- Update from version 1.9.14p2 to 1.9.15p2
- Update of rootfile
- Changelog
1.9.15p2
* Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
GitHub issue #326.
1.9.15p1
* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
GitHub issue #325.
1.9.15
* Fixed an undefined symbol problem on older versions of macOS
when "intercept" or "log_subcmds" are enabled in sudoers.
GitHub issue #276.
* Fixed "make check" failure related to getpwent(3) wrapping
on NetBSD.
* Fixed the warning message for "sudo -l command" when the command
is not permitted. There was a missing space between "list" and
the actual command due to changes in sudo 1.9.14.
* Fixed a bug where output could go to the wrong terminal if
"use_pty" is enabled (the default) and the standard input, output
or error is redirected to a different terminal. Bug #1056.
* The visudo utility will no longer create an empty file when the
specified sudoers file does not exist and the user exits the
editor without making any changes. GitHub issue #294.
* The AIX and Solaris sudo packages on www.sudo.ws now support
"log_subcmds" and "intercept" with both 32-bit and 64-bit
binaries. Previously, they only worked when running binaries
with the same word size as the sudo binary. GitHub issue #289.
* The sudoers source is now logged in the JSON event log. This
makes it possible to tell which rule resulted in a match.
* Running "sudo -ll command" now produces verbose output that
includes matching rule as well as the path to the sudoers file
the matching rule came from. For LDAP sudoers, the name of the
matching sudoRole is printed instead.
* The embedded copy of zlib has been updated to version 1.3.
* The sudoers plugin has been modified to make it more resilient
to ROWHAMMER attacks on authentication and policy matching.
This addresses CVE-2023-42465.
* The sudoers plugin now constructs the user time stamp file path
name using the user-ID instead of the user name. This avoids a
potential problem with user names that contain a path separator
('/') being interpreted as part of the path name. A similar
issue in sudo-rs has been assigned CVE-2023-42456.
* A path separator ('/') in a user, group or host name is now
replaced with an underbar character ('_') when expanding escapes
in @include and @includedir directives as well as the "iolog_file"
and "iolog_dir" sudoers Default settings.
* The "intercept_verify" sudoers option is now only applied when
the "intercept" option is set in sudoers. Previously, it was
also applied when "log_subcmds" was enabled. Sudo 1.9.14
contained an incorrect fix for this. Bug #1058.
* Changes to terminal settings are now performed atomically, where
possible. If the command is being run in a pseudo-terminal and
the user's terminal is already in raw mode, sudo will not change
the user's terminal settings. This prevents concurrent sudo
processes from restoring the terminal settings to the wrong values.
GitHub issue #312.
* Reverted a change from sudo 1.9.4 that resulted in PAM session
modules being called with the environment of the command to be
run instead of the environment of the invoking user.
GitHub issue #318.
* New Indonesian translation from translationproject.org.
* The sudo_logsrvd server will now raise its open file descriptor
limit to the maximum allowed value when it starts up. Each
connection can require up to nine open file descriptors so the
default soft limit may be too low.
* Better log message when rejecting a command if the "intercept"
option is enabled and the "intercept_allow_setid" option is
disabled. Previously, "command not allowed" would be logged and
the user had no way of knowing what the actual problem was.
* Sudo will now log the invoking user's environment as "submitenv"
in the JSON logs. The command's environment ("runenv") is no
longer logged for commands rejected by the sudoers file or an
approval plugin.
1.9.14p3
* Fixed a crash with Python 3.12 when the sudo Python plugin is
unloaded. This only affects "make check" for the Python plugin.
* Adapted the sudo Python plugin test output to match Python 3.12.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 2.28.3 to 2.28.5
- Update of rootfile
- Changelog
2.28.5
This is a stable bugfix release, with the following changes:
Added support for the HP HyperX Clutch Gladiate controller
Fixed a crash if a controller is disconnected while SDL is opening it
Fixed a crash on Linux if XInput2 isn't available at runtime
2.28.4
This is a stable bugfix release, with the following changes:
Enable clipping for zero sized rectangles in the SDL renderer
Notify X11 clipboard managers when the clipboard changes
Fixed sensor timestamps for third-party PS5 controllers
Added detection for Logitech and Simagic racing wheels
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from 2.8.0 to 2.8.1
- Update of rootfile
- Disable creating docs i9n configure statement
- Changelog is too large to include here (~500 lines). For more details read the NEWS.adoc
file in thye source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 0.189 to 0.190
- Update of rootfile
- Changelog
0.190
CONTRIBUTING: Switch from real name policy to known identity policy.
