- Update from 5.9.2 to 5.9.3
- Update of rootfile not required
- Changelog
strongswan-5.9.3
- Added AES_ECB, SHA-3 and SHAKE-256 support to wolfssl plugin.
- Added AES_CCM and SHA-3 signature support to openssl plugin.
- The x509 and openssl plugins now consider the authorityKeyIdentifier, if
available, before verifying signatures, which avoids unnecessary signature
verifications after a CA key rollover if both certificates are loaded.
- The pkcs11 plugin better handles optional attributes like CKA_TRUSTED, which
previously depended on a version check.
- charon-nm now supports using SANs as client identities, not only full DNs.
- charon-tkm now handles IKE encryption.
- A MOBIKE update is sent again if a a change in the NAT mappings is detected
but the endpoints stay the same.
- Converted most of the test case scenarios to the vici interface
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 1.2.15 (2013) to 2.0.16 (2021)
- Source file name changed from SDL to SDL2 so also deleted old sdl and created sdl2
files for rootfile and lfs
- Changelog is too large to include here. Details can be found in the WhatsNew.txt file
in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Full changelog as per https://gitweb.torproject.org/tor.git/plain/ChangeLog?h=tor-0.4.6.7:
Changes in version 0.4.6.7 - 2021-08-16
This version fixes several bugs from earlier versions of Tor,
including one that could lead to a denial-of-service attack. Everyone
running an earlier version, whether as a client, a relay, or an onion
service, should upgrade to Tor 0.3.5.16, 0.4.5.10, or 0.4.6.7.
o Major bugfixes (cryptography, security):
- Resolve an assertion failure caused by a behavior mismatch between
our batch-signature verification code and our single-signature
verification code. This assertion failure could be triggered
remotely, leading to a denial of service attack. We fix this issue
by disabling batch verification. Fixes bug 40078; bugfix on
0.2.6.1-alpha. This issue is also tracked as TROVE-2021-007 and
CVE-2021-38385. Found by Henry de Valence.
o Minor feature (fallbackdir):
- Regenerate fallback directories list. Close ticket 40447.
o Minor features (geoip data):
- Update the geoip files to match the IPFire Location Database, as
retrieved on 2021/08/12.
o Minor bugfix (crypto):
- Disable the unused batch verification feature of ed25519-donna.
Fixes bug 40078; bugfix on 0.2.6.1-alpha. Found by Henry
de Valence.
o Minor bugfixes (onion service):
- Send back the extended SOCKS error 0xF6 (Onion Service Invalid
Address) for a v2 onion address. Fixes bug 40421; bugfix
on 0.4.6.2-alpha.
o Minor bugfixes (relay):
- Reduce the compression level for data streaming from HIGH to LOW
in order to reduce CPU load on the directory relays. Fixes bug
40301; bugfix on 0.3.5.1-alpha.
o Minor bugfixes (timekeeping):
- Calculate the time of day correctly on systems where the time_t
type includes leap seconds. (This is not the case on most
operating systems, but on those where it occurs, our tor_timegm
function did not correctly invert the system's gmtime function,
which could result in assertion failures when calculating voting
schedules.) Fixes bug 40383; bugfix on 0.2.0.3-alpha.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
We are using CPU-affinity and packet steering functions in various
places in IPFire, but packets might still be received on a random CPU
core.
This feature enables that packets that belong to the same connection
(i.e. have the save tuple) will be steered to the same queue. This will
increase cache locality and decrease locking which results in higher
throughput.
https://www.kernel.org/doc/Documentation/networking/scaling.txt
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Acked-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://blog.clamav.net/2021/09/clamav-01040-released.html
New requirements and major changes:
"As of ClamAV 0.104, CMake is required to build ClamAV
...
The built-in LLVM for the bytecode runtime has been removed."
But since the current 'llvm 12.0.1' version refused to be build
"...you will need to supply the development libraries for LLVM
version 3.6.2" - which is ~6 years old - I gave up with 'llvm'
and stayed with the bytecode "interpreter".
