- Update from version 2.10.3 to 2.11.1
- Update of rootfile
- Changelog
There were two CVE's in version 2.10.4
v2.11.1: Apr 30 2023
Fixes build and ABI issues.
- cmake: Fix va_copy detection (Luca Niccoli)
- libxml.m4: Fix quoting
- Link with --undefined-version
- libxml2.syms: Revert removal of version information
v2.11.0: Apr 28 2023
### Major changes
Protection against entity expansion attacks, also known as "billion laughs"
has been greatly improved. Malicious files should be detected reliably now
and false positives should be reduced. It is possible though that large
documents which make heavy use of entities are rejected now.
This release finally fixes symbol visibility on UNIX systems. Internal
symbols will now be hidden. While these symbols were never declared in public
headers, it was still possible to declare them manually. Now this won't work.
All symbol information has been removed from the ELF version script to fix
link errors with --no-undefined-version. The version nodes are kept so it
should still be possible to run binaries linked against older versions.
About 90 memory errors in code paths handling malloc failures have been fixed.
While these issues shouldn't impact security, this improves robustness under
memory pressure.
The XInclude engine has been reworked to properly support nested includes.
Several cases of quadratic behavior in the XML push parser have been fixed.
Refactoring has begun on some buffering and encoding code with the goal of
simplifying this part of the code base and improving error reporting.
Other highlights:
- Consolidated private header files.
- Major rework of the autoconf build.
- Deprecated several outdated and internal functions.
Special thanks to Google's Open Source Security Subsidies program for
sponsoring much of the work on this release!
Ongoing work on libxml2 relies on funding. For a list of important open
issues see <https://gitlab.gnome.org/GNOME/libxml2/-/issues/507>
### Security
- Fix use-after-free in xmlParseContentInternal() (David Kilzer)
- xmllint: Fix use-after-free with --maxmem
- parser: Fix OOB read when formatting error message
- entities: Rework entity amplification checks
### Regressions
- parser: Fix regression in xmlParserNodeInfo accounting
### Bug fixes
- Fix memory errors in code handling malloc failures
- encoding: Fix error code in asciiToUTF8
- xpath: number('-') should return NaN
- xmlParseStartTag2() contains typo when checking for default definitions for
an attribute in a namespace (David Kilzer)
- uri: Fix handling of port numbers
- error: Make sure that error messages are valid UTF-8
- xinclude: Fix nested includes
### Improvements
- xmllint: Validate --maxmem integer option
- xmlValidatePopElement() can return invalid value (-1) (David Kilzer)
- parser: Rework EBCDIC code page detection
- parser: Limit name length in xmlParseEncName
- parser: Rework shrinking of input buffers
- html: Rely on CUR_CHAR to grow the input buffer
- parser: Rely on CUR_CHAR/NEXT to grow the input buffer
- valid: Make xmlValidateElement non-recursive
- html: Fix quadratic behavior in htmlParseTryOrFinish
- xmllint: Fix memory leak with --pattern --stream
- parser: Stop calling xmlParserInputShrink
- html: Impose some length limits
- valid: Allow xmlFreeValidCtxt(NULL)
- parser: Stop calling xmlParserInputGrow
- xinclude: Fix quadratic behavior in xmlXIncludeLoadTxt
- xinclude: Abort immediately if max depth was exceeded
- xpath: Only report the first error
- error: Don't move past current position
- error: Limit number of parser errors
- parser: Lower entity nesting limit with XML_PARSE_HUGE
- parser: Don't increase depth twice when parsing internal entities
- parser: Improve detection of entity loops
- parser: Only report a single entity error
- libxml.h: Remove dubious definition of LIBXML_STATIC
