- Update from 2.3.0 to 2.4.1
- Update rootfile
- Changelog (URL in changelog changed to https://verbump(dot)de as mail was
rejected by IPFire mail system due to policy violation because URL was
highlighted as a blacklisted addresss
Release 2.4.1 Sun May 23 2021
Bug fixes:
#488#490 Autotools: Fix installed header expat_config.h for multilib
systems; regression introduced in 2.4.0 by pull request #486
Other changes:
#491#492 Version info bumped from 9:0:8 to 9:1:8;
see https://verbump(dot)de/ for what these numbers do
Special thanks to:
Gentoo's QA check "multilib_check_headers"
Release 2.4.0 Sun May 23 2021
Security fixes:
#34#466#484 CVE-2013-0340/CWE-776 -- Protect against billion laughs attacks
(denial-of-service; flavors targeting CPU time or RAM or both,
leveraging general entities or parameter entities or both)
by tracking and limiting the input amplification factor
(<amplification> := (<direct> + <indirect>) / <direct>).
By conservative default, amplification up to a factor of 100.0
is tolerated and rejection only starts after 8 MiB of output bytes
(=<direct> + <indirect>) have been processed.
The fix adds the following to the API:
- A new error code XML_ERROR_AMPLIFICATION_LIMIT_BREACH to
signals this specific condition.
- Two new API functions ..
- XML_SetBillionLaughsAttackProtectionMaximumAmplification and
- XML_SetBillionLaughsAttackProtectionActivationThreshold
.. to further tighten billion laughs protection parameters
when desired. Please see file "doc/reference.html" for details.
If you ever need to increase the defaults for non-attack XML
payload, please file a bug report with libexpat.
- Two new XML_FEATURE_* constants ..
- that can be queried using the XML_GetFeatureList function, and
- that are shown in "xmlwf -v" output.
- Two new environment variable switches ..
- EXPAT_ACCOUNTING_DEBUG=(0|1|2|3) and
- EXPAT_ENTITY_DEBUG=(0|1)
.. for runtime debugging of accounting and entity processing.
Specific behavior of these values may change in the future.
- Two new command line arguments "-a FACTOR" and "-b BYTES"
for xmlwf to further tighten billion laughs protection
parameters when desired.
If you ever need to increase the defaults for non-attack XML
payload, please file a bug report with libexpat.
Bug fixes:
#332#470 For (non-default) compilation with -DEXPAT_MIN_SIZE=ON (CMake)
or CPPFLAGS=-DXML_MIN_SIZE (GNU Autotools): Fix segfault
for UTF-16 payloads containing CDATA sections.
#485#486 Autotools: Fix generated CMake files for non-64bit and
non-Linux platforms (e.g. macOS and MinGW in particular)
that were introduced with release 2.3.0
Other changes:
#468#469 xmlwf: Improve help output and the xmlwf man page
#463 xmlwf: Improve maintainability through some refactoring
#477 xmlwf: Fix man page DocBook validity
#458#459 CMake: Support absolute paths for both CMAKE_INSTALL_LIBDIR
and CMAKE_INSTALL_INCLUDEDIR
#471#481 CMake: Add support for standard variable BUILD_SHARED_LIBS
#457 Unexpose symbol _INTERNAL_trim_to_complete_utf8_characters
#467 Resolve macro HAVE_EXPAT_CONFIG_H
#472 Delete unused legacy helper file "conftools/PrintPath"
#473#483 Improve attribution
#464#465#477 doc/reference.html: Fix XHTML validity
#475#478 doc/reference.html: Replace the 90s look by OK.css
#479 Version info bumped from 8:0:7 to 9:0:8
due to addition of new symbols and error codes;
see https://verbump(dot)de/ for what these numbers do
Infrastructure:
#456 CI: Enable periodic runs
#457 CI: Start covering the list of exported symbols
#474 CI: Isolate coverage task
#476#482 CI: Adapt to breaking changes in image "ubuntu-18.04"
#477 CI: Cover well-formedness and DocBook/XHTML validity
of doc/reference.html and doc/xmlwf.xml
Special thanks to:
Dimitry Andric
Eero Helenius
Nick Wellnhofer
Rhodri James
Tomas Korbar
Yury Gribov and Clang LeakSan
JetBrains
OSS-Fuzz
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 7.76.1 to 7.77.0
- Update rootfile
- Changelog is too large to include here. It can be accesed at
https://curl.se/changes.html
There are 5 changes and 133 bug fixes of which 3 are related to CVE's
