- This issue was found by Peter Müller in the CU179 Testing evaluation.
- The issue was found to have already been raised and closed on the ppp github issues page.
- Patch for fix downloaded and applied to this submission.
- When ppp-2.5.1 is released then this patch can be removed.
- update of rootfile not required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The original poster of the bug#13164 has already tested out ppp-2.5.0 in CU179 (master)
and identified that the startup could not find the directory /usr/var/run/. This is due
to the change in use of the prefix command in 2.5.0 vs 2.4.9 so --localstatedir set to
/var. runstatedir is then set to localstatedir/run ie /var/run which is then correct
for IPFire.
- This fix needs to be implemented into CU179 so that the bug poster can test out the update
- Updated rootfile to remove additional empty line
Fixes: Bug#13164
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.5.8 to 2.5.9 which is the last version in the 2.5 series
- Update of rootfile not required
- Tested openvpn-2.5.9 in my vm testbed. OpenVPN RW connection worked fine. Also tested
OpenVPN N2N connection with CU179 & OpenVPN version 2.5.9 at one end and CU177 &
OpenVPN version 2.5.8 at the other end. N2N connection worked with no problemns.
- Changelog
2.5.9
Implement optional cipher in --data-ciphers prefixed with ?
Fix handling an optional invalid cipher at the end of data-ciphers
Ensure that argument to parse_line has always space for final sentinel
Improve documentation on user/password requirement and unicodize function
Remove unused gc_arena
Fix corner case that might lead to leaked file descriptor
msvc: always call git-version.py
git-version.py: proper support for tags
Check if pkcs11_cert is NULL before freeing it
Do not add leading space to pushed options
pull-filter: ignore leading "spaces" in option names
Do not include auth-token in pulled option digest
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.2.7 to 2.2.8
- Update of rootfile not required
- Changelog
2.2.8 31th May 2023
This release brings improvements and fix some minor issues reported. It add some
new VRRP and BFD features as well.
New
vrrp: Add support for Infiniband over IPv6. Github issue #2100 reported that
attempting to use IPv6 over Infinband was causing keepalived to segfault
It turned out that vrrp_ndisc.c had a comment that it still needed to be
implemented, which we have now been able to do with someone in a position
to test it. With many thanks for Itel Levy of NVIDIA, Israel for
reporting the issue and and testing the patch to confirm that it works.
vrrp: Add no_virtual_ipaddress keyword. This keyword suppresses warnings for
no virtual ipaddresses configured and allows none to be configured when
using VRRPv3.
vrrp: Add –enable-nm configure option. –enable-nm adds support for Keepalived
telling NetworkManager not to manage VMAC interfaces the keepalived
creates. Early versions of NM (i.e. at least up to v1.12, but resolved
at the latest by v1.18) would set the VMAC inerfaces as managed by
NetworkManager, and then if the underlying interface went down, NM
would down the VMAC interface and the VRRP instance would never recover
from fault state.
vrrp: add v3_checksum_as_v2 configuration option. RFC 5798 (the VRRPv3 RFC)
states regarging the checksum:
5.2.8. Checksum
The checksum field is used to detect data corruption in the VRRP
message. The checksum is the 16-bit one’s complement of the one’s
complement sum of the entire VRRP message starting with the
version field and a “pseudo-header” as defined in Section 8.1 of
[RFC2460]. The next header field in the “pseudo-header” should be
set to 112 (decimal) for VRRP. For computing the checksum, the
checksum field is set to zero. See RFC1071 for more detail
Some manufacturers (e.g. Cisco) interpret this to mean that the
pseudo- header is not included in the checksum calculation, since
RFC2460 only defines a pseudo-header for IPv6. RFC3768 (the last
VRRPv2 RFC) did not include a pseudo-header in the checksum.
