- Update from version 4.3 to 4.4
- Update of rootfile
- the $(MAKETUNING) option does not work with the elinks build with version 4.4 A linked
patch has been created for the removal of that option from the elinks lfs file.
- Changelog
Version 4.4 (31 Oct 2022)
A complete list of bugs fixed in this version is available here:
https://sv.gnu.org/bugs/index.php?group=make&report_id=111&fix_release_id=109&set=custom
* WARNING: Deprecation!
The following systems are deprecated in this release:
- OS/2 (EMX)
- AmigaOS
- Xenix
- Cray
In the NEXT release of GNU Make, support for these systems will be removed.
If you want to see them continue to be supported, contact <bug-make@gnu.org>.
* WARNING: Future backward-incompatibility!
In the NEXT release of GNU Make, pattern rules will implement the same
behavior change for multiple targets as explicit grouped targets, below: if
any target of the rule is needed by the build, the recipe will be invoked if
any target of the rule is missing or out of date. During testing some
makefiles were found to contain pattern rules that do not build all targets;
this can cause issues so we are delaying this change for one release cycle
to allow these makefiles to be updated. GNU Make shows a warning if it
detects this situation: "pattern recipe did not update peer target".
* WARNING: Backward-incompatibility!
GNU Make now uses temporary files in more situations than previous releases.
If your build system sets TMPDIR (or TMP or TEMP on Windows) and deletes the
contents during the build, or uses restrictive permissions, this may cause
problems. You can choose an alternative temporary directory only for use by
GNU Make by setting the new MAKE_TMPDIR environment variable before invoking
make. Note that this value CANNOT be set inside the makefile, since make
needs to find its temporary directory before the makefiles are parsed.
* WARNING: Backward-incompatibility!
Previously each target in a explicit grouped target rule was considered
individually: if the targets needed by the build were not out of date the
recipe was not run even if other targets in the group were out of date. Now
if any of the grouped targets are needed by the build, then if any of the
grouped targets are out of date the recipe is run and all targets in the
group are considered updated.
* WARNING: Backward-incompatibility!
Previously if --no-print-directory was seen anywhere in the environment or
command line it would take precedence over any --print-directory. Now, the
last setting of directory printing options seen will be used, so a command
line such as "--no-print-directory -w" _will_ show directory entry/exits.
* WARNING: Backward-incompatibility!
Previously the order in which makefiles were remade was not explicitly
stated, but it was (roughly) the inverse of the order in which they were
processed by make. In this release, the order in which makefiles are
rebuilt is the same order in which make processed them, and this is defined
to be true in the GNU Make manual.
* WARNING: Backward-incompatibility!
Previously only simple (one-letter) options were added to the MAKEFLAGS
variable that was visible while parsing makefiles. Now, all options are
available in MAKEFLAGS. If you want to check MAKEFLAGS for a one-letter
option, expanding "$(firstword -$(MAKEFLAGS))" is a reliable way to return
the set of one-letter options which can be examined via findstring, etc.
* WARNING: Backward-incompatibility!
Previously makefile variables marked as export were not exported to commands
started by the $(shell ...) function. Now, all exported variables are
exported to $(shell ...). If this leads to recursion during expansion, then
for backward-compatibility the value from the original environment is used.
To detect this change search for 'shell-export' in the .FEATURES variable.
* WARNING: New build requirement
GNU Make utilizes facilities from GNU Gnulib: Gnulib requires certain C99
features in the C compiler and so these features are required by GNU Make:
https://www.gnu.org/software/gnulib/manual/html_node/C99-features-assumed.html
The configure script should verify the compiler has these features.
* New feature: The .WAIT special target
If the .WAIT target appears between two prerequisites of a target, then
GNU Make will wait for all of the targets to the left of .WAIT in the list
to complete before starting any of the targets to the right of .WAIT.
This feature is available in some other versions of make, and it will be
required by an upcoming version of the POSIX standard for make.
Different patches were made by Alexey Neyman <alex.neyman@auriga.ru> (2005)
and Steffen Nurpmeso <steffen@sdaoden.eu> (2020) that were useful but the
result is a different implementation (closer to Alexey's idea).
