- This changes the action from HOSTILE_DROP to HOSTILE_DROP_IN for icnoming traffic and
HOSTILE_DROP_OUT for outgoing traffic enabling logging decisions to be taken on each
independently.
Fixes: bug12981
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Acked-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated lfs file to core program type
- Moved rootfile from packages to common
- Older suricata versions required elfutils only for building but suricata-7.0.2 fails to
start if elfutils is not present due to libelf.so.1 being missing.
- The requirement for elfutils is not mentioned at all in the changelog.
Fixes: Bug#13516
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.22 to 0.22.4
- Update of rootfile
- Changelog
0.22.4
* Bug fixes:
- AM_GNU_GETTEXT now recognizes a statically built libintl on macOS and AIX.
- Build fixes on AIX.
0.22.3
* Portability:
- The libintl library now works on macOS 14. (Older versions of libintl
crash on macOS 14, due to an incompatible change in macOS.)
0.22.2
* Bug fixes:
- The libintl shared library now exports again some symbols that were
accidentally missing.
<https://savannah.gnu.org/bugs/index.php?64323>
This bug was introduced in version 0.22.
0.22.1
* Bug fixes:
- xgettext's processing of large Perl files may have led to errors
<https://savannah.gnu.org/bugs/index.php?64552>
- "xgettext --join-existing" could encounter errors.
<https://savannah.gnu.org/bugs/index.php?64490>
These bugs were introduced in version 0.22.
* Portability:
- Building on Android is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.3 to 1.3.1
- Update of rootfile
- Changelog
1.3.1
- Reject overflows of zip header fields in minizip
- Fix bug in inflateSync() for data held in bit buffer
- Add LIT_MEM define to use more memory for a small deflate speedup
- Fix decision on the emission of Zip64 end records in minizip
- Add bounds checking to ERR_MSG() macro, used by zError()
- Neutralize zip file traversal attacks in miniunz
- Fix a bug in ZLIB_DEBUG compiles in check_match()
- Various portability and appearance improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 5.4.5 to 5.4.6
- Update of rootfile
- Changelog
5.4.6
* Fixed a bug involving internal function pointers in liblzma not
being initialized to NULL. The bug can only be triggered if
lzma_filters_update() is called on a LZMA1 encoder, so it does
not affect xz or any application known to us that uses liblzma.
* xz:
- Fixed a regression introduced in 5.4.2 that caused encoding
in the raw format to unnecessarily fail if --suffix was not
used. For instance, the following command no longer reports
that --suffix must be used:
echo foo | xz --format=raw --lzma2 | wc -c
- Fixed an issue on MinGW-w64 builds that prevented reading
from or writing to non-terminal character devices like NUL.
* Added a new test.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.6.39 to 1.6.41
- Update of rootfile
- Changelog
1.6.41
Added SIMD-optimized code for the Loongarch LSX hardware.
(Contributed by GuXiWei, JinBo and ZhangLixia)
Fixed the run-time discovery of MIPS MSA hardware.
(Contributed by Sui Jingfeng)
Fixed an off-by-one error in the function `png_do_check_palette_indexes`,
which failed to recognize errors that might have existed in the first
column of a broken palette-encoded image. This was a benign regression
accidentally introduced in libpng-1.6.33. No pixel was harmed.
(Contributed by Adam Richter; reviewed by John Bowler)
Fixed, improved and modernized the contrib/pngminus programs, i.e.,
png2pnm.c and pnm2png.c
Removed old and peculiar portability hacks that were meant to silence
warnings issued by gcc version 7.1 alone.
(Contributed by John Bowler)
Fixed and modernized the CMake file, and raised the minimum required
CMake version from 3.1 to 3.6.
(Contributed by Clinton Ingram, Timothy Lyanguzov, Tyler Kropp, et al.)
Allowed the configure script to disable the building of auxiliary tools
and tests, thus catching up with the CMake file.
(Contributed by Carlo Bramini)
Fixed a build issue on Mac.
(Contributed by Zixu Wang)
Moved the Autoconf macro files to scripts/autoconf.