- html: Improve parsing of nested lists
- memory: Don't use locks in xmlMemUsed
- encoding: Remove unused variable xmlDefaultCharEncodingHandler
- Rework initialization code
- Add .editorconfig
- parser: Merge misc, prolog and epilog cases in push parser
- parser: Fix 'consumed' accounting when switching encodings
- html: Fix check for end of comment in push parser
- parser: Fix push parser with 1-3 byte initial chunk
- parser: Rewrite push parser boundary checks
- reader: Switch to xmlParserInputBufferCreateMem
- html: Don't escape ASCII chars in href attributes
- io: Don't shrink memory input buffers
- parser: Don't call xmlSHRINK from push parser
- parser: Ignore cdata argument in xmlParseCharData
- parser: Rework push parser parser progress checks
- io: Fix a few integer overflows in I/O statistics
- io: Rework xmlParserInputBufferGrow with encodings
- io: Remove xmlInputReadCallbackNop
- io: Check for memory buffer early in xmlParserInputGrow
- parser: Fix error message in xmlParseCommentComplex
- Bypass proxy in nanoHTTP for hosts in "no_proxy" (Markus Jörg)
- schemas: Fix infinite loop in xmlSchemaCheckElemSubstGroup
- threads: Remove check for pthread_equal
- xinclude: Rework XInclude cache
- xinclude: Remove inefficient refcounting scheme
- xmllint: Improve handling of empty XPath node sets
- parser: Fix potential memory leak in xmlParseAttValueInternal
- error: Don't use initGenericErrorDefaultFunc
- xpath: Lower XPath recursion limit on Windows
- Stop including sys/types.h
- Don't define WIN32 macro
- Make xmlNewSAXParserCtx take a const sax handler
- Consolidate private header files
- Remove internal macros from parserInternals.h
- Move some HTML functions to correct header file
- xmllint: Stop calling xmlSAXDefaultVersion
- Introduce xmlNewSAXParserCtxt and htmlNewSAXParserCtxt
- Don't mess with parser options in htmlParseDocument
- Remove useless call to htmlDefaultSAXHandlerInit
- Remove htmlDefaultSAXHandler from non-SAX1 build
- Don't initialize SAX handler in htmlReadMemory
- Fix htmlReadMemory mixing up XML and HTML functions
- Don't use default SAX handler to report unrelated errors
- Create stream with buffer in xmlNewStringInputStream
- xmlcatalog: Fix memory leaks
### Code quality
- xzlib: Fix implicit sign change in xz_open
- parser: Simplify calculation of available buffer space
- parser: Use size_t when subtracting input buffer pointers
- parser: Check for integer overflow when updating checkIndex
- xpath: Fix harmless integer overflow in xmlXPathTranslateFunction
- schematron: Use logical and
- relaxng: Remove useless if statement
- schemas: Remove useless if statement
- pattern: Merge identical branches
- regexp: Add sanity check in xmlRegCalloc2
- regexp: Simplify xmlRegAtomPush
- encoding: Cast toupper argument to unsigned char
- uri: Add explicit cast in xmlSaveUri
- buf: Fix return value of xmlBufGetInputBase
- parser: Fix integer overflow of input ID
- parser: Remove useless ent->etype test in xmlParseReference
- parser: Remove useless ent->children tests in xmlParseReference
- xmlmemory.c: Remove xmlMemContentShow
- libxml.h: Add comments and indentation
- libxml.h: Don't include stdio.h
- xmlexports.h: Disable docs for internal macro XMLPUBLIC
- parser: Simplify xmlParseConditionalSections
- io: Rearrange code in xmlSwitchInputEncodingInt
- warnings: Fix -Wstrict-prototypes warning
- warnings: Remove set-but-unused variables
- Fix compiler warnings in SAX2.c
- Fix unused variable warning in python/types.c
- Fix compiler warning in examples
- Fix compiler warnings in fuzzing code
- Remove unused code in nanohttp.c
- Remove or annotate char casts
- Don't use sizeof(xmlChar) or sizeof(char)
- Remove explicit integer casts
### Deprecations
- parser: Deprecate more internal functions
