- Update from version 7.92 to 7.94
- Update of rootfile not required
- Changelog
7.94 [2023-05-19]
o Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made
this effort possible:
+ [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
+ [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
+ Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks
to those who opened Python 3-related issues and pull requests: Eli
Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa,
Hasan Aliyev, and others.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.71 to the latest version 1.75. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M
(28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC
prefix used previously for lookups.
o Added partial silent-install support to the Nmap Windows
installer. It previously didn't offer silent mode (/S) because the
free/demo version of Npcap Windoes packet capturing driver that it
needs and ships with doesn't include a silent installer. Now with
the /S option, Nmap checks whether Npcap is already installed
(either the free version or OEM) and will silently install itself if
so. This is similar to how the Wireshark installer works and is
particularly helpful for organizations that want to fully automate
their Nmap (and Npcap) deployments. See
https://nmap.org/nmap-silent-install for more details.
o Lots of profile-guided memory and processing improvements for Nmap, including
OS fingerprint matching, probe matching and retransmission lookups for large
hostgroups, and service name lookups. Overhauled Nmap's string interning and
several other startup-related procedures to speed up start times, especially
for scans using OS detection. [Daniel Miller]
o Integrated many of the most-submitted IPv4 OS fingerprints for recent
versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints,
bringing the new total to 5700!
o [NSE][GH#548] Added the tftp-version script which requests a
nonexistent file from a TFTP server and matches the error message
to a database of known software. [Mak Kolybabi]
o [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in
listen mode with the --keep-open option. This also enables --broker and
--chat via UDP. [Daniel Miller]
o [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for
RPM's) to version 3.0.8. This resolves some CVE's (CVE-2022-3602;
CVE-2022-3786) which don't impact Nmap proper since it doesn't do
certificate validation, but could possibly impact Ncat when the
--ssl-verify option is used.
o Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
o [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap
executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL
legacy provider failed to load." We actually already have the legacy
provider built-in to our OpenSSL builds, and that's why loading the
external one fails.
o [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same
data source, nmap-service-probes, for data payloads. Previously, the
nmap-payloads file was used for port scan. Port scan responses will be used
to kick-start the version matching process. [Daniel Miller]
o Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel,
the same as it already does for TCP services with SSL/TLS encryption. The
DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent
sooner in the scan. [Daniel Miller]
o [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming
connections. [Daniel Miller]
o [GH#1023] Handle Internationalized Domain Names (IDN) like Яндекс.рф on
platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
o [Ncat] Addressed an issue from the Debian bug tracker
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data
received immediately after a SOCKS CONNECT response. Ncat can now be
correctly used in the ProxyCommand option of OpenSSH.
o Improved DNS domain name parsing to avoid recursion and enforce name length
limits, avoiding a theoretical stack overflow issue with certain crafted DNS
server responses, reported by Philippe Antoine.
o [GH#2338][NSE] Fix mpint packing in ssh2 library, which was causing OpenSSH
errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
o [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
o [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on
Windows by avoiding a 125ms wait for every read from
STDIN. [scriptjunkie]
o [GH#1192][Windows] Periodically reset the system idle timer to keep the
system from going to sleep while scans are in process. This only affects port
scans and OS detection scans, since NSE and version scan do not rely on
timing data to adjust speed.
o Updated the Nmap Public Source License (NPSL) to Version 0.95. This
just clarifies that the derivative works definition and all other
license clauses only apply to parties who choose to accept the
license in return for the special rights granted (such as Nmap
redistribution rights). If a party can do everything they need to
using copyright provisions outside of this license such as fair use,
we support that and aren't trying to claim any control over their
work. Versions of Nmap released under previous versions of the NPSL
may also be used under the NPSL 0.95 terms.
o Avoid storing many small strings from IPv4 OS detection results in the global
string_pool. These were effectively leaked after a host is done being
scanned, since string_pool allocations are not freed until Nmap quits.
7.93 [2022-09-01]
o This release commemorates Nmap's 25th anniversary! It all started with this
September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.50 to the latest version 1.71. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions.
Binaries for this release include OpenSSL 3.0.5.
o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
o [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux
when no IPv4 addresses were configured. [Daniel Miller, nnposter]
o [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer
result in a stack traceback in debug output nor a "ERROR: script execution
failed" message in script output, since the intended behavior has always been
to end the script immediately without output. [Daniel Miller]
o [GH#2494] Update the Nmap output DTD to match actual output since the
`<hosthint>` element was added in Nmap 7.90.
o [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add
targets in script pre-scanning phase. [Daniel Miller]
o [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support
setting a client identifier. [nnposter]
o [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version
correctly for Oracle 19c or newer [linholmes]
o [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate
information about client connections and/or cluster nodes. [nnposter]
o [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD
[benpratt, nnposter]
o [GH#2464] Script ipidseq was broken due to calling an unreachable library
function. [nnposter]
o [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap
was compiled with OpenSSL in a custom location. [nnposter]
o [NSE] Improvements to event handling and pcap socket garbage collection,
fixing potential hangs and crashes. [Daniel Miller]
o We ceased creating the Nmap win32 binary zipfile. It was useful back when
you could just unzip it and run Nmap from there, but that hasn't worked well
for many years. The win32 self-installer handles Npcap installation and many
other dependencies and complexities. Anyone who needs the binaries for some
reason can still install Nmap on any system and retrieve them from there.
