- This v3 version has split the logging choice for drop hostile to separate the logging of
incoming drop hostile and outgoing drop hostile.
- The bug originator had no port forwards so all hostile would be dropped normally anyway.
However the logs were being swamped by the logging of drop hostile making analysis
difficult. So incoming drop hostile was desired to not be logged. However logging of
outgoing drop hostile was desired to identify if clients on the internal lan were
infected with malware trying to reach home.
- Added option with drop hostile section to decide if the dropped traffic should be
logged or not.
Fixes: bug12981
Tested-by: Adolf Belka <adolf.belka@ipfire.org
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Tested-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Updated lfs file to core program type
- Moved rootfile from packages to common
- Older suricata versions required elfutils only for building but suricata-7.0.2 fails to
start if elfutils is not present due to libelf.so.1 being missing.
- The requirement for elfutils is not mentioned at all in the changelog.
Fixes: Bug#13516
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.23 to 1.24
- Update of rootfile not required
- Changelog
1.24
The option '--empty-error', which forces exit status 2 if any empty member
is found, has been added.
The option '--marking-error', which forces exit status 2 if the first LZMA
byte is non-zero in any member, has been added.
File diagnostics have been reformatted as 'PROGRAM: FILE: MESSAGE'.
Diagnostics caused by invalid arguments to command-line options now show the
argument and the name of the option.
The option '-o, --output' now preserves dates, permissions, and ownership of
the file when (de)compressing exactly one file.
The option '-o, --output' now creates missing intermediate directories when
writing to a file.
The variable MAKEINFO has been added to configure and Makefile.in.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.22 to 0.22.4
- Update of rootfile
- Changelog
0.22.4
* Bug fixes:
- AM_GNU_GETTEXT now recognizes a statically built libintl on macOS and AIX.
- Build fixes on AIX.
0.22.3
* Portability:
- The libintl library now works on macOS 14. (Older versions of libintl
crash on macOS 14, due to an incompatible change in macOS.)
0.22.2
* Bug fixes:
- The libintl shared library now exports again some symbols that were
accidentally missing.
<https://savannah.gnu.org/bugs/index.php?64323>
This bug was introduced in version 0.22.
0.22.1
* Bug fixes:
- xgettext's processing of large Perl files may have led to errors
<https://savannah.gnu.org/bugs/index.php?64552>
- "xgettext --join-existing" could encounter errors.
<https://savannah.gnu.org/bugs/index.php?64490>
These bugs were introduced in version 0.22.
* Portability:
- Building on Android is now supported.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.19 to 1.20
- Update of rootfile not required
- Changelog
1.20
New command-line options '+line', '+/RE', and '+?RE' have been implemented to
set the current line to the line number specified or to the first or last line
matching the regular expression 'RE'.
(Suggested by Matthew Polk and John Cowan).
File names containing control characters 1 to 31 are now rejected unless they
are allowed with the command-line option '--unsafe-names'.
File names containing control characters 1 to 31 are now printed using octal
escape sequences.
Ed now rejects file names ending with a slash.
Intervening commands that don't set the modified flag no longer make a second
'e' or 'q' command fail with a 'buffer modified' warning.
Tilde expansion is now performed on file names supplied to commands; if a file
name starts with '~/', the tilde (~) is expanded to the contents of the
variable HOME. (Suggested by John Cowan).
Ed now warns the first time that a command modifies a buffer loaded from a
read-only file. (Suggested by Dan Jacobson).
Ed now creates missing intermediate directories when writing to a file.
It has been documented that 'e' creates an empty buffer if file does not exist.
It has been documented that 'f' sets the default filename, whether or not its
argument names an existing file.
The description of the exit status has been improved in '--help' and in the
manual.
The variable MAKEINFO has been added to configure and Makefile.in.
It has been documented in INSTALL that when choosing a C standard, the POSIX
features need to be enabled explicitly:
./configure CFLAGS+='--std=c99 -D_POSIX_C_SOURCE=2'
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.9 to 3.10
- Update of rootfile not required
- Changelog
3.10
Bug fixes
cmp/diff can again work with file dates past Y2K38
[bug introduced in 3.9]
diff -D no longer fails to output #ifndef lines.
