For details see:
https://lists.gnu.org/archive/html/info-gnu/2021-03/msg00005.html
"This is a bugfix release, fixing a bug in ECDSA signature
verification that could lead to a denial of service attack
(via an assertion failure) or possibly incorrect results. It
also fixes a few related problems where scalars are required
to be canonically reduced modulo the ECC group order, but in
fact may be slightly larger.
Upgrading to the new version is strongly recommended."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The PAK_VER number was not incremented in patch 3947
- All other addon patches raised by Adolf Belka at that time checked
and all others have the PAK_VER correctly incremented
- Fixes bug #12598
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update of rootfiles due to perl update from 5.30.0 to 5.32.1
- Update of directory paths in lfs with perl version number change
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 5.30.0 to 5.32.1
- Update of rootfile carried out
- Removal of perl-5.30.0.fix.build.failure-against-gcc-10.patch as no
longer required
- Changelog is too large to fit here.
Full details for release 5.33.1 from 5.32.0 are in the source tarball
in pod/perldelta.pod
For the details of changes in previous releases, see the individual
perlNNNdelta.pod files. For example, pod/perl588delta.pod describes the
changes between versions 5.8.7 and 5.8.8.
- Updated iso from build of perl and all other changes has been installed
in a vm testbed. All pages and graphs that have been looked at worked
without any hiccups.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 4.13.4 to 4.13.7
- Update of x68_64 rootfile
- Changelog
Release Notes for Samba 4.13.7 March 24, 2021
This is a security release in order to address the following defects:
o CVE-2020-27840:
An anonymous attacker can crash the Samba AD DC LDAP server by sending easily
crafted DNs as part of a bind request. More serious heap corruption is likely
also possible.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14595: CVE-2020-27840: Fix unauthenticated remote heap corruption via
bad DNs.
o CVE-2021-20277:
User-controlled LDAP filter strings against the AD DC LDAP server may crash
the LDAP server.
Andrew Bartlett <abartlet@samba.org>
* BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 14655: CVE-2021-20277: Fix out of bounds read in ldb_handler_fold.
Release Notes for Samba 4.13.5 March 09, 2021
This is the latest stable release of the Samba 4.13 release series.
o Trever L. Adams <trever.adams@gmail.com>
* BUG 14634: s3:modules:vfs_virusfilter: Recent talloc changes cause infinite
start-up failure.
o Jeremy Allison <jra@samba.org>
* BUG 13992: s3: libsmb: Add missing cli_tdis() in error path if encryption
setup failed on temp proxy connection.
* BUG 14604: smbd: In conn_force_tdis_done() when forcing a connection closed
force a full reload of services.
o Andrew Bartlett <abartlet@samba.org>
* BUG 14593: dbcheck: Check Deleted Objects and reduce noise in reports about
expired tombstones.
o Ralph Boehme <slow@samba.org
* BUG 14503: s3: Fix fcntl waf configure check.
* BUG 14602: s3/auth: Implement "winbind:ignore domains".
* BUG 14617: smbd: Use fsp->conn->session_info for the initial
delete-on-close token.
o Peter Eriksson <pen@lysator.liu.se>
* BUG 14648: s3: VFS: nfs4_acls. Add missing TALLOC_FREE(frame) in error
path.
o Björn Jacke <bj@sernet.de>
* BUG 14624: classicupgrade: Treat old never expires value right.
o Volker Lendecke <vl@samba.org>
* BUG 14636: g_lock: Fix uninitalized variable reads.
o Stefan Metzmacher <metze@samba.org>
* BUG 13898: s3:pysmbd: Fix fd leak in py_smbd_create_file().
o Andreas Schneider <asn@samba.org>
* BUG 14625: lib:util: Avoid free'ing our own pointer.
o Paul Wise <pabs3@bonedaddy.net>
* BUG 12505: HEIMDAL: krb5_storage_free(NULL) should work.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 4.1.4 to 5.1.0
- Update of rootfile carried out
- Changelog is too long to fit in here.
Changes for versions 5.0.0 and 5.1.0 can be found in the ChangeLog file
in the source tarball
Changes for versions 4.2.0 and 4.2.1 can be found in the ChangeLog.1
file in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 0.2 to 1.17
- Update of rootfile carried out
- ed-0.2-mkstemp-1.patch from LFS is no longer required in later versions
of ed or LFS
- Changelog is a bit too long to add here.
