- Update from 1.9.9 to 1.9.10
- Update of rootfile not required
- Changelog
What's new in Sudo 1.9.10
* Added new "log_passwords" and "passprompt_regex" sudoers options.
If "log_passwords" is disabled, sudo will attempt to prevent passwords
from being logged. If sudo detects any of the regular expressions in
the "passprompt_regex" list in the terminal output, sudo will log '*'
characters instead of the terminal input until a newline or carriage
return is found in the input or an output character is received.
* Added new "log_passwords" and "passprompt_regex" settings to
sudo_logsrvd that operate like the sudoers options when logging
terminal input.
* Fixed several few bugs in the cvtsudoers utility when merging
multiple sudoers sources.
* Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf
file, where the "retry_interval" in the [relay] section was not
being recognized.
* Restored the pre-1.9.9 behavior of not performing authentication
when sudo's -n option is specified. A new "noninteractive_auth"
sudoers option has been added to enable PAM authentication in
non-interactive mode. GitHub issue #131.
* On systems with /proc, if the /proc/self/stat (Linux) or
/proc/pid/psinfo (other systems) file is missing or invalid,
sudo will now check file descriptors 0-2 to determine the user's
terminal. Bug #1020.
* Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
* Fixed a crash in sudo_logsrvd when running in relay mode if
an alert message is received.
* Fixed an issue that resulting in "problem with defaults entries"
email to be sent if a user ran sudo when the sudoers entry in
the nsswitch.conf file includes "sss" but no sudo provider is
configured in /etc/sssd/sssd.conf. Bug #1022.
* Updated the warning displayed when the invoking user is not
allowed to run sudo. If sudo has been configured to send mail
on failed attempts (see the mail_* flags in sudoers), it will
now print "This incident has been reported to the administrator."
If the "mailto" or "mailerpath" sudoers settings are disabled,
the message will not be printed and no mail will be sent.
GitHub issue #48.
* Fixed a bug where the user-specified command timeout was not
being honored if the sudoers rule did not also specify a timeout.
* Added support for using POSIX extended regular expressions in
sudoers rules. A command and/or arguments in sudoers are treated
as a regular expression if they start with a '^' character and
end with a '$'. The command and arguments are matched separately,
either one (or both) may be a regular expression.
Bug #578, GitHub issue #15.
* A user may now only run "sudo -U otheruser -l" if they have a
"sudo ALL" privilege where the RunAs user contains either "root"
or "otheruser". Previously, having "sudo ALL" was sufficient,
regardless of the RunAs user. GitHub issue #134.
* The sudo lecture is now displayed immediately before the password
prompt. As a result, sudo will no longer display the lecture
unless the user needs to enter a password. Authentication methods
that don't interact with the user via a terminal do not trigger
the lecture.
* Sudo now uses its own closefrom() emulation on Linux systems.
The glibc version may not work in a chroot jail where /proc is
not available. If close_range(2) is present, it will be used
in preference to /proc/self/fd.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 7.81.0 to 7.82.0
- Update of rootfile not required
- Changelog
Versionl 7.82.0
This release includes the following changes:
o curl: add --json [67]
o mesalink: remove support [23]
This release includes the following bugfixes:
o appveyor: update images from VS 2019 to 2022
o appveyor: use VS 2017 image for the autotools builds
o azure-pipelines: add a build on Windows with libssh [154]
o bearssl: fix connect error on expired cert and no verify [132]
o bearssl: fix EXC_BAD_ACCESS on incomplete CA cert [131]
o bearssl: fix session resumption (session id) [133]
o build: enable -Warith-conversion
o build: fix -Wenum-conversion handling
o build: fix ngtcp2 crypto library detection [63]
o checkprefix: remove strlen calls [128]
o checksrc: fix typo in comment [34]
o CI: move 'distcheck' job from zuul to azure pipelines [60]
o CI: move scan-build job from Zuul to Azure Pipelines [59]
o CI: move the NSS job from zuul to GHA [84]
o ci: move the OpenSSL + c-ares job from Zuul to Circle CI [75]
o CI: move the rustls CI job to GHA from Zuul [8]
o CI: move two jobs from Zuul to Circle CI [73]
o CI: test building wolfssl with --enable-opensslextra [42]
o CI: workflows/wolfssl: install impacket [47]
o circleci: add a job using libssh [121]
o cirlceci: also run a c-ares job on arm with debug enabled [74]
o cmake: fix iOS CMake project generation error [13]
o cmdline-opts/gen.pl: fix option matching to improve references [50]
o config.d: Clarify _curlrc filename is still valid on Windows [95]
o configure.ac: use user-specified gssapi dir when using pkg-config [136]
o configure: change output for cross-compiled alt-svc support [140]