[bug#61193 introduced in 3.9]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3450000 to 3450100
- Update of rootfile not required
- Changelog
3.45.1
Restore the JSON BLOB input bug, and promise to support the anomaly in subsequent
releases, for backward compatibility.
Fix the PRAGMA integrity_check command so that it works on read-only databases
that contain FTS3 and FTS5 tables. This resolves an issue introduced in version
3.44.0 but was undiscovered until after the 3.45.0 release.
Fix issues associated with processing corrupt JSONB inputs:
Prevent exponential runtime when converting a corrupt JSONB into text.
Fix a possible read of one byte past the end of the JSONB blob when
converting a corrupt JSONB into text.
Enhanced testing using jfuzz to prevent any future JSONB problems such as the
above.
Fix a long-standing bug in which a read of a few bytes past the end of a
memory-mapped segment might occur when accessing a craftily corrupted database
using memory-mapped database.
Fix a long-standing bug in which a NULL pointer dereference might occur in the
bytecode engine due to incorrect bytecode being generated for a class of SQL
statements that are deliberately designed to stress the query planner but which
are otherwise pointless.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.2 with patch 1 to 8.2 with patches 1 to 10
- Update of rootfile not required
- Changelog
Patch 10
Fix the case where text to be completed from the line buffer (quoted) is
compared to the common prefix of the possible matches (unquoted) and the
quoting makes the former appear to be longer than the latter. Readline
assumes the match doesn't add any characters to the word and doesn't display
multiple matches.
Patch 9
Fix issue where the directory name portion of the word to be completed (the
part that is passed to opendir()) requires both tilde expansion and dequoting.
Readline only performed tilde expansion in this case, so filename completion
would fail.
Patch 8
Add missing prototypes for several function declarations.
Patch 7
If readline is called with no prompt, it should display a newline if return
is typed on an empty line. It should still suppress the final newline if
return is typed on the last (empty) line of a multi-line command.
Patch 6
This is a variant of the same issue as the one fixed by patch 5. In this
case, the signal arrives and is pending before readline calls rl_getc().
When this happens, the pending signal will be handled by the loop, but may
alter or destroy some state that the callback uses. Readline needs to treat
this case the same way it would if a signal interrupts pselect/select, so
compound operations like searches and reading numeric arguments get cleaned
up properly.
Patch 5
If an application is using readline in callback mode, and a signal arrives
after readline checks for it in rl_callback_read_char() but before it
restores the application's signal handlers, it won't get processed until the
next time the application calls rl_callback_read_char(). Readline needs to
check for and resend any pending signals after restoring the application's
signal handlers.
Patch 4
There are systems that supply one of select or pselect, but not both.
Patch 3
The custom color prefix that readline uses to color possible completions
must have a leading `.'.
Patch 2
It's possible for readline to try to zero out a line that's not null-
terminated, leading to a memory fault.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20231026 to 20240125
- Update of rootfile not required
- Changelog - update of iana-etc files
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.49.2 to 1.49.3
- Update of rootfile not required
- Changelog
1.49.3
* Cleanup whitespace in po-texi/help2man-texi.pot.
* Add Korean translation (thanks to Seong-ho Cho).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 5.44 to 5.45
- Update of rootfile not required
- Changelog
5.45
* PR/465: psrok1: Avoid muslc asctime_r crash
* add SIMH tape format support
* bump the max size of the elf section notes to be read to 128K
and make it configurable
* PR/415: Fix decompression with program returning empty
* PR/408: fix -p with seccomp
* PR/412: fix MinGW compilation
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These include (amongst others) fixes for:
GLIBC-SA-2024-0001:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6246)
__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER
containing a long program name failed to update the required buffer
size, leading to the allocation and overflow of a too-small buffer on
the heap.
GLIBC-SA-2024-0002:
===================
syslog: Heap buffer overflow in __vsyslog_internal (CVE-2023-6779)
__vsyslog_internal used the return value of snprintf/vsnprintf to
calculate buffer sizes for memory allocation. If these functions (for
any reason) failed and returned -1, the resulting buffer would be too
small to hold output.
