Changelog:
"6.0.8 -- 2022-09-27
Task #5552: libhtp 0.5.41
6.0.7 -- 2022-09-27
Security #5430: mqtt: DOS by quadratic with too many transactions in one parse (6.0.x backport)
Bug #5559: BUG_ON triggered from TmThreadsInjectFlowById (6.0.x backport)
Bug #5549: Failed assert DeStateSearchState (6.0.x)
Bug #5548: tcp: assertion failed in DoInsertSegment (BUG_ON) (6.0.x)
Bug #5547: rules: less strict parsing of unexpected flowbit options
Bug #5546: rules: don't error on bad hex in content
Bug #5540: detect: transform strip whitespace creates a 0-sized variable-length array: backport6
Bug #5505: http2: slow http2_frames_get_header_value_vec because of allocation [backport6]
Bug #5471: Reject action is no longer working (6.0.x backport)
Bug #5467: rules: more graceful handling of anomalies for stable versions
Bug #5459: Counters are not initialized in all places. (6.0.x backport)
Bug #5448: nfs: add maximum number of operations per compound (6.0.x backport)
Bug #5436: Infinite loop if the sniffing interface temporarily goes down (6.0.x backports)
Bug #5335: flow: vlan.use-for-tracking is not used for ICMPv4 (6.0.x backport)
Bug #4421: flow manager: using too much CPU during idle (6.0.x backport)
Feature #5535: ips: add "reject" action to exception policies (6.0.x backport)
Feature #5500: ips: midstream: add "exception policy" for midstream (6.0.x backport)
Task #5551: doc: add exception policy documentation (6.0.x)
Task #5533: detect/parse: add tests for parsing signatures with reject and drop action (6.0.x backport)
Task #5525: exceptions: error out when invalid configuration value is passed (6.0.x backport)
Task #5381: add `alert-queue-expand-fails` command-line option (6.0.x backport)
Task #5328: python: distutils deprecation warning (6.0.x backport)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 2.4.8 to 2.4.9
- Update of rootfile
- Changelog
Release 2.4.9 Tue September 20 2022
Security fixes:
#629#640 CVE-2022-40674 -- Heap use-after-free vulnerability in
function doContent. Expected impact is denial of service
or potentially arbitrary code execution.
Bug fixes:
#634 MinGW: Fix mis-compilation for -D__USE_MINGW_ANSI_STDIO=0
#614 docs: Fix documentation on effect of switch XML_DTD on
symbol visibility in doc/reference.html
Other changes:
#638 MinGW: Make fix-xmltest-log.sh drop more Wine bug output
#596#625 Autotools: Sync CMake templates with CMake 3.22
#608 CMake: Migrate from use of CMAKE_*_POSTFIX to
dedicated variables EXPAT_*_POSTFIX to stop affecting
other projects
#597#599 Windows|CMake: Add missing -DXML_STATIC to test runners
and fuzzers
#512#621 Windows|CMake: Render .def file from a template to fix
linking with -DEXPAT_DTD=OFF and/or -DEXPAT_ATTR_INFO=ON
#611#621 MinGW|CMake: Apply MSVC .def file when linking
#622#624 MinGW|CMake: Sync library name with GNU Autotools,
i.e. produce libexpat-1.dll rather than libexpat.dll
by default. Filename libexpat.dll.a is unaffected.
#632 MinGW|CMake: Set missing variable CMAKE_RC_COMPILER in
toolchain file "cmake/mingw-toolchain.cmake" to avoid
error "windres: Command not found" on e.g. Ubuntu 20.04
#597#627 CMake: Unify inconsistent use of set() and option() in
context of public build time options to take need for
set(.. FORCE) in projects using Expat by means of
add_subdirectory(..) off Expat's users' shoulders
#626#641 Stop exporting API symbols when building a static library
#644 Resolve use of deprecated "fgrep" by "grep -F"
#620 CMake: Make documentation on variables a bit more consistent
#636 CMake: Drop leading whitespace from a #cmakedefine line in
file expat_config.h.cmake
#594 xmlwf: Fix harmless variable mix-up in function nsattcmp
#592#593#610 Address Cppcheck warnings
#643 Address Clang 15 compiler warnings
#642#644 Version info bumped from 9:8:8 to 9:9:8;
see https://verbump.de/ for what these numbers do
Infrastructure:
#597#598 CI: Windows: Start covering MSVC 2022
#619 CI: macOS: Migrate off deprecated macOS 10.15
#632 CI: Linux: Make migration off deprecated Ubuntu 18.04 work
#643 CI: Upgrade Clang from 14 to 15
#637 apply-clang-format.sh: Add support for BSD find
#633 coverage.sh: Exclude MinGW headers
#635 coverage.sh: Fix name collision for -funsigned-char
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.33/doc/arm/html/notes.html#notes-for-bind-9-16-33
"Security Fixes
Previously, there was no limit to the number of database lookups
performed while processing large delegations, which could be abused to
severely impact the performance of named running as a recursive
resolver. This has been fixed. (CVE-2022-2795)
ISC would like to thank Yehuda Afek from Tel-Aviv University and Anat
Bremler-Barr & Shani Stajnrod from Reichman University for bringing
this vulnerability to our attention. [GL #3394]
named running as a resolver with the stale-answer-client-timeout option
set to 0 could crash with an assertion failure, when there was a stale
CNAME in the cache for the incoming query. This has been fixed.