For now we're keeping the Win32 zipfile in the Nmap OEM Edition
(https://nmap.org/oem) for companies building Nmap into their own
products. But even in that case we believe that running the Nmap OEM
self-installer in silent mode is a better approach.
o [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming
ASCII input even though other parts of the library had been passing it Unicode.
o [GH#2402] Replace deprecated CPEs for IIS with their updated identifier,
cpe:/a:microsoft:internet_information_services [Esa Jokinen]
o [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are
encountered. Added parsers for most standard data types. [Daniel Miller]
o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1
strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
o [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses
as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 7.92 to 7.94
- Update of rootfile
- Changelog
7.94 [2023-05-19]
o Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made
this effort possible:
+ [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
+ [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
+ Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks
to those who opened Python 3-related issues and pull requests: Eli
Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa,
Hasan Aliyev, and others.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.71 to the latest version 1.75. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M
(28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC
prefix used previously for lookups.
o Added partial silent-install support to the Nmap Windows
installer. It previously didn't offer silent mode (/S) because the
free/demo version of Npcap Windoes packet capturing driver that it
needs and ships with doesn't include a silent installer. Now with
the /S option, Nmap checks whether Npcap is already installed
(either the free version or OEM) and will silently install itself if
so. This is similar to how the Wireshark installer works and is
particularly helpful for organizations that want to fully automate
their Nmap (and Npcap) deployments. See
https://nmap.org/nmap-silent-install for more details.
o Lots of profile-guided memory and processing improvements for Nmap, including
OS fingerprint matching, probe matching and retransmission lookups for large
hostgroups, and service name lookups. Overhauled Nmap's string interning and
several other startup-related procedures to speed up start times, especially
for scans using OS detection. [Daniel Miller]
o Integrated many of the most-submitted IPv4 OS fingerprints for recent
versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints,
bringing the new total to 5700!
o [NSE][GH#548] Added the tftp-version script which requests a
nonexistent file from a TFTP server and matches the error message
to a database of known software. [Mak Kolybabi]
o [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in
listen mode with the --keep-open option. This also enables --broker and
--chat via UDP. [Daniel Miller]
o [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for
RPM's) to version 3.0.8. This resolves some CVE's (CVE-2022-3602;
CVE-2022-3786) which don't impact Nmap proper since it doesn't do
certificate validation, but could possibly impact Ncat when the
--ssl-verify option is used.
o Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
o [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap
executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL
legacy provider failed to load." We actually already have the legacy
provider built-in to our OpenSSL builds, and that's why loading the
external one fails.
o [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same
data source, nmap-service-probes, for data payloads. Previously, the
nmap-payloads file was used for port scan. Port scan responses will be used
to kick-start the version matching process. [Daniel Miller]
o Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel,
the same as it already does for TCP services with SSL/TLS encryption. The
DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent
sooner in the scan. [Daniel Miller]
o [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming
connections. [Daniel Miller]
o [GH#1023] Handle Internationalized Domain Names (IDN) like Яндекс.рф on
platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
o [Ncat] Addressed an issue from the Debian bug tracker
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data
received immediately after a SOCKS CONNECT response. Ncat can now be
correctly used in the ProxyCommand option of OpenSSH.
o Improved DNS domain name parsing to avoid recursion and enforce name length
limits, avoiding a theoretical stack overflow issue with certain crafted DNS
server responses, reported by Philippe Antoine.
o [GH#2338][NSE] Fix mpint packing in ssh2 library, which was causing OpenSSH
errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
o [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
o [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on
Windows by avoiding a 125ms wait for every read from
STDIN. [scriptjunkie]
o [GH#1192][Windows] Periodically reset the system idle timer to keep the
system from going to sleep while scans are in process. This only affects port
scans and OS detection scans, since NSE and version scan do not rely on
timing data to adjust speed.
o Updated the Nmap Public Source License (NPSL) to Version 0.95. This
just clarifies that the derivative works definition and all other
license clauses only apply to parties who choose to accept the
license in return for the special rights granted (such as Nmap
redistribution rights). If a party can do everything they need to
using copyright provisions outside of this license such as fair use,
we support that and aren't trying to claim any control over their
work. Versions of Nmap released under previous versions of the NPSL
may also be used under the NPSL 0.95 terms.
o Avoid storing many small strings from IPv4 OS detection results in the global
string_pool. These were effectively leaked after a host is done being
scanned, since string_pool allocations are not freed until Nmap quits.
7.93 [2022-09-01]
o This release commemorates Nmap's 25th anniversary! It all started with this
September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.50 to the latest version 1.71. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions.
Binaries for this release include OpenSSL 3.0.5.
o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
o [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux
when no IPv4 addresses were configured. [Daniel Miller, nnposter]
o [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer
result in a stack traceback in debug output nor a "ERROR: script execution
failed" message in script output, since the intended behavior has always been
to end the script immediately without output. [Daniel Miller]
o [GH#2494] Update the Nmap output DTD to match actual output since the
`<hosthint>` element was added in Nmap 7.90.
o [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add
targets in script pre-scanning phase. [Daniel Miller]
o [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support
setting a client identifier. [nnposter]
o [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version
correctly for Oracle 19c or newer [linholmes]
o [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate
information about client connections and/or cluster nodes. [nnposter]
o [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD
[benpratt, nnposter]
o [GH#2464] Script ipidseq was broken due to calling an unreachable library
function. [nnposter]
o [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap
was compiled with OpenSSL in a custom location. [nnposter]
o [NSE] Improvements to event handling and pcap socket garbage collection,
fixing potential hangs and crashes. [Daniel Miller]
o We ceased creating the Nmap win32 binary zipfile. It was useful back when
you could just unzip it and run Nmap from there, but that hasn't worked well
for many years. The win32 self-installer handles Npcap installation and many
other dependencies and complexities. Anyone who needs the binaries for some
reason can still install Nmap on any system and retrieve them from there.