Updated ChangeLog policy (no more separate ChangeLog files).
There is a SECURITY bug policy now.
The default branch is now 'main'.
libelf: Add RELR support.
libdw: Recognize .debug_[ct]u_index sections
readelf: Support readelf -Ds, --use-dynamic --symbol.
Support .gdb_index version 9
scrlines: New tool that compiles a list of source files associated
with a specified dwarf/elf file.
debuginfod: Schema change (reindexing required, sorry!) for a 60%
compression in filename representation, which was a large
part of the sqlite index; also, more deliberate sqlite
-wal management during scanning using the
--scan-checkpoint option.
backends: Various LoongArch updates.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 8.1.1 to 8.2.2
- Update of rootfile
- Changelog
8.2.2
- Fix regression from 8.1.0 in shaping fonts with duplicate feature tags.
- Fix regression from 8.2.0 in parsing CSS-style feature strings.
- Variable fonts instanciation now handles more tables.
- Various CMake build improvements.
- various fixes to build without errors with gcc 4.9.2.
8.2.1
- Unicode 15.1 support.
8.2.0
- Various build and fuzzing fixes
- Improvements to COLRv1 painting.
- New API:
+hb_paint_color_glyph_func_t
+hb_paint_funcs_set_color_glyph_func
+hb_paint_color_glyph
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 10.01.2 to 10.02.1
- Update of rootfile
- Changelog - these are highlights. For more details the git commits have to be used.
10.02.1
release fixes CVE-2023-43115.
CVE-2023-43115 affects all Ghostscript/GhostPDL versions prior to 10.02.0.
CVE-2023-43115 is a remote code execution risk, so we recommend upgrading to
version 10.02.0 as a matter of urgency
10.02.0
release fixes CVE-2023-43115.
CVE-2023-43115 affects all Ghostscript/GhostPDL versions prior to 10.02.0.
CVE-2023-43115 is a remote code execution risk, so we recommend upgrading to
version 10.02.0 as a matter of urgency
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 5.2.2 to 5.3.0
- Update of rootfile
- Changelog
5.3.0
1. Infrastructure changes: Removed the use of libsigsegv. The
value-add was never very much and it caused problems in some
environments.
2. In keeping with new features in BWK awk, gawk now has built-in
CSV file parsing. The behavior is intended to be identical to
that of the "One True AWK" when --csv is applied. See the
manual for details.
3. Also in keeping with BWK awk, gawk now supports a new \u escape
sequence. This should be followed by 1-8 hexadecimal digits. The
given code point is converted to its corresponding multibyte encoding
for storage inside gawk. See the manual.
4. If PROCINFO["BUFFERPIPE"] exists, then pipe output is buffered.
You can also use PROCINFO["command", "BUFFERPIPE"]. See the manual
for details.
5. Because of the additional `do_csv' variable in the API, which breaks
binary compatibility, the API major version was updated to 4 and
the minor version was reset to zero. The API remains source code
compatible; that is, existing extensions should only require recompilation.
6. The manual now requires Texinfo 7.1 and its texinfo.tex for formatting.
As a result, we no longer need to pre-process it, removing the need
for gawktexi.in and leaving just gawk.texi.
7. And of course, there have been several minor code cleanups and bug fixes.
See the ChangeLog for details.
5.2.x
1. The readdir extension has been updated with additonal code and
features, see the manual or its man page. As a result, the
readdir_test.c extension has been removed.
2. We have a new translation: Ukranian.
3. Several subtle issues related to null regexp matches around
multibyte characters have been fixed.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://blog.clamav.net/2023/10/clamav-121-113-104-010311-patch.html
Excerpt:
"ClamAV 1.2.1 is a patch release with the following fixes:
Eliminate security warning about unused "atty" dependency.
Upgrade the bundled UnRAR library (libclamunrar) to version 6.2.12.
Build system: Fix link error with Clang/LLVM/LLD version 17. Patch courtesy of Yasuhiro Kimura.