- parser: Deprecate some parser input functions
- parser: Deprecate xmlString*DecodeEntities
- threads: Deprecate some internal functions
- buf: Deprecate static/immutable buffers
- Deprecate internal parser functions
- Deprecate old HTML SAX API
- Generate deprecation warnings for old SAX API
- Mark more functions setting globals as deprecated
- Mark more parser functions as deprecated
- Mark most SAX1 functions as deprecated
- Deprecate some global variables
### Portability
- autoconf: Warn about outdated C compilers
- win32: Remove broken libxml2.def.src
- Remove symbols from version script
- catalog.c: Silence a cast warning on VS 2022 (Lukáš Tyrychtr)
- libxml.h: Remove ancient LynxOS setup
- Use python3 not python (Ross Burton)
- xstc/fixup-tests.py: port to Python 3 (Ross Burton)
- xstc/fixup-tests.py: unify whitespace (Ross Burton)
- Remove hacky heuristic from b2dc5675 (Alex Richardson)
- Avoid creating an out-of-bounds pointer by rewriting a check
(Alex Richardson)
- Hide internal functions
- Correctly relocate internal pointers after realloc() (Alex Richardson)
- Visual Studio builds: Allow silencing deprecation warnings (Chun-wei Fan)
- Visual Studio: Define XML_DEPRECATED (Chun-wei Fan)
- xmllint: Include <io.h> on Windows
- warnings: Work around MSVC bug
- sources: Silence C4013 warnings on Visual Studio (Chun-wei Fan)
- python/setup.py.in: Improve Windows import patching (Chun-wei Fan)
- python: Create .pyd on Windows
- Fix Python build on Windows
- Fix Windows compiler warnings in python/types.c
- Fix libxml_PyFileGet
- Remove BeOS support
- Fix libxml_PyFileGet with stdout on macOS
- Migrate from PyEval_ to PyObject_
- Port build_glob.py to Python 3
- Port genChRanges.py to Python 3
- xmlexports.h: Remove LIBXML_FASTCALL optimization
- Remove XMLCALL and XMLCDECL macros from public headers
- Remove XMLDECL macro from .c files
### Build systems
- cmake: Link against `dl` and `dld` only when `LIBXML2_WITH_MODULES` is
enabled (Alexander Kutelev)
- autotools: Fix make distcheck
- Remove RPM build, Makefile.tests, README.tests
- libxml.m4: deprecate AM_PATH_XML2, wrap PKG_CHECK_MODULES instead
(Ross Burton)
- libxml.m4: fix -Wstrict-prototypes (Sam James)
- cmake: Build static library with -DLIBXML_STATIC
- autotools: Don't use version script on Windows
- autotools: Fix winsock detection
- autotools: Only add network libraries if HTTP/FTP enabled
- autotools: Disable parallel Python build
- python: Don't output missing generators during build
- build: Remove check for broken ss_family
- http: Simplify IPv6 checks
- autotools: Fix network checks on Windows
- Fix detection of GNU libiconv
- cmake: Fix Python installation
- cmake: Don't check for Python 2
- configure.ac: Also check for MSYS host
- Improve network library detection
- Detect ws2_32 with AC_SEARCH_LIBS
- Rework network configure checks
- Remove arg cast configure checks
- Fix dlopen check
- Remove HAVE_WIN32_THREADS configuration flag
- Rework dlopen and pthread detection
- Fix test in configure.ac
- cmake: Enable GCC compiler warnings
- Always link with -no-undefined
- Use AM_CFLAGS and AM_LDFLAGS consistently
- Remove -Wredundant-decls
- Call AC_CHECK_* with multiple arguments
- configure.ac: Remove checks for unused programs
- Rework library detection in configure.ac
- Rearrange configure.ac
- Consolidate zlib and lzma detection
- Remove "runtime debugging"
- Consolidate simple API modules in configure.ac
- Fix dependency resolution in configure.ac
- Fix --with-valid --without-regexps build
- Fix --with-schemas --without-xpath build
- Don't build unneeded .c source files
- Move xmlIsXHTML to tree.c
- Cleanup distribution settings in Makefile.am
- Also clean *.pyc files for Python 2
- Don't distribute libxml2.spec
### Tests
- testchar: Add test for memory pull parser with encoding