For now we're keeping the Win32 zipfile in the Nmap OEM Edition
(https://nmap.org/oem) for companies building Nmap into their own
products. But even in that case we believe that running the Nmap OEM
self-installer in silent mode is a better approach.
o [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming
ASCII input even though other parts of the library had been passing it Unicode.
o [GH#2402] Replace deprecated CPEs for IIS with their updated identifier,
cpe:/a:microsoft:internet_information_services [Esa Jokinen]
o [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are
encountered. Added parsers for most standard data types. [Daniel Miller]
o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1
strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
o [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses
as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.22.6 to 3.23.5
- Update of rootfile
- Changelog
3.23.5 - This release has the following changes:
Added support for the following new Printers:
HP Color LaserJet Enterprise 6700dn
HP Color LaserJet Enterprise 6700
HP Color LaserJet Enterprise 6701dn
HP Color LaserJet Enterprise 6701
HP Color LaserJet Enterprise X654dn
HP Color LaserJet Enterprise X65455dn
HP Color LaserJet Enterprise X654
HP Color LaserJet Enterprise X65465dn
HP Color LaserJet Enterprise X654 65 PPM
HP Color LaserJet Enterprise X654 55 to 65ppm License
HP Color LaserJet Enterprise X654 Down License
HP Color LaserJet Enterprise MFP 6800dn
HP Color LaserJet Enterprise Flow MFP 6800zf
HP Color LaserJet Enterprise Flow MFP 6800zfsw
HP Color LaserJet Enterprise Flow MFP 6800zfw+
HP Color LaserJet Enterprise MFP 6800
HP Color LaserJet Enterprise MFP 6801
HP Color LaserJet Enterprise MFP 6801 zfsw
HP Color LaserJet Enterprise Flow MFP 6801zfw+
HP Color LaserJet Enterprise MFP X677 55 to 65ppm License
HP Color LaserJet Enterprise MFP X677 65ppm
HP Color LaserJet Enterprise MFP X677s
HP Color LaserJet Enterprise Flow MFP X677z
HP Color LaserJet Enterprise MFP X67765dn
HP Color LaserJet Enterprise Flow MFP X67765zs
HP Color LaserJet Enterprise Flow MFP X67765z+
HP Color LaserJet Enterprise MFP X677
HP Color LaserJet Enterprise MFP X67755dn
HP Color LaserJet Enterprise Flow MFP X67755zs
HP Color LaserJet Enterprise Flow MFP X67755z+
HP Color LaserJet Enterprise MFP X677dn
HP Color LaserJet Enterprise Flow MFP X677zs
HP Color LaserJet Enterprise Flow MFP X677z+
HP Color LaserJet Enterprise 5700dn
HP Color LaserJet Enterprise 5700
HP Color LaserJet Enterprise X55745dn
HP Color LaserJet Enterprise X55745
HP Color LaserJet Enterprise MFP 5800dn
HP Color LaserJet Enterprise MFP 5800f
HP Color LaserJet Enterprise Flow MFP 5800zf
HP Color LaserJet Enterprise MFP 5800
HP Color LaserJet Enterprise MFP X57945
HP Color LaserJet Enterprise Flow MFP X57945zs
HP Color LaserJet Enterprise MFP X57945dn
HP Color LaserJet Enterprise Flow MFP X57945z
3.23.3 - This release has the following changes:
Added support for following new Distro's:
LinuxMint 21.1
MxLinux 21.3
Elementary OS 7
Ubuntu 22.10
RHEL 8.6
RHEL 8.7
RHEL 9.1
Fedora 37
Added support for the following new Printers:
HP Smart Tank 520_540 series
HP Smart Tank 580-590 series
HP Smart Tank 5100 series
HP Smart Tank 210-220 series
3.22.10 - This release has the following changes:
Added support for following new Distro's:
Manjaro 21.3
Suse 15.4
RHEL 9
Linux Mint 21.0
Mx Linux 21.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.7.4 to 2.8.1
- Update of rootfile not required
- Changelog is too large to include here. Look in the CHANGELOG file in the source
tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.38.1 to 2.41.0
- Update of rootfile
- Changelog is too large to show here. Look in the Source tarball in Documentation
RelNotes and each of the version numbers released - 2.38.2, 2.38.3, 2.38.4, 2.38.5,
2.39.0, 2.39.1, 2.39.2, 2.39.3, 2.40.0, 2.40.1, 2.41.0
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.13.0 to 3.15.0
- Update of rootfile
- Changelog
3.15.0 (2023-06-09)
* Improved support for some less common systems (32 bit, alternative libcs)
* Unsupported mount options are no longer silently accepted.
* auto_unmount is now compatible with allow_other.
3.14.1 (2023-03-26)
* The extended attribute name passed to the setxattr() handler is no longer
truncated at the beginning (bug introduced in 3.13.0).
* As a result of the above, the additional setattr() flags introduced in 3.14 are no
longer available for now. They will hopefully be reintroduced in the next release.
* Further improvements of configuration header handling.
3.14.0 (2023-02-17)
* Properly fix the header installation issue. The fix in 3.13.1 resulted
in conflicts with other packages.