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.4.9 to 1.5.0
- Update of rootfile
- Changelog
v1.5.0 (May 11, 2021)
api: Various functions promoted from experimental to stable API: (#2579-2581, @senhuang42)
`ZSTD_defaultCLevel()`
`ZSTD_getDictID_fromCDict()`
api: Several experimental functions have been deprecated and will emit a compiler warning (#2582, @senhuang42)
`ZSTD_compress_advanced()`
`ZSTD_compress_usingCDict_advanced()`
`ZSTD_compressBegin_advanced()`
`ZSTD_compressBegin_usingCDict_advanced()`
`ZSTD_initCStream_srcSize()`
`ZSTD_initCStream_usingDict()`
`ZSTD_initCStream_usingCDict()`
`ZSTD_initCStream_advanced()`
`ZSTD_initCStream_usingCDict_advanced()`
`ZSTD_resetCStream()`
api: ZSTDMT_NBWORKERS_MAX reduced to 64 for 32-bit environments (@Cyan4973)
perf: Significant speed improvements for middle compression levels (#2494, @senhuang42 @terrelln)
perf: Block splitter to improve compression ratio, enabled by default for high compression levels (#2447, @senhuang42)
perf: Decompression loop refactor, speed improvements on `clang` and for `--long` modes (#2614#2630, @Cyan4973)
perf: Reduced stack usage during compression and decompression entropy stage (#2522#2524, @terrelln)
bug: Improve setting permissions of created files (#2525, @felixhandte)
bug: Fix large dictionary non-determinism (#2607, @terrelln)
bug: Fix non-determinism test failures on Linux i686 (#2606, @terrelln)
bug: Fix various dedicated dictionary search bugs (#2540#2586, @senhuang42 @felixhandte)
bug: Ensure `ZSTD_estimateCCtxSize*() `monotonically increases with compression level (#2538, @senhuang42)
bug: Fix --patch-from mode parameter bound bug with small files (#2637, @occivink)
bug: Fix UBSAN error in decompression (#2625, @terrelln)
bug: Fix superblock compression divide by zero bug (#2592, @senhuang42)
bug: Make the number of physical CPU cores detection more robust (#2517, @PaulBone)
doc: Improve `zdict.h` dictionary training API documentation (#2622, @terrelln)
doc: Note that public `ZSTD_free*()` functions accept NULL pointers (#2521, @animalize)
doc: Add style guide docs for open source contributors (#2626, @Cyan4973)
tests: Better regression test coverage for different dictionary modes (#2559, @senhuang42)
tests: Better test coverage of index reduction (#2603, @terrelln)
tests: OSS-Fuzz coverage for seekable format (#2617, @senhuang42)
tests: Test coverage for ZSTD threadpool API (#2604, @senhuang42)
build: Dynamic library built multithreaded by default (#2584, @senhuang42)
build: Move `zstd_errors.h` and `zdict.h` to `lib/` root (#2597, @terrelln)
build: Allow `ZSTDMT_JOBSIZE_MIN` to be configured at compile-time, reduce default to 512KB (#2611, @Cyan4973)
build: Single file library build script moved to `build/` directory (#2618, @felixhandte)
build: `ZBUFF_*()` is no longer built by default (#2583, @senhuang42)
build: Fixed Meson build (#2548, @SupervisedThinking @kloczek)
build: Fix excessive compiler warnings with clang-cl and CMake (#2600, @nickhutchinson)
build: Detect presence of `md5` on Darwin (#2609, @felixhandte)
build: Avoid SIGBUS on armv6 (#2633, @bmwiedmann)
cli: `--progress` flag added to always display progress bar (#2595, @senhuang42)
cli: Allow reading from block devices with `--force` (#2613, @felixhandte)
cli: Fix CLI filesize display bug (#2550, @Cyan4973)
cli: Fix windows CLI `--filelist` end-of-line bug (#2620, @Cyan4973)
contrib: Various fixes for linux kernel patch (#2539, @terrelln)
contrib: Seekable format - Decompression hanging edge case fix (#2516, @senhuang42)
contrib: Seekable format - New seek table-only API (#2113#2518, @mdittmer @Cyan4973)
contrib: Seekable format - Fix seek table descriptor check when loading (#2534, @foxeng)
contrib: Seekable format - Decompression fix for large offsets, (#2594, @azat)
misc: Automatically published release tarballs available on Github (#2535, @felixhandte)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.34 to 2.46
- Update rootfile
- Changelog
2.46 2019-09-24 (by Todd Rinaldo)
- use foreach not for for loops
- produce README.md so travis will show up on github
- remove use vars and switch to our.