Fix alert-exceeds-max feature for files > 2GB and < max-filesize."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
This will affect new IPFire installations only, implementing a
long-standing BCP for preemptively combating botnet spam. Reject is
chosen over drop to reduce the likelihood for confusion during network
troubleshooting.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Tested-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 11.5.0 to 11.6.1
- Update of rootfile
- Changelog
11.6.1: release
* Fix a logic error introduced in 11.6.0 in the fix to
copyForeignObject. The bug could result in some pages not being
copied.
11.6.0: release
* ascii85 parser: ignore spaces everywhere including between ~
and >. Fixes#973.
* Bug fix: with --pages, if one of the external files had warnings
but the main file did not, the warning was previously not taken
into consideration when determining the exit status.
* Put quotation marks around the command in completion output to
better handle spaces in paths. It is not a perfect fix (ideally,
full shell-compatible quoting should be used), but it handles more
cases than the old code and should handle all reasonable cases of
qpdf being in a directory with a space in its name, which is
common in Windows. Fixes#1021.
* Move check for random number device to runtime instead of
compile time. Since, by default, the crypto provider provides
random numbers, runtime determination of a random number device is
usually not needed. Fixes#1022.
* Maintain links to foreign pages when copying foreign objects.
This allows hyperlinks in imported files to work. Fixes#1003.
* Bug fix: Return a null object if an attempt is made to to copy a
foreign /Pages object with copyForeignObject. This corrects a
possible crash. Fixes#1010.
* Bug fix: Return a null object if an attempt is made to to copy a
foreign /Pages object with copyForeignObject. Fixes#1003.
* Add /MediaBox to a page if absent. Thanks M. Holger.
* Use std::vector internally for Pl_Buffer to
avoid incompatibility with C++20. Thanks to Zoe Clifford. Fixes#1024.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.6 to 1.7
- This project had little happen to it for 5 years but is now going again
https://jqlang.github.io/jq/
- Update of rootfile
- Changelog
1.7
After a five year hiatus we're back with a GitHub organization, with new admins
and new maintainers who have brought a great deal of energy to make a
long-awaited and long-needed new release. We're very grateful for all the new
owners, admins, and maintainers. Special thanks go to Owen Ou (@owenthereal)
for pushing to set up a new GitHub organization for jq, Stephen Dolan (@stedolan)
for transferring the jq repository to the new organization, @itchyny for doing a
great deal of work to get the release done, Mattias Wadman (@wader) and Emanuele
Torre (@emanuele6) for many PRs and code reviews. Many others also contributed
PRs, issues, and code reviews as well, and you can find their contributions in
the Git log and on the [closed issues and PRs page]
(https://github.com/jqlang/jq/issues?q=is%3Aclosed+sort%3Aupdated-desc).
Since the last stable release many things have happened:
- jq now lives at <https://github.com/jqlang>
- New maintainers, admins, and owners have been recruited.
- A list of [current maintainers](https://github.com/jqlang/jq/blob/jq-1.7/AUTHORS#L4-L14)
- NEWS file is replaced by NEWS.md with Markdown format. @wader #2599
- CI, scan builds, release, website builds etc now use GitHub actions. @owenthereal @wader @itchyny #2596#2603#2620#2723
- Lots of documentation improvements and fixes.