Cited:
"The bytecode interpreter is the default runtime for bytecode
signatures just as it was in ClamAV 0.103.
@ALL:
In 'clamav 0.104.0' there is no appropriate cmake option for
"CONFIGURE_FLAGS = --disable-fanotify" for ARM buildings anymore.
Perhaps there is a kernel option for this?
=> https://docs.clamav.net/manual/OnAccess.html#requirements
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
The mq_notify function has a potential use-after-free issue when using a
notification type of SIGEV_THREAD and a thread attribute with a non-default
affinity mask.
The fix for this introduced a NULL pointer dereference.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- wlanap.cgi was using regdbdump from crda to create a text based list of the
wireless settings by country database.
- With the removal of crda as part of the removal of python2 this option could not be
used.
- wireless-regdb also has a text based database list in the source tarball and this
patch makes wlanap.cgi read this list into the @countrylist_cmd variable
- This needs to be tested by someone that has an IPFire system with wifi that can access
and evaluate wlanap.cgi to confirm that this change functions as expected.
- This version changes the name of the stored text file from db.txt to regulatorydb.txt
- The command to read the data from regulatorydb.txt into @countrylist_cmd has been
corrected
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- db.txt is the text file version of the wireless settings by country database
- Using db.txt means that regdbdump from crda is not required by wlanap.cgi
- This patch copies the db.txt file from the source tarball to /lib/firmware/ where
it can be read by wlanap.cgi
- This version of the patch renames the db.txt file to regulatorydb.txt
- Updated rootfile to include regulatorydb.txt
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- python3 has this functionality built in with ipaddress.py
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- With the removal of python-m2crypto then this module is not longer required as a
dependency.
- python3-setuptools was already released into Core Update 157
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- With the removal of python-m2crypto then python-typing is no longer rerquired as a
dependency.
- The functionality of the python2 typing module is built in to python3.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- A python3 version of this module is not required as python-m2crypto is only used for
the build of crda.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- From kernel 4.15 and onwards the function of what crda does is built into the kernel.
- Tested the removal of crda with kernel 4.14.232 and kernel 5.10.45
Country code set by "iw reg set NL" was recognised with kernel 5.10.45 and set at
the global value of 00 with kernel 4.14.232 confirming the kernel built in option is
working without the prescence of crda
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- crda only works with python2 version of m2crypto
python-m2crypto requires python-setuptools and python-typing
- With Linux kernel 4.15 and later the country code status check that crda did is built
into the kernel.
- So from kernel 4.15, crda can be removed, which allows removal of m2crypto, setuptools
and typing.
- python-typing is built into python3 so no additional python3 module required.
- python3 version of python-setuptools has already been installed.
- python3 version of python-m2crypto is not required. python-m2crypto is only used for the
build of crda.
- ipaddr can be removed as the function of this python2 module is built into python3 with
ipaddress.py
- removal of crda tested with 5.10.45 kernel and the setting of a country code was
recognised. If this test carried out with crda removed and 4.14.232 kernel then country
code stays defined as the global code "00".
- wlanap.cgi uses regdbdump from crda to create a text based list of the
wireless settings by country database. With the removal of crda a modification is
required to wireless-reg to copy the db.txt file to a specific location that wlan.cgi
can then access. db.txt is the text file version of the wireless settings by country
database.
- This series version copies the db.txt file and renames it regulatorydb.txt and places it in
/lib/firmware/
- This series version also corrects the loading command from regulatorydb.txt into the
@countrylist_cmd variable
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Patch created to convert all python modules to python3 compatibility that need it.
2to3 converter used for this.
- Start initscript changed to use python3
- No change required in rootfile
- Execution of patch added to lfs file
- Tested in vm machine. WUI page showed the same as with the python version.
scan of directory for mp3 (.flac) files was successful. Could not test actual audio
playing capability as my vm testbed does not have any audio setup at this time.
I believe that the purpose of client175 is to provide the WUI page and for that my
testing seemed to show everything working as expected.