- fuzz: Also test init function of URI fuzzer
- fuzz: Separate fuzzer for DTD validation
- gitlab-ci: Enable all "integer" sanitizers
- fuzz: Inject random malloc failures
- fuzz: Support variable integer sizes in fuzz data
- fuzz: Fix duplicate detection in fuzzEntityRecorder
- fuzz: Set filename in xmlFuzzEntityLoader
- fuzz: Allow xmlFuzzReadString(NULL)
- fuzz: Fix Makefile dependencies
- fuzz: Add test/recurse to seed corpus
- fuzz: Add separate XInclude fuzzer
- runsuite: Some errors are expected
- testrecurse: Test entity expansion stats
- testapi.c: Initialize catalog early
- gentest.py: Fix memory leak in API tests
- tests: Enable "runsuite" test
- python/tests/reader2: use absolute paths everywhere (Ross Burton)
- python/tests/reader2: always exit(1) if a test fails (Ross Burton)
- testModule: exit if the module can't be opened (Ross Burton)
- CI: disable modules in gcc:static build (Ross Burton)
- CI: fix CI on MinGW builds (Ross Burton)
- python: Fix memory leak checks
- tests: Check that xmlInitParser doesn't allocate memory
- tests: Fix use-after-free in Python tests
- tests: Remove unneeded #includes
- gitlab-ci: Make Test-Msvc exit if ctest fails
- gitlab-ci: Treat compiler warnings as errors on MSVC
- test: Add test for push parser boundaries
- gitlab-ci: Upgrade image to Ubuntu 22.10, reenable MSan
- gitlab-ci: Reenable LeakSanitizer
- gitlab-ci: Fix llvm-symbolizer
- xinclude: Don't create result doc for test with errors
- xinclude: Also test error messages
- gitlab-ci: Allow cast-align warnings from clang
- gitlab-ci: Fix tar invocation
- gitlab-ci: Move MSVC test to separate script
- gitlab-ci: Fix SUFFIX, remove MINGW_PATH
- gitlab-ci: Consolidate CMake test scripts
- gitlab-ci: Only install MinGW autotools if needed
- gitlab-ci: Only install cmake MinGW package if needed
- gitlab-ci: Install 7-Zip using the .msi
- Use $MSYSTEM and 'bash -lc' in MinGW CI
- Add CI job for MinGW/Autotools
- Consolidate CI scripts
- Allow empty MINGW_PACKAGE_PREFIX
- Move Dockerfile to .gitlab-ci directory
- testapi: Disable on Windows for now
- Disable fuzzer tests if glob.h wasn't found
- Move automata test to runtest.c
- Fix testapi when building --without-sax1
# Documentation
- doc: Remove ancient files
- Remove ancient TODOs
- html: Fix htmlInitAutoClose documentation
- doc: Mention new location of XML catalog as breaking change
- doc: Mention potentially breaking changes in NEWS
- doc: Remove xmlDllMain from documentation and version script
- doc: Mention ${sysconfdir} in man pages
- doc: Document xmlcatalog --convert
- doc: Document xmllint --nodict and --pedantic
- doc: Fix indentation in source XML files
- xmllint: Document --quiet option
- Improve cross-references in API docs
- Improve documentation of globals
- Fix documentation parser
- Support comments for global variables in documentation
- Fix update call in apibuild.py
- Don't index anything in DOC_DISABLE sections
- Fix warnings from apibuild.py
- Start with documentation for maintainers
v2.10.4: Apr 11 2023
### Security
- [CVE-2023-29469] Hashing of empty dict strings isn't deterministic
- [CVE-2023-28484] Fix null deref in xmlSchemaFixupComplexType
- schemas: Fix null-pointer-deref in xmlSchemaCheckCOSSTDerivedOK
### Regressions
- SAX2: Ignore namespaces in HTML documents
- io: Fix "buffer full" error with certain buffer sizes
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 7.0.1 to 7.2.0
- Update of rootfile
- Changelog
Overview of changes leading to 7.2.0
- Add Tifinagh to the list of scripts that can natively be either right-to-left
or left-to-right, to improve handling of its glyph positioning.
(Simon Cozens)
- Return also single substitution from hb_ot_layout_lookup_get_glyph_alternates()
(Behdad Esfahbod)
- Fix 4.2.0 regression in applying across syllables in syllabic scripts.