* Introduce additional setattr() flags (FORCE, KILL_SUID, KILL_SGID, FILE,
KILL_PRIV, OPEN, TIMES_SET)
3.13.1 (2023-02-03)
* Fixed an issue that resulted in errors when attempting to compile against
installed libfuse headers (because libc symbol versioning support was not
detected correctly in this case).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.0.1 to 8.5.2
- Update of rootfile
- tar.xz versions are no longer provided by the developers. They onl provide the tar.gz
that is automatically created by github. This started shortly after 8.0.1 was released
- Changelog is too large to include here. For full details see the changelog details at
https://github.com/FRRouting/frr/releases
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.0.26 to 3.2.3
- Update of rootfile
- Changelog
3.2.3
Feature Improvements
Add "max_retries" for connection pools. Fixes#4908. Patch from Nick Porter.
Update dictionary.ciena, dictionary.huawei, dictionary.wifialliance and
dictionary.wispr; add dictionary.eleven.
You can now list "eap" in the "pre-proxy" section. If the packet contains a
malformed EAP message, then the request will be rejected The home server
will either reject (or discard) this packet anyways, so this change can only
help with large proxy scenarios.
Show warnings if libldap is not using OpenSSL.
Support RADIUS/1.1. See
https://datatracker.ietf.org/doc/draft-dekok-radext-radiusv11/ Disabled by
default, can be enabled by passing `--with-radiusv11` to the configure
script. For now, this is for testing interoperability.
Add extra sanity checks for malformed EAP attributes.
More TLS debugging output.
Clear old module instance data before HUP reload. Avoids burst memory use
when e.g. using large data files with rlm_files. Patch from Nick Porter.
`rlm_cache_redis` is now included in the freeradius-redis packages.
Separate out python2/python3 in Debian Packages. Previously python 2 or 3 was
built depending on the system default which led to confusion. We now build
both freeradius-python2 and freeradius-python3 packages where possible.
Bug Fixes
Don't leak MD contexts with OpenSSL 3.0.
Increase internal buffer size for TLS connections, which can help with
high-load proxies.
Send Status-Server checks for TLS connections.
Give descriptive error if "update CoA" is used with "fake" packets, as it
won't work. i.e. inner-tunnel and virtual home servers.
Many small ASAN / LSAN fixes from Jorge Pereira.
Close inbound RADIUS/TLS socket on TLS errors. When a home server sees a TLS
error, it will now close the socket, so proxies do not have an open (but
dead) TLS connection.
Fix mutex locking issues on inbound RADIUS/TLS connections This change avoids
random issues with "bad record mac".
Improve REST encoding loop. Patch from Herwin Weststrate. Closes#4950.
Correctly report the LDAP group a user was found in. Fixes#3084 Patch from
Nick Porter.
Force correct packet type when running Post-Auth-Type. Helps with #4980.
Fix small leak in Client-Lost code. Patch from Terry Burton. PR #4996.
Fix TCP socket statistics. Closes#4990.
Use NAS-Port-Id instead of NAS-Port during SQL simultaneous-use checks. Helps
with #5010.
3.2.2
Feature Improvements
The "configure" process now gives a much clearer report when it's finished.
Patches by Matthew Newton.
Fallback to "uname -n" on missing "hostname". Fixes#4771.
Export thread details in radmin "stats threads". Fixes#4770.
Improve queries for processing radacct into periodic usage data Fix from Nick
Porter.
Update dictionary.juniper.
Add dictionary.calix.
Fix dictionary.rfc6519 DS-Lite-Tunnel-Name to be "octets".
Update documentation for robust-proxy-accounting, and be more aggressive
about sending packets.
Add per-module README.md files in the source.
Add default Visual Studio configuration for developers.
Postgres can now automatically use alternate queries for errors other than
duplicate keys.
%{listen:TLS-PSK-Identity} is now set when using PSK and psk_query This helps
the server track the identity of the client which is connecting.
Include thread stats in Status-Server attributes. Fixes#4870.
Mark rlm_unbound stable and add to packages. Patches by Nick Porter.
Remove broken/unsupported Dockerfiles for centos8 and debian9.
Ensure Docker containers have stable uid/gid. Patches from Terry Burton.
Bug Fixes
Preliminary support for non-blocking TLS sockets. Helps with #3501.
Fix support for partial certificate chains after adding reload support.
Fixes#4753.
Fix handling of debug_condition.
Clean up home server states, and re-sync with the dictionaries.
Correct certificate order when creating TLS-* attributes Fixes#4785.
Update use of isalpha() etc. so broken configurations have less impact on the
server.
Outgoing TLS sockets now set SNI correctly from the "hostname" configuration
item.
Support Apple Homebrew on the M1. Fixes#4754.
Better error messages when %{listen:TLS-...} is used.
Getting statistics via Status-Server can now be done within a virtual server.
Fixes#4868.
Make TTLS+MS-CHAP work with TLS 1.3. Fixes#4878.
Fix md5 xlat memory leak when using OpenSSL 3. Fix by Terry Burton.
3.2.1
Feature Improvements
Add dictionary.ciena, dictionary.nile, and DHCPv4 dictionaries,.
Add simultaneous-use queries for MS SQL.
Add radmin command for "stats pool <module-name>" Which prints out statistics
about the connection pools.
Client statistics now shows "conflicts", to count conflicting packets.
New optional "lightweight accounting-on/off" strategy. When refreshing
queries.conf you should also add the new nasreload table and corresponding
GRANTs to your DB schema.
Add TLS-Client-Cert-X509v3-Certificate-Policies, which helps with Eduroam.
Suggested by Stefan Winter.
Allow auth+acct for TCP sockets, too.
Add rlm_cache_redis. See raddb/mods-available/cache for details.
Allow radmin to look up home servers by name, too.
Ensure that dynamic clients don't create loops on duplicates Reported by Sam
Yee.
Removed rlm_sqlhpwippool. There was no documentation, no configuration, and
the module was ~15 years old with no one using it.