(CVE-2022-3080) [GL #3517]
A memory leak was fixed that could be externally triggered in the
DNSSEC verification code for the ECDSA algorithm. (CVE-2022-38177) [GL
#3487]
Memory leaks were fixed that could be externally triggered in the
DNSSEC verification code for the EdDSA algorithm. (CVE-2022-38178) [GL
#3487]
Feature Changes
Response Rate Limiting (RRL) code now treats all QNAMEs that are
subject to wildcard processing within a given zone as the same name, to
prevent circumventing the limits enforced by RRL. [GL #3459]
Zones using dnssec-policy now require dynamic DNS or inline-signing to
be configured explicitly. [GL #3381]
A backward-compatible approach was implemented for encoding
internationalized domain names (IDN) in dig and converting the domain
to IDNA2008 form; if that fails, BIND tries an IDNA2003 conversion. [GL
#3485]
Bug Fixes
A serve-stale bug was fixed, where BIND would try to return stale data
from cache for lookups that received duplicate queries or queries that
would be dropped. This bug resulted in premature SERVFAIL responses,
and has now been resolved. [GL #2982]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://lists.nlnetlabs.nl/pipermail/unbound-users/2022-September/007885.html
"This release fixes CVE-2022-3204 Non-Responsive Delegation
Attack. It was reported by Yehuda Afek from Tel-Aviv
University and Anat Bremler-Barr and Shani Stajnrod from
Reichman University.
This fixes for better performance when under load, by cutting
promiscuous queries for nameserver discovery and limiting the
number of times a delegation point can look in the cache for
missing records.
Bug Fixes
- Patch for CVE-2022-3204 Non-Responsive Delegation Attack."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Since we disabled Bluetooth support in the kernel a long time ago due to
security reasons, these do not serve any purpose anymore. Therefore, do
not ship them and delete them on existing installations.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 37 to 38
- Update of rootfile
- mandoc is now a build dependency for efivar
- Old compile fixes patches are no longer required with version 38
- Details for lfs build of version 38 obtained from Beyond Linux From Scratch
- Changelog
bug fixes
Rework some makefile bits to make overriding some options simpler. by @vathpela in #140
Handle /sys/devices/virtual/{nvme-fabrics,nvme-subsystem} devices by @vathpela in #139
guids.S: Include <cet.h> when CET is enabled by @hjl-tools in #149
Fix /sys/block sysfs parsing for eMMC-s by @jwrdegoede in #150
Properly check mmap return error by @hannob in #152
Fix s{yt,ty}le typo in efi_get_variable(3) by @nabijaczleweli in #162
Handle NULL set_variable() by @lcp in #159
Fix parsing for nvme-subsystem devices by @dannf in #158
Attempt to fix the identified thread safety bugs by @vathpela in #155
Make thread-test depend on libefivar.so by @hjl-tools in #176
Upstream a local patch from rawhide by @frozencemetery in #177
Fix conversion from UTF8 to UCS2 by @freedge in #171
efivar: make docs match current code for 'efivar -A' by @vathpela in #178
Migrate CI to Github actions by @frozencemetery in #179
Add code of conduct by @frozencemetery in #180
Misc minor fixes by @vathpela in #182
Add efi_time_t declarations and helper functions. by @vathpela in #183
More misc fixes by @vathpela in #185
Run CI on more targets by @vathpela in #187
Coverity fixes 20211208 by @vathpela in #189
CI: run abicheck by @frozencemetery in #190
Fix linux virtual root device parsing by @vathpela in #188
efivar.spec.in: fix license to be valid SPDX by @frozencemetery in #192
Add efisecdb tooling by @vathpela in #184
Fix linker string comparison for dash by @frozencemetery in #194
Full changelog diff between version 37 and 38 is available in github repo
https://github.com/rhboot/efivar/compare/37...38
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3.7.3 to 3.8.1
- Update of rootfile
- Changelog
3.8.1 release
This is a bugfix release, fixing a few portability issues
reported for Nettle-3.8.