(Behdad Esfahbod)
- Add flag to avoid glyph substitution closure during subsetting, and the
corresponding “--no-layout-closure” option to “hb-subset” command line tool.
(Garret Rieger)
- Support instancing COLRv1 table. (Qunxin Liu)
- Don’t drop used user-defined name table entries during subsetting.
(Qunxin Liu)
- Optimize handling of “gvar” table. (Behdad Esfahbod)
- Various subsetter bug fixes and improvements. (Garret Rieger, Qunxin Liu)
- Various documentation improvements. (Behdad Esfahbod, Josef Friedrich)
- New API:
+HB_SUBSET_FLAGS_NO_LAYOUT_CLOSURE
+HB_UNICODE_COMBINING_CLASS_CCC132
- Deprecated API:
+HB_UNICODE_COMBINING_CLASS_CCC133
Overview of changes leading to 7.1.0
- New experimental hb_shape_justify() API that uses font variations to expand
or shrink the text to a given advance. (Behdad Esfahbod)
- Various build and bug fixes. (Behdad Esfahbod, Garret Rieger, Qunxin Liu)
- New API:
+hb_font_set_variation()
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 2.26.4 to 2.26.5
- Update of rootfile
- Changelog
2.26.5
The minimum deployment target on macOS is now 10.11, due to changes in the
latest Xcode update
Fixed incorrect modifier keys handling on macOS
Fixed occasional duplicate controller visible on macOS
Fixed handling of third party PS4 controller input reports
Added support for the trigger buttons on the Victrix Pro FS for PS5
Added mapping for Flydigi Vader 2 with the latest firmware (6.0.4.9)
Added mapping for DualSense Edge Wireless Controller on Linux
Added mapping for Hori Pokken Tournament DX Pro Pad
Improved the speed and quality of audio resampling
Fixed crash on Linux if dbus can't be initialized
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
this patch add nanopi r2c plus support.
if this u-boot is installed on the eMMC this is also
supported.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from version 4.17.5 to 4.18.1
- Update of rootfile
some libraries now use x86-64 instead of x86_64 but most are still left with x86_64
Good thing that we create a separate version of the rootfile for each architecture
because it is no longer just the arm version that is unique but also the x86_64 one.
- Since version 4.17.0 it has been possible to do a build excluding SMB1 server capability.
As SMB1 is insecure and has known exploits including ransomeware based ones it seems
reasonable to build samba without SMB1 server capability for use on a firewall.
The option to build wiythout SMB1 server capability has been added to the LFS file.
- Changelog
Release Notes for Samba 4.18.1
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.18.0
NEW FEATURES/CHANGES
SMB Server performance improvements
The security improvements in recent releases
(4.13, 4.14, 4.15, 4.16), mainly as protection against symlink races,
caused performance regressions for metadata heavy workloads.
While 4.17 already improved the situation quite a lot,
with 4.18 the locking overhead for contended path based operations
is reduced by an additional factor of ~ 3 compared to 4.17.
It means the throughput of open/close
operations reached the level of 4.12 again.
More succinct samba-tool error messages
Historically samba-tool has reported user error or misconfiguration by
means of a Python traceback, showing you where in its code it noticed
something was wrong, but not always exactly what is amiss. Now it
tries harder to identify the true cause and restrict its output to
describing that. Particular cases include:
* a username or password is incorrect
* an ldb database filename is wrong (including in smb.conf)
* samba-tool dns: various zones or records do not exist
* samba-tool ntacl: certain files are missing
* the network seems to be down
* bad --realm or --debug arguments
Accessing the old samba-tool messages
This is not new, but users are reminded they can get the full Python
stack trace, along with other noise, by using the argument '-d3'.
This may be useful when searching the web.
The intention is that when samba-tool encounters an unrecognised
problem (especially a bug), it will still output a Python traceback.
If you encounter a problem that has been incorrectly identified by
samba-tool, please report it on https://bugzilla.samba.org.
Colour output with samba-tool --color
For some time a few samba-tool commands have had a --color=yes|no|auto
option, which determines whether the command outputs ANSI colour
codes. Now all samba-tool commands support this option, which now also
accepts 'always' and 'force' for 'yes', 'never' and 'none' for 'no',
and 'tty' and 'if-tty' for 'auto' (this more closely matches
convention). With --color=auto, or when --color is omitted, colour
codes are only used when output is directed to a terminal.