Full change log can be found by viewing ChangeLog file in tar sourceball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 3.6 to 3.7
- No update of rootfile required
- Changelog
2018-12-31 Jim Meyering <meyering@fb.com>
version 3.7
* NEWS: Record release date.
maint: distribute new file, init.cfg
Otherwise, strip-trailing-cr would fail on a system without valgrind.
* tests/Makefile.am (EXTRA_DIST): Include init.cfg.
2018-12-30 Dennis Lambe Jr <malsyned@malsyned.net>
diff: adjust ANSI escapes for compatibility with less -R
GNU less can display ANSI-colored text with the -R flag, but this
support has some limitations. One of them is that if an escape
sequence starts on one line and ends on a different line, only the
first line will be colored in less.
As a result, when diff creates colored output with multi-line deletes
or adds, less will only color the first line.
This change resets ANSI color to the default at the end of
each line and restarts it at the beginning of the next. It patches
normal and context mode. Side-by-side already worked in my testing.
* src/context.c (print_context_label, pr_context_hunk): As above.
(pr_unidiff_hunk, print_context_header): Likewise.
* src/normal.c (print_normal_hunk): Likewise.
* tests/colors: Adjust existing tests to accommodate this.
* NEWS (Improvements): Mention it.
Proposed in http://bugs.gnu.org/31105
2018-12-29 Jim Meyering <meyering@fb.com>
tests: fix colors test on systems lacking fractional timestamp support
* tests/colors: The .NNNNNNNNN suffix is not printed on some systems.
Adapt the test to accommodate those systems.
tests: strip-trailing-cr: avoid failure with ASAN
Valgrind cannot operate on an ASAN-compiled binary.
* tests/strip-trailing-cr (valgrind): Define as no-op when diff
was compiled with sanitizer support.
2018-12-28 Jim Meyering <meyering@fb.com>
tests: add test for --strip-trailing-cr UMR bug
* tests/strip-trailing-cr: New file. Test for today's bug fix.
* tests/Makefile.am (TESTS): Add it.
tests: import test infrastructure from coreutils
* tests/init.cfg: New file, for require_valgrind_ definition (from coreutils).
* tests/Makefile.am (PATH): Don't set stderr_fileno_ here, since it is
now initialized in init.cfg.
2018-12-28 Paul Eggert <eggert@cs.ucla.edu>
Jim Meyering <jim@meyering.net>
diff: fix UMR with --strip-trailing-cr
Problem reported by Hongxu Chen (Bug#31935).
* src/io.c (prepare_text): Strip trailing CR before
doing the rest of the analysis.
* NEWS: Mention the fix.
2018-12-28 Bruno Haible <bruno@clisp.org>
tests: colors: avoid test failure on AIX 7
* tests/colors: Splice the argument into the printf format string.
2018-12-27 Bruno Haible <address@hidden>
maint: don't use an undocumented Autoconf macro
* configure.ac: Use AC_CONFIG_HEADERS instead of AC_CONFIG_HEADER.
2018-12-23 Jim Meyering <meyering@fb.com>
build: avoid build failure with --enable-gcc-warnings and latest gcc
* src/diff.c (usage): Assert that each line length is no longer than
the minimum required size of 4095. This lets newer gcc (currently
9.0.0 20181219) infer that it need not issue this warning:
diff.c:1012:19: error: '%.*s' directive output between 0 and 2147483647
bytes may exceed minimum required size of 4095
[-Werror=format-overflow=]
1012 | printf (" %.*s", msglen, msg);
build: update gnulib to latest; and bootstrap and init.sh
build: make the autoconf-2.63 requirement explicit
* configure.ac: AC_PREREQ: Require 2.63, not 2.59. And quote properly.
Autoconf-2.63 has been required for some time via gnulib.
This merely makes it explicit.
2018-12-20 Jim Meyering <meyering@fb.com>
maint: use https: in gnu mirror URL prefix, not http
This appears in the generated release announcement message.
* cfg.mk (url_dir_list): Use https: prefix, not http:.
2018-07-24 Paul Eggert <eggert@cs.ucla.edu>
cmp: fix bug in -b diagnostic
Problem reported by mancha (Bug#32249).
* src/cmp.c (count_newlines): Restore old value of sentinel.
