- Update from version 4.2.8p15 to 4.2.8p17
- Update of rootfile not required
- Tested out on vm testbed. Time correctly updated every hour and pakfire was able to
download and install various addons without any problems indicating that the time
is working correctly.
- patch to enable build with glibc-2.34 no longer needed. ntp updated to work correctly
with glibc-2.34 but IPFire running with version 2.37. Version 2.4.8p17 built without
any problems without the patch.
- Changelog
4.2.8p17 2023/06/06 Released by Harlan Stenn <stenn@ntp.org>
* [Bug 3824] Spurious "ntpd: daemon failed to notify parent!" logged at
event_sync. Reported by Edward McGuire. <hart@ntp.org>
* [Bug 3822] ntpd significantly delays first poll of servers specified by name.
<hart@ntp.org> Miroslav Lichvar identified regression in 4.2.8p16.
* [Bug 3821] 4.2.8p16 misreads hex authentication keys, won't interop with
4.2.8p15 or earlier. Reported by Matt Nordhoff, thanks to
Miroslav Lichvar and Matt for rapid testing and identifying the
problem. <hart@ntp.org>
* Add tests/libntp/digests.c to catch regressions reading keys file or with
symmetric authentication digest output.
4.2.8p16 2023/05/31 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 3808] Assertion failure in ntpq on malformed RT-11 date <perlinger@ntp.org>
* [Sec 3807] praecis_parse() in the Palisade refclock driver has a
hypothetical input buffer overflow. Reported by ... stenn@
* [Sec 3806] libntp/mstolfp.c needs bounds checking <perlinger@ntp.org>
- solved numerically instead of using string manipulation
* [Sec 3767] An OOB KoD RATE value triggers an assertion when debug is enabled.
<stenn@ntp.org>
* [Bug 3819] Updated libopts/Makefile.am was missing NTP_HARD_* values. <stenn@>
* [Bug 3817] Bounds-check "tos floor" configuration. <hart@ntp.org>
* [Bug 3814] First poll delay of new or cleared associations miscalculated.
<hart@ntp.org>
* [Bug 3802] ntp-keygen -I default identity modulus bits too small for
OpenSSL 3. Reported by rmsh1216@163.com <hart@ntp.org>
* [Bug 3801] gpsdjson refclock gps_open() device name mishandled. <hart@ntp.org>
* [Bug 3800] libopts-42.1.17 does not compile with Microsoft C. <hart@ntp.org>
* [Bug 3799] Enable libopts noreturn compiler advice for MSC. <hart@ntp.org>
* [Bug 3797] Windows getaddrinfo w/AI_ADDRCONFIG fails for localhost when
disconnected, breaking ntpq and ntpdc. <hart@ntp.org>
* [Bug 3795] pollskewlist documentation uses | when it shouldn't.
- ntp.conf manual page and miscopt.html corrections. <hart@ntp.org>
* [Bug 3793] Wrong variable type passed to record_raw_stats(). <hart@ntp.org>
- Report and patch by Yuezhen LUAN <wei6410@sina.com>.
* [Bug 3786] Timer starvation on high-load Windows ntpd. <hart@ntp.org>
* [Bug 3784] high-load ntpd on Windows deaf after enough ICMP TTL exceeded.
<hart@ntp.org>
* [Bug 3781] log "Unable to listen for broadcasts" for IPv4 <hart@ntp.org>
* [Bug 3774] mode 6 packets corrupted in rawstats file <hart@ntp.org>
- Reported by Edward McGuire, fix identified by <wei6410@sina.com>.
* [Bug 3758] Provide a 'device' config statement for refclocks <perlinger@ntp.org>
* [Bug 3757] Improve handling of Linux-PPS in NTPD <perlinger@ntp.org>
* [Bug 3741] 4.2.8p15 can't build with glibc 2.34 <perlinger@ntp.org>
* [Bug 3725] Make copyright of clk_wharton.c compatible with Debian.
