/" with `--relative` enabled and a copy with a lot of related paths with
`--relative` enabled (often derived from a `--files-from` list).
- When rsync gets an unpack error on an ACL, mention the filename.
- Avoid over-setting sanitize_paths when a daemon is serving "/" (even if
"use chroot" is false).
### ENHANCEMENTS:
- Added negotiated daemon-auth support that allows a stronger checksum digest
to be used to validate a user's login to the daemon. Added SHA512, SHA256,
and SHA1 digests to MD5 & MD4. These new digests are at the highest priority
in the new daemon-auth negotiation list.
- Added support for the SHA1 digest in file checksums. While this tends to be
overkill, it is available if someone really needs it. This overly-long
checksum is at the lowest priority in the normal checksum negotiation list.
See [`--checksum-choice`](rsync.1#opt) (`--cc`) and the `RSYNC_CHECKSUM_LIST`
environment var for how to customize this.
- Improved the xattr hash table to use a 64-bit key without slowing down the
key's computation. This should make extra sure that a hash collision doesn't
happen.
- If the `--version` option is repeated (e.g. `-VV`) then the information is
output in a (still readable) JSON format. Client side only.
- The script `support/json-rsync-version` is available to get the JSON style
version output from any rsync. The script accepts either text on stdin
**or** an arg that specifies an rsync executable to run with a doubled
`--version` option. If the text we get isn't already in JSON format, it is
converted. Newer rsync versions will provide more complete json info than
older rsync versions. Various tweaks are made to keep the flag names
consistent across versions.
- The [`use chroot`](rsyncd.conf.5#) daemon parameter now defaults to "unset"
so that rsync can use chroot when it works and a sanitized copy when chroot
is not supported (e.g., for a non-root daemon). Explicitly setting the
parameter to true or false (on or off) behaves the same way as before.
- The `--fuzzy` option was optimized a bit to try to cut down on the amount of
computations when considering a big pool of files. The simple heuristic from
Kenneth Finnegan resuled in about a 2x speedup.
- If rsync is forced to use protocol 29 or before (perhaps due to talking to an
rsync before 3.0.0), the modify time of a file is limited to 4-bytes. Rsync
now interprets this value as an unsigned integer so that a current year past
2038 can continue to be represented. This does mean that years prior to 1970
cannot be represented in an older protocol, but this trade-off seems like the
right choice given that (1) 2038 is very rapidly approaching, and (2) newer
protocols support a much wider range of old and new dates.
- The rsync client now treats an empty destination arg as an error, just like
it does for an empty source arg. This doesn't affect a `host:` arg (which is
treated the same as `host:.`) since the arg is not completely empty. The use
of [`--old-args`](rsync.1#opt) (including via `RSYNC_OLD_ARGS`) allows the
prior behavior of treating an empty destination arg as a ".".
### PACKAGING RELATED:
- The checksum code now uses openssl's EVP methods, which gets rid of various
deprecation warnings and makes it easy to support more digest methods. On
newer systems, the MD4 digest is marked as legacy in the openssl code, which
makes openssl refuse to support it via EVP. You can choose to ignore this
and allow rsync's MD4 code to be used for older rsync connections (when
talking to an rsync prior to 3.0.0) or you can choose to configure rsync to
tell openssl to enable legacy algorithms (see below).
- A simple openssl config file is supplied that can be installed for rsync to
use. If you install packaging/openssl-rsync.cnf to a public spot (such as
`/etc/ssl/openssl-rsync.cnf`) and then run configure with the option
`--with-openssl-conf=/path/name.cnf`, this will cause rsync to export the
configured path in the OPENSSL_CONF environment variable (when the variable
is not already set). This will enable openssl's MD4 code for rsync to use.
- The packager may wish to include an explicit "use chroot = true" in the top
section of their supplied /etc/rsyncd.conf file if the daemon is being
installed to run as the root user (though rsync should behave the same even
with the value unset, a little extra paranoia doesn't hurt).
- I've noticed that some packagers haven't installed support/nameconvert for
users to use in their chrooted rsync configs. Even if it is not installed
as an executable script (to avoid a python3 dependency) it would be good to
install it with the other rsync-related support scripts.
- It would be good to add support/json-rsync-version to the list of installed
support scripts.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