Most commands have very little colour in any case. For those that
already used it, the defaults have changed slightly.
* samba-tool drs showrepl: default is now 'auto', not 'no'
* samba-tool visualize: the interactions between --color-scheme,
--color, and --output have changed slightly. When --color-scheme is
set it overrides --color for the purpose of the output diagram, but
not for other output like error messages.
New samba-tool dsacl subcommand for deleting ACES
The samba-tool dsacl tool can now delete entries in directory access
control lists. The interface for 'samba-tool dsacl delete' is similar
to that of 'samba-tool dsacl set', with the difference being that the
ACEs described by the --sddl argument are deleted rather than added.
No colour with NO_COLOR environment variable
With both samba-tool --color=auto (see above) and some other places
where we use ANSI colour codes, the NO_COLOR environment variable will
disable colour output. See https://no-color.org/ for a description of
this variable. `samba-tool --color=always` will use colour regardless
of NO_COLOR.
New wbinfo option --change-secret-at
The wbinfo command has a new option, --change-secret-at=<DOMAIN CONTROLLER>
which forces the trust account password to be changed at a specified domain
controller. If the specified domain controller cannot be contacted the
password change fails rather than trying other DCs.
New option to change the NT ACL default location
Usually the NT ACLs are stored in the security.NTACL extended
attribute (xattr) of files and directories. The new
"acl_xattr:security_acl_name" option allows to redefine the default
location. The default "security.NTACL" is a protected location, which
means the content of the security.NTACL attribute is not accessible
from normal users outside of Samba. When this option is set to use a
user-defined value, e.g. user.NTACL then any user can potentially
access and overwrite this information. The module prevents access to
this xattr over SMB, but the xattr may still be accessed by other
means (eg local access, SSH, NFS). This option must only be used when
this consequence is clearly understood and when specific precautions
are taken to avoid compromising the ACL content.
Azure Active Directory / Office365 synchronisation improvements
Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
REMOVED FEATURES
smb.conf changes
Parameter Name Description Default
acl_xattr:security_acl_name New security.NTACL
server addresses New
CHANGES SINCE 4.18.0rc4
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
CHANGES SINCE 4.18.0rc3
* BUG 15308: Avoid that tests fail because other tests didn't do cleanup on
failure.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
CHANGES SINCE 4.18.0rc2
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15298: Build failure on solaris with tevent 0.14.0 (and ldb 2.7.0).
(tevent 0.14.1 and ldb 2.7.1 are already released...)
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15291: test_chdir_cache.sh doesn't work with SMBD_DONT_LOG_STDOUT=1.
* BUG 15301: Improve file_modtime() and issues around smb3 unix test.
CHANGES SINCE 4.18.0rc1
* BUG 10635: Office365 azure Password Sync not working.
* BUG 15286: auth3_generate_session_info_pac leaks wbcAuthUserInfo.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
Release Notes for Samba 4.17.7
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
* BUG 15276: CVE-2023-0225.
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
* BUG 15315: CVE-2023-0922.
* BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
allow full write to all attributes (additional changes).
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
Release Notes for Samba 4.17.6
* BUG 15314: streams_xattr is creating unexpected locks on folders.
* BUG 10635: Use of the Azure AD Connect cloud sync tool is now supported for
password hash synchronisation, allowing Samba AD Domains to synchronise
passwords with this popular cloud environment.
* BUG 15299: Spotlight doesn't work with latest macOS Ventura.
* BUG 15310: New samba-dcerpc architecture does not scale gracefully.
* BUG 15307: vfs_ceph incorrectly uses fsp_get_io_fd() instead of
fsp_get_pathref_fd() in close and fstat.
* BUG 15293: With clustering enabled samba-bgqd can core dump due to use
after free.