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 7.80 to 7.91
- Update of rootfile
- Changelog is too long to include here
Full details can be found in the CHANGELOG file in the source tarball
- Added patch to fix segfault - https://github.com/nmap/nmap/issues/2154
- Ran with unpatched 7.91 version
$ touch /tmp/foo
$ nc -U /tmp/foo
Segmentation fault - flagged problem in #12647
- Ran with patched 7.91 version
$ touch /tmp/foo
$ nc -U /tmp/foo
Ncat: Connection refused. - Expected behaviour
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 2.8.8 to 2.10.0
- Update of rootfile carried out
- Changelog
2.10.0:
[ tatsuz ]
* updated Visual Studio projects to VS 2019 (#54)
[ Fabian Greffrath ]
* mp4read.c: fix stack-buffer-overflow in stringin()/ftypin()
* fix heap-buffer-overflow in mp4read.c
[ Clayton Smith ]
* Remove non-ASCII characters
* Remove trailing whitespace
[ Andrew Wesie ]
* Check return value of ltp_data.
* Restrict SBR frame length to 960 and 1024 samples.
* Support object type 29.
* Support implicit SBR signaling in frontend.
* Fix PNS decoding when only right channel is noise.
* Initialize element_id array with an invalid id.
* Fix NULL pointer dereferences.
* Fix infinite loop in adts_parse.
* Fix infinite loop in huffman_getescape.
* Check for error after each channel decode.
* Check for inconsistent number of channels.
2.9.2:
[ Michał Janiszewski ]
* Only use x86-assembly when explicitly on x86
* Use unsigned integers correctly
* Initialize pointers that might otherwise not be
[ Fabian Greffrath ]
* update README esp. WRT directory structure
[ Rosen Penev ]
* fix compilation without SBR/PS_DEC (#48)
* fix compilation with LC_ONLY_DECODER (#47)
[ Fabian Greffrath ]
* fix "inline function 'cfftf1' declared but never defined" compiler warning
* fix some inconsistencies in the frontend output
* mp4read_open: add check for failed frame buffer allocation
* stszin: add check for allocation error and integer overflow
* add a pkg-config file
[ Stefan Pöschel ]
* frontend: address compile warning + add missing LF (#50)
[ François Cartegnie ]
* library name is faad (#52)
* Unbreak PS audio (#51)
2.9.1:
[ Fabian Greffrath ]
* Include stdio.h in libfaad/ps_dec.c for stderr (Michael Fink)
* Fix Tille -> Title typo in frontend/mp4read.c (Alexander Thomas)
2.9.0:
[ Krzysztof Nikiel ]
* Build system fixes and code clean-up
[ LoRd_MuldeR ]
* Fix compiler warnings and code indentation
* Fix compilation with GCC <= 4.7.3
* MSVC solution file clean-up
[ Cameron Cawley ]
* Fix compilation with GCC 4.7.4
* Fix compilation with MinGW
[ Michael Fink ]
* MSVC 2017 project file update
[ Hugo Lefeuvre ]
* Fix crash with unsupported MP4 files (NULL pointer dereference,
division by zero)
* CVE-2019-6956: ps_dec: sanitize iid_index before mixing
* CVE-2018-20196: sbr_fbt: sanitize sbr->M (should not exceed MAX_M)
* CVE-2018-20199, CVE-2018-20360: specrec: better handle unexpected
parametric stereo (PS)
* CVE-2018-20362, CVE-2018-19504, CVE-2018-20195, CVE-2018-20198,
CVE-2018-20358: syntax.c: check for syntax element inconsistencies
* CVE-2018-20194, CVE-2018-19503, CVE-2018-20197, CVE-2018-20357,
CVE-2018-20359, CVE-2018-20361: sbr_hfadj: sanitize frequency band
borders
[ Hugo Beauzée-Luyssen ]
* CVE-2019-15296, CVE-2018-19502: Fix a couple buffer overflows
[ Filip Roséen ]
* Prevent crash on SCE followed by CPE
[ Gianfranco Costamagna ]
* Fix linking with GCC 9 and "-Wl,--as-needed"
[ Fabian Greffrath ]
* Enable the frontend to be built reproducibly
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 1.15.1 to 1.16
- Update of rootfile not required
- Changelog
1.16 - 2021-07-02
- Increase width of size bar depending on terminal size (Christian Göttsche)
