- Update from version 9.3p2 to 9.4p1
- Update of rootfile not required.
- The openssh check for zlib version incorrectly identifies version 1.3 as being older
than the buggy zlib version. This bug was found on the openssh github pull request page
but merged after openssh-9.4p1 was issued. Patch implemented to fix zlib version
identification. This and the autoconf line can be removed when the next version of
openssh is released.
- Changelog
9.4p1
This release fixes a number of bugs and adds some small features.
Potentially incompatible changes
* This release removes support for older versions of libcrypto.
OpenSSH now requires LibreSSL >= 3.1.0 or OpenSSL >= 1.1.1.
Note that these versions are already deprecated by their upstream
vendors.
* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.
New features
* ssh(1): allow forwarding Unix Domain sockets via ssh -W.
* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.
* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.
* ssh(1), sshd(8), ssh-keygen(1): infrastructure support for KRL
extensions. This defines wire formats for optional KRL extensions
and implements parsing of the new submessages. No actual extensions
are supported at this point.
* sshd(8): AuthorizedPrincipalsCommand and AuthorizedKeysCommand now
accept two additional %-expansion sequences: %D which expands to
the routing domain of the connected session and %C which expands
to the addresses and port numbers for the source and destination
of the connection.
* ssh-keygen(1): increase the default work factor (rounds) for the
bcrypt KDF used to derive symmetric encryption keys for passphrase
protected key files by 50%.
Bugfixes
* ssh-agent(1): improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.
* ssh(1): make -f (fork after authentication) work correctly with
multiplexed connections, including ControlPersist. bz3589 bz3589
* ssh(1): make ConnectTimeout apply to multiplexing sockets and not
just to network connections.
* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.
* sshd(8): fix AuthorizedPrincipalsCommand when AuthorizedKeysCommand
appears before it in sshd_config. Since OpenSSH 8.7 the
AuthorizedPrincipalsCommand directive was incorrectly ignored in
this situation. bz3574
* sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for KRL
signatures. When the KRL format was originally defined, it included
support for signing of KRL objects. However, the code to sign KRLs
and verify KRL signatures was never completed in OpenSSH. This
release removes the partially-implemented code to verify KRLs.
All OpenSSH tools now ignore KRL_SECTION_SIGNATURE sections in
KRL files.
* All: fix a number of memory leaks and unreachable/harmless integer
overflows.
* ssh-agent(1), ssh(1): don't truncate strings logged from PKCS#11
modules; GHPR406
* sshd(8), ssh(1): better validate CASignatureAlgorithms in
ssh_config and sshd_config. Previously this directive would accept
certificate algorithm names, but these were unusable in practice as
OpenSSH does not support CA chains. bz3577
* ssh(1): make `ssh -Q CASignatureAlgorithms` only list signature
algorithms that are valid for CA signing. Previous behaviour was
to list all signing algorithms, including certificate algorithms.
* ssh-keyscan(1): gracefully handle systems where rlimits or the
maximum number of open files is larger than INT_MAX; bz3581
* ssh-keygen(1): fix "no comment" not showing on when running
`ssh-keygen -l` on multiple keys where one has a comment and other
following keys do not. bz3580
* scp(1), sftp(1): adjust ftruncate() logic to handle servers that
reorder requests. Previously, if the server reordered requests then
the resultant file would be erroneously truncated.
* ssh(1): don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was explicitly set to
"none". bz3567
* scp(1): when copying local->remote, check that the source file
exists before opening an SFTP connection to the server. Based on
GHPR#370
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 0.16 to 0.17
- Update of rootfile
- Changelog
0.17 (up to commit 077661f, 2023-08-08)
Deprecated and removed features:
* None
New features
* json_patch: add first implementation only with patch application
* Add --disable-static and --disable-dynamic options to the cmake-configure
script.
* Add -DBUILD_APPS=NO option to disable app build
* Minimum cmake version is now 3.9
Significant changes and bug fixes
* When serializing with JSON_C_TO_STRING_PRETTY set, keep the opening and
closing curly or square braces on same line for empty objects or arrays.