However, keepalived has always included a pseudo-header in the
VRRPv3 IPv4 checksum, which is also consistent with the default
setting in Wireshark. In order to allow interoperation with
Cisco routers, and possibly other manufacturers, the
“v3_checksum_as_v2” keyword, when configured in global_defs to
set the default for all vrrp_instances, or in individual
vrrp_instances, causes those vrrp_instances to exclude the
pseudo- header from the checksum. The default action of including
the pseudo- header in the checksum remains unchanged.
vrrp: Add option to revert to backup if thread timer expires. If the VRRP
process is not scheduled for sufficiently long, another VRRP instance
may have taken over as master. For some users, minimising the number of
master switches is desired, and so if nopreempt is configured (if it is
not configured the highest priority instance will take over as master
again), and if it is too long after a thread timer expires before
keepalived is scheduled to run so that another instance will probably
have taken over as master, we will just revert to backup state rather
than sending further adverts. The keyword that configures this is
thread_timer_expired.
vrrp: Add optional new JSON format including track_process details. The
original JSON format did not allow for adding additional object types
other than the original vrrp instances. This commit adds a json_version
2, which puts the vrrp instances in a named array and adds an array of
the track_processes.
core: add option to check for malloc’s etc returning NULL. Configure option
–enable-malloc-check will cause the returned value of
malloc/realloc/strdup/strndup to be checked to ensure that they do not
return NULL. If any such call does return NULL a message will be logged
and the process will terminate. Unless sysctl vm.overcommit_memory == 2
(default is usually 0), or the malloc would cause the process virtual
address space to exceed the limit, malloc etc will not return NULL. It
is only once there is a write into the memory block that the memory is
actually allocated, and if there is insufficient memory (including swap
space), then the OOM killer will step in to either kill keepalived, or
kill another process. Consequently checking for NULL being returned is
generally a waste of time and program size.
ipvs: Add option to check OpenSSL mallocs/frees for validity.
ipvs: Add option to let SSL_GET shutdown comply with TLS spec.
bfd: Add multihop option to conform with RFC5883. RFCs 5881 and 5883 state
that port 3784 is used for single hop BFD and port 4784 is used for
multihop. The commit adds configuration option “multihop” to use port
4784 rather than port 3784.
Improvements
vrrp: Don’t adjust vrrp receive timeout during delayed start. The timeout for
a vrrp instance to become master should not be changed if an advert is
received during the delayed start - the timeout is set to include the
delayed start and the (3 to 4) * advert int delay to take over as master.
vrrp: Remove redundant checks of snmp_option.
vrrp: deley freeing vrrp instances until all references are freed. Trackers
etc have lists for vrrp instances that are tracking them. Therefore the
trackers, and their references, must be freed before the vrrp instances
are freed.
vrrp: restore the vmac ipv6 link-local after flapping. The user is not
supposed to shutdown a vmac interface created by keepalived. However,
it can mistakenly happen. When the link is re-established, the
link-local has disappear (the kernel removes all IPv6 addresses on link
down except if keep_addr_on_down sysctl is on) and sending VRRP packet
is no nore possible. Restore the IPv6 Link-Local after a VMAC interface
flapping. A Link-Local is not set when the VRRP packets are sent from
the base interface (vmac-xmit-base). Note that the IPv6 Virtual
Addresses are also removed on link down which is the desired behavior.
Enabling keep_addr_on_down sysctl would keep the link-local without
this patch but would break this behavior.
doc: Man pages and documentation updates. Add explanation of why unicast
VRRPv3 checksum changed.
configure: Add systemd auto option. fix default config file with ${prefix}
use. use back-ticks rather than $(…) for commmands. Improve
checking for ${prefix}.
ipvs: Don’t report HTTP_CHECK when it is an SSL_CHECK.
ipvs: Work around OpenSSL memory leak in versions 3.0.0 to 3.0.4. The memory
leak was observed with OpenSSL 3.0.1, and it is resolved by version
3.0.5. Also the leak is not observed in v1.1.1n.
ipvs: Simplify SSL_GET handling code.