* New feature: .NOTPARALLEL accepts prerequisites
If the .NOTPARALLEL special target has prerequisites then all prerequisites
of those targets will be run serially (as if .WAIT was specified between
each prerequisite).
* New feature: The .NOTINTERMEDIATE special target
.NOTINTERMEDIATE disables intermediate behavior for specific files, for all
files built using a pattern, or for the entire makefile.
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* New feature: The $(let ...) function
This function allows user-defined functions to define a set of local
variables: values can be assigned to these variables from within the
user-defined function and they will not impact global variable assignments.
Implementation provided by Jouke Witteveen <j.witteveen@gmail.com>
* New feature: The $(intcmp ...) function
This function allows conditional evaluation controlled by a numerical
comparison.
Implementation provided by Jouke Witteveen <j.witteveen@gmail.com>
* New feature: Improved support for -l / --load-average
On systems that provide /proc/loadavg (Linux), GNU Make will use it to
determine the number of runnable jobs and use this as the current load,
avoiding the need for heuristics.
Implementation provided by Sven C. Dack <sdack@gmx.com>
* New feature: The --shuffle command line option
This option reorders goals and prerequisites to simulate non-determinism
that may be seen using parallel build. Shuffle mode allows a form of "fuzz
testing" of parallel builds to verify that all prerequisites are correctly
described in the makefile.
Implementation provided by Sergei Trofimovich <siarheit@google.com>
* New feature: The --jobserver-style command line option and named pipes
A new jobserver method is used on systems where mkfifo(3) is supported.
This solves a number of obscure issues related to using the jobserver
and recursive invocations of GNU Make. This change means that sub-makes
will connect to the jobserver even if they are not marked as recursive.
It also means that other tools that want to participate in the jobserver
will need to be enhanced as described in the GNU Make manual.
You can force GNU Make to use the simple pipe-based jobserver (perhaps if
you are integrating with other tools or older versions of GNU Make) by
adding the '--jobserver-style=pipe' option to the command line of the
top-level invocation of GNU Make, or via MAKEFLAGS or GNUMAKEFLAGS.
To detect this change search for 'jobserver-fifo' in the .FEATURES variable.
* Some POSIX systems (*BSD) do not allow locks to be taken on pipes, which
caused the output sync feature to not work properly there. Also multiple
invocations of make redirecting to the same output file (e.g., /dev/null)
would cause hangs. Instead of locking stdout (which does have some useful
performance characteristics, but is not portable) create a temporary file
and lock that. Windows continues to use a mutex as before.
* GNU Make has sometimes chosen unexpected, and sub-optimal, chains of
implicit rules due to the definition of "ought to exist" in the implicit
rule search algorithm, which considered any prerequisite mentioned in the
makefile as "ought to exist". This algorithm has been modified to prefer
prerequisites mentioned explicitly in the target being built and only if
that results in no matching rule, will GNU Make consider prerequisites
mentioned in other targets as "ought to exist".
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* GNU Make was performing secondary expansion of all targets, even targets
which didn't need to be considered during the build. In this release
only targets which are considered will be secondarily expanded.
Implementation provided by Dmitry Goncharov <dgoncharov@users.sf.net>
* If the MAKEFLAGS variable is modified in a makefile, it will be re-parsed
immediately rather than after all makefiles have been read. Note that
although all options are parsed immediately, some special effects won't
appear until after all makefiles are read.
* The -I option accepts an argument "-" (e.g., "-I-") which means "reset the
list of search directories to empty". Among other things this can be used
to prevent GNU Make from searching in its default list of directories.
* New debug option "print" will show the recipe to be run, even when silent
mode is set, and new debug option "why" will show why a target is rebuilt
(which prerequisites caused the target to be considered out of date).
Implementation provided by David Boyce <David.S.Boyce@gmail.com>
* The existing --trace option is made equivalent to --debug=print,why
* Target-specific variables can now be marked "unexport".
* Exporting / unexporting target-specific variables is handled correctly, so
that the attribute of the most specific variable setting is used.