Moved the CMake files (except for the main CMakeLists.txt) to
scripts/cmake and moved the list of their contributing authors to
scripts/cmake/AUTHORS.md
Updated the CI configurations and scripts.
Relicensed the CI scripts to the MIT License.
Improved the test coverage.
(Contributed by John Bowler)
1.6.40
Fixed the eXIf chunk multiplicity checks.
Fixed a memory leak in pCAL processing.
Corrected the validity report about tRNS inside png_get_valid().
Fixed various build issues on *BSD, Mac and Windows.
Updated the configurations and the scripts for continuous integration.
Cleaned up the code, the build scripts, and the documentation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://midnight-commander.org/wiki/NEWS-4.8.31
"Major changes since 4.8.30
Core
Minimal version of GLib is 2.32.0.
VFS
fish: drop support of native FISH server and protocol. Rename VFS to shell (#4232)
extfs;
uc1541 extfs: update up to 3.6 version (#4511)
s3+: port to Python3 (#4324)
Support for LZO/LZOP compression format (#4509)
...
Skins: add color for non-printable characters in editor (#4433)
Fixes
FTBFS on FreeBSD with ext2fs attribute support (#4493)
Broken stickchars (-a) mode (#4498)
Wrong timestamp after resuming of file copy operation (#4499)
Editor: wrong deletion of marked column (#3761)
Diff viewer: segfault when display of line numbers is enabled (#4500)
Tar VFS: broken handling of hard links (#4494)
Sftp VFS: failure establishing SSH session due hashed host names in ~/.ssh/known_hosts (#4506)
Shell VFS: incorrect file names with cyrillic or diacritic symbols (#4507)
mc.ext.ini: incorrect description of of how multiple sections and keys with same names are processed (#4497)
mc.ext.ini: unescaped backslash \ is treated as invalid escape sequence in glib-2.77.3 and glib-2.79 (#4502)
mc.ext.ini: file "Makefile.zip" is handled as Makefile not as zip-arhive (#4419)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
* A file in PKCS12 format can contain certificates and keys and may come from
an untrusted source. The PKCS12 specification allows certain fields to be
NULL, but OpenSSL did not correctly check for this case. A fix has been
applied to prevent a NULL pointer dereference that results in OpenSSL
crashing. If an application processes PKCS12 files from an untrusted source
using the OpenSSL APIs then that application will be vulnerable to this
issue prior to this fix.
OpenSSL APIs that were vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security
significant.
([CVE-2024-0727])
*Matt Caswell*
* When function EVP_PKEY_public_check() is called on RSA public keys,
a computation is done to confirm that the RSA modulus, n, is composite.
For valid RSA keys, n is a product of two or more large primes and this
computation completes quickly. However, if n is an overly large prime,
then this computation would take a long time.
An application that calls EVP_PKEY_public_check() and supplies an RSA key
obtained from an untrusted source could be vulnerable to a Denial of Service
attack.
The function EVP_PKEY_public_check() is not called from other OpenSSL
functions however it is called from the OpenSSL pkey command line
application. For that reason that application is also vulnerable if used
with the "-pubin" and "-check" options on untrusted data.
To resolve this issue RSA keys larger than OPENSSL_RSA_MAX_MODULUS_BITS will
now fail the check immediately with an RSA_R_MODULUS_TOO_LARGE error reason.
([CVE-2023-6237])
*Tomáš Mráz*
* Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to
have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey
rather than SM2.
*Richard Levitte*
* The POLY1305 MAC (message authentication code) implementation in OpenSSL
for PowerPC CPUs saves the contents of vector registers in different
order than they are restored. Thus the contents of some of these vector
registers is corrupted when returning to the caller. The vulnerable code is
used only on newer PowerPC processors supporting the PowerISA 2.07
instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the
application process. However unless the compiler uses the vector registers
for storing pointers, the most likely consequence, if any, would be an
incorrect result of some application dependent calculations or a crash
leading to a denial of service.