Fixes
rpm: Fix RPM spec file to use kmod-lib and kmod-devel rather than libkmod.
vrrp: Fix NFT support to properly handle build with L4PROTO support.
vrrp: Resolve segfault when enable_snmp_vrrp is added at a reload.
vrrp: workaround GCC LTO bug causing incorrect VRRPv3 checksum. The problem
was observed with GCC versions 11.2, 11.3.1 and 12.1.1, on Ubuntu 22.04,
Fedora 34, Fedora 36 and Fedora 37 (Rawhide). The problem did not occur
when not using LTO, nor when using clang, even with LTO.
vrrp: fix ipv6 vrrp in fault state because no ipv4 address. Setting an IPv6
VRRP virtual address on an interface that has no IPv4 address results
in a persistent FAULT state.
core: Fix segfault when receive netlink message for static default route added.
build: Fix order of -lssl -lcrypto. This needs to be correct in order to be
able to use static library linking on Alpine Linux.
build: Fix build with libressl. SSL_set0_rbio is provided by libressl since
version 3.4.0 and libressl/openbsd@c99939f but SSL_set0_wbio is not
provided resulting in build failure.
build: Fix out of tree builds. Fix build error with –disable-track-process.
build: Fix building with –disable-vmac.
build: Fix compiler warning when building without VRRP authentication.
parser: Fix segfault caused by extra ‘}’ and other parser fixes. If there was
a configuration error in a block, e.g. a vrrp_instance, keepalived
would apply the configuration in the rest of the block to the
previous object of that type, e.g. the previous vrrp instance. If
there had been no previous instance, keepalived would probably
segfault. This commit changes the way the parser works. A new
instance of an object, e.g. a VRRP instance or a virtual server, is
only added to the list of those objects once the configuration of
that object is complete. In particular it no longer applies the
configuration to the last entry on the list of the relevant object
type, but keeps a point to the object currently being configured.
parser: Optimise fixing recalculating updated line length.
ipvs: Fix memory leaks when configuration is repeated. Use last entry if
duplicate definition.
lib: Fix malloc check code for CPUs without unaligned memory access.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
The rewritten version of ExtraHD no longer stores entries in /etc/fstab
which is why they have to be removed during the update.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The system should perform all write operations when sync is called and
only return when the write queues are empty.
There is no additional benefit for calling sync again as the buffers
should be empty. If data is still being lost, then that is a bug in
either the storage device or driver.
As the (re-)boot process is already so slow, I would like to get rid of
any unnecessary delays.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog:
Changes in version 0.4.7.14 - 2023-07-26
This version contains several minor fixes and one major bugfix affecting
vanguards (onion service). As usual, we recommend upgrading to this version
as soon as possible.
o Major bugfixes (vanguards):
- Rotate to a new L2 vanguard whenever an existing one loses the
Stable or Fast flag. Previously, we would leave these relays in
the L2 vanguard list but never use them, and if all of our
vanguards end up like this we wouldn't have any middle nodes left
to choose from so we would fail to make onion-related circuits.
Fixes bug 40805; bugfix on 0.4.7.1-alpha.
o Minor feature (CI):
- Update CI to use Debian Bullseye for runners.
o Minor feature (lzma):
- Fix compiler warnings for liblzma >= 5.3.1. Closes ticket 40741.
o Minor features (directory authorities):
- Directory authorities now include their AuthDirMaxServersPerAddr
config option in the consensus parameter section of their vote.
Now external tools can better predict how they will behave.
Implements ticket 40753.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on July 26, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/07/26.
o Minor bugfix (relay, logging):
- The wrong max queue cell size was used in a protocol warning
logging statement. Fixes bug 40745; bugfix on 0.4.7.1-alpha.
o Minor bugfixes (compilation):
- Fix all -Werror=enum-int-mismatch warnings. No behavior change.