* Special targets like .POSIX are detected upon definition, ensuring that any
change in behavior takes effect immediately, before the next line is parsed.
* When the pipe-based jobserver is enabled and GNU Make decides it is invoking
a non-make sub-process and closes the jobserver pipes, it will now add a new
option to the MAKEFLAGS environment variable that disables the jobserver.
This prevents sub-processes that invoke make from accidentally using other
open file descriptors as jobserver pipes. For more information see
https://savannah.gnu.org/bugs/?57242 and https://savannah.gnu.org/bugs/?62397
* A long-standing issue with the directory cache has been resolved: changes
made as a side-effect of some other target's recipe are now noticed as
expected.
* GNU Make can now be built for MS-Windows using the Tiny C tcc compiler.
Port provided by Christian Jullien <eligis@orange.fr>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
This removes support for building IPFire for 32 bit ARM architectures.
This has been decided in August 2022 with six months notice as there are
not very many users and hardware is generally not available any more.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- libtirpc is required for lsof to work from CU172 onwards. rpc.h is no longer available
from glibc. This would normally cause the lsof build to fail but libtirpc as an addon
is built before lsof and so is present in the build and lsof is linked to it.
When running lsof it fails as the linked libtirpc library is not present unless it has
been installed as an addon.
- This patch converts the libtirpc lfs from an addon to a core program and moves the
rootfile from the packages directory to the common directory.
- Tested out on my vm testbed. With CU172 lsof fails to run due to the missing libtirpc
With the build based on this patch installed lsof works normally again.
- Disabled the static library build in the configure options and updated the rootfile
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Fixes: Bug#13015
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Changes in version 0.4.7.13 - 2023-01-12
This version contains three major bugfixes, two for relays and one for
client being a security fix, TROVE-2022-002. We have added, for Linux, the
support for IP_BIND_ADDRESS_NO_PORT for relays using OutboundBindAddress.
We strongly recommend to upgrade to this version considering the important
congestion control fix detailed below.
o Major bugfixes (congestion control):
- Avoid incrementing the congestion window when the window is not
fully in use. Thia prevents overshoot in cases where long periods
of low activity would allow our congestion window to grow, and
then get followed by a burst, which would cause queue overload.
Also improve the increment checks for RFC3742. Fixes bug 40732;
bugfix on 0.4.7.5-alpha.
o Major bugfixes (relay):
- When opening a channel because of a circuit request that did not
include an Ed25519 identity, record the Ed25519 identity that we
actually received, so that we can use the channel for other
circuit requests that _do_ list an Ed25519 identity. (Previously
we had code to record this identity, but a logic bug caused it to
be disabled.) Fixes bug 40563; bugfix on 0.3.0.1-alpha. Patch
from "cypherpunks".
o Major bugfixes (TROVE-2022-002, client):
- The SafeSocks option had its logic inverted for SOCKS4 and
SOCKS4a. It would let the unsafe SOCKS4 pass but not the safe
SOCKS4a one. This is TROVE-2022-002 which was reported on
Hackerone by "cojabo". Fixes bug 40730; bugfix on 0.3.5.1-alpha.
o Minor feature (authority):
- Reject 0.4.6.x series at the authority level. Closes ticket 40664.
o Minor features (fallbackdir):
- Regenerate fallback directories generated on January 12, 2023.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2023/01/12.
o Minor features (relays):
- Set the Linux-specific IP_BIND_ADDRESS_NO_PORT option on outgoing
sockets, allowing relays using OutboundBindAddress to make more
outgoing connections than ephemeral ports, as long as they are to
separate destinations. Related to issue 40597; patch by Alex
Xu (Hello71).
o Minor bugfixes (relay, metrics):
- Fix typo in a congestion control label on the MetricsPort. Fixes
bug 40727; bugfix on 0.4.7.12.
o Minor bugfixes (sandbox, authority):
- With the sandbox enabled, allow to write "my-consensus-
{ns|microdesc}" and to rename them as well. Fixes bug 40729;
bugfix on 0.3.5.1-alpha.