* Disable locale handling when targeting a uClibc system due to problems
with its duplocale() function.
* When parsing with JSON_TOKENER_STRICT set, integer overflow/underflow
now result in a json_tokener_error_parse_number. Without that flag
values are capped at INT64_MIN/UINT64_MAX.
* Fix memory leak with empty strings in json_object_set_string
* json_object_from_fd_ex: fail if file is too large (>=INT_MAX bytes)
* Add back json_number_chars, but only because it's part of the public API.
* Entirely drop mode bits from open(O_RDONLY) to avoid warnings on certain
platforms.
* Specify dependent libraries, including -lbsd, in a more consistent way so
linking against a static json-c works better
* Fix a variety of build problems and add & improve tests
* Update RFC reference to https://www.rfc-editor.org/rfc/rfc8259
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 20221226 to 20230810
- Update of rootfile not required.
- There is no changelog.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.41.0 to 2.42.0
- Update of rootfile not required
- Changelog is too large to include here. See the contents of
Documentation/RelNotes/2.42.0.txt in the source tar ball.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 3420000 to 3430000
- Update of rootfile not required.
- Changelog
3430000
Add support for Contentless-Delete FTS5 Indexes. This is a variety of FTS5
full-text search index that omits storing the content that is being indexed while
also allowing records to be deleted.
Enhancements to the date and time functions:
Added new time shift modifiers of the form ±YYYY-MM-DD HH:MM:SS.SSS.
Added the timediff() SQL function.
Added the octet_length(X) SQL function.
Added the sqlite3_stmt_explain() API.
Query planner enhancements:
Generalize the LEFT JOIN strength reduction optimization so that it works for
RIGHT and FULL JOINs as well. Rename it to OUTER JOIN strength reduction.
Enhance the theorem prover in the OUTER JOIN strength reduction optimization
so that it returns fewer false-negatives.
Enhancements to the decimal extension:
New function decimal_pow2(N) returns the N-th power of 2 for integer N between
-20000 and +20000.
New function decimal_exp(X) works like decimal(X) except that it returns the
result in exponential notation - with a "e+NN" at the end.
If X is a floating-point value, then the decimal(X) function now does a full
expansion of that value into its exact decimal equivalent.
Performance enhancements to JSON processing results in a 2x performance
improvement for some kinds of processing on large JSON strings.
New makefile target "verify-source" checks to ensure that there are no
unintentional changes in the source tree. (Works for canonical source code only
- not for precompiled amalgamation tarballs.)
Added the SQLITE_USE_SEH compile-time option that enables Structured Exception
Handling on Windows while working with the memory-mapped shm file that is part of
WAL mode processing. This option is enabled by default when building on Windows
using Makefile.msc.
The VFS for unix now assumes that the nanosleep() system call is available unless
compiled with -DHAVE_NANOSLEEP=0.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
The WWW library seems to report status code 500 for issues like DNS
resolving problems and connection timeouts. In that case, we won't go on
searching for another functioning mirror, which we should.
This patch removes that special break clause.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 4.2.0 to 4.2.1
- Update of rootfile
- Changelog
4.2.1
patches 1 to 12 from 4.2.0 have been built in to 4.2.1
Other bugs fixed in the 4.2 branch for the MPFR 4.2.1 release:
The + and space flags were ignored on NaN and Inf. While this was loosely
documented as such (without an explicit mention of these flags), the MPFR
manual also says that the flags have the same meaning as for the standard
printf function. So this was contradictory and regarded as a bug. Behaving
like the ISO C standard should give less surprise, and this is probably
what is expected (better for alignment purpose). See discussion (only for
NaN and the + flag at that time).
Corresponding changeset in the 4.2 branch: 3761bee3c.
Huge negative exponents can trigger integer overflows in mpfr_strtofr,
meaning undefined behavior. Two bugs have been identified: 1, 2. In
practice, the consequences may be incorrect results. But for the first bug,
it has been seen that a GCC optimization makes it invisible. There are
other issues with the code for huge exponents, but it is not clear whether
the problematic cases can occur in the context of mpfr_strtofr; such
potential bugs are not fixed yet.