Bug fixes:
* Avoid non-posix m4 argument references in the chacha
implementation for arm64, powerpc64 and s390x. Reported by
Christian Weisgerber, fix contributed by Mamone Tarsha.
* Use explicit .machine pseudo-ops where needed in s390x
assembly files. Bug report by Andreas K. Huettel, fix
contributed by Mamone Tarsha.
Optimizations:
* Implemented runtime detection of cpu features for OpenBSD on
arm64. Contributed by Christian Weisgerber.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.6 and libhogweed.so.6.6, with sonames
libnettle.so.8 and libhogweed.so.6.
3.8 release
This release includes a couple of new features, and many
performance improvements. It adds assembly code for two more
architectures: ARM64 and S390x.
The new version is intended to be fully source and binary
compatible with Nettle-3.6. The shared library names are
libnettle.so.8.5 and libhogweed.so.6.5, with sonames
libnettle.so.8 and libhogweed.so.6.
New features:
* AES keywrap (RFC 3394), contributed by Nicolas Mora.
* SM3 hash function, contributed by Tianjia Zhang.
* New functions cbc_aes128_encrypt, cbc_aes192_encrypt,
cbc_aes256_encrypt.
On processors where AES is fast enough, e.g., x86_64 with
aesni instructions, the overhead of using Nettle's general
cbc_encrypt can be significant. The new functions can be
implemented in assembly, to do multiple blocks with reduced
per-block overhead.
Note that there's no corresponding new decrypt functions,
since the general cbc_decrypt doesn't suffer from the same
performance problem.
Bug fixes:
* Fix fat builds for x86_64 windows, these appear to never
have worked.
Optimizations:
* New ARM64 implementation of AES, GCM, Chacha, SHA1 and
SHA256, for processors supporting crypto extensions. Great
speedups, and fat builds are supported. Contributed by
Mamone Tarsha.
* New s390x implementation of AES, GCM, Chacha, memxor, SHA1,
SHA256, SHA512 and SHA3. Great speedups, and fat builds are
supported. Contributed by Mamone Tarsha.
* New PPC64 assembly for ecc modulo/redc operations,
contributed by Amitay Isaacs, Martin Schwenke and Alastair
D´Silva.
* The x86_64 AES implementation using aesni instructions has
been reorganized with one separate function per key size,
each interleaving the processing of two blocks at a time
(when the caller processes multiple blocks with each call).
This gives a modest performance improvement on some
processors.
* Rewritten and faster x86_64 poly1305 assembly.
Known issues:
* Nettle's testsuite doesn't work out-of-the-box on recent
MacOS, due to /bin/sh discarding the DYLD_LIBRARY_PATH
environment variable. Nettle's test scripts handle this in
some cases, but currently fails the test cases that are
themselves written as /bin/sh scripts. As a workaround, use
make check EMULATOR='env DYLD_LIBRARY_PATH=$(TEST_SHLIB_DIR)'
Miscellaneous:
* Updated manual to current makeinfo conventions, with no
explicit node pointers. Generate pdf version with texi2pdf,
to get working hyper links.
* Added square root functions for NIST ecc curves, as a
preparation for supporting compact point representation.
* Reworked internal GCM/ghash interfaces, simplifying assembly
implementations. Deleted unused GCM C implementation
variants with less than 8-bit lookup table.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3.6.0 to 3.6.1
- Update of rootfile
- Changelog
Libarchive 3.6.1 is a bugfix and security release.
Security fixes:
7zip reader: fix PPMD read beyond boundary (#1671)
ZIP reader: fix possible out of bounds read (OSS-Fuzz 38766 #1672)
ISO reader: fix possible heap buffer overflow in read_children() (OSS-Fuzz 38764, #1685)
RARv4 redaer: fix multiple issues in RARv4 filter code (introduced in libarchive 3.6.0)
fix heap use after free in archive_read_format_rar_read_data() (OSS-Fuzz 44547, 52efa50)
fix null dereference in read_data_compressed() (OSS-Fuzz 44843, 1271f77)
fix heap user after free in run_filters() (OSS-Fuzz 46279, #1715)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.16.32/doc/arm/html/notes.html#notes-for-bind-9-16-32
Excerpt from changelog:
"5934. [func] Improve fetches-per-zone fetch limit logging to log
the final allowed and spilled values of the fetch
counters before the counter object gets destroyed.