Marked rlm_python3 as stable.
Add sigalgs_list. See raddb/mods-available/eap. Patch from Boris Lytochkin.
For rlm_linelog, when opening files in /dev, look at "permissions" to see
whether to open them r/w.
More flexibility for dynamic home servers. See
doc/configuration/dynamic_home_servers.md and raddb/home_servers/README.md.
Allow setting of application_name for PostgreSQL. See mods-available/sql.
Bug Fixes
Correct test for open sessions in radacct for MS SQL.
The linelog module now opens /dev/stdout in "write-only" mode if the
permissions are set to "u+w" (0002).
Various fixes to rlm_unbound from Nick Porter.
PEAP now correctly runs Post-Auth-Type Accept.
Create "TLS-Cert-*" for outbound Radsec, instead of TLS-Client-Cert-*
Fixes#4698. See sites-available/tls, and fix_cert_order.
Minor updates and fixes to CI, Dockerfiles and packaging.
Fix rlm_python3 build with python >= 3.10. Fixes#4441.
3.2.0
Feature Improvements
All features from 3.0.x are included in the 3.2.x releases. In addition:.
Add 'reset_day' and '%%r' parameter for rlm_sqlcounter to specify which day
of the month the counter should be reset.
Partial backport of rlm_json from v4, providing the json_encode xlat See
mods-available/json for documentation.
Support for haproxy "PROXY" protocol See sites-available/tls,
"proxy_protocol" and doc/antora/modules/howto/pages/protocols/proxy/.
Support for sending CoA-Request and Disconnect-Request packets in "reverse"
down RadSec tunnels. Experimental for now, and undocumented.
It is now possible to run a virtual server when saving / loading TLS cache
attributes. See sites-available/tls-cache for more information.
Removed the "cram" module. It was undocumented, and used old and insecure
authentication methods.
Remove the "otp" module. The "otpd" program it needs is no longer available,
and the module has not been usable since at least 2015.
All features from 3.0.x are included in the 3.2.x releases.
3.2.0 requires OpenSSL 1.0.2 or greater.
Bug Fixes
All bug fixes from 3.0.x are included in the 3.2.x releases.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20060126 to 20100919
- Version 20100919 is the most recent version that is available as a .tar.gz file
There is a 20120503 version but it is only available as a .zip file
- This patch brings this package as up to date as it can be.
- Update of rootfile not required
- Changelog for changes made from Feb 2006 till 2010 is too large to show here - approx
5000 lines. See the contents of the ChangeLog file in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.1.0 to 8.2.0
- Update of rootfile
- Changelog
8.2.0
Changes:
curl: add --ca-native and --proxy-ca-native
curl: add --trace-ids
CURLOPT_MAIL_RCPT_ALLOWFAILS: replace CURLOPT_MAIL_RCPT_ALLLOWFAILS
haproxy: add --haproxy-clientip flag to set client IPs
lib: add CURLINFO_CONN_ID and CURLINFO_XFER_ID
Bugfixes:
bufq: make write/pass methods more robust
build: drop unused/redundant `HAVE_WINLDAP_H`
cf-socket: don't bypass fclosesocket callback if cancelled before connect
cf-socket: move ctx declaration under HAVE_GETPEERNAME
cf-socket: skip getpeername()/getsockname for TFTP
checksrc: modernise perl file open
checksrc: quote the file name to work with "funny" letters
CI: brew fix for openssl in default path
CI: don't install impacket if tests are not run
CI: enable parallel make in more builds
circleci: install impacket & wolfssl 5.6.0
cmake: add support for "unity" builds
cmake: make use of snprintf
cmake: stop CMake from quietly ignoring missing Brotli
configure: add check for ldap_init_fd
configure: fix run-compiler for old /bin/sh
configure: the --without forms of the options are also gone
connect-timeout.d: mention that the DNS lookup is included
curl.h: include <sys/select.h> for vxworks
curl: count uploaded data to stop at the originally given size
curl: return error when asked to use an unsupported HTTP version
curl_easy_nextheader.3: add missing open parenthesis examples
curl_log: evaluate log statement only when transfer is verbose
curl_mprintf.3: minor fix of the example
curl_pushheader_byname/bynum.3: document in their own man pages
curl_url_set: enforce the max string length check for all parts
CURLOPT_AWS_SIGV4.3: remove unused variable from example
CURLOPT_INFILESIZE.3: mention -1 triggers chunked
CURLOPT_MIMEPOST.3: clarify what setting to NULL means
CURLOPT_SSH_PRIVATE_KEYFILE.3: expand on the file search
docs/libcurl/libcurl.3: cleanups and improvements
docs: add more .IP after .RE to fix indentation of generate paragraphs
docs: fix missing parameter names in examples
docs: update CURLOPT_UPLOAD.3
docs: update HTTP3.md for newer ngtcp2 and nghttp3
docs: use a space after RFC when spelling out RFC numbers
example/connect-to: show CURLOPT_CONNECT_TO
example/crawler: also set CURLOPT_AUTOREFERER
example/crawler: make it use a few more options
example/default-scheme: set the default scheme for schemeless URLs
example/hsts-preload: show one way to HSTS preload
example/http2-download: set CURLOPT_BUFFERSIZE
example/ipv6: feature CURLOPT_ADDRESS_SCOPE in use
example/maxconnects: set maxconnect example
example/opensslthreadlock: remove
examples/ftpuploadresume.c: add use of CURLOPT_ACCEPTTIMEOUT_MS
examples/http-options: show how to send "OPTIONS *"
examples/https.c: use CURLOPT_CA_CACHE_TIMEOUT
examples/multi-debugcallback.c: avoid the bool typedef
examples/smtp-mime: use CURLOPT_MAIL_RCPT_ALLOWFAILS
examples/unixsocket.c: example using CURLOPT_UNIX_SOCKET_PATH
examples/websocket.c: websocket example using CONNECT_ONLY