o configure: fix '--enable-code-coverage' typo [110]
o configure: remove support for "embedded ares" [82]
o configure: requires --with-nss-deprecated to build with NSS [114]
o configure: set CURL_LIBRARY_PATH for nghttp2 [58]
o configure: support specification of a nghttp2 library path [101]
o configure: use correct CFLAGS for threaded resolver with xlC on AIX [54]
o curl tool: erase some more sensitive command line arguments [22]
o curl-functions.m4: fix LIBRARY_PATH adjustment to avoid eval [5]
o curl-functions.m4: revert DYLD_LIBRARY_PATH tricks in CURL_RUN_IFELSE [9]
o curl-openssl: fix SRP check for OpenSSL 3.0 [86]
o curl-openssl: remove the OpenSSL headers and library versions check [35]
o curl.h: fix typo [129]
o curl: remove "separators" (when using globbed URLs) [32]
o curl_getdate.3: remove pointless .PP line [68]
o curl_multi_socket.3: remove callback and typical usage descriptions [7]
o curl_url_set.3: mention when CURLU_ALLOW_SPACE was added
o CURLMOPT_TIMERFUNCTION/DATA.3: fix the examples [27]
o CURLOPT_PROGRESSFUNCTION.3: fix example struct assignment [147]
o CURLOPT_RESOLVE.3: change example port to 443
o CURLOPT_XFERINFOFUNCTION.3: fix example struct assignment [153]
o CURLOPT_XFERINFOFUNCTION.3: fix typo in example [81]
o CURLSHOPT_LOCKFUNC.3: fix typo "relased" -> "released" [71]
o des: fix compile break for OpenSSL without DES [141]
o docs/cmdline-opts: add "mutexed" options for more http versions [25]
o docs/DEPRECATE: remove NPN support in August 2022 [64]
o docs: capitalize the name 'Netscape' [77]
o docs: document HTTP/2 not insisting on TLS 1.2 [49]
o docs: fix mandoc -T lint formatting complaints [2]
o docs: update IETF links to use datatracker [41]
o examples/curlx: support building with OpenSSL 1.1.0+ [148]
o examples/multi-app.c: call curl_multi_remove_handle as well [19]
o formdata: avoid size_t => long typecast overflows [37]
o ftp: provide error message for control bytes in path [66]
o gen.pl: terminate "example" sections better [4]
o gha: add a macOS CI job with libssh [142]
o gskit: Convert to using Curl_poll [111]
o gskit: Fix errors from Curl_strerror refactor [113]
o gskit: Fix initialization of Curl_ssl_gskit struct [112]
o h2/h3: allow CURLOPT_HTTPHEADER change ":scheme" [88]
o hostcheck: fixed to not touch used input strings [38]
o hostcheck: reduce strlen calls on chained certificates [92]
o hostip: avoid unused parameter error in Curl_resolv_check [144]
o http2: move two infof calls to debug-h2-only [145]
o http: make Curl_compareheader() take string length arguments too [87]
o if2ip: make Curl_ipv6_scope a blank macro when IPv6-disabled [104]
o KNOWN_BUGS: fix typo "libpsl"
o ldap: return CURLE_URL_MALFORMAT for bad URL [24]
o lib: remove support for CURL_DOES_CONVERSIONS [96]
o libssh2: don't typecast socket to int for libssh2_session_handshake [151]
o libssh: fix include files and defines use for Windows builds [156]
o Makefile.am: Generate VS 2022 projects
o maketgz: return error if 'make dist' fails [79]
o mbedtls: enable use of mbedtls without CRL support [57]
o mbedtls: enable use of mbedtls without filesystem functions support [100]
o mbedtls: fix CURLOPT_SSLCERT_BLOB (again)
o mbedtls: fix ssl_init error with mbedTLS 3.1.0+ [12]
o mbedtls: remove #include <mbedtls/certs.h> [56]
o mbedtls: return CURLcode result instead of a mbedtls error code [1]
o md5: check md5_init_func return value
o mime: use a define instead of the magic number 24 [89]
o misc: allow curl to build with wolfssl --enable-opensslextra [43]
o misc: remove BeOS code and references [30]
o misc: remove the final watcom references [29]
o misc: remove unused data when IPv6 is not supported [80]
o mqtt: free 'sendleftovers' in disconnect [115]
o mqtt: free any send leftover data when done [36]
o multi: allow user callbacks to call curl_multi_assign [126]
o multi: grammar fix in comment [69]
o multi: remember connection_id before returning connection to pool [76]
o multi: set in_callback for multi interface callbacks [28]
o netware: remove support [72]
o next.d. remove .fi/.nf as they are handled by gen.pl [3]
o ngtcp2: adapt to changed end of headers callback proto [39]
o ngtcp2: fix declaration of ‘result’ shadows a previous local [14]
o ngtcp2: Reset dynbuf when it is fully drained [143]
o nss: handshake callback during shutdown has no conn->bundle [55]
o ntlm: remove unused feature defines [117]
o openldap: fix compiler warning when built without SSL support [70]
o openldap: implement SASL authentication [16]
o openldap: pass string length arguments to client_write() [116]
o openssl.h: avoid including OpenSSL headers here [15]
o openssl: check if sessionid flag is enabled before retrieving session [125]
o openssl: check SSL_get_ex_data to prevent potential NULL dereference [40]
o openssl: check the return value of BIO_new_mem_buf() [18]
o openssl: fix `ctx_option_t` for OpenSSL v3+
o openssl: fix build for version < 1.1.0 [134]
o openssl: return error if TLS 1.3 is requested when not supported [45]