Fixes bug 40824; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (metrics):
- Decrement hs_intro_established_count on introduction circuit
close. Fixes bug 40751; bugfix on 0.4.7.12.
o Minor bugfixes (sandbox):
- Allow membarrier for the sandbox. And allow rt_sigprocmask when
compiled with LTTng. Fixes bug 40799; bugfix on 0.3.5.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this contain kernel-6.1.45, intel-microcode-20230808, linux-firmware-20230804 + fam19h patches and a fix
for early microcode load from initramdisk.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
i had disabled CONFIG_GCC_PLUGIN_LATENT_ENTROPY because this
fails to compile on riscv64.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
this is a work around for often hanging processes eg. at
rust builds.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.9.16 to 0.9.17
- Update of rootfile
- Changelog
0.9.17
* The importer is now parsing Geofeeds where available. This helps us to create a
database with better accuracy for large ISPs or cloud providers.
* The database writer is trying to compress the database harder: It will now look
for any duplicate networks and merge neighbouring networks which will reduce the
size of the database by about half.
* The importer has been improved so that it runs more efficient SQL queries to
create the database faster.
* Temuri Doghonadze contributed a Georgian translation.
* Hans-Christoph Steiner contributed bash-completion for the location(8) command.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 7.1.0 to 8.0.3
- Update of rootfile not required
- Update qemu-ga in lockstep with qemu
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.4.3 to 1.4.4
- Update of rootfile not required
- Changelog
1.4.4
* Use AC_SYS_LARGEFILE macro to control largefile support
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 11.3.0 to 11.5.0
- Update of rootfile
- Changelog
11.5.0: release
* This release consists entirely of changes made by M. Holger.
Mostly this is changes to the private API, performance
enhancements, code cleanup, and reformatting to 100 columns
instead of 80. For qpdf development, we are starting to use
JetBrains CLion, so a lot of the changes are moving us toward a
cleaner development experience in that environment.
* Bug fix: when a the same page is copied multiple times, copy
the annotations rather than having multiple pages share an
annotation object. Thanks to M. Holger for the fix. Fixes#600.
* Add "FUTURE" build option for enabling experimental APIs. Do not
package qpdf built with the FUTURE option as there are no binary
compatibility or even source compatibility guarantees. The option
is intended for developers who want to ensure that future
potentially breaking changes are compatible with their code or
provide feedback on upcoming changes. At present, the only feature
enabled by FUTURE is a move constructor for QPDFObjectHandle.
While this shouldn't break any code, it would change details about
how many copies of a specific QPDFObjectHandle were in existence,
so it could potentially break code that was relying on internal
shared pointer reference counts. Thanks to M. Holger for the idea
and contribution.
* Add new method Buffer::copy and deprecate Buffer copy
constructor and assignment operator. Buffer copy operations are
expensive as they always involve copying the buffer content. Use
"buffer2 = buffer1.copy();" or "Buffer buffer2{buffer1.copy()};"
to make it explicit that copying is intended. This change was
contributed by M. Holger.
11.4.0: release
* From M. Holger: add QPDF::newReserved as a better alternative to
QPDFObjectHandle::newReserved. The operation of creating a new
reserved object fits better in the QPDF API. The old call just
delegates to the new one.
* When an annotation dictionary's appearance dictionary (`/AP`)
has a key that is a stream, disregard `/AS` (which is supposed to
point to a subkey). This enables qpdf to not ignore annotations
that have incorrect values for `/AS` when the appearance stream is
directly in the `/AP` dictionary instead of in a subkey.
Fixes#949.
* Allow QPDFJob's workflow to be split into a reading phase and a
writing phase to allow the caller to operate on the QPDF object
before it is written. This adds methods QPDFJob::createQPDF and
QPDFJob::writeQPDF and corresponding C API functions
qpdfjob_create_qpdf and qpdfjob_write_qpdf. Thanks to M. Holger
for the contribution.
* From M. Holger: throw a logic error if an uninitialized or
foreign QPDFObjectHandle is added to an array.
* Enhance --optimize-images to support images nested inside of
form XObjects. Thanks to Connor Osborne (github user cdosborn) for
the contribution. Fixes#923.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