Corresponding changesets in the 4.2 branch: 261d3852b (tests), 06e7b6bc1
(bug fixes).
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
http://midnight-commander.org/wiki/NEWS-4.8.30
Summary:
"Major changes since 4.8.29
Core
Support PCRE2 as search engine (via --with-search-engine=pcre2) (#4450)
Implement panelization buffers for both file panels (#4370)
VFS
tar: support extended headers (including long file names and sparse files) (#1952, #2201)
extfs helpers: replace "perl -w" with "use warnings" (MidnightCommander/mc#174)
extfs/patchfs: be more specific in error message (#4485)
Editor
Add syntax highlighting:
Jenkinsfiles (#4469)
B language (#4470)
Improve syntax highlighting:
ECMAScript (MidnightCommander/mc#172)
ECMAScript in TypeScript (MidnightCommander/mc#172)
use diff syntax highlighting for git commit messages (COMMIT_EDITMSG) (MidnightCommander/mc#85)
Misc
Code cleanup (#4426, #4438)
Filehighlight:
recognize vsix files as zip files (MidnightCommander/mc#171)
Skin updates:
julia256 (#4441, #4445)
Fixes
Usage of 'sed' in build system/makefiles is not portable (#4459, #4466)
Unportable '$<' in Makefiles (#4460)
FTBFS if ncurses used without --with-ncurses-includes= configure parameter (#4462)
Ncurses library is duplicated in MCLIBS (#4463, #4465)
FTBFS without ext2fs attributes support (#4464)
Wrong sort order after swapping panels (#4432)
Incorrect time delimiter in the copy/move progress window (#4437)
Incorrect redraw of overlapped file panels (#4408)
Subshell/Command line prompt is empty/missing (#3121)
Find file: relative ignore directory is applied to the start search directory (#4235)
Diff viewer: options are not applied on second run (#4486)
mc.ext.ini: 'Edit' command from 'Default' section is ignored (#4434)
mc.ext.ini: .md files are not recognized as Markdown ones by extension (#4444)
mcedit: off-by-one error in paragraph formatting (#4446)
ftp: incomplete file listing: block and character devices, pipes, sockets are missed (#4472)
Various typos in the source code (MidnightCommander/mc#177, MidnightCommander/mc#178)"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Doing so avoids situations where a service is started without being
configured to do so, thus reducing the potential for confusion and
exposure of services not intended to be exposed by the user.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- This issue was found by Peter Müller in the CU179 Testing evaluation.
- The issue was found to have already been raised and closed on the ppp github issues page.
- Patch for fix downloaded and applied to this submission.
- When ppp-2.5.1 is released then this patch can be removed.
- update of rootfile not required.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- The original poster of the bug#13164 has already tested out ppp-2.5.0 in CU179 (master)
and identified that the startup could not find the directory /usr/var/run/. This is due
to the change in use of the prefix command in 2.5.0 vs 2.4.9 so --localstatedir set to
/var. runstatedir is then set to localstatedir/run, i.e. /var/run, which is then correct
for IPFire.