Philippe De Muyter <phdm@macqel.be>
* [Bug 3724] ntp-keygen with openSSL 1.1.1 fails on Windows <perlinger@ntp.org>
- openssl applink needed again for openSSL-1.1.1
* [Bug 3719] configure.ac checks for closefrom() and getdtablesize() missing.
Reported by Brian Utterback, broken in 2010 by <hart@ntp.org>
* [Bug 3699] Problems handling drift file and restoring previous drifts <perlinger@ntp.org>
- command line options override config statements where applicable
- make initial frequency settings idempotent and reversible
- make sure kernel PLL gets a recovered drift componsation
* [Bug 3695] Fix memory leak with ntpq on Windows Server 2019 <perlinger@ntp.org>
* [Bug 3694] NMEA refclock seems to unnecessarily require location in messages
- misleading title; essentially a request to ignore the receiver status.
Added a mode bit for this. <perlinger@ntp.org>
* [Bug 3693] Improvement of error handling key lengths <perlinger@ntp.org>
- original patch by Richard Schmidt, with mods & unit test fixes
* [Bug 3692] /dev/gpsN requirement prevents KPPS <perlinger@ntp.org>
- implement/wrap 'realpath()' to resolve symlinks in device names
* [Bug 3691] Buffer Overflow reading GPSD output
- original patch by matt<ntpbr@mattcorallo.com>
- increased max PDU size to 4k to avoid truncation
* [Bug 3690] newline in ntp clock variable (parse) <perlinger@ntp.org>
- patch by Frank Kardel
* [Bug 3689] Extension for MD5, SHA-1 and other keys <perlinger@ntp.org>
- ntp{q,dc} now use the same password processing as ntpd does in the key
file, so having a binary secret >= 11 bytes is possible for all keys.
(This is a different approach to the problem than suggested)
* [Bug 3688] GCC 10 build errors in testsuite <perlinger@ntp.org>
* [Bug 3687] ntp_crypto_rand RNG status not known <perlinger@ntp.org>
- patch by Gerry Garvey
* [Bug 3682] Fixes for warnings when compiled without OpenSSL <perlinger@ntp.org>
- original patch by Gerry Garvey
* [Bug 3677] additional peer events not decoded in associations listing <perlinger@ntp.org>
- original patch by Gerry Garvey
* [Bug 3676] compiler warnings (CMAC, interrupt_buf, typo, fallthrough)
- applied patches by Gerry Garvey
* [Bug 3675] ntpq ccmds[] stores pointer to non-persistent storage
* [Bug 3674] ntpq command 'execute only' using '~' prefix <perlinger@ntp.org>
- idea+patch by Gerry Garvey
* [Bug 3672] fix biased selection in median cut <perlinger@ntp.org>
* [Bug 3666] avoid unlimited receive buffer allocation <perlinger@ntp.org>
- follow-up: fix inverted sense in check, reset shortfall counter
* [Bug 3660] Revert 4.2.8p15 change to manycast. <hart@ntp.org>
* [Bug 3640] document "discard monitor" and fix the code. <hart@ntp.org>
- fixed bug identified by Edward McGuire <perlinger@ntp.org>
* [Bug 3626] (SNTP) UTC offset calculation needs dst flag <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3428] ntpd spinning consuming CPU on Linux router with full table.
Reported by Israel G. Lugo. <hart@ntp.org>
* [Bug 3103] libopts zsave_warn format string too few arguments <bkorb@gnu.org>
* [Bug 2990] multicastclient incorrectly causes bind to broadcast address.