o os400: Add function wrapper for system command [138]
o os400: Add link to QADRT devkit to README.OS400 [137]
o os400: Default build to target current release [139]
o OS400: fix typos in rpg include file [149]
o projects: add support for Visual Studio 17 (2022) [124]
o projects: fix Visual Studio wolfSSL configurations
o projects: remove support for MSVC before VC10 (Visual Studio 2010) [123]
o quiche: after leaving h3_recving state, poll again [108]
o quiche: change qlog file extension to `.sqlog` [44]
o quiche: fix upload for bigger content-length [146]
o quiche: handle stream reset [83]
o quiche: remove two leftover debug infof() outputs
o quiche: verify the server cert on connect [33]
o quiche: when *recv_body() returns data, drain it before polling again [109]
o README.md: fix links [118]
o remote-header-name.d: clarify [10]
o runtests.pl: disable debuginfod [51]
o runtests.pl: properly print the test if it contains binary zeros
o runtests.pl: support the nonewline attribute for the data part [21]
o runtests.pl: tolerate test directories without Makefile.inc [98]
o runtests: allow client/file to specify multiple directories
o runtests: make 'rustls' a testable feature
o runtests: make 'wolfssl' a testable feature [6]
o runtests: set 'oldlibssh' for libssh versions before 0.9.5 [122]
o rustls: add CURLOPT_CAINFO_BLOB support [26]
o schannel: move the algIds array out of schannel.h [135]
o scripts/cijobs.pl: output data about all currect CI jobs [78]
o scripts/completion.pl: improve zsh completion [46]
o scripts/copyright.pl: support many provided file names on the cmdline
o scripts/delta: check the file delta for current branch
o sectransp: mark a 3DES cipher as weak [130]
o setopt: do bounds-check before strdup [99]
o setopt: fix the TLSAUTH #ifdefs for proxy-disabled builds [53]
o sha256: Fix minimum OpenSSL version [102]
o smb: pass socket for writing and reading data instead of FIRSTSOCKET [90]
o ssl: reduce allocated space for ssl backend when FTP is disabled [127]
o test3021: disable all msys2 path transformation
o test374: gif data without new line at the end [20]
o tests/disable-scan.pl: properly detect multiple symbols per line [94]
o tests/unit/Makefile.am: add NSS_LIBS to build with NSS fine [85]
o tool_findfile: check ~/.config/curlrc too [17]
o tool_getparam: DNS options that need c-ares now fail without it [31]
o TPF: drop support [97]
o unit1610: init SSL library before calling SHA256 functions [152]
o url: exclude zonefrom_url when no ipv6 is available [103]
o url: given a user in the URL, find pwd for that user in netrc [11]
o url: keep trailing dot in host name [62]
o url: make Curl_disconnect return void [48]
o urlapi: handle "redirects" smarter [119]
o urldata: CONN_IS_PROXIED replaces bits.proxy when proxy can be disabled [52]
o urldata: remove conn->bits.user_passwd [105]
o version_win32: fix warning for `CURL_WINDOWS_APP` [93]
o vtls: fix socket check conditions [150]
o vtls: pass on the right SNI name [61]
o vxworks: drop support [65]
o winbuild: add parameter WITH_SSH [120]
o wolfssl: return CURLE_AGAIN for the SSL_ERROR_NONE case [106]
o wolfssl: when SSL_read() returns zero, check the error [107]
o write-out.d: Fix num_headers formatting
o x509asn1: toggle off functions not needed for diff tls backends [91]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 9.55.0 to 9.56.1
- Update of rootfile
- Changelog
Version 9.56.0 (2022-02-22)
Highlights in this release include:
New PDF Interpreter: This is an entirely new implementation written in C
(rather than PostScript, as before). For a full discussion of this change
and reasons for it see: Changes Coming to the PDF Interpreter.
In this (9.56.0) release, the new PDF interpreter is now ENABLED by default
in Ghostscript, but the old PDF interpreter can be used as a fallback by
specifying -dNEWPDF=false. We've provided this so users that encounter
issues with the new interpreter can keep working while we iron out those
issues, the option will not be available in the long term.
This also allows us to offer a new executable (gpdf, or gpdfwin??.exe on
Windows) which is purely for PDF input. For this release, those new binaries
are not included in the "install" make targets, nor in the Windows installers.
Calling Ghostscript via the GS API is now thread safe. The one limitation is
that the X11 devices for Unix-like systems (x11, x11alpha, x11cmyk, x11cmyk2,
x11cmyk4, x11cmyk8, x11gray2, x11gray4 and x11mono) cannot be made thread
safe, due to their interaction with the X11 server, those devices have been
modified to only allow one instance in an executable.
The PSD output device now writes ICC profiles to their output files, for
improved color fidelity.
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental
improvements.
Included below are incompatible changes from recent releases (the specific release
in question is listed in parentheses). We include these, for now, as we are aware
that not everyone upgrades with every release.