- Website updated with new section search box, better section ids for linking, dark mode, etc. @itchyny #2628
- Release builds for:
- Linux `amd64`, `arm64`, `armel`, `armhf`, `i386`, `mips`, `mips64`, `mips64el`, `mips64r6`, `mips64r6el`, `mipsel`, `mipsr6`, `mipsr6el`, `powerpc`, `ppc64el`, `riscv64` and `s390x`
- macOS `amd64` and `arm64`
- Windows `i386` and `amd64`
- Docker `linux/386`, `linux/amd64`, `linux/arm64`, `linux/mips64le`, `linux/ppc64le`, `linux/riscv64` and `linux/s390x`
- More details see @owenthereal #2665
- Docker images are now available from `ghcr.io/jqlang/jq` instead of Docker Hub. @itchyny #2652#2686
- OSS-fuzz. @DavidKorczynski #2760#2762
Full commit log can be found at <https://github.com/jqlang/jq/compare/jq-1.6...jq-1.7> but here are some highlights:
CLI changes
- Make object key color configurable using `JQ_COLORS` environment variable. @itchyny @haguenau @ericpruitt #2703
- Change the default color of null to Bright Black. @itchyny #2824
- Respect `NO_COLOR` environment variable to disable color output. See <https://no-color.org> for details. @itchyny #2728
- Improved `--help` output. Now mentions all options and nicer order. @itchyny @wader #2747#2766#2799
- Fix multiple issues of exit code using `--exit-code`/`-e` option. @ryo1kato #1697
- Add `--binary`/`-b` on Windows for binary output. To get `\n` instead of `\r\n` line endings. @nicowilliams 0dab2b1
- Add `--raw-output0` for NUL (zero byte) separated output. @asottile @pabs3 @itchyny #1990#2235#2684
- Fix assert crash and validate JSON for `--jsonarg`. @wader #2658
- Remove deprecated `--argfile` option. @itchyny #2768
- Enable stack protection. @nicowilliams #2801
Language changes
- Use decimal number literals to preserve precision. Comparison operations respects precision but arithmetic operations might truncate. @leonid-s-usov #1752
- Adds new builtin `pick(stream)` to emit a projection of the input object or array. @pkoppstein #2656#2779
- Adds new builtin `debug(msgs)` that works like `debug` but applies a filter on the input before writing to stderr. @pkoppstein #2710
- Adds new builtin `scan($re; $flags)`. Was documented but not implemented. @itchyny #1961
- Adds new builtin `abs` to get absolute value. This potentially allows the literal value of numbers to be preserved as `length` and `fabs` convert to float. @pkoppstein #2767
- Allow `if` without `else`-branch. When skipped the `else`-branch will be `.` (identity). @chancez @wader #1825#2481
- Allow use of `$binding` as key in object literals. @nicowilliams 8ea4a55
- Allow dot between chained indexes when using `.["index"]` @nicowilliams #1168
- Allow dot for chained value iterator `.[]`, `.[]?` @wader #2650
- Fix try/catch catches more than it should. @nicowilliams #2750
- Speed up and refactor some builtins, also remove `scalars_or_empty/0`. @muhmuhten #1845
- Now `halt` and `halt_error` exit immediately instead of continuing to the next input. @emanuele6 #2667
- Fix issue converting string to number after previous convert error. @thalman #2400
- Fix issue representing large numbers on some platforms causing invalid JSON output. @itchyny #2661
- Fix deletion using assigning empty against arrays. @itchyny #2133
- Allow keywords to be used as binding name in more places. @emanuele6 #2681
- Allow using `nan` as NaN in JSON. @emanuele6 #2712
- Expose a module's function names in `modulemeta`. @mrwilson #2837
- Fix `contains/1` to handle strings with NUL. @nicowilliams 61cd6db
- Fix `stderr/0` to output raw text without any decoration. @itchyny #2751
- Fix `nth/2` to emit empty on index out of range. @itchyny #2674
- Fix `implode` to not assert and instead replace invalid unicode codepoints. @wader #2646
- Fix `indices/1` and `rindex/1` in case of overlapping matches in strings. @emanuele6 #2718
- Fix `sub/3` to resolve issues involving global search-and-replace (gsub) operations. @pkoppstein #2641
- Fix `significand/0`, `gamma/0` and `drem/2` to be available on macOS. @itchyny #2756#2775
- Fix empty regular expression matches. @itchyny #2677
- Fix overflow exception of the modulo operator. @itchyny #2629
- Fix string multiplication by 0 (and less than 1) to emit empty string. @itchyny #2142
- Fix segfault when using libjq and threads. @thalman #2546
- Fix constant folding of division and reminder with zero divisor. @itchyny #2797
- Fix `error/0`, `error/1` to throw null error. @emanuele6 #2823
- Simpler and faster `transpose`. @pkoppstein #2758
- Simple and efficient implementation of `walk/1`. @pkoppstein #2795
- Remove deprecated filters `leaf_paths`, `recurse_down`. @itchyny #2666
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.14.6 to 1.14.10
- Update of rootfile
- Changelog
dbus 1.14.10 (2023-09-01)
Bug fixes:
• Avoid a dbus-daemon crash if re-creating a connection's policy fails.