o Code simplifications and refactoring:
- Rely on actual error returned by the kernel when choosing what
resource exhaustion to log. Fixes issue 40613; Fix
on tor-0.4.6.1-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 0.40.0 to 0.42.2
- Update of rootfile
- Build converted to meson
- Changelog is empty in the source tarball as is the NEWS file. There is no change log
info on the webpage. The only source of change info are the commits from the git repo
https://cgit.freedesktop.org/pixman/log/
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.16.0 to 1.17.6
- Update of rootfile
- Next version will only build with meson and as there were some bugs with the autoconf
tools build which required a hack to overcome, this version was changed to run with
meson. beos and os2 backends are no longer supported and windows only builds if the
platform being used for the build is windows based. Therefore those options are no
longer needed. meson uses shared libraries only by default.
- The cairo-1.16.0-binutils-2.34 patch is no longer needed as the changes have been
included in the source tarball.
- tarball had to be changed to .bz2 as xz is no longer provided.
- Changelog
Release 1.17.6 (2022-03-18 Emmanuele Bassi <ebassi@gnome.org>)
I spy with my little eye… a Cairo snapshot!
First of all, many, many thanks to everyone who contributed to Cairo
during this development cycle. A special thank you goes to:
- Adrian Johnson
- Uli Schlachter
for their tireless efforts in ensuring that the lights are still on
in the Cairo project.
This snapshot sees the removal of the following backends and platform
support:
- Qt4
- BeOS
- OS/2
- DirectFB
- DRM
- Cogl
- OpenVG
Thanks to all past contributors for their work on them. If you were using
any of these backends then you will need to stick to Cairo 1.16.
To offset the removal of the backends above, Adrian Johnson landed the
DWrite font rendering backend on Windows.
There have been multiple improvements in the Quartz backend, courtesy of
John Ralls.
Tim-Philipp Müller has kept the Meson build in top shape.
This snapshot is going to be the **last** release of Cairo with the
Autotools build system. The Meson build has seen many improvements and
it is considerably easier to maintain and faster to build.
Release 1.17.4 (2020-11-27 Bryce Harrington <bryce@bryceharrington.org>)
Thank you to the many people who have contributed the large number of
bug fixes and refinements since 1.17.2.
A particularly noteworthy improvement in this release is the addition of
the meson build system as an alternative to autotools. Autotools is
still used for producing the releases, so will be the default in the
tarball and presumably will still be preferred by distro packagers of
Cairo. It should be possible to build the release tarball using meson,
but as this is new functionality consider it still a work in progress.
The meson configuration has striven to track the autotools
implementation but be aware there may still be some differences between
the two.
Continuous Integration configurations have been added that enable
testing on a variety of platforms including Fedora, Windows MSVC, etc.
This work has helped in identifying updates and fixes including
adjusting to changes in API calls in dependencies like rsvg and
fontconfig, and to fix platform-specific build issues.
The cogl Cairo backend underwent significant development this cycle.
Cogl provides GPU accelerated drawing support. The development work
includes implementation of core functionality, performance
optimizations, and stabilization.
Subpixel positioning support allows improved glyph outlines with the
Freetype font backend.
For a complete log of changes, please see
https://cairographics.org/releases/ChangeLog.1.17.4
[On a personal note, this will be my last release for Cairo. My Cairo
time availability has been non-existent (particularly this crazy past
year). The release process is well documented and hopefully will help
whomever picks up the baton from here.]
Release 1.17.2 (2019-01-31 Bryce Harrington <bryce@bryceharrington.org>)
This snapshot provides the new support for writing floating point
formats as 16 bpc PNGs, with support for RGBA128F and RGB96F formats.
This new feature increases Cairo's pixman version requirement to 0.36.0.
Beyond this are a range of bugfixes and some work on establishing CI for
Cairo.
For a complete log of changes, please see
https://cairographics.org/releases/ChangeLog.1.17.2
API Changes
None
Dependency Changes
pixman 0.36.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 5.4.0 to 5.4.1
- Update of rootfile
- Changelog
5.4.1 (2023-01-11)
* liblzma:
- Fixed the return value of lzma_microlzma_encoder() if the
LZMA options lc/lp/pb are invalid. Invalid lc/lp/pb options
made the function return LZMA_STREAM_END without encoding
anything instead of returning LZMA_OPTIONS_ERROR.
