For reasons I have not been able to determine, the RTC
module for the Ten64 board (rtc-rx8025) is not automatically
loaded at startup, despite every other relevant modules being
loaded.
modprobe it manually if we are on a Ten64 board.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
These two patches are needed to support SFP's on NXP DPAA2 platforms
(e.g Traverse Ten64).
The deadlock issue patch was submitted upstream a while ago and
rejected, however I am not aware of any better solutions at present.
The 10G mode additions are part of mainline since 5.16.
These two .patches were sourced from our patchset over here:
https://gitlab.com/traversetech/traverse-kernel-patches/-/tree/lts-5-15/patches
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.2.4 plus CVE-2022-29154 patch to 3.2.6
- Patch for CVE-2022-29154 applied in CU170 turned out to have a bug within it causing
rsync to fail with an error. Four additional commits were done to fix this bug and
its consequences but these were all applied in the rsync git repo after the patch had
been merged into CU170.
- Version 3.2.5 onwards contains the CVE-2022-29154 fix and associated commits.
- No update of rootfile required.
- Changelog
NEWS for rsync 3.2.6 (9 Sep 2022)
BUG FIXES:
More path-cleaning improvements in the file-list validation code to avoid
rejecting of valid args.
A file-list validation fix for a --files-from file that ends without a
line-terminating character.
Added a safety check that prevents the sender from removing destination
files when a local copy using --remove-source-files has some files that are
shared between the sending & receiving hierarchies, including the case
where the source dir & destination dir are identical.
Fixed a bug in the internal MD4 checksum code that could cause the digest to
be sporadically incorrect (the openssl version was/is fine).
A minor tweak to rrsync added "copy-devices" to the list of known args, but
left it disabled by default.
ENHANCEMENTS:
Rename --protect-args to --secluded-args to make it clearer how it differs
from the default backslash-escaped arg-protecting behavior of rsync. The
old option names are still accepted. The environment-variable override did
not change its name.
PACKAGING RELATED:
The configure option --with-protected-args was renamed to
--with-secluded-args. This option makes --secluded-args the default rsync
behavior instead of using backslash escaping for protecting args.
The mkgitver script now makes sure that a .git dir/file is in the top-level
source dir before calling git describe. It also runs a basic check on the
version value. This should avoid using an unrelated git description for
rsync's version.
DEVELOPER RELATED:
The configure script no longer sets the -pedantic-errors CFLAG (which it
used to try to do only for gcc).
The name_num_obj struct was modified to allow its dynamic name_num_item list
to be initialized in a better way.
NEWS for rsync 3.2.5 (14 Aug 2022)
SECURITY FIXES:
Added some file-list safety checking that helps to ensure that a rogue
sending rsync can't add unrequested top-level names and/or include
recursive names that should have been excluded by the sender. These extra
safety checks only require the receiver rsync to be updated. When dealing
with an untrusted sending host, it is safest to copy into a dedicated
destination directory for the remote content (i.e. don't copy into a
destination directory that contains files that aren't from the remote host
unless you trust the remote host). Fixes CVE-2022-29154.
A fix for CVE-2022-37434 in the bundled zlib (buffer overflow issue).
BUG FIXES:
Fixed the handling of filenames specified with backslash-quoted wildcards
when the default remote-arg-escaping is enabled.
Fixed the configure check for signed char that was causing a host that
defaults to unsigned characters to generate bogus rolling checksums. This
made rsync send mostly literal data for a copy instead of finding matching
data in the receiver's basis file (for a file that contains high-bit
characters).
Lots of manpage improvements, including an attempt to better describe how
include/exclude filters work.
If rsync is compiled with an xxhash 0.8 library and then moved to a system
with a dynamically linked xxhash 0.7 library, we now detect this and
disable the XX3 hashes (since these routines didn't stabilize until 0.8).
ENHANCEMENTS:
The --trust-sender option was added as a way to bypass the extra file-list
safety checking (should that be required).
PACKAGING RELATED:
A note to those wanting to patch older rsync versions: the changes in this
release requires the quoted argument change from 3.2.4. Then, you'll want
every single code change from 3.2.5 since there is no fluff in this release.
The build date that goes into the manpages is now based on the developer's
release date, not on the build's local-timezone interpretation of the date.
DEVELOPER RELATED:
Configure now defaults GETGROUPS_T to gid_t when cross compiling.