If it isn't possible to re-create its policy (for example if it belongs
to a user account that has been deleted or if the Name Service Switch is
broken, on a system not supporting SO_PEERGROUPS), we now log a warning,
continue to use its current policy, and continue to reload other
connections' policies. (dbus#343; Peter Benie, Simon McVittie)
• If getting the groups from a user ID fails, report the error correctly,
instead of logging "(null)" (dbus#343, Simon McVittie)
• Return the primary group ID in GetConnectionCredentials()' UnixGroupIDs
field for processes with a valid-but-empty supplementary group list
(dbus!422, cptpcrd)
dbus 1.14.8 (2023-06-06)
Denial-of-service fixes:
• Fix an assertion failure in dbus-daemon when a privileged Monitoring
connection (dbus-monitor, busctl monitor, gdbus monitor or similar)
is active, and a message from the bus driver cannot be delivered to a
client connection due to <deny> rules or outgoing message quota. This
is a denial of service if triggered maliciously by a local attacker.
(dbus#457; hongjinghao, Simon McVittie)
Other fixes:
• Fix compilation on compilers not supporting __FUNCTION__
(dbus!404, Barnabás Pőcze)
• Fix some memory leaks on out-of-memory conditions
(dbus!403, Barnabás Pőcze)
• Documentation:
· Fix syntax of a code sample in dbus-api-design
(dbus!396; Yen-Chin, Lee)
Tests and CI enhancements:
• Fix CI pipelines after freedesktop/freedesktop#540
(dbus!405, dbus#456; Simon McVittie)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Fixes custom IPFire Zabbix Agent userparameter ipfire.net.gateway.ping
returning 1 (success) when fping failed for other reasons (rc 2,3 or 4)
than host unreachable (rc 0).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This has been our default setting on x86_64 for quite some time now,
which is why this patch aligns the aarch64 kernel configuration to that
value.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This subsystem has been a frequent source of security vulnerabilities
affecting the Linux kernel; as a result, Google announced on June 14,
2023, that they would disable it in their environment as widely as
possible.
IPFire does not depend on the availability of io_uring. Therefore,
disable this subsystem as well in order to preemptively cut attack
surface.
See also: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
v4.19.1. => https://www.samba.org/samba/history/samba-4.19.1.html
"
==============================
Release Notes for Samba 4.19.1
October 10, 2023
==============================
This is a security release in order to address the following defects:
o CVE-2023-3961: Unsanitized pipe names allow SMB clients to connect as root to
existing unix domain sockets on the file system.
https://www.samba.org/samba/security/CVE-2023-3961.html
o CVE-2023-4091: SMB client can truncate files to 0 bytes by opening files with
OVERWRITE disposition when using the acl_xattr Samba VFS
module with the smb.conf setting
"acl_xattr:ignore system acls = yes"
https://www.samba.org/samba/security/CVE-2023-4091.html
o CVE-2023-4154: An RODC and a user with the GET_CHANGES right can view all
attributes, including secrets and passwords. Additionally,
the access check fails open on error conditions.
https://www.samba.org/samba/security/CVE-2023-4154.html
o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
server block for a user-defined amount of time, denying
service.
https://www.samba.org/samba/security/CVE-2023-42669.html
o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
listeners, disrupting service on the AD DC.
https://www.samba.org/samba/security/CVE-2023-42670.html"
v4.19.2 => https://www.samba.org/samba/history/samba-4.19.2.html
"Changes since 4.19.1
--------------------
o Jeremy Allison <jra@samba.org>
* BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
after failed IPC FSCTL_PIPE_TRANSCEIVE.
* BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
call.
o Ralph Boehme <slow@samba.org>
* BUG 15463: macOS mdfind returns only 50 results.
o Volker Lendecke <vl@samba.org>
* BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
previous cache entry value.
o Stefan Metzmacher <metze@samba.org>
* BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
impacts sendmail, zabbix, potentially more.
o Martin Schwenke <mschwenke@ddn.com>
* BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
Heimdal KDC in Samba 4.19
* BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
in use."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- A script was added to the update.sh script to add pass/no pass to the ovpnconfig entries
but I forgot that this was also needed in the backup.pl file to add those statuses into
any ovpnconfig file restored from a backup before the pass/no pass entries were added.
- This patch corrects that oversight.
- Confirmed by testing on my vm. Before the script added to backup.pl a restore of older
ovpnconfig ended up not showing any icons or status elements. With the script in
backup.pl confirmed that the restored ovpnconfig showed up in the WUI page correctly
with the right icons and with the status elements correctly displayed.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