- Windows / Visual Studio: Workaround a possible compiler bug
when targeting 32-bit x86 and compiling the CLMUL version of
the CRC64 code. The CLMUL code isn't enabled by the Windows
project files but it is in the CMake-based builds.
* Build systems:
- Windows-specific CMake changes:
* Don't try to enable CLMUL CRC64 code if _mm_set_epi64x()
isn't available. This fixes CMake-based build with Visual
Studio 2013.
* Created a workaround for a build failure with windres
from GNU binutils. It is used only when the C compiler
is GCC (not Clang). The workaround is incompatible
with llvm-windres, resulting in "XZx20Utils" instead
of "XZ Utils" in the resource file, but without the
workaround llvm-windres works correctly. See the
comment in CMakeLists.txt for details.
* Included the resource files in the xz and xzdec build
rules. Building the command line tools is still
experimental but possible with MinGW-w64.
- Visual Studio: Added stream_decoder_mt.c to the project
files. Now the threaded decompressor lzma_stream_decoder_mt()
gets built. CMake-based build wasn't affected.
- Updated windows/INSTALL-MSVC.txt to mention that CMake-based
build is now the preferred method with Visual Studio. The
project files will probably be removed after 5.4.x releases.
- Changes to #defines in config.h:
* HAVE_DECL_CLOCK_MONOTONIC was replaced by
HAVE_CLOCK_MONOTONIC. The old macro was always defined
in configure-generated config.h to either 0 or 1. The
new macro is defined (to 1) only if the declaration of
CLOCK_MONOTONIC is available. This matches the way most
other config.h macros work and makes things simpler with
other build systems.
* HAVE_DECL_PROGRAM_INVOCATION_NAME was replaced by
HAVE_PROGRAM_INVOCATION_NAME for the same reason.
* Tests:
- Fixed test script compatibility with ancient /bin/sh
versions. Now the five test_compress_* tests should
no longer fail on Solaris 10.
- Added and refactored a few tests.
* Translations:
- Updated the Catalan and Esperanto translations.
- Added Korean and Ukrainian man page translations.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 6.1.0 to 6.1.1
- Update of rootfile not required
- Changelog
There is no changelog in the source tarball or in the kernel site where the source
tarballs are available from. xfs.org, which normally provides access to the git
repository, fails to connect. xfs.wiki.kernel.org has no changelog info in it.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.9.3 to 1.9.4
- Update of rootfile
- Changelog
v1.9.4
perf : faster decoding speed (~+20%) on aarch64 platforms
perf : faster decoding speed (~+70%) for -BD4 setting in CLI
api : new function `LZ4_decompress_safe_partial_usingDict()` by @yawqi
api : lz4frame: ability to provide custom allocators at state creation
api : can skip checksum validation for improved decoding speed
api : new experimental unit `lz4file` for file i/o API, by @anjiahao1
api : new experimental function `LZ4F_uncompressedUpdate()`, by @alexmohr
cli : `--list` works on `stdin` input, by @Low-power
cli : `--no-crc` does not produce (compression) nor check (decompression) checksums
cli : fix: `--test` and `--list` produce an error code when parsing invalid input
cli : fix: support skippable frames when passed via `stdin`, reported by @davidmankin
build: fix: Makefile respects CFLAGS directives passed via environment variable
build: `LZ4_FREESTANDING`, new build macro for freestanding environments, by @t-mat
build: `make` and `make test` are compatible with `-j` parallel run
build: AS/400 compatibility, by @jonrumsey
build: Solaris 10 compatibility, by @pekdon
build: MSVC 2022 support, by @t-mat
build: improved meson script, by @eli-schwartz
doc : Updated LZ4 block format, provide an "implementation notes" section
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://lists.gnu.org/archive/html/info-gnu/2023-01/msg00007.html
"
...