GLIBC-SA-2024-0003:
===================
syslog: Integer overflow in __vsyslog_internal (CVE-2023-6780)
__vsyslog_internal calculated a buffer size by adding two integers, but
did not first check if the addition would overflow.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Calling a global sync operation manually is generally a bad idea as it
can block for forever. If people have storage that does not retain
anything that is being written to it, they need to fix their hardware.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.3 to 1.3.1
- Update of rootfile
- Changelog
1.3.1
- Reject overflows of zip header fields in minizip
- Fix bug in inflateSync() for data held in bit buffer
- Add LIT_MEM define to use more memory for a small deflate speedup
- Fix decision on the emission of Zip64 end records in minizip
- Add bounds checking to ERR_MSG() macro, used by zError()
- Neutralize zip file traversal attacks in miniunz
- Fix a bug in ZLIB_DEBUG compiles in check_match()
- Various portability and appearance improvements
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 5.4.5 to 5.4.6
- Update of rootfile
- Changelog
5.4.6
* Fixed a bug involving internal function pointers in liblzma not
being initialized to NULL. The bug can only be triggered if
lzma_filters_update() is called on a LZMA1 encoder, so it does
not affect xz or any application known to us that uses liblzma.
* xz:
- Fixed a regression introduced in 5.4.2 that caused encoding
in the raw format to unnecessarily fail if --suffix was not
used. For instance, the following command no longer reports
that --suffix must be used:
echo foo | xz --format=raw --lzma2 | wc -c
- Fixed an issue on MinGW-w64 builds that prevented reading
from or writing to non-terminal character devices like NUL.
* Added a new test.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.6.39 to 1.6.41
- Update of rootfile
- Changelog
1.6.41
Added SIMD-optimized code for the Loongarch LSX hardware.
(Contributed by GuXiWei, JinBo and ZhangLixia)
Fixed the run-time discovery of MIPS MSA hardware.
(Contributed by Sui Jingfeng)
Fixed an off-by-one error in the function `png_do_check_palette_indexes`,
which failed to recognize errors that might have existed in the first
column of a broken palette-encoded image. This was a benign regression
accidentally introduced in libpng-1.6.33. No pixel was harmed.
(Contributed by Adam Richter; reviewed by John Bowler)
Fixed, improved and modernized the contrib/pngminus programs, i.e.,
png2pnm.c and pnm2png.c
Removed old and peculiar portability hacks that were meant to silence
warnings issued by gcc version 7.1 alone.
(Contributed by John Bowler)
Fixed and modernized the CMake file, and raised the minimum required
CMake version from 3.1 to 3.6.
(Contributed by Clinton Ingram, Timothy Lyanguzov, Tyler Kropp, et al.)
Allowed the configure script to disable the building of auxiliary tools
and tests, thus catching up with the CMake file.
(Contributed by Carlo Bramini)
Fixed a build issue on Mac.
(Contributed by Zixu Wang)
Moved the Autoconf macro files to scripts/autoconf.
Moved the CMake files (except for the main CMakeLists.txt) to
scripts/cmake and moved the list of their contributing authors to
scripts/cmake/AUTHORS.md
Updated the CI configurations and scripts.
Relicensed the CI scripts to the MIT License.
Improved the test coverage.
(Contributed by John Bowler)
1.6.40
Fixed the eXIf chunk multiplicity checks.
Fixed a memory leak in pCAL processing.
Corrected the validity report about tRNS inside png_get_valid().
Fixed various build issues on *BSD, Mac and Windows.
Updated the configurations and the scripts for continuous integration.
Cleaned up the code, the build scripts, and the documentation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 5.2 with patches 1 to 21 to 5.2 with patches 1 to 26
- Update of rootfile not required
- Changelog
Patch 26
The custom color prefix that readline uses to color possible completions
must have a leading `.'.
Patch 25
Make sure a subshell checks for and handles any terminating signals before
exiting (which might have arrived after the command completed) so the parent
and any EXIT trap will see the correct value for $?.
Patch 24
Fix bug where associative array compound assignment would not expand tildes
in values.
Patch 23
Running `local -' multiple times in a shell function would overwrite the
original saved set of options.
Patch 22
It's possible for readline to try to zero out a line that's not null-
terminated, leading to a memory fault.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