Configure now looks for the bsd/string.h include file in order to fix the
build on a host that has strlcpy() in the main libc but not defined in the
main string.h file.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog:
"6.0.8 -- 2022-09-27
Task #5552: libhtp 0.5.41
6.0.7 -- 2022-09-27
Security #5430: mqtt: DOS by quadratic with too many transactions in one parse (6.0.x backport)
Bug #5559: BUG_ON triggered from TmThreadsInjectFlowById (6.0.x backport)
Bug #5549: Failed assert DeStateSearchState (6.0.x)
Bug #5548: tcp: assertion failed in DoInsertSegment (BUG_ON) (6.0.x)
Bug #5547: rules: less strict parsing of unexpected flowbit options
Bug #5546: rules: don't error on bad hex in content
Bug #5540: detect: transform strip whitespace creates a 0-sized variable-length array: backport6
Bug #5505: http2: slow http2_frames_get_header_value_vec because of allocation [backport6]
Bug #5471: Reject action is no longer working (6.0.x backport)
Bug #5467: rules: more graceful handling of anomalies for stable versions
Bug #5459: Counters are not initialized in all places. (6.0.x backport)
Bug #5448: nfs: add maximum number of operations per compound (6.0.x backport)
Bug #5436: Infinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Bug #5335: flow: vlan.use-for-tracking is not used for ICMPv4 (6.0.x backport)
Bug #4421: flow manager: using too much CPU during idle (6.0.x backport)
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)
Task #5551: doc: add exception policy documentation (6.0.x)
Task #5533: detect/parse: add tests for parsing signatures with reject and drop action (6.0.x backport)
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)
Task #5381: add `alert-queue-expand-fails` command-line option (6.0.x backport)
Task #5328: python: distutils deprecation warning (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 37 to 38
- Update of rootfile
- mandoc is now a build dependency for efivar
- Old compile fixes patches are no longer required with version 38
- Details for lfs build of version 38 obtained from Beyond Linux From Scratch
- Changelog
bug fixes
Rework some makefile bits to make overriding some options simpler. by @vathpela in #140
Handle /sys/devices/virtual/{nvme-fabrics,nvme-subsystem} devices by @vathpela in #139
guids.S: Include <cet.h> when CET is enabled by @hjl-tools in #149
Fix /sys/block sysfs parsing for eMMC-s by @jwrdegoede in #150
Properly check mmap return error by @hannob in #152
Fix s{yt,ty}le typo in efi_get_variable(3) by @nabijaczleweli in #162
Handle NULL set_variable() by @lcp in #159
Fix parsing for nvme-subsystem devices by @dannf in #158
Attempt to fix the identified thread safety bugs by @vathpela in #155
Make thread-test depend on libefivar.so by @hjl-tools in #176
Upstream a local patch from rawhide by @frozencemetery in #177
Fix conversion from UTF8 to UCS2 by @freedge in #171
efivar: make docs match current code for 'efivar -A' by @vathpela in #178
Migrate CI to Github actions by @frozencemetery in #179
Add code of conduct by @frozencemetery in #180
Misc minor fixes by @vathpela in #182
Add efi_time_t declarations and helper functions. by @vathpela in #183
More misc fixes by @vathpela in #185
Run CI on more targets by @vathpela in #187
Coverity fixes 20211208 by @vathpela in #189
CI: run abicheck by @frozencemetery in #190
Fix linux virtual root device parsing by @vathpela in #188
efivar.spec.in: fix license to be valid SPDX by @frozencemetery in #192
Add efisecdb tooling by @vathpela in #184
Fix linker string comparison for dash by @frozencemetery in #194
Full changelog diff between version 37 and 38 is available in github repo
https://github.com/rhboot/efivar/compare/37...38
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
The scope option does not seem to work at all now, which is surprising
since I tested it quite well.
The secondary flag cannot be set from userspace (aparently), but it
works, so I would prefer to go with this option for now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
On some installations, we are running out of space on the /boot
partition due to growing sizes of the ramdisk and the kernel.
To accomodate for that and have room to grow in the future, we increase
the size of the partition to 256 MiB.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This is a maintenance release that bundles all the previously added
patches, which have therefore been deleted.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- Added new getmetadata function for easy access to all available
metadata of a pak without knowledge about or need to parse
pakfire internal db files.
- Added new 'pakfire info' functionality for displaying all available
metadata of (a) pak(s) to the user, using the new getmetadata.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
- Removed UI code from status function now returning hash with status
properties.
- Removed function coreupdate_available as it is now not used anymore
- Added UI code to pakfire status routine
- Added meaningfull exitcode to status:
- 2: Core update available
- 3: Pak update available
- 4: Reboot required
- Error codes can be added together: 2+3 = 5 means both core update
and pak update is available
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
- Added possibility to list available upgrades from commandline
using 'pakfire list upgrade'.
- Added exitcode to 'pakfire list'
- Moved 'Pakfire has finished' log message inside END block to
always log when pakfire exited.
- Fix: allow [options] between 'list' and [installed/notinstalled/
upgrade] parameters (Partly fixes Bug #12868)
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
upgradecore function should just upgrade the core:
Moved check if upgrade is necessary to pakfire upgrade code, removing
code from upgradecore function duplicating codedbinfo workings.