The specific issue that was addressed in this release:
https://savannah.gnu.org/bugs/?63616 (pasting succeeded despite --view)
Changes between v7.1 and v7.2:
------------------------------
Benno Schulenberg (12):
bindings: let ^/ toggle between the 'search' and 'gotoline' menus
bump version numbers and add a news item for the 7.2 release
copyright: update the years for the FSF
docs: give ^K and ^U some useful function in the alternative bindings
docs: put the binding of ^Y after its unbinding, for it to be effective
gnulib: update to its current upstream state
input: disallow bracketed pastes when in view mode
po: update translations and regenerate POT file and PO files
syntax: html: colorize specially the other two emphasizing tags too
tweaks: avoid warnings when compiling with -Wpedantic
tweaks: rewrap an old news item
tweaks: separate a special thanks from the preceding ones"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
For details for 9.16.36 and 9.16.37 see:
https://downloads.isc.org/isc/bind9/9.16.37/doc/arm/html/notes.html#notes-for-bind-9-16-37
"Notes for BIND 9.16.37
Security Fixes
An UPDATE message flood could cause named to exhaust all available
memory. This flaw was addressed by adding a new update-quota option
that controls the maximum number of outstanding DNS UPDATE messages
that named can hold in a queue at any given time (default: 100).
(CVE-2022-3094)
ISC would like to thank Rob Schulhof from Infoblox for bringing this
vulnerability to our attention. [GL #3523]
named could crash with an assertion failure when an RRSIG query was
received and stale-answer-client-timeout was set to a non-zero value.
This has been fixed. (CVE-2022-3736)
ISC would like to thank Borja Marcos from Sarenet (with assistance by
Iratxe Niño from Fundación Sarenet) for bringing this vulnerability to
our attention. [GL #3622]
named running as a resolver with the stale-answer-client-timeout option
set to any value greater than 0 could crash with an assertion failure,
when the recursive-clients soft quota was reached. This has been fixed.
(CVE-2022-3924)
ISC would like to thank Maksym Odinintsev from AWS for bringing this
vulnerability to our attention. [GL #3619]
New Features
The new update-quota option can be used to control the number of
simultaneous DNS UPDATE messages that can be processed to update an
authoritative zone on a primary server, or forwarded to the primary
server by a secondary server. The default is 100. A new statistics
counter has also been added to record events when this quota is
exceeded, and the version numbers for the XML and JSON statistics
schemas have been updated. [GL #3523]
Feature Changes
The Differentiated Services Code Point (DSCP) feature in BIND has been
deprecated. Configuring DSCP values in named.conf now causes a warning
to be logged. Note that this feature has only been partly operational
since the new Network Manager was introduced in BIND 9.16.0. [GL #3773]
The catalog zone implementation has been optimized to work with
hundreds of thousands of member zones. [GL #3744]
Bug Fixes
In certain query resolution scenarios (e.g. when following CNAME
records), named configured to answer from stale cache could return a
SERVFAIL response despite a usable, non-stale answer being present in
the cache. This has been fixed. [GL #3678]
...
Notes for BIND 9.16.36
Feature Changes
The auto-dnssec option has been deprecated and will be removed in a
future BIND 9.19.x release. Please migrate to dnssec-policy. [GL #3667]
Bug Fixes
When a catalog zone was removed from the configuration, in some cases a
dangling pointer could cause the named process to crash. This has been
fixed. [GL #3683]
When a zone was deleted from a server, a key management object related
to that zone was inadvertently kept in memory and only released upon
shutdown. This could lead to constantly increasing memory use on
servers with a high rate of changes affecting the set of zones being
served. This has been fixed. [GL #3727]
In certain cases, named waited for the resolution of outstanding
recursive queries to finish before shutting down. This was unintended
and has been fixed. [GL #3183]
The zone <name>/<class>: final reference detached log message was moved
from the INFO log level to the DEBUG(1) log level to prevent the
named-checkzone tool from superfluously logging this message in
non-debug mode. [GL #3707]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
I have removed the patches instead of readd the mpfr-4.1.0
patchset because this result may result in different builds if we
not update the prebuild toolchain.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