(9.55.0) Changes to the device API. This will affect developers and
maintainers of Ghostscript devices. Firstly, and most importantly,
the way device-specific "procs" are specified has been rewritten
to make it (we think!) clearer and less confusing. See The
Interface between Ghostscript and Device Drivers and The Great
Device Rework Of 2021 for more details.
(9.55.0) The command line options -sGraphicsICCProfile=___,
-dGraphicsIntent=#, -dGraphicsBlackPt=#, -dGraphicsKPreserve=# have
been changed to -sVectorICCProfile=___, -dVectorIntent=#,
-dVectorBlackPt=#, -dVectorKPreserve=#.
(9.53.0) As of 9.53.0, we have (re-)introduced the patch level to the
version number, this helps facilitate a revised policy on handling
security-related issues.
Note for GSView Users: The patch level addition breaks GSView 5 (it is
hardcoded to check for versions 704-999. It is possible, but not guaranteed
that a GSView update might be forthcoming to resolve this.
(9.52) -dALLOWPSTRANSPARENCY: The transparency compositor (and related
features), whilst we are improving it, remains sensitive to being
driven correctly, and incorrect use can have unexpected/undefined
results. Hence, as part of improving security, we limited access to
these operators, originally using the -dSAFER feature. As we made
"SAFER" the default mode, that became unacceptable, hence the new
option -dALLOWPSTRANSPARENCY which enables access to the operators.
(9.50) There are a couple of subtle incompatibilities between the old and
new SAFER implementations. Firstly, as mentioned in the 9.50 release
notes, SAFER now leaves standard PostScript functionality unchanged
(except for the file access limitations). Secondly, the interaction
with save/restore operations has changed. See SAFER.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 5.16.0 to 5.17.0
- Update of rootfile not required
- Changelog
v5.17.0
ip/geneve: add support for IFLA_GENEVE_INNER_PROTO_INHERIT
Merge branch 'gtp-netdev' into next
f_flower: Implement gtp options support
ip: GTP support in ip link Wojciech
man: bridge: document per-port mcast_router settings
bridge: support for controlling mcast_router per port
Update kernel headers
vdpa: Update man page with added support to configure max vq pair
link_xfrm: if_id must be non zero
testsuite: link xfrm delete no if_id test
vdpa: Support reading device features
vdpa: Support for configuring max VQ pairs for a device
vdpa: Allow for printing negotiated features of a device
vdpa: Remove unsupported command line option
Makefile: move HAVE_MNL check to top-level Makefile
Merge branch 'bridge-broadcast-flooding' into next
Merge branch 'main' into next
man: ip-link: whitespace fixes to odd line breaks mid sentence
man: ip-link: mention bridge port's default mcast_flood state
man: ip-link: document new bcast_flood flag on bridge ports
ip: iplink_bridge_slave: support for broadcast flooding
man: bridge: add missing closing " in bridge show mdb
man: bridge: document new bcast_flood flag for bridge ports
bridge: support for controlling flooding of broadcast per port
rdma: make RES_PID and RES_KERN_NAME alternative to each other
uapi: update vdpa.h
ipaddress: remove 'label' compatibility with Linux-2.0 net aliases
lib/fs: fix memory leak in get_task_name()
ip/batadv: allow to specify RA when creating link
Import batman_adv.h header from last kernel sync point
uapi: update magic.h
Revert "configure: Allow command line override of toolchain"
tc: separate action print for filter and action dump
rdma: Fix the logic to print unsigned int.
Revert "rdma: Fix res_print_uint() and add res_print_u64()"
Merge branch 'libbpf-fixups' into next
bpf: Remove use of bpf_create_map_xattr
bpf: Export bpf syscall wrapper
bpf_glue: Remove use of bpf_load_program from libbpf
rdma: Fix res_print_uint() and add res_print_u64()
uapi: update to xfrm.h
ss: display advertised TCP receive window and out-of-order counter
Merge branch 'link-layer-protocols' into next
tc: bash-completion: Add profinet and ethercat to procotol completion list
lib: add profinet and ethercat as link layer protocol names
Merge branch '802.1X-locked-bridge-ports' into next
man8/ip-link.8: add locked port feature description and cmd syntax
man8/bridge.8: add locked port feature description and cmd syntax
ip: iplink_bridge_slave: add locked port flag support
bridge: link: add command to set port in locked mode
Update kernel headers
configure: Allow command line override of toolchain
mptcp: add port support for setting flags
mptcp: add fullmesh support for setting flags
mptcp: add fullmesh check for adding address
bond: add ns_ip6_target option
Merge branch 'main' into next
devlink: Remove strtouint8_t in favor of get_u8
devlink: Remove strtouint16_t in favor of get_u16
devlink: Remove strtouint32_t in favor of get_u32
devlink: Remove strtouint64_t in favor of get_u64
Update kernel headers
f_flower: fix indentation for enc_key_id and u32
bridge: Remove vlan listing from `bridge link`
bridge: Fix error string typo
lnstat: fix strdup leak in -w argument parsing
iplink_can: print_usage: typo fix, add missing spaces
dcb: Fix error reporting when accessing "dcb app"
tc: fix duplicate fall-through
libnetlink: fix socket leak in rtnl_open_byproto()
tc_util: Fix parsing action control with space and slash