examples: make use of CURLOPT_(REDIR_|)PROTOCOLS_STR
fopen: fix conversion warning on 32-bit Android
fopen: optimize
hostip.c: Move macOS-specific calls into global init call
HTTP/2: upload handling fixes
http2: better support for --limit-rate
http2: error stream resets with code CURLE_HTTP2_STREAM
http2: fix crash in handling stream weights
http2: fix variable type
http2: h2 and h2-PROXY connection alive check fixes
http2: raise header limitations above and beyond
http2: send HEADER & DATA together if possible
http2: treat initial SETTINGS as a WINDOW_UPDATE
HTTP3.md: update openssl version
http3/ngtcp2: upload EAGAIN handling
http: rectify the outgoing Cookie: header field size check
hyper: fix EOF handling on input
hyper: unslow
imap-append.c: update to make it more likely to work
imap: Provide method to disable SASL if it is advertised
krb5: add typecast to please Coverity
libcurl-url.3: also mention CURLUPART_ZONEID
libcurl-ws.3. WebSocket API overview
libssh2: provide error message when setting host key type fails
libssh2: use custom memory functions
ngtcp2: assigning timeout, but value is overwritten before used
ngtcp2: build with 0.17.0 and nghttp3 0.13.0
ngtcp2: use ever increasing timestamp in io
quiche: avoid NULL deref in debug logging
quiche: fix defects found in latest coverity report
quote.d: fix indentation of generated paragraphs
runtests: abort test run after failure without -a
runtests: better handle ^C during slow tests
runtests: consistently write the test check summary block
runtests: create multiple test runners when requested
runtests: include missing valgrind package
runtests: make test file directories in log/N
runtests: rename server command file
runtests: use more consistent failure lines
runtests: work around a perl without SIGUSR1
runtests; give each server a unique log lock file
scripts: Fix GHA matrix job detection in cijobs.pl
sectransp: fix EOF handling
system.h: remove __IBMC__/__IBMCPP__ guards and apply to all z/OS compiles
test2600: fix the description
test427: verify sending more cookies than fit in a 8190 bytes line
tests/http: Add mod_h2 directive `H2ProxyRequests`
tests/servers.pm: pick unused port number with a server socket
tests/servers: generate temp names in /tmp for unix domain sockets
tests: fix error messages & handling around sockets
tests: improve reliability of TFTP tests
testutil: allow multiple %-operators on the same line
timeval: use CLOCK_MONOTONIC_RAW if available
tls13-ciphers.d: include Schannel
tool: remove exclamation marks from error/warning messages
tool: remove newlines from all helpf/notef/warnf/errorf calls
tool_easysrc.h: correct `easysrc_perform` for `CURL_DISABLE_LIBCURL_OPTION`
tool_getparam: fix comment
tool_operate: allow cookie lines up to 8200 bytes
tool_parsecfg: accept line lengths up to 10M
tool_urlglob: use curl_off_t instead of longs
tool_writeout_json: fix encoding of control characters
transfer: clear credentials when redirecting to absolute URL
urlapi: have *set(PATH) prepend a slash if one is missing
urlapi: scheme must start with alpha
vtls: avoid memory leak if sha256 call fails
websocket-cb: example doing WebSocket download using callback
wolfssl: detect when TLS 1.2 support is not built into wolfssl
wolfssl: support setting CA certificates as blob
ws: make the curl_ws_meta() return pointer a const
8.1.2
Bugfixes:
configure: quote the assignments for run-compiler
configure: without pkg-config and no custom path, use -lnghttp2
curl: cache the --trace-time value for a second
http2: fix EOF handling on uploads with auth negotiation
http3: send EOF indicator early as possible
lib1560: verify more scheme guessing
lib: remove unused functions, make single-use static
libcurl.m4: remove trailing 'dnl' that causes this to break autoconf
libssh: when keyboard-interactive auth fails, try password
misc: fix spelling mistakes
page-header: mention curl version and how to figure out current release
page-header: minor wording polish in the URL segment
scripts/singleuse.pl: add more API calls
urlapi: remove superfluous host name check
8.1.1
Bugfixes:
cf-socket: completely remove the disabled USE_RECV_BEFORE_SEND_WORKAROUND
checksrc: disallow spaces before labels
cmake: avoid `list(PREPEND)` for compatibility
cmake: repair cross compiling
configure: fix --help alignment
configure: generate a script to run the compiler
curl_easy_getinfo: clarify on return data types
docs: document that curl_url_cleanup(NULL) is a safe no-op
hostip: move easy_lock.h include above curl_memory.h
http2: double http request parser max line length
http2: increase stream window size to 10 MB
http2: upload improvements
lib: fix conversion warnings with gcc on macOS
lib: rename struct 'http_req' to 'httpreq'
ngtcp2: fix compiler warning about possible null-deref
ngtcp2: proper handling of uint64_t when adjusting send buffer
os400: update chkstrings.c
runtests: handle interrupted reads from IPC pipes
runtests: use the correct fd after select
sectransp.c: make the code c89 compatible
select: avoid returning an error on EINTR from select() or poll()
test425: fix the log directory for the upload
url: provide better error message when URLs fail to parse
urlapi: allow numerical parts in the host name
vquic.c: make recvfrom_packets static, avoid compiler warning
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Added new IPFire specific monitoring capabilities to Zabbix Agent:
- ipfire.ovpn.clients.discovery: Discovery of configured ovpn
clients. Returns a JSON array.