([CVE-2023-6129])
*Rohan McLure*
* Fix excessive time spent in DH check / generation with large Q parameter
value.
Applications that use the functions DH_generate_key() to generate an
X9.42 DH key may experience long delays. Likewise, applications that use
DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
([CVE-2023-5678])
*Richard Levitte*
* Disable building QUIC server utility when OpenSSL is configured with
`no-apps`.
*Vitalii Koshura*
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.22.0 to 0.23.1
- Update of rootfile
- Changelog
0.23.0
Headline features
Add type hints. (#543)
Features
When exiting a nursery block, the parent task always waits for child tasks
to exit. This wait cannot be cancelled. However, previously, if you tried
to cancel it, it would inject a Cancelled exception, even though it wasn’t
cancelled. Most users probably never noticed either way, but injecting a
Cancelled here is not really useful, and in some rare cases caused
confusion or problems, so Trio no longer does that. (#1457)
If called from a thread spawned by trio.to_thread.run_sync,
trio.from_thread.run and trio.from_thread.run_sync now reuse the task and
cancellation status of the host task; this means that context variables and
cancel scopes naturally propagate ‘through’ threads spawned by Trio. You
can also use trio.from_thread.check_cancelled to efficiently check for
cancellation without reentering the Trio thread. (#2392)
trio.lowlevel.start_guest_run() now does a bit more setup of the guest run
before it returns to its caller, so that the caller can immediately make
calls to trio.current_time(), trio.lowlevel.spawn_system_task(),
trio.lowlevel.current_trio_token(), etc. (#2696)
Bugfixes
When a starting function raises before calling trio.TaskStatus.started(),
trio.Nursery.start() will no longer wrap the exception in an undocumented
ExceptionGroup. Previously, trio.Nursery.start() would incorrectly raise an
ExceptionGroup containing it when using trio.run(...,
strict_exception_groups=True). (#2611)
Deprecations and removals
To better reflect the underlying thread handling semantics, the keyword
argument for trio.to_thread.run_sync that was previously called cancellable
is now named abandon_on_cancel. It still does the same thing – allow the
thread to be abandoned if the call to trio.to_thread.run_sync is
cancelled – but since we now have other ways to propagate a cancellation
without abandoning the thread, “cancellable” has become somewhat of a
misnomer. The old cancellable name is now deprecated. (#2841)
Deprecated support for math.inf for the backlog argument in
open_tcp_listeners, making its docstring correct in the fact that only
TypeError is raised if invalid arguments are passed. (#2842)
Removals without deprecations
Drop support for Python3.7 and PyPy3.7/3.8. (#2668)
Removed special MultiError traceback handling for IPython. As of version
8.15 ExceptionGroup is handled natively. (#2702)
Miscellaneous internal changes
Trio now indicates its presence to sniffio using the sniffio.thread_local
interface that is preferred since sniffio v1.3.0. This should be less
likely than the previous approach to cause sniffio.current_async_library()
to return incorrect results due to unintended inheritance of contextvars.
(#2700)
On windows, if SIO_BASE_HANDLE failed and SIO_BSP_HANDLE_POLL didn’t return
a different socket, runtime error will now raise from the OSError that
indicated the issue so that in the event it does happen it might help with
debugging. (#2807)
0.22.2
Bugfixes
Fix PermissionError when importing trio due to trying to access pthread.
(#2688)
0.22.1
Breaking changes
Timeout functions now raise ValueError if passed math.nan. This includes
trio.sleep, trio.sleep_until, trio.move_on_at, trio.move_on_after,
trio.fail_at and trio.fail_after. (#2493)
Features
Added support for naming threads created with trio.to_thread.run_sync,
requires pthreads so is only available on POSIX platforms with glibc
installed. (#1148)
trio.socket.socket now prints the address it tried to connect to upon
failure. (#1810)
Bugfixes
Fixed a crash that can occur when running Trio within an embedded Python
interpreter, by handling the TypeError that is raised when trying to
(re-)install a C signal handler. (#2333)
Fix sniffio.current_async_library() when Trio tasks are spawned from a
non-Trio context (such as when using trio-asyncio). Previously, a regular
Trio task would inherit the non-Trio library name, and spawning a system
task would cause the non-Trio caller to start thinking it was Trio. (#2462)
Issued a new release as in the git tag for 0.22.0, trio.__version__ is
incorrectly set to 0.21.0+dev. (#2485)
Improved documentation
Documented that Nursery.start_soon does not guarantee task ordering. (#970)
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.2.2 to 3.3.0
- Update of rootfile
- Changelog
3.3.0
Note: This is the first pyfuse3 release compatible with Cython 3.0.0 release.