[GL #3461]
5933. [port] Automatically disable RSASHA1 and NSEC3RSASHA1 in
named on Fedorda 33, Oracle Linux 9 and RHEL9 when
they are disabled by the security policy. [GL #3469]
5932. [bug] Fix rndc dumpdb -expired and always include expired
RRsets, not just for RBTDB_VIRTUAL time window.
[GL #3462]
5929. [bug] The "max-zone-ttl" option in "dnssec-policy" was
not fully effective; it was used for timing key
rollovers but did not actually place an upper limit
on TTLs when loading a zone. This has been
corrected, and the documentation has been clarified
to indicate that the old "max-zone-ttl" zone option
is now ignored when "dnssec-policy" is in use.
[GL #2918]
5924. [func] When it's necessary to use AXFR to respond to an
IXFR request, a message explaining the reason
is now logged at level info. [GL #2683]
5923. [bug] Fix inheritance for dnssec-policy when checking for
inline-signing. [GL #3438]
5922. [bug] Forwarding of UPDATE message could fail with the
introduction of netmgr. This has been fixed. [GL #3389]"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3.2.6 to 3.2.11
- Update of rootfile
- Changelog
Release 3.2.11 Latest
add actions workflows to check compilation on glibc and musl (devuan, alpine) by @ArsenArsen in #206
Add build instructions by @slicer69 in #207
src/libudev/conf-files.c: fix bug of using basename by @xfan1024 in #198
Permit eudev to work with rules which include escaped double-quotes by @slicer69 in #208
sync src/ata_id/ata_id.c by @bbonev in #201
sync src/v4l_id/v4l_id.c by @bbonev in #202
sync src/scsi_id/scsi_id.c by @bbonev in #203
sync src/mtd_probe/*.[ch] by @bbonev in #204
sparse: avoid clash with __bitwise and __force from 4.10 linux/types.… by @bbonev in #209
Silence deprecation warnings by @bbonev in #210
update CONTRIBUTING to reflect updated governance, clarify systemd commit hash requirements by @kaniini in #211
hashmap: don't initialize devt_hash_ops in the header by @kaniini in #212
Update to latest Devuan stable by @wwuck in #213
hwdb: sync with systemd/main by @bbonev in #215
Add getrandom(2) system call number for PowerPC by @Low-power in #216
No changelog for versions prior to 3.2.11 found. Looks like they are in nthe systemd
releases and not easily extracted.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 7.83.1 to 7.84.0
- Update of rootfile
- Changelog
7.84.0 - June 27 2022
Changes:
curl: add --rate to set max request rate per time unit
curl: deprecate --random-file and --egd-file
curl_version_info: add CURL_VERSION_THREADSAFE
CURLINFO_CAPATH/CAINFO: get the default CA paths from libcurl
lib: make curl_global_init() threadsafe when possible
libssh2: add CURLOPT_SSH_HOSTKEYFUNCTION
opts: deprecate RANDOM_FILE and EGDSOCKET
socks: support unix sockets for socks proxy
Bugfixes:
aws-sigv4: fix potentional NULL pointer arithmetic
bindlocal: don't use a random port if port number would wrap
c-hyper: mark status line as status for Curl_client_write()
ci: avoid `cmake -Hpath`
CI: bump FreeBSD 13.0 to 13.1
ci: update github actions
cmake: add libpsl support
cmake: do not add libcurl.rc to the static libcurl library
cmake: enable curl.rc for all Windows targets
cmake: fix detecting libidn2
cmake: support adding a suffix to the OS value
configure: skip libidn2 detection when winidn is used
configure: use the SED value to invoke sed
configure: warn about rustls being experimental
content_encoding: return error on too many compression steps
cookie: address secure domain overlay
cookie: apply limits
copyright.pl: parse and use .reuse/dep5 for skips
copyright: make repository REUSE compliant
curl.1: add a few see also --tls-max
curl.1: mention exit code zero too
curl: re-enable --no-remote-name
curl_easy_pause.3: remove explanation of progress function
curl_getdate.3: document that some illegal dates pass through
Curl_parsenetrc: don't access local pwbuf outside of scope
curl_url_set.3: clarify by default using known schemes only
CURLOPT_ALTSVC.3: document the file format
CURLOPT_FILETIME.3: fix the protocols this works with
CURLOPT_HTTPHEADER.3: improve comment in example
CURLOPT_NETRC.3: document the .netrc file format
CURLOPT_PORT.3: We discourage using this option
CURLOPT_RANGE.3: remove ranged upload advice
digest: added detection of more syntax error in server headers
digest: tolerate missing "realm"
digest: unquote realm and nonce before processing
DISABLED: disable 1021 for hyper again
docs/cmdline-opts: add copyright and license identifier to each file
docs/CONTRIBUTE.md: document the 'needs-votes' concept