- travis-ci testing from 5.8..5.28
- Convert XML::Parser to use 3 arg opens with no barewords.
- Migrate tracker to github
- Switch to XSLoader
- Fix a buffer overwrite in parse_stream()
2.44 2015-01-12 (by Todd Rinaldo)
- RT 99098 - Revert "Add more useful error message on parse to Expat". It breaks
XML::Twig. Calling code will need to do this if it's needed.
- RT 100959 - Add use FileHandle to t/astress.t - Make perl 5.10.0 happy.
2.43 2014-12-11 (by Todd Rinaldo)
- POD patch to man from Debian via Nicholas Bamber
- POD patch from Debian via gregor herrmann.
- Add more useful error message on parse to Expat
- Fix LWP dependency to be LWP::Useragent
- Bump to 2.43 for overdue release to CPAN.
2.42_01 2013-07-12 (by Todd Rinaldo)
- Added instructions to README for OSX
- XS changes: stop using SvPV(string, PL_na)
- Fix documentation typos
2.41 2011-06-01 (by Todd Rinaldo)
- Tests are cleaned. promoting to stable. No changes since 2.40_02
2.40_02 2011-05-31 (by Todd Rinaldo)
- TODO some tests which fail in Free BSD due to improper expat CVE patch
http://www.freebsd.org/cgi/query-pr.cgi?pr=157469
2.40_01 2011-05-24 (by Todd Rinaldo)
- better installation instructions
- Small spelling patches from Debian package - Thanks Nicholas Bamber
- RT 68399 - Upgrade Devel::CheckLib to 0.93 to make it
perl 5.14 compliant - qw()
- RT 67207 - Stop doing tied on globs - Thanks sprout
- RT 31319 - Fix doc links in POD for XML/Parser.pm
2.40 2010-09-16 (by Alexandr Ciornii)
- Add windows-1251.enc, ibm866.enc, koi8-r.enc (Russian)
- Add windows-1255.enc (Hebrew)
- Update iso-8859-7.enc (RT#40712)
- Use Devel::CheckLib
- Better description of expat packages
- Better Perl style in both code and docs
2.36
- Fix for Carp::Heavy bugs
2.35 (mostly by Alexandr Ciornii)
- Works in 5.10 (Andreas J. Koenig)
- Added license in Makefile.PL (Alexandr Ciornii)
- Makefile.PL also searches for expat in C:/lib/Expat-2.0.0 (Alexandr Ciornii)
- No longer uses variable named 'namespace' in Expat.xs (Jeff Hunter)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Full changelog as per CHANGELOG file:
2020-12-09: v1.0.24
* Add new platform abstraction (#252)
* Add Null POSIX backend
* Add support for eventfd
* Add support for thread IDs on Haiku, NetBSD and Solaris
* New API libusb_hotplug_get_user_data()
* Darwin (macOS): Fix race condition that results in segmentation fault (#701)
* Darwin (macOS): Fix stale descriptor information post reset (#733)
* Darwin (macOS): use IOUSBDevice as darwin_device_class explicitly (#693)
* Linux: Drop support for kernel older than 2.6.32
* Linux: Provide an event thread name (#689)
* Linux: Wait until all USBs have been reaped before freeing them (#607)
* NetBSD: Recognize device timeouts (#710)
* OpenBSD: Allow opening ugen devices multiple times (#763)
* OpenBSD: Support libusb_get_port_number() (#764)
* SunOS: Fix a memory leak (#756)
* SunOS: Various fixes (#627, #628, #629)
* Windows: Add Visual Studio 2019 support
* Windows: Drop support for WinCE and Visual Studio older than 2013
* Windows: Drop support for Windows XP
* Windows: Support building all examples using Visual Studio (#151)
* Documentation fixes and improvements
* Various other bug fixes and improvements
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The changelog between version "s20160803" is too large to include it
here, please refer to https://github.com/iputils/iputils/releases for a
human-readable version.