Cython 0.29.x is also still supported.
Cythonized with latest Cython 3.0.0.
Drop Python 3.6 and 3.7 support and testing, #71.
CI: also test python 3.12. test on cython 0.29 and cython 3.0.
Tell Cython that callbacks may raise exceptions, #80.
Fix lookup in examples/hello.py, similar to #16.
Misc. CI, testing, build and sphinx related fixes.
3.2.3
cythonize with latest Cython 0.29.34 (brings Python 3.12 support)
add a minimal pyproject.toml, require setuptools
tests: fix integer overflow on 32-bit arches, fixes#47
test: Use shutil.which() instead of external which(1) program
setup.py: catch more generic OSError when searching Cython, fixes#63
setup.py: require Cython >= 0.29
fix basedir computation in setup.py (fix pip install -e .)
use sphinx < 6.0 due to compatibility issues with more recent versions
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 23.0 to 23.2
- Update of rootfile
- Changelog
23.2
Document calendar-based versioning scheme (#716)
Enforce that the entire marker string is parsed (#687)
Requirement parsing no longer automatically validates the URL (#120)
Canonicalize names for requirements comparison (#644)
Introduce metadata.Metadata (along with metadata.ExceptionGroup and
metadata.InvalidMetadata; #570)
Introduce the validate keyword parameter to utils.normalize_name() (#570)
Introduce utils.is_normalized_name() (#570)
Make utils.parse_sdist_filename() and utils.parse_wheel_filename() raise
InvalidSdistFilename and InvalidWheelFilename, respectively, when the
version component of the name is invalid
23.1
Parse raw metadata (#671)
Import underlying parser functions as an underscored variable (#663)
Improve error for local version label with unsupported operators (#675)
Add dedicated error for specifiers with incorrect .* suffix
Replace spaces in platform names with underscores (#620)
Relax typing of _key on _BaseVersion (#669)
Handle prefix match with zeros at end of prefix correctly (#674)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated from version 1.1.0 to 1.2.0
- Update of rootfile
- Changelog
1.2.0
Added special monkeypatching if Apport has overridden sys.excepthook so it
will format exception groups correctly (PR by John Litborn)
Added a backport of contextlib.suppress() from Python 3.12.1 which also
handles suppressing exceptions inside exception groups
Fixed bare raise in a handler reraising the original naked exception rather
than an exception group which is what is raised when you do a raise in an
except* handler
1.1.3
catch() now raises a TypeError if passed an async exception handler instead
of just giving a RuntimeWarning about the coroutine never being awaited.
(#66, PR by John Litborn)
Fixed plain raise statement in an exception handler callback to work like a
raise in an except* block
Fixed new exception group not being chained to the original exception when
raising an exception group from exceptions raised in handler callbacks
Fixed type annotations of the derive(), subgroup() and split() methods to
match the ones in typeshed
1.1.2
Changed handling of exceptions in exception group handler callbacks to not
wrap a single exception in an exception group, as per CPython issue 103590
1.1.1
Worked around CPython issue #98778, urllib.error.HTTPError(..., fp=None)
raises KeyError on unknown attribute access, on affected Python versions.
(PR by Zac Hatfield-Dodds)
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as the pyproject.toml approach failed to build successfully.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used setup.py build approach as pyproject.toml approach kept failing to build
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- lfs and rootfile created.
- rootfile put into common as it is only used as a build dependency.
- Used pyproject.toml build approach
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