tunnel: Fix missing space after local/remote print
Merge branch 'ioam-insert-freq' into next
Update documentation
Add support for the IOAM insertion frequency
Update kernel headers
iplink: add ip-link documentation
iplink: add gro_max_size attribute handling
tc: u32: add json support in `print_raw`, `print_ipv4`, `print_ipv6`
tc: u32: add support for json output
iprule: Allow option dsfield in 'ip rule show'
tc/f_flower: fix indentation
tc_util: fix breakage from clang changes
tc: add skip_hw and skip_sw to control action offload
ss: use freecon() instead of free() when appropriate
man: Fix a typo in the flag documentation of ip address
dcb: app: Add missing "dcb app show dev X default-prio"
Merge branch 'clang-compile' into next
json_print: suppress clang format warning
libbpf: fix clang warning about format non-literal
tunnel: fix clang warning
tipc: fix clang warning about empty format string
can: fix clang warning
ipl2tp: fix clang warning
tc_util: fix clang warning in print_masked_type
flower: fix clang warnings
netem: fix clang warnings
utils: add format attribute
tc: add format attribute to tc_print_rate
Merge branch 'main' into next
uapi: update kernel headers from 5.17-rc1
tc/action: print error to stderr
mptcp: add id check for deleting address
dcb: Rewrite array-formatting code to not cause warnings with Clang
f_flower: fix checkpatch warnings
netem: fix checkpatch warnings
Merge branch 'main' into next
lib: fix ax25.h include for musl
uapi: add missing virtio headers
uapi: add missing rose and ax25 files
q_cake: allow changing to diffserv3
iplink_can: add ctrlmode_{supported,_static} to the "--details --json" output
Update kernel headers
Merge branch 'rdma-clang-compile' into next
rdma: Don't allocate sparse array
rdma: Limit copy data by the destination size
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 1.28.10 to 1.28.14
- Update of rootfile not required
- Changelog
CHANGES IN V1.28.14
- pdftopdf: Correct the output when suppressing auto-rotation
(option "nopdfAutoRotate"). Depending on the situation pages
got cropped in the wrong orientation or de-centered.
- pdftopdf: Correct the output when the
"orientation-requested" or the "landscape" option is
supplied. Output could be de-centered (Issue #456),
portrait-oriented pages be wrongly cropped and division of
the output page into cells for N-up done in the wrong
orientation.
- rastertopdf: In PCLm output mode the filter failed to
generate PCLm if the printer has no
"pclm-source-resolution-default" IPP attribute.
CHANGES IN V1.28.13
- pdftopdf: Fix N-up printing when paper is taken
long-edge-first by the printer.
- pdftopdf: Fix cropping ("print-scaling=none" and
"print-scaling=fill") when paper is taken long-edge-first by
the printer (Issue #454).
- pdftops: Use Poppler for all Apple LaserWriter models (Issue
#452).
CHANGES IN V1.28.12
- imagetoraster, imagetopdf: Fixed comparison of the image
size with the page size for print-scaling=auto. The image
size in pixels was compared with the page size in PostScript
points (1/72 inch).
- imagetoraster, imagetopdf: Fixed the "print-scaling=none"
(crop-to-fit) mode, also use crop-to-fit always when
requested, do not fall back to fit-to-page when the image
size differs significantly from the page size (Issue #362).
- libcupsfilters: Changed the default PPI resolution for
images as input files from 128 to 200 (Pull request #446).
- implicitclass: Do not check availability of "gs" and
"pdftops" executables, instead, check by the presence of
"gstoraster" and "pdftoraster" filters whether we have
configured cups-filters for Ghostscript and/or Poppler use.
- libcupsfilters: In the PPD generator for the driverless
utility and cups-browsed add "*cupsFilter2: ..." lines for
all supported driverless data formats (PDF, Apple/PWG
Raster, PCLm), and add lines for legacy data formats (PCL,
PostScript) only if no driverless formats available.
- libcupsfilters: Always use encryption for ipps. RFC7472
requires that 'ipps' must be used over HTTPS, but the
driverless utility does not enforce encryption (Pull request
#433).
- serial: Add a 10-msec sleep and at the end add a tcdrain().
For some unknown reason, every printing file need sleep a
little time to make sure the serial printer receive data is
right (Pull request #431).
- libcupsfilters: Fix resolver functions for DNS-SD-based
URIs, to make resolve_uri() also work when DEVICE_URI env
variable is set and to make ippfind_based_uri_converter()
not re-direct stdin.
- pdftopdf: Set default for print-scaling to avoid "should
never happem" log messages and undefined behavior.
- pdftopdf: Fix orientation-requested = 0. Consider
this as "automatic selection and not as error.
- pdftopdf: Fixed all combinations of print-scaling and
number-up for printers with asymmetric margins (top !=
bottom or left != right) and for input files containing
pages with different sizes and/or orientations. Fixes
backported from 2.x branch.
- pdftopdf: Add 2% tolerance for input size larger than output
page when "print-scaling=auto" or "print-scaling=auto-fit"
is used and too large input pages should be scaled, fitting
documents not. This prevents a random-looking behavior if
input and output page size seem to be equal, but in reality
there are slight differences between size dimensions.