- Set/increment $NCDU_LEVEL variable when spawning a shell
- Indicate whether apparent size or disk usage is being displayed
- Display setuid, setgid and sticky bits in file flags in extended mode
- Fix error handling while reading --exclude-from file
- Improve JSON import to allow for several future extensions to the format
- Export link count in JSON dumps
- Don't export inode in JSON dumps for non-hardlinks
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 3.0.3 to 3.0.6
- Update of rootfile carried out
- Changelog
## Lynis 3.0.6 (2021-07-22)
### Added
- OS detection: Artix Linux, macOS Monterey, NethServer, openSUSE MicroOS
- Check for outdated translation files
### Changed
- DBS-1826 - Check if PostgreSQL is being used
- DBS-1828 - Test multiple PostgreSQL configuration file(s)
- KRNL-5830 - Sort kernels by version instead of modification date
- PKGS-7410 - Don't show exception for systems using LXC
- GetHostID function: fallback options added for Linux systems
- Fix: macOS Big Sur detection
- Fix: show correct text when egrep is missing
- Fix: variable name for PostgreSQL
- German and Spanish translations extended
## Lynis 3.0.5 (2021-07-02)
### Added
- OS detection of Arch Linux 32, BunsenLabs Linux, and Rocky Linux
- CRYP-8006 - Check MemoryOverwriteRequest bit to protect against cold-boot attacks (Linux)
### Changed
- ACCT-9622 - Corrected typo
- HRDN-7231 - When calling wc, use the short -l flag instead of --lines (Busybox compatibility)
- PKGS-7320 - extended to Arch Linux 32
- Generation of host identifiers (hostid/hostid2) extended
- Linux host identifiers are now using ip as preferred input source
- Improved logging in several areas
## Lynis 3.0.4 (2021-05-11)
### Added
- ACCT-9670 - Detection of cmd tooling
- ACCT-9672 - Test cmd configuration file
- BOOT-5140 - Check for ELILO boot loader presence
- OS detection of AlmaLinux, Garuda Linux, Manjaro (ARM), and others
### Changed
- BOOT-5104 - Add service manager detection support for runit
- FILE-6430 - Report suggestion only when at least one kernel module is not in the blacklist
- FIRE-4540 - Corrected nftables empy ruleset test
- LOGG-2138 - Do not check for klogd when metalog is being used
- TIME-3185 - Improved support for Debian stretch
- Corrected issue when Lynis is not executed directly from lynis directory
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 2.0.7 to 2.0.8
- Update of rootfile not required
- Changelog
Version 2.0.8 (2021-03-18)
o Automatic channel reloads based on RPKI changes
o Multiple static routes with the same network
o Use bitmaps to keep track of exported routes
o Per-channel debug flags
o CLI commands show info from multiple protocols
o Linux: IPv4 routes with IPv6 nexthops
o Filter: Optimized redesign of prefix sets
o Filter: Improved type checking of user filters
o Filter: New src/dst accessors for Flowspec and SADR
o Filter: New 'weight' route attribute
o Filter: BGP path mask loop operator
o Filter: Remove quitbird command
o RIP: Demand circuit support (RFC 2091)
o BGP: New 'allow as sets' and 'enforce first as' options
o BGP: Support for BGP hostname capability
o BGP: Support for MD5SIG with dynamic BGP
o BFD: Optional separation of IPv4 / IPv6 BFD instances
o BFD: Per-peer session options
o RPKI: Allow build without libSSH
o RPKI: New 'ignore max length' option
o OSPF: Redesign of handling of unnumbered PtPs
o OSPF: Allow key id 0 in authentication
o Babel: Use onlink flag for routes with unreachable next hop
o Many bugfixes
Notes:
Automatic channel reloads based on RPKI changes are enabled by default,
but require import table enabled when used in BGP import filter.