* tests/cmp: Test for the bug.
build: update gnulib submodule to latest
2018-05-14 Paul Eggert <eggert@cs.ucla.edu>
doc: prepend "GNU" to NAME in man pages
Requested by RMS.
* src/cmp.c, src/diff.c, src/diff3.c, src/sdiff.c:
Prepend "GNU" to first comment, so that the man page says "GNU".
2018-04-20 Paul Eggert <eggert@cs.ucla.edu>
sdiff: port to mingw
Problem reported by Ross Burton (Bug#31218).
* src/sdiff.c (checksigs): Use ‘raise’, not ‘kill’.
2018-03-23 Paul Eggert <eggert@cs.ucla.edu>
build: update gnulib submodule to latest
2018-01-14 Jim Meyering <meyering@fb.com>
tests: fix quoting error in previous change
* tests/colors: Double-quote $PATH.
2018-01-06 Jim Meyering <meyering@fb.com>
tests: port tests/colors to some env-munging shell
* tests/colors: Also set PATH="$PATH" in env invocation.
maint: update gnulib and copyright dates for 2018
* gnulib: Update to latest.
* all files: Run "make update-copyright".
* bootstrap: Update from gnulib.
maint: suppress gcc's new -Wcast-function-type in gnulib
* configure.ac (WERROR_CFLAGS): Suppress gcc's new -Wcast-function-type
warning in gnulib, because it would trigger on this:
sig-handler.h:47:12: error: cast between incompatible function types\
from 'void (* const)(int, siginfo_t *, void *)' \
{aka 'void (* const)(int, struct <anonymous> *, void *)'} \
to 'void (*)(int)' [-Werror=cast-function-type]
return (sa_handler_t) a->sa_sigaction;
2017-10-22 Jim Meyering <meyering@fb.com>
tests: add expected-failing test for minor subopimality
In some unusual cases, diff -u prints suboptimal output.
* tests/large-subopt: New test script.
* tests/Makefile.am (TESTS): Add it.
(XFAIL_TESTS): Add it here, too, to record that this test is
currently expected to fail.
* tests/large-subopt.in1, tests/large-subopt.in2: Inputs derived from
those in http://bugs.gnu.org/28796
2017-09-23 Jim Meyering <meyering@fb.com>
gnulib: update to latest
2017-05-21 Jim Meyering <meyering@fb.com>
maint: make the announcement template Cc the devel- list
* cfg.mk (announcement_Cc_): Define.
maint: post-release administrivia
* NEWS: Add header line for next release.
* .prev-version: Record previous version.
* cfg.mk (old_NEWS_hash): Auto-update.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.0.6 to 1.0.8
- Update of rootfile
- Changelog
1.0.8 (13 Jul 19)
* Accept as many selectors as the file format allows.
This relaxes the fix for CVE-2019-12900 from 1.0.7
so that bzip2 allows decompression of bz2 files that
use (too) many selectors again.
* Fix handling of large (> 4GB) files on Windows.
* Cleanup of bzdiff and bzgrep scripts so they don't use
any bash extensions and handle multiple archives correctly.
* There is now a bz2-files testsuite at
https://sourceware.org/git/bzip2-tests.git
1.0.7 (27 Jun 19)
* Fix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH
* bzip2: Fix return value when combining --test,-t and -q.
* bzip2recover: Fix buffer overflow for large argv[0]
* bzip2recover: Fix use after free issue with outFile (CVE-2016-3189)
* Make sure nSelectors is not out of range (CVE-2019-12900)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 3.7.1 to 3.7.6
- No update of rootfile required
- Changelog is too large to include here
Full changelog can be viewed in ChangeLog file in the source tarball
3.7.6 1 bug fix
3.7.5 4 bug fixes
3.7.4 2 bug fixes
3.7.3 2 bug fixes
3.7.2 6 bug fixes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
If you have 2GB RAM the build of dnsdist will fail because MAX_PARALLELISM was
set to zero by RAM/2048 because a bit of RAM is used by the system.
This patch ensure that the lowest PARALLELISM value is 1.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog as per https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.5.7:
Changes in version 0.4.5.7 - 2021-03-16
Tor 0.4.5.7 fixes two important denial-of-service bugs in earlier
versions of Tor.