CHANGES IN V1.28.11
- libcupsfilters: Let PPD generator take default ColorModel
from printer (CUPS issue #277).
- Braille: In vectortopdf check inkscape version to call
inkscape with the correct command line (Issue #315, Pull
request #443).
- Build system: Make missing DejaVuSans.ttf non-fatal in
./configure as the font is only needed for test programs,
not for actual use of cups-filters (Issue #411).
- libcupsfilters: In imagetoraster() fixed crash with SGray
(Issue #435).
- cups-browsed: Naming of local queues is matched to CUPS'
current naming of temporary queues (no leading or trailing
underscores), to avoid duplicates in print dialogs which
support CUPS' temporary queues.
- libcupsfilters: Make cupsRasterParseIPPOptions() work correctly
with PPDs (Issue #436).
- libcupsfilters: Let colord_get_profile_for_device_id() not
return empty file name, to avoid error messages in CUPS
error_log.
- foomatic-rip: Debug message was wrongly sent to stdout and
not to log (Issue #422).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 6.13 to 6.14
- Update of rootfile not required
- Changelog
September, 2021: Release 6.14
cifs-utils: bump version to 6.14
setcifsacl: fix formatting
smbinfo: add support for new key dump ioctl
mount.cifs: fix crash when mount point does not exist
cifs.upcall: fix regression in kerberos mount
smbinfo: Add command for displaying alternate data streams
Reorder ACEs in preferred order during setcifsacl
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This is recommended by KSPP, Lynis, and others. Indeed, there is no
legitimate reason why an unprivileged user on IPFire should do any
profiling. Unfortunately, this change never landed in the mainline
kernel, hence a distribution patch is necessary.
The second version of this patch rebases the kernel patch by Jeff
Vander Stoep against Linux 5.15.17 to avoid fuzzying.
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
This reverts commit 77e3829dc1.
For the time being, shipping this was found to be too difficult, since
we cannot get linux-firmware down to an acceptable size limit.
Compressing the firmware on installations would work, but takes about 4
minutes on an Intel Xenon CPU alone, hence it is an unacceptable
workload to do for IPFire installation running on weaker hardware.
Therefore, we do not proceed with this at the moment.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Full changelog, as retrieved from https://www.zlib.net/ChangeLog.txt :
Changes in 1.2.12 (27 Mar 2022)
- Cygwin does not have _wopen(), so do not create gzopen_w() there
- Permit a deflateParams() parameter change as soon as possible
- Limit hash table inserts after switch from stored deflate
- Fix bug when window full in deflate_stored()
- Fix CLEAR_HASH macro to be usable as a single statement
- Avoid a conversion error in gzseek when off_t type too small
- Have Makefile return non-zero error code on test failure
- Avoid some conversion warnings in gzread.c and gzwrite.c
- Update use of errno for newer Windows CE versions
- Small speedup to inflate [psumbera]
- Return an error if the gzputs string length can't fit in an int
- Add address checking in clang to -w option of configure
- Don't compute check value for raw inflate if asked to validate
- Handle case where inflateSync used when header never processed
- Avoid the use of ptrdiff_t
- Avoid an undefined behavior of memcpy() in gzappend()
- Avoid undefined behaviors of memcpy() in gz*printf()
- Avoid an undefined behavior of memcpy() in _tr_stored_block()
- Make the names in functions declarations identical to definitions
- Remove old assembler code in which bugs have manifested
- Fix deflateEnd() to not report an error at start of raw deflate
- Add legal disclaimer to README
- Emphasize the need to continue decompressing gzip members
- Correct the initialization requirements for deflateInit2()
- Fix a bug that can crash deflate on some input when using Z_FIXED
- Assure that the number of bits for deflatePrime() is valid
- Use a structure to make globals in enough.c evident
- Use a macro for the printf format of big_t in enough.c
- Clean up code style in enough.c, update version
- Use inline function instead of macro for index in enough.c
- Clarify that prefix codes are counted in enough.c
- Show all the codes for the maximum tables size in enough.c
- Add gznorm.c example, which normalizes gzip files
- Fix the zran.c example to work on a multiple-member gzip file
- Add tables for crc32_combine(), to speed it up by a factor of 200
- Add crc32_combine_gen() and crc32_combine_op() for fast combines
- Speed up software CRC-32 computation by a factor of 1.5 to 3
- Use atomic test and set, if available, for dynamic CRC tables
- Don't bother computing check value after successful inflateSync()
- Correct comment in crc32.c
- Add use of the ARMv8 crc32 instructions when requested
- Use ARM crc32 instructions if the ARM architecture has them
- Explicitly note that the 32-bit check values are 32 bits
- Avoid adding empty gzip member after gzflush with Z_FINISH
- Fix memory leak on error in gzlog.c
- Fix error in comment on the polynomial representation of a byte
- Clarify gz* function interfaces, referring to parameter names
- Change macro name in inflate.c to avoid collision in VxWorks
- Correct typo in blast.c
- Improve portability of contrib/minizip
- Fix indentation in minizip's zip.c
- Replace black/white with allow/block. (theresa-m)
- minizip warning fix if MAXU32 already defined. (gvollant)
- Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
- Clean up minizip to reduce warnings for testing
- Add fallthrough comments for gcc
- Eliminate use of ULL constants
- Separate out address sanitizing from warnings in configure
- Remove destructive aspects of make distclean
- Check for cc masquerading as gcc or clang in configure
- Fix crc32.c to compile local functions only if used
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Some files are identical which is why we don't need to ship them mutiple
times. This will save about 13 MiB of disk space and presumably the same
on the compressed distro image.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://mmonit.com/monit/changes/
"Fixed: Issue #1028: If the Monit statefile was removed, the monit
start <service> action for services with onreboot nostart option
started the service, but did not enable monitoring of said service.