Integrated patch from Brian Utterback. <hart@ntp.org>
* [Bug 2525] Turn on automake subdir-objects across the project. <hart@ntp.org>
* [Bug 2410] syslog an error message on panic exceeded. <brian.utterback@oracle.com>
* Use correct rounding in mstolfp(). perlinger/hart
* M_ADDF should use u_int32. <hart@ntp.org>
* Only define tv_fmt_libbuf() if we will use it. <stenn@ntp.org>
* Use recv_buffer instead of the longer recv_space.X_recv_buffer. hart/stenn
* Make sure the value returned by refid_str() prints cleanly. <stenn@ntp.org>
* If DEBUG is enabled, the startup banner now says that debug assertions
are in force and that ntpd will abort if any are violated. <stenn@ntp.org>
* syslog valid incoming KoDs. <stenn@ntp.org>
* Rename a poorly-named variable. <stenn@ntp.org>
* Disable "embedded NUL in string" messages in libopts, when we can. <stenn@>
* Use https in the AC_INIT URLs in configure.ac. <stenn@ntp.org>
* Implement NTP_FUNC_REALPATH. <stenn@ntp.org>
* Lose a gmake construct in ntpd/Makefile.am. <stenn@ntp.org>
* upgrade to: autogen-5.18.16
* upgrade to: libopts-42.1.17
* upgrade to: autoconf-2.71
* upgrade to: automake-1.16.15
* Upgrade to libevent-2.1.12-stable <stenn@ntp.org>
* Support OpenSSL-3.0
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
There are no functional changes in these files, but they are however
linked against OpenSSL 1.1.1 and need to be re-shipped before we remove
the legacy library.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This reverts commit aa8a659ab7.
This cannot be done, yet, because an updated system still has hundreds
of files using the old libraries. Those will have to be re-shipped first
before we actually remove OpenSSL 1.1.1.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Changelog is too long to include it here, please refer to the ChangeLog
file in the sourcecode tarball.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
The function tries to figure out which networks are connected locally,
but VPN tunnels that use 0.0.0.0 and GRE/VTI interfaces will be
considered local and the proxy is being disabled for everyone.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.15.4 to 1.20.4
- Update of x86_64 rootfile
aarch64 rootfile needs to be created on a aarch64 build system
- Changelog is very large. For details see https://go.dev/doc/devel/release
50 mentions of security fixes in the changes from 1.15.4 to 1.20.4
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- In Core Update 175 lvm was updated and 69-dm-lvm-metad.rules was replaced with
69-dm-lvm.rules in the lvm rootfile.
- That previous patch update did not remove the no longer existing 69-dm-lvm-metad.rules
from existing installations. This patch corrects that.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Redhat updated lvm udev rule 69-dm-lvm.rules to only work with systemd
- Update 69-dm-lvm.rules to work with IPFire based on input from @Daniel of what worked
to mount an existing lvm volume
Suggested-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
This patch does not include the rootfile for riscv64 because GCC FTBFS.
Bug #13156 has been opened to address this.
But since we don't officially support IPFire riscv64, yet, this should
not delay this going into next.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from version 3.9.0 to 3.10.0
- Update of rootfile
- version 3.9.0 failed to output some of the symbols. This was found as a bug in Fedora but
also seen by some people in IPFire CU175 with flashrom where the version 3.3 symbol is
provided.
Fedora made a patch to resolve this issue for 3.9.0 but 3.10.0 has been released since
then and Fedora removed the patch that was used for 2.9.0 as pciutils has had that bug
fixed - see first item in changelog.
- Changelog
Released as 3.10.0.
Fixed bug in definition of versioned symbol aliases
in shared libpci, which made compiling with link-time
optimization fail.
Filters now accept "0x..." syntax for backward compatibility.
Windows: The cfgmgr32 back-end which provides the list of devices
can be combined with another back-end which provides access
to configuration space.
ECAM (Enhanced Configuration Access Mechanism), which is defined
by the PCIe standard, is now supported. It requires root privileges,
access to physical memory, and also manual configuration on some
systems.
lspci: Tree view now works on multi-domain systems. It now respects
filters properly.