One of these vulnerabilities (TROVE-2021-001) would allow an attacker
who can send directory data to a Tor instance to force that Tor
instance to consume huge amounts of CPU. This is easiest to exploit
against authorities, since anybody can upload to them, but directory
caches could also exploit this vulnerability against relays or clients
when they download. The other vulnerability (TROVE-2021-002) only
affects directory authorities, and would allow an attacker to remotely
crash the authority with an assertion failure. Patches have already
been provided to the authority operators, to help ensure
network stability.
We recommend that everybody upgrade to one of the releases that fixes
these issues (0.3.5.14, 0.4.4.8, or 0.4.5.7) as they become available
to you.
This release also updates our GeoIP data source, and fixes a few
smaller bugs in earlier releases.
o Major bugfixes (security, denial of service):
- Disable the dump_desc() function that we used to dump unparseable
information to disk. It was called incorrectly in several places,
in a way that could lead to excessive CPU usage. Fixes bug 40286;
bugfix on 0.2.2.1-alpha. This bug is also tracked as TROVE-2021-
001 and CVE-2021-28089.
- Fix a bug in appending detached signatures to a pending consensus
document that could be used to crash a directory authority. Fixes
bug 40316; bugfix on 0.2.2.6-alpha. Tracked as TROVE-2021-002
and CVE-2021-28090.
o Minor features (geoip data):
- We have switched geoip data sources. Previously we shipped IP-to-
country mappings from Maxmind's GeoLite2, but in 2019 they changed
their licensing terms, so we were unable to update them after that
point. We now ship geoip files based on the IPFire Location
Database instead. (See https://location.ipfire.org/ for more
information). This release updates our geoip files to match the
IPFire Location Database as retrieved on 2021/03/12. Closes
ticket 40224.
o Minor bugfixes (directory authority):
- Now that exit relays don't allow exit connections to directory
authority DirPorts (to prevent network reentry), disable
authorities' reachability self test on the DirPort. Fixes bug
40287; bugfix on 0.4.5.5-rc.
o Minor bugfixes (documentation):
- Fix a formatting error in the documentation for
VirtualAddrNetworkIPv6. Fixes bug 40256; bugfix on 0.2.9.4-alpha.
o Minor bugfixes (Linux, relay):
- Fix a bug in determining total available system memory that would
have been triggered if the format of Linux's /proc/meminfo file
had ever changed to include "MemTotal:" in the middle of a line.
Fixes bug 40315; bugfix on 0.2.5.4-alpha.
o Minor bugfixes (metrics port):
- Fix a BUG() warning on the MetricsPort for an internal missing
handler. Fixes bug 40295; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (onion service):
- Remove a harmless BUG() warning when reloading tor configured with
onion services. Fixes bug 40334; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (portability):
- Fix a non-portable usage of "==" with "test" in the configure
script. Fixes bug 40298; bugfix on 0.4.5.1-alpha.
o Minor bugfixes (relay):
- Remove a spammy log notice falsely claiming that the IPv4/v6
address was missing. Fixes bug 40300; bugfix on 0.4.5.1-alpha.
- Do not query the address cache early in the boot process when
deciding if a relay needs to fetch early directory information
from an authority. This bug resulted in a relay falsely believing
it didn't have an address and thus triggering an authority fetch
at each boot. Related to our fix for 40300.
o Removed features (mallinfo deprecated):
- Remove mallinfo() usage entirely. Libc 2.33+ now deprecates it.
Closes ticket 40309.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
From https://www.openssl.org/news/secadv/20210325.txt:
OpenSSL Security Advisory [25 March 2021]
=========================================
CA certificate check bypass with X509_V_FLAG_X509_STRICT (CVE-2021-3450)
========================================================================
Severity: High
The X509_V_FLAG_X509_STRICT flag enables additional security checks of the
certificates present in a certificate chain. It is not set by default.
Starting from OpenSSL version 1.1.1h a check to disallow certificates in
the chain that have explicitly encoded elliptic curve parameters was added
as an additional strict check.
An error in the implementation of this check meant that the result of a
previous check to confirm that certificates in the chain are valid CA
certificates was overwritten. This effectively bypasses the check
that non-CA certificates must not be able to issue other certificates.