The same problem occurred if a new onreboot nostart service was
added, even if the statefile did exist.
Fixed: Issue #1029: The generic protocol test truncated received
data if the response contained zeros.
Fixed: PAM authentication: Users with a valid password for
a disabled account could still login to Monit. Thanks to Youssef
Rebahi-Gilbert.
Fixed: The Monit HTTP interface could be blocked by sending
a request with an infinite stream of HTTP headers. Thanks to Youssef
Rebahi-Gilbert for report."
For more details see:
https://bitbucket.org/tildeslash/monit/commits/tag/release-5-32-0
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package installs some firmware files. Since linux-firmware is now
compressed, files will no longer be overwritten, but this package will
put the uncompressed files next to the compressed ones.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch enabled that we can compress any firmware files on disk. This
will save some space since /lib/firmware is becoming larger with every
release.
From formerly 828MiB, this is now using ~349MiB which is a saving of
about 480MiB on disk. This is helping us a lot fighting to contain the
distribution to 2GB on /.
Some other firmware that is installed in other packages is not
compressed with this patch which is a bit sad, but potentially not worth
the effort.
In order to ship this change with a Core Update, it might be intuitive
to remove /lib/firmware first and then extract the new update with all
new files. However, I do not know if this all will compress as well as
before since now the files are already individually compressed. It might
be a challenge to ship this.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.27/doc/arm/html/notes.html#notes-for-bind-9-16-27
"Security Fixes
The rules for acceptance of records into the cache have been
tightened to prevent the possibility of poisoning if forwarders send
records outside the configured bailiwick. (CVE-2021-25220)
ISC would like to thank Xiang Li, Baojun Liu, and Chaoyi Lu from
Network and Information Security Lab, Tsinghua University, and
Changgen Zou from Qi An Xin Group Corp. for bringing this
vulnerability to our attention. [GL #2950]
TCP connections with keep-response-order enabled could leave the TCP
sockets in the CLOSE_WAIT state when the client did not properly
shut down the connection. (CVE-2022-0396) [GL #3112]
Feature Changes
DEBUG(1)-level messages were added when starting and ending the BIND
9 task-exclusive mode that stops normal DNS operation (e.g. for
reconfiguration, interface scans, and other events that require
exclusive access to a shared resource). [GL #3137]
Bug Fixes
The max-transfer-time-out and max-transfer-idle-out options were not
implemented when the BIND 9 networking stack was refactored in 9.16.
The missing functionality has been re-implemented and outgoing zone
transfers now time out properly when not progressing. [GL #1897]
TCP connections could hang indefinitely if the other party did not
read sent data, causing the TCP write buffers to fill. This has been
fixed by adding a “write” timer. Connections that are hung while
writing now time out after the tcp-idle-timeout period has elapsed.
[GL #3132]
The statistics counter representing the current number of clients
awaiting recursive resolution results (RecursClients) could
be miscalculated in certain resolution scenarios, potentially
causing the value of the counter to drop below zero. This has been
fixed. [GL #3147]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://github.com/oetiker/rrdtool-1.x/releases/tag/v1.8.0
"Bugfixes
python bindings: properly convert double values of rrd info
failed to expand 'Py_UNUSED', Invalid usage when expanding 'Py_UNUSED'
document --showtime in xport help output
fix --use-nan-for-all-missing-data
update rrdruby.pod
add missing rrdruby.pod and rrdpython.pod to dist
Set first_weekday to 0 (Sunday), when HAVE__NL_TIME_WEEK_1STDAY is not defined
fix median calculation for all NaN inputs
fix potential leak in xport during failure
fix many warnings raised by Cppcheck
fix many compiler warnings from latest gcc
ensure proper initialization in rrd_daemon
cleanup testsuite
better testing
avoid invalid read in rrd_client
add symbols from rrdc to librrd
Fix duplicate write_changes_to_disk() calls when HAVE_LIBRADOS is true and HAVE_MMAP is false
documentation updates
for SMIN example in docs
fix for pyton3 compatibility
freemem only for valid status <Christian Kr"oger>
fix double meaning of time 0 as uninitialized value
fix for zfs not supporting fallocate. this makes resize work on zfs
add rrdrados.pod to dist
fetch - do not call rrd_freemem on uninitialized pointers
use separate pango fontmap per thread
switch to python 3
do not leak filename when opening a broken file
fix leaks in rrdcached
avoid segfault when flushing cache
escape json in legend entries
fix leak in xport
make rrdcgi param parsing more robust
fix race in journal_write"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
This script appeared in the rootfiles for Core Updates 65 and 66, being
released in late 2012 and early 2013. It is not used elsewhere, and
there is no sense in keeping it around on IPFire installations.