* BUG 15311: fd_load() function implicitly closes the fd where it should not.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 3.5 to 3.6
- Update of rootfile
- Changelog
Noteworthy changes in release 3.6 (2023-04-10) [stable]
Promoting alpha release to stable release 3.6
Noteworthy changes in release 3.5.28 (2023-03-24) [alpha]
New Features
Support GPT partition attribute bit 63 as no_automount flag.
Add type commands to set type-id on MS-DOS and type-uuid on GPT.
Add swap flag support to the dasd disklabel
Add display of GPT disk and partition UUIDs in JSON output
Bug Fixes
Fix use of enums in flag limits by switching to using #define
Fix ending sector location when using kibi IEC suffix
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.10.1 to 1.10.2
- Update of rootfile
- Changelog
Noteworthy changes in version 1.10.2 (2023-04-06) [C24/A4/R2]
* Bug fixes:
- Fix Argon2 for the case output > 64. [rC13b5454d26]
- Fix missing HWF_PPC_ARCH_3_10 in HW feature. [rCe073f0ed44]
- Fix RSA key generation failure in forced FIPS mode. [T5919]
- Fix gcry_pk_hash_verify for explicit hash. [T6066]
- Fix a wrong result of gcry_mpi_invm. [T5970]
- Allow building with --disable-asm for HPPA. [T5976]
- Fix Jitter RNG for building native on Windows. [T5891]
- Allow building with -Oz. [T6432]
- Enable the fast path to ChaCha20 only when supported. [T6384]
- Use size_t to avoid counter overflow in Keccak when directly
feeding more than 4GiB. [T6217]
* Other:
- Do not use secure memory for a DRBG instance. [T5933]
- Do not allow PKCS#1.5 padding for encryption in FIPS mode.
[T5918]
- Fix the behaviour for child process re-seeding in the DRBG.
[rC019a40c990]
- Allow verification of small RSA signatures in FIPS mode. [T5975]
- Allow the use of a shorter salt for KDFs in FIPS mode. [T6039]
- Run digest+sign self tests for RSA and ECC in FIPS mode.
[rC06c9350165]
- Add function-name based FIPS indicator function.
GCRYCTL_FIPS_SERVICE_INDICATOR_FUNCTION. This is not considered
an ABI changes because the new FIPS features were not yet
approved. [rC822ee57f07]
- Improve PCT in FIPS mode. [rC285bf54b1a, rC4963c127ae, T6397]
- Use getrandom (GRND_RANDOM) in FIPS mode. [rCcf10c74bd9]
- Disable RSA-OAEP padding in FIPS mode. [rCe5bfda492a]
- Check minimum allowed key size in PBKDF in FIPS mode.
[T6039,T6219]
- Get maximum 32B of entropy at once in FIPS mode. [rCce0df08bba]
- Prefer gpgrt-config when available. [T5034]
- Mark AESWRAP as approved FIPS algorithm. [T5512]
- Prevent usage of long salt for PSS in FIPS mode. [rCfdd2a8b332]
- Prevent usage of X9.31 keygen in FIPS mode. [rC392e0ccd25]
- Remove GCM mode from the allowed FIPS indicators. [rC1540698389]
- Add explicit FIPS indicators for hash and MAC algorithms. [T6376]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.46 to 1.47
- Update of rootfile
- Changelog
Noteworthy changes in version 1.47 (2023-04-06) [C34/A34/R0]
* New error codes for PUKs and reset codes. [T6421]
* Avoid segv in logging with improper use of the "socket://".
[rE68333be630]
* Fixed translation of argparse's internal option --help.
[rE885a287a57]
* Interface changes relative to the 1.46 release:
GPG_ERR_SOURCE_TKD NEW.
GPG_ERR_BAD_PUK NEW.
GPG_ERR_NO_RESET_CODE NEW.
GPG_ERR_BAD_RESET_CODE NEW.
GPGRT_SPAWN_KEEP_STDIN NEW.
GPGRT_SPAWN_KEEP_STDOUT NEW.
GPGRT_SPAWN_KEEP_STDERR NEW.
GPGRT_SPAWN_INHERIT_FILE NEW.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
For details see:
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-17-1
"Features
Expose 'statistics-inhibit-zero' as a configuration option; the default
value retains Unbound's behavior.