- ipfire.ovpn.statusreport.get: Parses and returns
/var/run/ovpnserver.log in a JSON array
Since /var/run/ovpnserver.log is only readable by root, 'cat' of that
file is added to sudoers.d/zabbix_agentd.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 6.0.16 to 6.0.19
- Update of rootfile not required
Bugs fixed:
- ZBX-22798:
Incorrect output of vfs.file.contents when reading frequently
modified file
- ZBX-22470:
Zabbix Agent locks in tls_recv() when using DebugLevel=5
- ZBX-21892:
vfs.fs.get returns wrong data if multiple file systems have identical
mount point
Full changelogs since 6.0.16:
- https://www.zabbix.com/rn/rn6.0.17
- https://www.zabbix.com/rn/rn6.0.18
- https://www.zabbix.com/rn/rn6.0.19
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.0.10-4 (Sep 2014) to 2.0.11 (Dec 2019)
- Update of rootfile
- Deletion of patch to prevent installing in usr/local as new tarball now has a ./configure
file that enables setting prefix to /usr and sysconfdir to /etc
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.26.5 to 2.28.1
- Update of rootfile
- Changelog
2.28.1
This is a stable bugfix release, with the following changes:
Added support for the Nintendo Online Famicom controllers
Improved support for third-party Nintendo Switch controllers
Fixed setting the player LED on Nintendo Switch controllers
Added Linux controller mapping for the Logitech Chillstream
Fixed appending to a file greater than 4GB in size on Windows
2.28.0
Thanks to all the people who contributed code and feedback, SDL 2.28.0 is now
available!
In addition to lots of bug fixes, here are the major changes in this release:
General:
Added SDL_HasWindowSurface() and SDL_DestroyWindowSurface() to switch between
the window surface and rendering APIs
Added a display event SDL_DISPLAYEVENT_MOVED which is sent when the primary
monitor changes or displays change position relative to each other
Added the hint SDL_HINT_ENABLE_SCREEN_KEYBOARD to control whether the
on-screen keyboard should be shown when text input is active
With this release, SDL 2.0 is entering maintenance mode. While we will continue
to support the library and provide stable bug fix updates, the SDL team is
focusing on SDL 3.0 and all new feature development will be happening there. We
are simultaneously bringing up sdl2-compat so your existing SDL 2.0 applications
can run on the SDL 3.0 runtime in the future.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.11.0 to 1.11.1
- Update of rootfile not required
- Changelog
1.11.1
This is a hotfix release for a SIGFPE on Linux: #2173
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 7.3.0 to 8.0.1
- Update of rootfile
- Changelog
Overview of changes leading to 8.0.1
- Build fix on 32-bit arm.
- More speed optimizations:
- 60% speedup in retaingids subsetting SourceHanSans-VF.
- 38% speed up in subsetting (beyond-64k) mega-merged Noto.
- 16% speed up in retain-gid (used for IFT) subsetting of NotoSansCJKkr.
Overview of changes leading to 8.0.0
- New, experimental, WebAssembly (WASM) shaper, that provides greater
flexibility over OpenType/AAT/Graphite shaping, using WebAssembly embedded
inside the font file. Currently WASM shaper is disabled by default and needs
to be enabled at build time. For details, see:
https://github.com/harfbuzz/harfbuzz/blob/main/docs/wasm-shaper.md
For example fonts making use of the WASM shaper, see:
https://github.com/simoncozens/wasm-examples
- Improvements to Experimental features introduced in earlier releases:
- Support for subsetting beyond-64k and VarComposites fonts.
- Support for instancing variable fonts with cubic “glyf” table.
- Many big speed optimizations:
- Up to 89% speedup loading variable fonts for shaping.
- Up to 88% speedup in small subsets of large (eg. CJK) fonts (both TTF and
OTF), essential for Incremental Font Transfer (IFT).
- Over 50% speedup in loading Roboto font for shaping.
- Up to 40% speed up in loading (sanitizing) complex fonts.
- 30% speed up in shaping Gulzar font.
- Over 25% speedup in glyph loading Roboto font.
- 10% speed up loading glyph shapes in VarComposite Hangul font.
- hb-hashmap optimizations & hashing improvements.
- New macro HB_ALWAYS_INLINE. HarfBuzz now inlines functions more aggressively,
which results in some speedup at the expense of bigger code size. To disable
this feature define the macro to just inline.
- New API:
+HB_CODEPOINT_INVALID
+hb_ot_layout_get_baseline2()
+hb_ot_layout_get_baseline_with_fallback2()
+hb_ot_layout_get_font_extents()
+hb_ot_layout_get_font_extents2()
+hb_subset_input_set_axis_range()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.2.11 to 3.2.12
- Update of rootfile
- Changelog
3.2.12
-rules/50-udev-default.rules: add PTP entry for Hyper-V/Azure by @dermotbradley
in #218
-Add the BUILD instructions for Gentoo by @lu-zero in #224
-Fix warnings by @bbonev in #222
-udev: add udev_dir as synonym of udevdir by @oreo639 in #225
-build: Remove dead g-i-r configuration by @akiernan in #231
-Hwdb.7 by @bbonev in #221
-Precompiled hwdb by @bbonev in #223
-Merge suitable rules changes from systemd by @bbonev in #220
-Merge hwdb from systemd by @bbonev in #219
-Fix problems detected by fortified builds by @bbonev in #232
-Avoid warning on 32bit by @bbonev in #233
-Systemd PR 24353 by @bbonev in #239
-Do not free a static string by @bbonev in #238
-man: udev.7, mention /usr/lib with split-usr by @omnivagant in #246
-Missing tools by @bbonev in #240
-Fix compile-time issue on very old kernels by @cockroach in #247
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.4.33 to 4.4.36
- Update of rootfile not required
- Changelog
Version 4.4.36
* Fix left over bits failing with Perl v5.38.0 (issue #173).