BIRD now uses bitmaps to keep track of exported routes instead of
re-evaluation of export filters. That should improve speed and accuracy in
route export handling during reconfiguration, but takes some more memory.
Per-channel debug logging and some CLI commands (like 'show ospf neighbors')
defaulting to all protocol instances lead to some minor changes in log and
CLI output. Caution is recommended when logs or CLI output are monitored by
scripts.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
For details see:
https://mmonit.com/monit/changes/
New: Issue #979: If filesystem mount flags changed, show both old
and new value. Originally only the new value was reported.
Fixed: Issue #960: The memory usage may report wrong value if system
memory size changed after Monit start. The problem was frequent
on KVM/LXC containers where MemTotal is dynamicaly updated.
Fixed: Issue #965: Monit CLI: if a custom configuration file was
used with the -c option, and the file cannot be read by Monit,
an AssertException was thrown. Monit will report normal error
instead of the exception now.
Fixed: Issue #966: Monit CLI: The service name pattern was changed
to case-sensitive in Monit 5.28.0. Revert the behaviour back
to case-insensitive.
Fixed: Issue #971: The LINK UP and LINK DOWN tests now support short
form of the optional ELSE condition, in addition to the verbose ELSE
IF <SUCCEEDED|FAILED> form.
Fixed: Issue #976: The space free test recovery always reported
value in percent, regardless of the test setting. If the test uses
absolute limit, Monit will report absolute space usage now.
Fixed: Issue #986: Services checks with custom schedule (the EVERY
statement) did set the data collection timestamp even if the
monitoring was skipped in the given cycle. The timestamp is now
updated only when the check was performed.
Fixed: Issue #990: Monit built with libressl may crash during
verification of the expired SSL certificate.
Fixed: Issue #968: Systemd and upstart templates: templates used
to set the path to the configuration file in the sysconfdir, which
is optionally set via the configure script during the compilation.
The path wasn't fully expanded in the template though, so it was
invalid. The template doesn't specify the explicit path now and lets
Monit search for the configuration file in all supported locations
(including the sysconfdir).
Changed: Issue #984: The permission check of the SSL PEM key file
allows group read permissions now (originally Monit enforced that
the file is readable only by the file owner).
Signed-off-by: Matthias Fischer <matthias.fischer@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
In the past only the fist line of the status output has been passed
to the cleanhtml() function and displayed. Now the whole output will be
converted to a string, cleaned and displyed on the WUI again.
Fixes#12666.
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Bernhard Bitsch <bbitsch@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 1.9.7p1 to 1.9.7p2
- Update of rootfile not required.
- Changelog - more details can be found at https://www.sudo.ws/changes.html
Major changes between version 1.9.7p2 and 1.9.7p1:
When formatting JSON output, octal numbers are now stored as strings, not numbers.
The JSON spec does not actually support octal numbers with a 0 prefix.
Fixed a compilation issue on Solaris 9.
Sudo now can handle the getgroups() function returning a different number of groups
for subsequent invocations. GitHub PR #106.
When loading a Python plugin, python_plugin.so now verifies that the module loaded
matches the one we tried to load. This allows sudo to display a more useful error
message when trying to load a plugin with a name that conflicts with a Python
module installed in the system location.
Sudo no longer sets the the open files resource limit to unlimited while it runs.
This avoids a problem where sudo's closefrom() emulation would need to close a
very large number of descriptors on systems without a way to determine which ones
are actually open.
Sudo now includes a configure check for va_copy or __va_copy and only defines its
own version if the configure test fails.
Fixed a bug in sudo's utmp file handling which prevented old entries from being
reused. As a result, the utmp (or utmpx) file was appended to unnecessarily.
GitHub PR #107.
Fixed a bug introduced in sudo 1.9.7 that prevented sudo_logsrvd from accepting TLS
connections when OpenSSL is used. Bug #988.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Since systemd, many programs no longer behave like a well-behaved
daemon. To avoid any extra solutions, this patch adds a -b switch which
will start a program in the background and throw away any output.
The behaviour remains unchanged for any other programs.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