Expose 'max-sent-count' as a configuration option; the default value
retains Unbound's behavior.
Merge #461 from Christian Allred: Add max-query-restarts option.
Exposes an internal configuration but the default value retains
Unbound's behavior.
Merge #569 from JINMEI Tatuya: add keep-cache option to
'unbound-control reload' to keep caches.
Bug Fixes
Merge #768 from fobser: Arithmetic on a pointer to void is a GNU
extension.
In unit test, print python script name list correctly.
testcode/dohclient sets log identity to its name.
Clarify the use of MAX_SENT_COUNT in the iterator code.
Fix that cachedb does not store failures in the external cache.
Merge #767 from jonathangray: consistently use IPv4/IPv6 in
unbound.conf.5.
Fix to ignore tcp events for closed comm points.
Fix to make sure to not read again after a tcp comm point is closed.
Fix#775: libunbound: subprocess reap causes parent process reap to
hang.
iana portlist update.
Complementary fix for distutils.sysconfig deprecation in Python 3.10 to
commit 62c5039ab9da42713e006e840b7578e01d66e7f2.
Fix#779: [doc] Missing documention in ub_resolve_event() for callback
parameter was_ratelimited.
Ignore expired error responses.
Merge #720 from jonathangray: fix use after free when WSACreateEvent()
fails.
Fix for the ignore of tcp events for closed comm points, preserve the
use after free protection features.
Fix#782: Segmentation fault in stats.c:404.
Add SVCB and HTTPS to the types removed by 'unbound-control flush'.
Clear documentation for interactivity between the subnet module and the
serve-expired and prefetch configuration options.
Fix#773: When used with systemd-networkd, unbound does not start until
systemd-networkd-wait-online.service times out.
Merge #808: Wrap Makefile script's directory variables in quotes.
Fix to wrap Makefile scripts directory in quotes for uninstall.
Fix windows compile for libunbound subprocess reap comm point closes.
Update github workflows to use checkout v3.
Fix wildcard in hyperlocal zone service degradation, reported by Sergey
Kacheev."
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
- powertop requires debug_fs to be enabled in the kernel for it to function. In Core
Update 171 debug_fs was disabled as a security risk for a firewall application.
- Based on the above powertop has stopped functioning since Core Update 171. Discussed
at IPFire Developers monthly conf call for April and agreed to remove the addon as
debug_fs will not be re-enabled.
- removal of lfs and rootfiles and removal of powertop line in make.sh
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Acked-by: Michael Tremer <michael.tremer@ipfire.org>
In a future Core Update, the following remnants of OpenSSL 1.1.1 need to
be removed:
/usr/lib/engines-1.1/afalg.so
/usr/lib/engines-1.1/capi.so
/usr/lib/engines-1.1/padlock.so
/usr/lib/libcrypto.so.1.1
/usr/lib/libssl.so.1.1
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Compiling the kernel has automatically introduced
CONFIG_INIT_STACK_ALL_ZERO=y and removed GCC's structleak plugin (not to
be confused with its stackleak counterpart). However, according to
related documentation, this neither introduces a security nor
performance disadvantage.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
- removal of EX-addonsvc.menu entry in config/menu/ as the lfs file for this could not be
found in the IPFire git repo all the way back to CU30
- removal of EX-addonsvc.menu, EX-asterisk.menu and EX-bluetooth.menu which are no longer
in IPfire for two years or longer.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 1.23.12 to 1.27.100
- Update of rootfile
- Changelog is over 2000 lines long. For details please see the CHNGELOG.rst file in the
source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
- Update from version 10.0.0 to 10.01.1
- Update of rootfile
- Changelog highlights is only shown in the website. For more details of the changes made
you bhave to go and look at the commit log
https://git.ghostscript.com/?p=ghostpdl.git;a=shortlog;h=refs/heads/master
Version 10.01.0 (2023-03-22)
Highlights in this release include:
We've continued to improve the performance of the PDF interpreter written in
C and improve it's behaviour in edge and out-of-specification cases.
Our efforts in code hygiene and maintainability continue.
The usual round of bug fixes, compatibility changes, and incremental
improvements.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