If a "purpose" has been configured then there is a subsequent opportunity
for checks that the certificate is a valid CA. All of the named "purpose"
values implemented in libcrypto perform this check. Therefore, where
a purpose is set the certificate chain will still be rejected even when the
strict flag has been used. A purpose is set by default in libssl client and
server certificate verification routines, but it can be overridden or
removed by an application.
In order to be affected, an application must explicitly set the
X509_V_FLAG_X509_STRICT verification flag and either not set a purpose
for the certificate verification or, in the case of TLS client or server
applications, override the default purpose.
OpenSSL versions 1.1.1h and newer are affected by this issue. Users of these
versions should upgrade to OpenSSL 1.1.1k.
OpenSSL 1.0.2 is not impacted by this issue.
This issue was reported to OpenSSL on 18th March 2021 by Benjamin Kaduk
from Akamai and was discovered by Xiang Ding and others at Akamai. The fix was
developed by Tomáš Mráz.
NULL pointer deref in signature_algorithms processing (CVE-2021-3449)
=====================================================================
Severity: High
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation
ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits
the signature_algorithms extension (where it was present in the initial
ClientHello), but includes a signature_algorithms_cert extension then a NULL
pointer dereference will result, leading to a crash and a denial of service
attack.
A server is only vulnerable if it has TLSv1.2 and renegotiation enabled (which
is the default configuration). OpenSSL TLS clients are not impacted by this
issue.
All OpenSSL 1.1.1 versions are affected by this issue. Users of these versions
should upgrade to OpenSSL 1.1.1k.
OpenSSL 1.0.2 is not impacted by this issue.
This issue was reported to OpenSSL on 17th March 2021 by Nokia. The fix was
developed by Peter Kästle and Samuel Sapalski from Nokia.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This package ships a bundled version of luajit and concurrency kit.
The latter does not build on this architecture.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.02 to 1.04
- Update of rootfile not required
- This is a dependency of git addon package
- Changelog
1.04 2016-10-09
- mark this library deprecated, suggest newer Net::SMTP instead
1.03 2015-06-20
- $net_smtp_ssl->isa('Net::SMTP') is now true
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 3.15 to 3.16
- No update of rootfile required
- This a dependency to the git addon package
- Changelog
2020-09-26
- Convert the build to Dist::Zilla to ensure we're releasing well built packages
- Ensure all tests are using strict and warnings (thanks, Nicolas R).
- Cleanup this change log
- Add a .mailmap to cleanup our contributors list
- Use `our` instead of `use vars`
- Bump the required Perl version to v5.6.2
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update git from 2.28.0 to 2.31.0
- Updated rootfile
- Changelog
Nine releases between these two versions so the changes are too many
to enter here.
The change logs for each version can be found in the tarball under
Documentation/RelNotes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 3.18 to 4.14
- No update of rootfile required
- Changelog
2019-11-12 crda: Makefile: fix .so compilation line with some compilersHEADmaster Brian Norris
2018-11-21 README: add legacy notice Luis Chamberlain
2018-11-21 crda: add URLs to README Xose Vazquez Perez
2018-11-21 crda: be explicit about file permission on install Luis Chamberlain
2018-04-28 reglib: properly ident code on reglib_is_valid_rd() Luis R. Rodriguez
2018-01-05 crda: Fix error: `keys’ defined but not usedv4.14 Jelle van der Waa
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 0.91 to 0.92
- Update of rootfile
- Changelog
2019-07-16 Tim Bishop <tim@bishnet.net>
Fix build/install of manpages.
This defaults to attempting to install manpages, unless --disable-man is
given to stop it. It defaults to not building the manpages, unless it
finds docbook2man to build them with.
So for users of the release tarball this will install the manual pages
from the tarball, unless requested not to.
For users of the git repository it will error if they don't have
docbook2man, unless they choose to disable manual pages. I think this is
reasonable because docbook2man is a required tool for build from source.
Files affected:
configure.ac
docs/libstatgrab/Makefile.am
docs/saidar/Makefile.am
docs/statgrab/Makefile.am
2019-07-15 Tim Bishop <tim@bishnet.net>
Allow version to be overridden.
By default, it still uses the short version of the commit reference.
This is most useful for normal CI builds so you can easily see which
commit a tarball is made from. But when testing for a release one might
want to specify the version explicitly, so this can now be overridden by
manually triggering a build and setting LSG_VERSION (eg. 0.92).
Files affected:
.gitlab-ci.yml
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