Due to build system changes, single binaries cannot be compiled by
running "make [program]" anymore, updated rootfiles to reflect that
change.
20210202's version of /usr/bin/ping is bug-compatible to s20160803's
one, hence does not cause trouble in ~/src/ppp/ip-up. Tested, works.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://downloads.isc.org/isc/bind9/9.11.31/RELEASE-NOTES-bind-9.11.32.html
"Notes for BIND 9.11.32
Feature Changes
DNSSEC responses containing NSEC3 records with iteration counts
greater than 150 are now treated as insecure. [GL #2445]
The maximum supported number of NSEC3 iterations that can be
configured for a zone has been reduced to 150. [GL #2642]
The implementation of the ZONEMD RR type has been updated to match
RFC 8976. [GL #2658]
Notes for BIND 9.11.31
Security Fixes
A malformed incoming IXFR transfer could trigger an assertion
failure in named, causing it to quit abnormally. (CVE-2021-25214)
ISC would like to thank Greg Kuechle of SaskTel for bringing this
vulnerability to our attention. [GL #2467]
named crashed when a DNAME record placed in the ANSWER section
during DNAME chasing turned out to be the final answer to a client
query. (CVE-2021-25215)
ISC would like to thank Siva Kakarla for bringing this vulnerability
to our attention. [GL #2540]
When a server's configuration set the tkey-gssapi-keytab
or tkey-gssapi-credential option, a specially crafted GSS-TSIG query
could cause a buffer overflow in the ISC implementation of SPNEGO
(a protocol enabling negotiation of the security mechanism used for
GSSAPI authentication). This flaw could be exploited to crash named
binaries compiled for 64-bit platforms, and could enable remote code
execution when named was compiled for 32-bit platforms.
(CVE-2021-25216)
This vulnerability was reported to us as ZDI-CAN-13347 by Trend
Micro Zero Day Initiative. [GL #2604]
Feature Changes
The ISC implementation of SPNEGO was removed from BIND 9 source
code. Instead, BIND 9 now always uses the SPNEGO implementation
provided by the system GSSAPI library when it is built with GSSAPI
support. All major contemporary Kerberos/GSSAPI libraries contain
an implementation of the SPNEGO mechanism. [GL #2607]
Notes for BIND 9.11.30
The BIND 9.11.30 release was withdrawn after a backporting bug was
discovered during pre-release testing. ISC would like to acknowledge the
assistance of Natan Segal of Bluecat Networks.2"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Current situation is that any restrictions in the exclude file will not
be overwritten by the include.user file
- For example the global exclude file has *.tmp preventing any tmp files
being backed up from the globally included IPFire files
If a user has some specific tmp files they want to backup and include
them in the include.user file they will not override the global
exclude file.
- This fix does the backup of the global and user backups as two separate
events and then appends them. This means that any tmp files in the
include.user file will be backed up.
- The backups are created as a global tar file and then have the user
tar file appended and then the combined file gzipped and given the .ipf
suffix. This has to be done this was as gzipped files can not be
appended to each other whereas tar files can.
Fixes: 12626
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These are owned (hence being writable) by "nobody", posing a potential
security risk. Since the files itself were already exluded from being
shipped, their parent directory should be as well.
This patch should reduce the amount of executable files being owned by
nobody to zero after upgrading to Core Update 157. Due to complexity
reasons, not all applications available in Pakfire could be tested,
though, so your mileage may vary.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These are needed by pppd, but were not previously shipped as such.
Instead, since their parent directory at /usr/lib/pppd/${version}/ was
not commented out, we implicitly shipped the entire directory.