Last but not least, pci.ids were updated to the current snapshot
of the database. This includes overall cleanup of entries with
non-ASCII characters in their names -- such characters are allowed,
but only if they convey interesting information (e.g., umlauts
in German company names, but not the "registered trade mark" sign).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- This was fixed for creating a static ip address pool name in bug#12865 but was not
applied to the case when the static ip address pool name was being edited.
- This fix corrects that oversight.
Fixes: Bug#13136
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Excerpt from changelog:
"6.0.13 -- 2023-06-15
Security #6119: datasets: absolute path in rules can overwrite arbitrary files (6.0.x backport)
Bug #6138: Decode-events of IPv6 packets are not triggered (6.0.x backport)
Bug #6136: suricata-update: dump-sample-configs: configuration files not found (6.0.x backport)
Bug #6125: http2: cpu overconsumption in rust moving/memcpy in http2_parse_headers_blocks (6.0.x backport)
Bug #6113: ips: txs still logged for dropped flow (6.0.x backport)
Bug #6056: smtp: long line discard logic should be separate for server and client (6.0.x backport)
Bug #6055: ftp: long line discard logic should be separate for server and client (6.0.x backport)
Bug #5990: smtp: any command post a long command gets skipped (6.0.x backport)
Bug #5982: smtp: Long DATA line post boundary is capped at 4k Bytes (6.0.x backport)
Bug #5809: smb: convert transaction list to vecdeque (6.0.x backport)
Bug #5604: counters: tcp.syn, tcp.synack, tcp.rst depend on flow (6.0.x backport)
Bug #5550: dns: allow dns messages with invalid opcodes (6.0.x backport)
Task #5984: libhtp 0.5.44 (6.0.x backport)
Documentation #6134: userguide: add instructions/explanation for (not) running suricata with root (6.0.x backport)
Documentation #6121: datasets: 6.0.x work-arounds for dataset supply chain attacks"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This patch will return the exit code from the called process which has
not been done before. This made it more difficult to catch any
unsuccessful calls from the web UI.
Partly Fixes: #12863
Tested-by: Jon Murphy <jon.murphy@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.7.5 to 0.9.4
- Update of rootfile
- wavemon would not build because it could not find the netlink include files. wavemon was
still looking in include/netlink/ as for libnl version 1 but with libnl3 the include
files are in include/libnl3/netlink/
- Based on an issue entry in the wavemon github repo I created the patch to force wavemon
to look in the correct place.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.3 to 3.3a
- Update of rootfile not required
- Changelog
CHANGES FROM 3.3 TO 3.3a
* Do not crash when run-shell produces output from a config file.
* Do not unintentionally turn off all mouse mode when button mode is also
present.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 5.63 to 5.69
- Update of rootfile not required
- Changelog
Version 5.69, 2023.03.04, urgency: MEDIUM
* New features
- Improved logging performance with the "output" option.
- Improved file read performance on the WIN32 platform.
- DH and kDHEPSK ciphersuites removed from FIPS defaults.
- Set the LimitNOFILE ulimit in stunnel.service to allow
for up to 10,000 concurrent clients.
* Bugfixes
- Fixed the "CApath" option on the WIN32 platform by
applying https://github.com/openssl/openssl/pull/20312.
- Fixed stunnel.spec used for building rpm packages.
- Fixed tests on some OSes and architectures by merging
Debian 07-tests-errmsg.patch (thx to Peter Pentchev).
Version 5.68, 2023.02.07, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.8.
* New features
- Added the new 'CAengine' service-level option
to load a trusted CA certificate from an engine.
- Added requesting client certificates in server
mode with 'CApath' besides 'CAfile'.
- Improved file read performance.
- Improved logging performance.
* Bugfixes
- Fixed EWOULDBLOCK errors in protocol negotiation.
- Fixed handling TLS errors in protocol negotiation.
- Prevented following fatal TLS alerts with TCP resets.
- Improved OpenSSL initialization on WIN32.