docs: clarify data replacement policy for MIME API
doh: remove UNITTEST macro definition
examples/crawler.c: use the curl license
examples: remove fopen.c and rtsp.c
FAQ: Clarify Windows double quote usage
fopen: add Curl_fopen() for better overwriting of files
ftp: restore protocol state after http proxy CONNECT
ftp: when failing to do a secure GSSAPI login, fail hard
GHA/hyper: enable debug in the build
gssapi: improve handling of errors from gss_display_status
gssapi: initialize gss_buffer_desc strings
headers api: remove EXPERIMENTAL tag
http2: always debug print stream id in decimal with %u
http2: reject overly many push-promise headers
http: restore header folding behavior
hyper: use 'alt-used'
krb5: return error properly on decode errors
lib: make more protocol specific struct fields #ifdefed
libcurl-security.3: add "Secrets in memory"
libcurl-security.3: document CRLF header injection
libssh: skip the fake-close when libssh does the right thing
links: update dead links to the curl-wiki
log2changes: do not indent empty lines [ci skip]
macos9: remove partial support
Makefile.am: fix portability issues
Makefile.m32: delete obsolete options, improve -On [ci skip]
Makefile.m32: delete two obsolete OpenSSL options [ci skip]
Makefile.m32: stop forcing XP target with ipv6 enabled [ci skip]
max-time.d: clarify max-time sets max transfer time
mprintf: ignore clang non-literal format string
netrc: check %USERPROFILE% as well on Windows
netrc: support quoted strings
ngtcp2: allow curl to send larger UDP datagrams
ngtcp2: correct use of ngtcp2 and nghttp3 signed integer types
ngtcp2: enable Linux GSO
ngtcp2: extend QUIC transport parameters buffer
ngtcp2: fix alert_read_func return value
ngtcp2: fix typo in preprocessor condition
ngtcp2: handle error from ngtcp2_conn_submit_crypto_data
ngtcp2: send appropriate connection close error code
ngtcp2: support boringssl crypto backend
ngtcp2: use helper funcs to simplify TLS handshake integration
ntlm: provide a fixed fake host name
projects: fix third-party SSL library build paths for Visual Studio
quic: add Curl_quic_idle
quiche: support ca-fallback
rand: stop detecting /dev/urandom in cross-builds
remote-name.d: mention --output-dir
runtests.pl: add the --repeat parameter to the --help output
runtests: fix skipping tests not done event-based
runtests: skip starting the ssh server if user name is lacking
scripts/copyright.pl: fix the exclusion to not ignore man pages
sectransp: check for a function defined when __BLOCKS__ is undefined
select: return error from "lethal" poll/select errors
server/sws: support spaces in the HTTP request path
speed-limit/time.d: mention these affect transfers in either direction
strcase: some optimisations
test 2081: add a valid reply for the second request
test 675: add missing CR so the test passes when run through Privoxy
test414: add the '--resolve' keyword
test681: verify --no-remote-name
tests 266, 116 and 1540: add a small write delay
tests/data/test1501: kill ftp server after slow LIST response
tests/getpart: fix getpartattr to work with "data" and "data2"
tests/server/sws.c: change the HTTP writedelay unit to milliseconds
test{440,441,493,977}: add "HTTP proxy" keywords
tool_getparam: fix --parallel-max maximum value constraint
tool_operate: make sure --fail-with-body works with --retry
transfer: fix potential NULL pointer dereference
transfer: maintain --path-as-is after redirects
transfer: upload performance; avoid tiny send
url: free old conn better on reuse
url: remove redundant #ifdefs in allocate_conn()
url: URL encode the path when extracted, if spaces were set
urlapi: make curl_url_set(url, CURLUPART_URL, NULL, 0) clear all parts
urlapi: support CURLU_URLENCODE for curl_url_get()
urldata: reduce size of a few struct fields
urldata: remove three unused booleans from struct UserDefined
urldata: store tcp_keepidle and tcp_keepintvl as ints
version: allow stricmp() for sorting the feature list
vtls: make curl_global_sslset thread-safe
wolfssh.h: removed
wolfssl: correct the failf() message when a handle can't be made
wolfSSL: explicitly use compatibility layer
x509asn1: mark msnprintf return as unchecked
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
The third version of this patch conducts the necessary changes in
configroot. Previously, they took place in ipblocklist itself, which
would have caused user settings to be overwritten, should ipblocklist be
shipped in future Core Updates.
Fixes: #12917
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Stefan Schantl <stefan.schantl@ipfire.org>
