- Update from version 5.69 to 5.71
- Update of rootfile not required
- Changelog
5.71, 2023.09.19, urgency: MEDIUM
Security bugfixes
- OpenSSL DLLs updated to version 3.1.3.
Bugfixes
- Fixed the console output of tstunnel.exe.
Features sponsored by SAE IT-systems
- OCSP stapling is requested and verified in the client mode.
- Using "verifyChain" automatically enables OCSP
stapling in the client mode.
- OCSP stapling is always available in the server mode.
- An inconclusive OCSP verification breaks TLS negotiation.
This can be disabled with "OCSPrequire = no".
- Added the "TIMEOUTocsp" option to control the maximum
time allowed for connecting an OCSP responder.
Features
- Added support for Red Hat OpenSSL 3.x patches.
5.70, 2023.07.12, urgency: HIGH
Security bugfixes
- OpenSSL DLLs updated to version 3.0.9.
- OpenSSL FIPS Provider updated to version 3.0.8.
Bugfixes
- Fixed TLS socket EOF handling with OpenSSL 3.x.
This bug caused major interoperability issues between
stunnel built with OpenSSL 3.x and Microsoft's
Schannel Security Support Provider (SSP).
- Fixed reading certificate chains from PKCS#12 files.
Features
- Added configurable delay for the "retry" option.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 23.08.0 to 24.01.0
- Update of rootfile
- Changelog
24.01.0:
core:
* Don't crash on certain documents on the NSS signature backend
* Fix infinite loop in some annotation code if there's not space for
even one character
* Fix build on Android with generic font configuration
* Small internal code cleanup
23.12.0:
core:
* Rewrite FoFiType1::parse to be more flexible. Issue #1422
* Small internal code refactoring
23.11.0:
core:
* CairoOutputDev: Use internal downscaling algorithm if image exceeds
Cairo's maximum dimensions.
* Internal code improvements
* Fix crash on malformed files
utils:
* pdftocairo: Add option to document logical structure if output is pdf
* pdftocairo: EPS output should not contain %%PageOrientation
23.10.0:
core:
* cairo: update type 3 fonts for cairo 1.18 api
* Fix crash on malformed files
build system:
* Make a few more dependencies soft-mandatory
* Add more supported gnupg releases
* Check if linker supports version scripts
23.09.0:
core:
* Add Android-specific font matching functionality
* Fix digital signatures for NeedAppearance=true
* Forms: Don't look up same glyph multiple times
* Provide the key location for certificates you can sign with
* Add ToUnicode support for similarequal
* Fix crash on malformed files
qt5:
* Provide the key location for certificates you can sign with
* Allow to force a rasterized overprint preview during PS conversion
qt6:
* Provide the key location for certificates you can sign with
* Allow to force a rasterized overprint preview during PS conversion
pdfsig:
* Provide the key location for certificates you can sign with
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 6.20 to 7.00
- Update of rootfile not required
- Changelog
7.00
IMC polling for live DRAM settings
Preliminary support for ECC polling
Add support for MMIO UART
Add debugging options
Bug fixes & optimizations
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 8.10.0 to 10.0.0
- Update of rootfile
- Changelog is too large to include here. Details can be found in the NEWS.rst file in the
source tarball
CVE-2023-3750 was fixed in version 9.6.0
Fix race condition in storage driver leading to a crash
In **libvirt-8.3** a bug was introduced which in rare cases could cause
``libvirtd`` or ``virtstoraged`` to crash if multiple clients attempted to
look up a storage volume by key, path or target path, while other clients
attempted to access something from the same storage pool.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.3.4 to 2.4.1
- Update of rootfile
- Changelog
2.4.1 (2023-07-20)
No change information available anywhere that I could find
2.4.0 (2023-01-18)
No change information available anywhere that I could find
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 7.17 to 7.19
- Update of rootfile not required
- Changelog
7.19
- build: Fix the double-prefix in pkgconfig (Sam James)
7.18
- Add json output to list command (Thomas Oberhammer)
- tests: hash:ip,port.t: Replace VRRP by GRE protocol (Phil Sutter)
- tests: hash:ip,port.t: 'vrrp' is printed as 'carp' (Phil Sutter)
- tests: cidr.sh: Add ipcalc fallback (Phil Sutter)
- tests: xlate: Make test input valid (Phil Sutter)
- tests: xlate: Test built binary by default (Phil Sutter)
- xlate: Drop dead code (Phil Sutter)
- xlate: Fix for fd leak in error path (Phil Sutter)
- configure.ac: fix bashisms (Sam James)
- lib/Makefile.am: fix pkgconfig dir (Sam James)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.8.5 to 2.9.2
- Update of rootfile not required
- Changelog is too large to include here. Details can be found in the CHANGELOG file in the
source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 10.0.0 to 10.2.1
- Update of rootfile
- Changelog is a bit too large to include here. Details can be found in ChangeLog.md file
in source tarball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3.3 to 3.5
- Update of rootfile not required
- Two patches no longer required as fixes are now in source tarball
- Changelog
3.5 (Tue Mar 14 2023)
- Decode HPE OEM records 216, 224, 230, 238 and 242.
- Fortify entry point length checks.
- Add a --no-quirks option.
- Drop the CPUID exception list.
- Do not let --dump-bin overwrite an existing file.
- Ensure /dev/mem is a character device file.
- Bug fixes:
Fix segmentation fault in HPE OEM record 240
- Minor improvements:
Typo fixes
Write the whole dump file at once
Fix a build warning when USE_MMAP isn't set
3.4 (Mon Jun 27 2022)
- Support for SMBIOS 3.4.0. This includes new memory device types, new
processor upgrades, new slot types and characteristics, decoding of memory
module extended speed, new system slot types, new processor characteristics
and new format of Processor ID.
- Support for SMBIOS 3.5.0. This includes new processor upgrades, BIOS
characteristics, new slot characteristics, new on-board device types, new
pointing device interface types, and a new record type (type 45 -
Firmware Inventory Information).
- Decode HPE OEM records 194, 199, 203, 236, 237, 238 and 240.
- Bug fixes:
Fix OEM vendor name matching
Fix ASCII filtering of strings
Fix crash with option -u
- Minor improvements:
Skip details of uninstalled memory modules
Don't display the raw CPU ID in quiet mode
Improve the formatting of the manual pages
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.0.12 to 2.14
- Update of rootfile not required
- Changelog
2.14 (2023-10-06)
o MPLS subsystem
o L3VPN: BGP/MPLS VPNs (RFC 4364)
o BGP: Access to unknown route attributes
o RAdv: Custom options
o Babel: RTT metric extension
o BMP: Refactored route monitoring
o BMP: Multiple instances of BMP protocol
o BMP: Both pre-policy and post-policy monitoring
o Experimental route aggregation
o Filter: Method framework
o Filter: Functions have return type statements
o Filter: New bytestring data type
o Kernel: Option to learn kernel routes
o Many bugfixes and improvements
Notes:
User-defined filter functions that return values now should have return type
statements. We still accept functions without such statement, if they could be
properly typed.
For loops allowed to use both existing iterator variables or ones defined in
the for statement. We no longer support the first case, all iterator variables
must be defined in the for statement (e.g. 'for int i in bgp_path ...').
Due to oversight, VRF interfaces were not included in respective VRFs, this is
fixed now.
2.13.1 (2023-06-23)
o BGP: Fix role check when no capability option is present
o Filter: Fixed segfault when a case option had an empty block
This is a bugfix version.
2.13 (2023-04-21)
o Babel: IPv4 via IPv6 extension (RFC 9229)
o Babel: Improve authentication on lossy networks
o BGP: New 'allow bgp_med' option
o BSD: Support for IPv4 routes with IPv6 nexthop on FreeBSD
o Experimental BMP protocol implementation
o Important bugfixes
Notes:
We changed versioning scheme from <epoch>.<major>.<minor> to more common
<major>.<minor>.<patch> . From now on, you may expect that BIRD 2.13.x will be
strictly only fixing bugs found in 2.13, whereas BIRD 2.14 will also contain
new features.
This BIRD version contains an alpha release of BMP protocol implementation.
It is not ready for production usage and therefore it is not compiled by
default and have to be enabled during installation.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This updated version of this script avoids any errors if collectd is not
running (yet) which might happen during the boot process.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
New OpenSSL needs at least 2048-bit RSA keys for Apache.
So if the existing key is smaller, a new 4096-bit key is generated.
Fixes: #13527
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
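
The check that commit message describes, as an added example (not IPFire's initscript): read the size of an existing RSA key and replace it with a 4096-bit key only when it is below 2048 bits. The function names and the key path argument are assumptions; leaving an unreadable or non-RSA key untouched goes beyond what the commit message states.

```shell
MIN_BITS=2048   # minimum size named in the commit message
NEW_BITS=4096   # replacement size named in the commit message

# Print the modulus size of an RSA private key; print nothing if the file
# is missing, encrypted, not an RSA key, or otherwise unreadable.
rsa_key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Prints "kept" or "regenerated". Returns 2 without touching the file when
# the size cannot be determined, so a key this check cannot parse is never
# overwritten by accident.
ensure_rsa_key() {
    key=$1
    bits=$(rsa_key_bits "$key")
    if [ -z "$bits" ]; then
        echo "cannot read RSA key size: $key" >&2
        return 2
    fi
    if [ "$bits" -ge "$MIN_BITS" ]; then
        echo kept
        return 0
    fi
    # Generate into a private temp file next to the key, then rename over
    # the old key so a failed run never leaves a half-written key behind.
    tmp=$(mktemp "$key.XXXXXX") || return 1
    if ! (umask 077; openssl genrsa -out "$tmp" "$NEW_BITS" 2>/dev/null); then
        rm -f "$tmp"
        return 1
    fi
    mv -f "$tmp" "$key" || return 1
    echo regenerated
}
```

A certificate issued for the old key no longer matches after regeneration and has to be reissued for the new key.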
To quote from the kernel documentation:
> Historically the kernel has allowed TIOCSTI, which will push
> characters into a controlling TTY. This continues to be used
> as a malicious privilege escalation mechanism, and provides no
> meaningful real-world utility any more. Its use is considered
> a dangerous legacy operation, and can be disabled on most
> systems.
>
> Say Y here only if you have confirmed that your system's
> userspace depends on this functionality to continue operating
> normally.
>
> Processes which run with CAP_SYS_ADMIN, such as BRLTTY, can
> use TIOCSTI even when this is set to N.
>
> This functionality can be changed at runtime with the
> dev.tty.legacy_tiocsti sysctl. This configuration option sets
> the default value of the sysctl.
This patch therefore proposes to no longer allow legacy TIOCSTI usage
in IPFire, given its security implications and the apparent lack of
legitimate usage.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://github.com/htop-dev/htop/blob/main/ChangeLog
"What's new in version 3.3.0
* Multiple refactorings and code improvements
* Shorten docker container IDs to 12 characters
* Settings: preserve empty header
* Fix execlp() argument without pointer cast
* OpenFilesScreen: Make column sizing dynamic for file size, offset and inode
* Add support for "truss" (FreeBSD equivalent of "strace")
* Darwin: add NetworkIOMeter support
* HeaderLayout: add "3 columns - 40/30/30", "... 30/40/30" & "... 30/30/40"
* Meter: use correct unicode characters for digit '9'
* Note in manual re default memory units of KiB
* Add column for process container name
* Add logic to filter the container name (+type) from the CGroup name
* Change NetworkIOMeter value unit from KiB/s to bytes/second
* Cap DiskIOMeter "utilisation" percentage at 100%
* PCP platform implementation of frontswap and zswap accounting
* Shorten podman/libpod container IDs to 12 characters
* Write configuration to temporary file first
* Incorporate shared memory in bar text
* Move shared memory next to used memory
* Correct order of memory meter in help
* Add recalculate to Ctrl-L refresh
* Update process list on thread visibility toggling
* Support dynamic screens with 'top-most' entities beyond processes
* Introduce Row and Table classes for screens beyond top-processes
* Rework ZramMeter and remove MeterClass.comprisedValues
* More robust logic for CPU process percentages (Linux & PCP)
* Show year as start time for processes older than a year
* Short-term fix for docker container detection
* default color preset: use bold blue for better visibility
* Document 'O' keyboard shortcut
* Implement logic for '--max-iterations'
* Update F5 key label on tab switch (Tree <-> List)
* Force re-sorting of the process list view after switching between list/treeview mode
* Linux: (hack) work around the fact that Zswapped pages may be SwapCached
* Linux: implement zswap support
* {Memory,Swap}Meter: add "compressed memory" metrics
* Darwin: add DiskIOMeter support
* Fix scroll relative to followed process
* ZramMeter: update bar mode
* Use shared real memory on FreeBSD
* Increase Search and Filter max string length to 128
* Improve CPU computation code
* Remove LXC special handling for the CPU count
* Create new File Descriptor meter
* PCP: add IRQ PSI meter
* Linux: add IRQ PSI meter
* Linux: highlight username if process has elevated privileges
* Add support for scheduling policies
* Add a systemd user meter to monitor user units.
* FreeBSD: remove duplicate zfs ARC size subtraction"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
This script was modified when we touched ExtraHD in Core Update
179/180, but we forgot to ship it.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The "ping" plugin does not re-resolve the gateway IP address after
pinging it for the first time. For most people this won't be a big
problem, but if the default gateway changes, the latency graph won't
work any more.
In order to re-resolve "gateway", the only way is to restart
collectd.
Fixes: #13522
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Because of a single variable being passed with the workgroup, it would
have been possible to inject shell commands here. Passing it in the
array prevents that.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
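
The difference between the two ways of passing the value, as an added example (not IPFire's code): the same workgroup string handed to a command once inside a shell-parsed string and once as a single argument-vector element. The sample value, the function names and the 15-character allow-list are constructed for illustration.

```shell
# Constructed hostile value standing in for a workgroup name from a form.
SAMPLE_WORKGROUP='WORKGROUP; echo INJECTED'

# Unsafe pattern: the value is pasted into a string that a shell parses,
# so the ';' ends the intended command and the remainder runs as a second one.
run_as_string() {
    sh -c "printf '%s\n' workgroup=$1"
}

# Safe pattern: the value is one element of the argument vector ("$@").
# No shell re-parses it, so metacharacters stay literal data.
run_as_argv() {
    set -- printf '%s\n' "workgroup=$1"
    "$@"
}

# Second layer (assumed policy): accept only 1-15 characters from a
# conservative set before the value is used anywhere.
valid_workgroup() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}
```
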
- lfs and rootfile created for wsdd
- wsdd added to make.sh script
- created install/update/uninstall scripts for wsdd that create an unprivileged user and
group.
- initscript created for wsdd. As wsdd is a python3 script, when it is run as a daemon the
pidof command does not find any pid for wsdd. So a directory/file for a pid file was
created. This is then passed to the loadproc and killproc commands. After the loadproc
command has been created the pid is extracted from the ps aux command and put into the
pid file. This then works when running the killproc command for it to know what to go
and stop. The statusproc command does not have the ability to feed in the pid from a
pid file and so it fails to find a running wsdd as it uses the pidof command. Code was
added to the status section of the initscript to check if the pid file exists and if so
to print the same command as used with the statusproc command, and also the same
wording if the pid file does not exist because wsdd is not running.
- info from the ethernet/settings file is used to identify if only green0 is available or
if blue0 is also used and based on this the appropriate interface commands are added to
the wsdd command.
- wsdd is also set up to run in a chroot
- Has been tested on my vm testbed, initially by editing the files on the vm clone. After
everything was confirmed to be working, the build was successfully carried out and the
.ipfire package was copied to a new vm clone installed and shown to perform as expected.
This test only confirms that wsdd is correctly installed and started. Shuts down and
restarts on reboot successfully. Confirmed from the ps aux info that wsdd has been
started with the correct options. The testing can not evaluate if wsdd enables windows
systems newer than version 7 to be able to detect the samba shares as I have no
windows systems.
Fixes: Bug13445
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Some programs do not write their own PID files any more, but since our
initscripts heavily rely on those, this extension allows to store it
easily.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>
getpids() checked whether it needed to pass a pid file to pidofproc, but
the check was inverted.
Signed-off-by: Daniel Weismüller <daniel.weismueller@ipfire.org>