- Improved testing suite stability.
Version 5.67, 2022.11.01, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.7.
* New features
- Provided a logging callback to custom engines.
* Bugfixes
- Fixed "make cert" with OpenSSL older than 3.0.
- Fixed the code and the documentation to use conscious
language for SNI servers (thx to Clemens Lang).
Version 5.66, 2022.09.11, urgency: MEDIUM
* New features
- OpenSSL 3.0 FIPS Provider support for Windows.
* Bugfixes
- Fixed building on machines without pkg-config.
- Added the missing "environ" declaration for
BSD-based operating systems.
- Fixed the passphrase dialog with OpenSSL 3.0.
Version 5.65, 2022.07.17, urgency: HIGH
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.5.
* Bugfixes
- Fixed handling globally enabled FIPS.
- Fixed openssl.cnf processing in WIN32 GUI.
- Fixed a number of compiler warnings.
- Fixed tests on older versions of OpenSSL.
Version 5.64, 2022.05.06, urgency: MEDIUM
* Security bugfixes
- OpenSSL DLLs updated to version 3.0.3.
* New features
- Updated the pkcs11 engine for Windows.
* Bugfixes
- Removed the SERVICE_INTERACTIVE_PROCESS flag in
"stunnel -install".
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 1.0.5 to 1.0.7
- Update of rootfile not required
- Changelog
Version 1.0.7
* Check for sys/prctl.h availability, because non-Linux
architectures don't provide <sys/prctl.h>.
* Improved GitHub CI:
- Added CI test for macOS.
- Added a check for stress command.
- Added a test for 'make dist-bzip2'.
* Moved manpage from doc/ to man/.
Version 1.0.6
* Register parent termination signal in child processes.
* Added 'make dist' check in CI test.
* Added rights for Vratislav Bendel.
* Re-organized src/stress.c via astyle command.
* Updated GPL-2 license text for src/stress.c.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 6.1 to 6.3
- Update of rootfile not required
- Changelog
Noteworthy changes in release 6.3 (2023-05-08)
* Improvements
* Implemented --trace-fds=set option for filtering only the syscalls
that operate on the specified set of file descriptors.
* Implemented --decode-fds=signalfd option for decoding of signal masks
associated with signalfd file descriptors.
* Implemented --syscall-limit option to automatically detach tracees
after capturing the specified number of syscalls.
* Implemented --argv0 option to set argv[0] of the command being executed.
* Implemented decoding of PR_GET_MDWE and PR_SET_MDWE operations of prctl
syscall.
* Implemented decoding of IP_LOCAL_PORT_RANGE socket option.
* Implemented decoding of IFLA_BRPORT_MCAST_N_GROUPS,
IFLA_BRPORT_MCAST_MAX_GROUPS, IFLA_GSO_IPV4_MAX_SIZE,
IFLA_GRO_IPV4_MAX_SIZE, and TCA_EXT_WARN_MSG netlink attributes.
* Updated lists of F_SEAL_*, IFLA_*, IORING_*, MFD_*, NFT_*, TCA_*,
and V4L2_PIX_FMT_* constants.
* Updated lists of ioctl commands from Linux 6.3.
* Bug fixes
* Fixed build on hppa with uapi headers from Linux >= 6.2.
* Fixed --status filtering when -c option is in use.
Noteworthy changes in release 6.2 (2023-02-26)
* Improvements
* Implemented collision resolution for overlapping ioctl commands
from tty and snd subsystems.
* Implemented decoding of IFLA_BRPORT_MAB and IFLA_DEVLINK_PORT
netlink attributes.
* Updated lists of ALG_*, BPF_*, IFLA_*, KEY_*, KVM_*, LANDLOCK_*,
MEMBARRIER_*, NFT_*, NTF_*, and V4L2_* constants.
* Updated lists of ioctl commands from Linux 6.2.
* Bug fixes
* Fixed build on alpha architecture.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