Should this patch be accepted, a corresponding 'rm' statement is
necessary in the update.sh script of the Core Update it will go into.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://dlcdn.apache.org/httpd/CHANGES_2.4.53
Short summary of the most important SECURITY changes:
"Changes with Apache 2.4.53
*) SECURITY: CVE-2022-23943: mod_sed: Read/write beyond bounds
(cve.mitre.org)
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP
Server allows an attacker to overwrite heap memory with possibly
attacker provided data.
This issue affects Apache HTTP Server 2.4 version 2.4.52 and
prior versions.
Credits: Ronald Crane (Zippenhop LLC)
*) SECURITY: CVE-2022-22721: core: Possible buffer overflow with
very large or unlimited LimitXMLRequestBody (cve.mitre.org)
If LimitXMLRequestBody is set to allow request bodies larger
than 350MB (defaults to 1M) on 32 bit systems an integer
overflow happens which later causes out of bounds writes.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Anonymous working with Trend Micro Zero Day Initiative
*) SECURITY: CVE-2022-22720: HTTP request smuggling vulnerability
in Apache HTTP Server 2.4.52 and earlier (cve.mitre.org)
Apache HTTP Server 2.4.52 and earlier fails to close inbound
connection when errors are encountered discarding the request
body, exposing the server to HTTP Request Smuggling
Credits: James Kettle <james.kettle portswigger.net>
*) SECURITY: CVE-2022-22719: mod_lua Use of uninitialized value of
in r:parsebody (cve.mitre.org)
A carefully crafted request body can cause a read to a random
memory area which could cause the process to crash.
This issue affects Apache HTTP Server 2.4.52 and earlier.
Credits: Chamal De Silva
..."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
OpenSSL Security Advisory [15 March 2022]
============================================
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
(CVE-2022-0778)
==================================================================================
Severity: High
The BN_mod_sqrt() function, which computes a modular square root,
contains
a bug that can cause it to loop forever for non-prime moduli.
Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve
parameters with a base point encoded in compressed form.
It is possible to trigger the infinite loop by crafting a certificate
that
has invalid explicit curve parameters.
Since certificate parsing happens prior to verification of the
certificate
signature, any process that parses an externally supplied certificate
may thus
be subject to a denial of service attack. The infinite loop can also be
reached when parsing crafted private keys as they can contain explicit
elliptic curve parameters.
Thus vulnerable situations include:
- TLS clients consuming server certificates
- TLS servers consuming client certificates
- Hosting providers taking certificates or private keys from customers
- Certificate authorities parsing certification requests from
subscribers
- Anything else which parses ASN.1 elliptic curve parameters
Also any other applications that use the BN_mod_sqrt() where the
attacker
can control the parameter values are vulnerable to this DoS issue.
In the OpenSSL 1.0.2 version the public key is not parsed during initial
parsing of the certificate which makes it slightly harder to trigger
the infinite loop. However any operation which requires the public key
from the certificate will trigger the infinite loop. In particular the
attacker can use a self-signed certificate to trigger the loop during
verification of the certificate signature.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was
addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022.
OpenSSL 1.0.2 users should upgrade to 1.0.2zd (premium support customers
only)
OpenSSL 1.1.1 users should upgrade to 1.1.1n
OpenSSL 3.0 users should upgrade to 3.0.2
This issue was reported to OpenSSL on the 24th February 2022 by Tavis
Ormandy
from Google. The fix was developed by David Benjamin from Google and
Tomáš Mráz
from OpenSSL.
Note
====
OpenSSL 1.0.2 is out of support and no longer receiving public updates.
Extended
support is available for premium support customers:
https://www.openssl.org/support/contracts.html
OpenSSL 1.1.0 is out of support and no longer receiving updates of any
kind.
It is affected by the issue.
Users of these versions should upgrade to OpenSSL 3.0 or 1.1.1.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv/20220315.txt
Note: the online version of the advisory may be updated with additional
details
over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/policies/secpolicy.html
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This file contains our custom settings:
* Always load microcodes as early as possible
* We now compress the initrd using Zstandard which is substanstically
faster than XZ, but offers better compression ratios
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
To solve the behavior discribed in bug 12404 I added the path
/var/ipfire/cups to the backup.
Signed-off-by: Daniel Weismueller <daniel.weismueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://lists.gnu.org/archive/html/info-gnu/2022-02/msg00017.html
"This is a minor bugfix release.
...
* Noteworthy changes in release 1.21.3 (2022-02-26)
** Fix computation of total bytes downloaded during FTP transfers (#61277)
** Add option to select TLS 1.3 on the command line
** Fix HSTS build issues on some 64-bit big-endian systems
** Hide password during status report in --no-verbose
** Remove a spurious print statement that showed up even during --quiet
** Some more cleanups and bug-fixes"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