- This fix needs to be implemented into CU179 so that the bug poster can test out the update
- Updated rootfile to remove additional empty line
Fixes: Bug#13164
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://humdi.net/vnstat/CHANGES
"2.11 / 19-Aug-2023
- Fixed
- Database queries worked only if SQLite double-quoted string (DQS)
feature (https://www.sqlite.org/quirks.html#dblquote) was enabled
- Disabling data resolutions in data retention configuration didn't result
in possibly existing database entries getting removed from the database
- Disabling data resolutions in data retention configuration didn't result
in the data resolution getting disabled but instead storing data forever
- "expr: syntax error" during configure in BSD (pull request by namtsui)
- Image output summary would show only "no data available" text in case of
zero total traffic even when the historical data of no traffic could have
been shown instead
- Image output "-o -" content could get corrupted due to info, warning and
error messages also using stdout, configuration file warnings being the
most likely source, now uses stderr in image output
- Configuration validation was too heavily limiting and enforcing image
output 5 minute graph related configuration options for combinations that
would have resulted in usable images
- New
- Database cleanup has been changed to interpret data retention
configuration as number of entries to be kept instead of calendar time,
this restores the behaviour to similar as it was up to version 1.18, the
difference is visible only on systems that aren't powered all the time
- Database is vacuumed during daemon startup and reload, behaviour is
configurable using VacuumOnStartup and VacuumOnHUPSignal configuration
options
- Add configuration option InterfaceOrder for controlling the interface
order in outputs with multiple interfaces
- Used data retention configuration is made visible during daemon startup
and after configuration reloads
- Daemon will no longer start if all data resolutions have been disabled
in the configuration file
- SQLite version is visible in --version outputs
- Notes
- "Not enough data available yet." message has been replaced with
"No data. Timestamp of last update is same YYYY-MM-DD HH:MM:SS as of
database creation." to better explain the reason why there's nothing to
show, this message is expected to disappear within configured
SaveInterval if the interface is active"
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Reiserfs was stopped in IPFire in Core Update 167. It has been announced that reiserfs
will be removed from the kernel in 2025.
- This patch gives a warning about this deprecation and removal if reiserfs is used. The
warning also requests that the user does a re-installation using either ext4 or xfs
filesystems.
- Tested out on a vm installation with reiserfs, ext4 and xfs. Message shown on system
with reiserfs filesystem but not on the other two.
- Warning message added into the English language file and ./make.sh lang run.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 10.0.1 to 10.0.2
- Update of rootfile not required
- Changelog
10.0.2
Major changes listed as:-
chore: Link to GitHub for the updated commit log by @frazar in #203
Additional DHCP options by @rrobgill in #214
risc-v fix vendor error by @Im-0xea in #213
compat sync by @tobhe in #226
Commit list can be seen at
https://github.com/NetworkConfiguration/dhcpcd/compare/v10.0.1...v10.0.2
This includes two bug fixes for two situations causing segfaults
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
For details see:
https://blog.clamav.net/2023/07/2023-08-16-releases.html
Excerpts from changelog:
"ClamAV 1.1.1 is a critical patch release with the following fixes:
CVE-2023-20197 Fixed a possible denial of service vulnerability
in the HFS+ file parser. This issue affects versions 1.1.0,
1.0.1 through 1.0.0, 0.105.2 through 0.105.0, 0.104.4 through
0.104.0, and 0.103.8 through 0.103.0.
Fixed a build issue when using the Rust nightly toolchain, which
was affecting the oss-fuzz build environment used for regression tests.
Fixed a build issue on Windows when using Rust version 1.70 or newer.
CMake build system improvement to support compiling with OpenSSL 3.x on
macOS with the Xcode toolchain. The official ClamAV installers and
packages are now built with OpenSSL 3.1.1 or newer.
Removed a warning message showing the HTTP response codes during the
Freshclam database update process."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
This update builds glibc with FORTIFY_SOURCE and disables building nscd
which has been unused in IPFire.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
- Update from version 2.5.8 to 2.5.9 which is the last version in the 2.5 series
- Update of rootfile not required
- Tested openvpn-2.5.9 in my vm testbed. OpenVPN RW connection worked fine. Also tested
OpenVPN N2N connection with CU179 & OpenVPN version 2.5.9 at one end and CU177 &
OpenVPN version 2.5.8 at the other end. N2N connection worked with no problems.
- Changelog
2.5.9
Implement optional cipher in --data-ciphers prefixed with ?
Fix handling an optional invalid cipher at the end of data-ciphers
Ensure that argument to parse_line has always space for final sentinel
Improve documentation on user/password requirement and unicodize function
Remove unused gc_arena
Fix corner case that might lead to leaked file descriptor
msvc: always call git-version.py
git-version.py: proper support for tags
Check if pkcs11_cert is NULL before freeing it
Do not add leading space to pushed options
pull-filter: ignore leading "spaces" in option names
Do not include auth-token in pulled option digest
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>