This patch does not change our behaviour in the end, but makes things
more transparent to developers.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is required as "backup" itself does not gets updated automatically,
contrary to it's LFS file suggesting by having a "PAK_VER" number.
In order to fix#12619, it is therefore necessary to ship the backup
files with Core Update 157.
Partially fixes: #12619
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This is necessary to fix SSH not starting after upgrading to Core Update
157 unless it's settings are manually written via the WebUI.
Reported-by: Erik Kapfer <ummeegge@ipfire.org>
Reported-by: Tom Rymes <tom@rymes.net>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Since I only ran "find . -type f -name ...", I missed mostly directories
containing configuration and initscripts of recently dropped add-ons and
packages.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.2.0 to 2.4.7
- Migrate from python2 to python3
- Move the rootfile from common to packages as pyparsing is an addon
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- python3-setuptools works with python3-daemon but not with
python-m2crypto. m2crypto has to stay with python2 because crda
will not find the python3 version of m2crypto.
- python-m2crypto only works with python-setuptools so both the
python2 and python3 versions of setuptools need to stay in place.
- Therefore this patch only creates python3-setuptools, it does not
remove python-setuptools
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 10.3.0 to 10.3.2
- Update rootfiles
- Changelog
* 10.3.2: release
* Fix problem that caused the generated manual from being included
in the Windows distributions. Fixes#521.
* Fix 11-year-old bug of leaving unreferenced objects in preserved
object streams. Fixes#520.
* Portability fix: use tm_gmtoff rather than global timezone
variable if available to get timezone offset. This fixes
compilation on BSD and also results in a daylight saving
time-aware offset for Linux or other GNU systems. Fixes#515.
* When adding a page, if the page already exists, make a shallow
copy of the page instead of throwing an exception. This makes the
behavior of adding a page from the library consistent with what
the CLI does and also with what the library does if it starts with
a file that already has a duplicated page. Note that this means
that, in some cases, the page you pass to addPage or addPageAt
(either in QPDF or QPDFPageDocumentHelper) will not be the same
object that actually gets added. (This has actually always been
the case.) That means that, if you are going to do subsequent
modification on the page, you should retrieve it again.
* 10.3.1: release
* Bug fix: allow /DR to be direct in /AcroForm
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 2.68.1 to 2.68.2
- Update rootfiles
- Changelog
Overview of changes in GLib 2.68.2
* Fix building third-party projects against GLib on CentOS 7 (work by
Ignacio Casal Quinteiro) (#2387)
* Bugs fixed:
- #2387 json-glib does not build with glib 2.68.1
- !2060 gmacros: check that __cplusplus or _MSC_VER is defined
- !2068 gmacros: missing check if __STDC_VERSION__ is defined
- !2079 Backport !2078 “gthreadedresolver: don't ignore flags in lookup_by_name_with_flags” to glib-2-68
* Translation updates:
- Nepali
- Serbian
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from 1.3.2 to 1.3.3
- Update rootfiles
- Changelog
General:
Fix CPU detection (Janne Hyvärinen).
Switch from unsigned types to uint32_t (erikd).
CppCheck fixes (erikd).
Improve SIMD decoding of 24 bit files (lvqcl).
POWER* amnd POWER9 improvements (Anton Blanchard).
More tests.
FLAC format:
(none)
Ogg FLAC format:
(none)
flac:
When converting to WAV, use WAVEFORMATEXTENSIBLE when bits per
second is not 8 or 16 (erikd).
Fix --output-prefix with input-files in sub-directories (orbea).
metaflac:
(none)
plugins:
(none)
build system:
Cmake support (Vitaliy Kirsanov, evpobr).
Visual Studio updates (Janne Hyvärinen).
Fix for MSVC when UNICODE is enabled (lvqcl).
Fix for OpenBSD/i386 (Christian Weisgerber).
documentation:
(none)
libraries:
(none).
Interface changes:
libFLAC:
(none)
libFLAC++:
(none)
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
These include rootfiles, firewall menue entries that have been
unmaintained for a long time, and firewall chains which were never used
in recent time.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This library has received no attention within the last three years. By
design, UPnP is a security risk on any firewall, and and outdated
version of a UPnP library definitely is.
This patch therefore drops libupnp completely.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