Version 4.4.35
* Fix build with Perl v5.38.0 (issue #170).
* Fix build with MinGW-w(32|64).
Version 4.4.34
* Update build-aux/m4/ax_valgrind_check.m4 to v23.
* Optimize some cast operation for performance in
lib/alg-yescrypt-platform.c.
* Add SHA-2 Maj() optimization proposed by Wei Dai in lib/alg-sha512.c.
* Explicitly clean the stack and context state after computation in
lib/alg-gost3411-2012-hmac.c, lib/alg-hmac-sha1.c, and lib/alg-sha256.c
(issue #168).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-fcf-protection enables Indirect Branch Tracking, which we have recently
enabled in the kernel. We should enable this in userspace, too.
I could not find out what GCC defaults to without any value, so this
patch is explicitely enabling IBT for function returns, indirect
function calls and indirect jumps.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.18.4 to 4.18.5
- Update of rootfile not required
- Changelog
4.18.5
This is a security release in order to address the following defects:
o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
crafted request can trigger an out-of-bounds read in winbind
and possibly crash it.
https://www.samba.org/samba/security/CVE-2022-2127.html
o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
"server signing = required" or for SMB2 connections to Domain
Controllers where SMB2 packet signing is mandatory.
https://www.samba.org/samba/security/CVE-2023-3347.html
o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
Spotlight can be triggered by an unauthenticated attacker by
issuing a malformed RPC request.
https://www.samba.org/samba/security/CVE-2023-34966.html
o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
Spotlight can be used by an unauthenticated attacker to
trigger a process crash in a shared RPC mdssvc worker process.
https://www.samba.org/samba/security/CVE-2023-34967.html
o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
side absolute path of shares and files and directories in
search results.
https://www.samba.org/samba/security/CVE-2023-34968.html
o Ralph Boehme <slow@samba.org>
* BUG 15072: CVE-2022-2127.
* BUG 15340: CVE-2023-34966.
* BUG 15341: CVE-2023-34967.
* BUG 15388: CVE-2023-34968.
* BUG 15397: CVE-2023-3347.
o Volker Lendecke <vl@samba.org>
* BUG 15072: CVE-2022-2127.
o Stefan Metzmacher <metze@samba.org>
* BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The Linux firmware microcode patches require Git to apply binary
patches as they are not supported by patch(8).
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 9.3p1 to 9.3p2
- Update of rootfile not required
- Changelog
9.3p2 (2023-07-19)
This release fixes a security bug.
Security
Fix CVE-2023-38408 - a condition where specific libaries loaded via
ssh-agent(1)'s PKCS#11 support could be abused to achieve remote
code execution via a forwarded agent socket if the following
conditions are met:
* Exploitation requires the presence of specific libraries on
the victim system.
* Remote exploitation requires that the agent was forwarded
to an attacker-controlled system.
Exploitation can also be prevented by starting ssh-agent(1) with an
empty PKCS#11/FIDO allowlist (ssh-agent -P '') or by configuring
an allowlist that contains only specific provider libraries.
This vulnerability was discovered and demonstrated to be exploitable
by the Qualys Security Advisory team.
In addition to removing the main precondition for exploitation,
this release removes the ability for remote ssh-agent(1) clients
to load PKCS#11 modules by default (see below).
Potentially-incompatible changes
* ssh-agent(8): the agent will now refuse requests to load PKCS#11
modules issued by remote clients by default. A flag has been added
to restore the previous behaviour "-Oallow-remote-pkcs11".
Note that ssh-agent(8) depends on the SSH client to identify
requests that are remote. The OpenSSH >=8.9 ssh(1) client does
this, but forwarding access to an agent socket using other tools
may circumvent this restriction.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.9.14 to 1.9.14p2
- Update of rootfile not required
- Changelog
1.9.14p2
* Fixed a crash on Linux systems introduced in version 1.9.14 when
running a command with a NULL argv[0] if "log_subcmds" or
"intercept" is enabled in sudoers.
* Fixed a problem with "stair-stepped" output when piping or
redirecting the output of a sudo command that takes user input.
* Fixed a bug introduced in sudo 1.9.14 that affects matching
sudoers rules containing a Runas_Spec with an empty Runas user.
These rules should only match when sudo's -g option is used but
were matching even without the -g option. GitHub issue #290.
1.9.14p1
* Fixed an invalid free bug in sudo_logsrvd that was introduced
in version 1.9.14 which could cause sudo_logsrvd to crash.
* The sudoers plugin no longer tries to send the terminal name
to the log server when no terminal is present. This bug was
introduced in version 1.9.14.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This change will make sure that dehydrated will continue if (re-)issuing
one or more certificate fails.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Since the update is not built on the day when people install it, we will
ship an outdated database. For updates, where the firewall is being
reloaded or rebooted, we will have an old database in place until the
next database update job runs.
Secondly, the data is 33 MiB in size, which is useless data shipped as
every system will already have a database that is very likely to be more
recent.
In this update, we are not shipping the location database again, but I
wanted to add this change so it does not get lost next time.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
This changes the old "diff" algorithm that we needed to have before
Unbound was able to reload its own configuration.
Now, it can do this even without dropping the cache. This should
hopefully perform much better and be more reliable than the old way.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