Also adding more vebosity to pakfire upgrade.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Replace dbgetlist code duplicating dblist and getmetafile
workings with call to actual dblist and getmetafile functions.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
- Removed UI code from dblist function and refactor it making it return
a hash representing the pak db for easier handling of this data.
- Moved core update check in dblist to new seperate dbcoreinfo function
making it return a hash with current and possibly available core
version info.
- Update existing calls to dblist
- Bring UI parts previously in dblist to pakfire program itself,
pakfire.cgi and index.cgi with a few small enhancements:
- Translations for 'Core-Update', 'Release', 'Update' and 'Version'
- Add currently installed version numbers to installed paks list in
pakfire.cgi
- Add 'Installed: yes/no' to pakfire list output so people not using
colors have this information too. (Partly fixes Bug #12868)
- Add update available details to pakfire list output if package has
updates available.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
The informative pakfire message
"No new upgrades available. You are on release ..."
does not mean that an error has happened. This patch adjusts
the log level prefix to "info" accordingly.
Reported-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Leo-Andres Hofmann <hofmann@leo-andres.de>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog:
"5.0.10 -- 2022-07-12
Bug #5429: TCP flow that retransmits the SYN with a newer TSval not properly tracked (5.0.x backport)
[Note: Therefore 'suricata-5.0-stream-tcp-Handle-retransmitted-SYN-with-TSval.patch' could be removed]
Bug #5424: inspection of smb traffic without smb/dcerpc doesn't work correct. (5.0.x backport)
Bug #5423: DCERPC protocol detection when nested in SMB (5.0.x backport)
Bug #5404: detect: will still inspect packets of a "dropped" flow for non-TCP (5.0.x backport)
Bug #5388: detect/threshold: offline time handling issue (5.0.x backports)
Bug #5358: test failure on Ubuntu 22.04 with GCC 12 (5.0.x backport)
Bug #5354: detect/alert: fix segvfault when incrementing discarded alerts if alert-queue-expand fails (5.0.x backport)
Bug #5345: CIDR prefix calculation fails on big endian archs (5.0.x backport)
Bug #5343: ftp: quadratic complexity for tx iterator with linked list (5.0.x backport)
Bug #5341: decode/mime: base64 decoding for data with spaces is broken (5.0.x backport)
Bug #5339: PreProcessCommands does not handle all the edge cases (5.0.x backport)
Bug #5325: FTP: expectation created in wrong direction (5.0.x backport)
Bug #5305: cppcheck: various static analyzer "warning"s
Bug #5302: Failed assert DeStateSearchState
Bug #5301: eve: payload field randomly missing even if the packet field is present
Bug #5289: Remove unneeded stack-on-signal initialization.
Bug #5283: 5.0.x: ftp: don't let first incomplete segment be over maximum length
Bug #5124: alerts: 5.0.8/6.0.4 count noalert sigs towards built-in alert limit (5.0.x backport)
Bug #5113: Off-by-one in flow-manager flow_hash row allocation
Bug #5055: Documentation copyright years are invalid
Bug #5021: dataset: error with space in rule language
Bug #4926: Rule error in SMB dce_iface and dce_opnum keywords (5.0.x backport)
Bug #4646: TCP reassembly, failed assert app_progress > last_ack_abs, both sides need to be pruned
Optimization #5123: alerts: use alert queing in DetectEngineThreadCtx (5.0.x backport)
Optimization #5121: Use configurable or more dynamic @ PACKET_ALERT_MAX@ (5.0.x backport)
Task #5322: stats/alert: log out to stats alerts that have been discarded from packet queue (5.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.2 to 9.0
- Update of rootfile
- Remove gcc10 detection patch as this is now built into the source tarball
- Update hardening crash patch. The issue related to the gcc10 patch seems to suggest
that when that is fixed then the hardening crash patch is not required but it wasn't
100% clear. So I have left the patch in place as it only changes one line and if it
worked with the earlier versions then it should also work now. If it is decided that
it is not needed then it can always be removed at a future update.
- Changelog is massive with over 30000 lines.
vim provides fixed updates such as 8.2 and 9.0 but then issues very frequent patch
updates. For version 8.2 there are 5172 patch updates none of which have been applied
to IPFire. All of these are now built into version 9.0
https://vimhelp.org/version9.txt.html#new-9 provides the details of what is new with
version 9.0, including details of all the 5172 patches.
- Key thing for version 9.0 is that there is a new Vim9 script language which is not
backwards compatible. However the old legacy script language will continue to be
supported so all old scripts can continue to be used.
- Version 9.0 already has 48 patches released. The releases occur virtually every day
with several days having multiple patch releases.
- Once this 9.0 version of vim has been confirmed to work successfully by people
experienced in using vim (I struggle to remember the set of characters to press to
exit from an editing session), then my plan is to periodically submit an update of the
patches, although some may be missed out as they are not relevant for IPFire - such
as deleting Travis CI config and improving the recognition of some Visual Basic files.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
